Starting from k8s 1.17 critical pods can now be created in namespaces other than kube-system. To limit critical pods to the kube-system namespace, cluster admins should create an admission configuration file limiting critical pods by default, and a matching quota object in the kube-system namespace permitting critical pods in that namespace. See https://kubernetes.io/docs/concepts/policy/resource-quotas/#limit-priority-class-consumption-by-default for details. (#76310)
This should have been possible already with 1.16 and we're prepared to just switch it on in:
- custom_deploy.d/istio/main/config.yaml
- custom_deploy.d/istio/ml-serve/config.yaml
- charts/cert-manager/values.yaml
It would probably make sense to add support to the cfss-issuer chart as well and set the same class as for cert-manager.
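
The restriction described in the quoted release note, as an added example adapted from the linked Kubernetes documentation (it is not part of the original task or of any chart listed above). It assumes the built-in priority classes `system-cluster-critical` and `system-node-critical`; the quota name and the file path are placeholders, and the `apiVersion` of the plugin configuration depends on the API server version.

```yaml
# File 1: admission configuration, loaded by kube-apiserver with
# --admission-control-config-file=<path> (path is a placeholder).
# With this in place, a pod that requests one of the listed priority
# classes is rejected in every namespace that has no ResourceQuota
# whose scope covers that class.
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
- name: "ResourceQuota"
  configuration:
    apiVersion: apiserver.config.k8s.io/v1   # assumption: older releases use a different group/version
    kind: ResourceQuotaConfiguration
    limitedResources:
    - resource: pods
      matchScopes:
      - scopeName: PriorityClass
        operator: In
        values: ["system-cluster-critical", "system-node-critical"]
---
# File 2: the matching quota object, applied to the cluster with kubectl.
# Its scope selector covers the same classes, so kube-system is the one
# namespace where critical pods are still admitted.
apiVersion: v1
kind: ResourceQuota
metadata:
  name: critical-pods          # placeholder name
  namespace: kube-system
spec:
  scopeSelector:
    matchExpressions:
    - scopeName: PriorityClass
      operator: In
      values: ["system-cluster-critical", "system-node-critical"]
```

On a cluster configured this way, a chart that sets one of these priority classes is only admitted in namespaces that carry such a quota, so each namespace meant to run critical pods needs its own ResourceQuota with the same scope selector.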