As of this ticket, some core Toolforge k8s component configuration lives in the ops/puppet.git tree. We're expected to load it all by hand into k8s. Puppet doesn't do it.
List of stuff (probably not complete):
 RBAC (`toolforge::k8s::config`, i.e. `modules/toolforge/files/k8s/toolforge-tool-roles.yaml`)
 PSP (i.e. `modules/kubeadm/files/psp/base-pod-security-policies.yaml`)
[x] calico (i.e. `modules/kubeadm/templates/calicoctl.yaml.erb`)
I don't think we have a lot of value in having all that YAML coupled to the puppet git tree. Like what happened with [[https://gitlab.wikimedia.org/repos/cloud/toolforge/ingress-nginx | the ingress component]], we could move all that to a separate repository maintained as Helm charts or whatever.