fix(k8s): NetworkPolicy bypasses kustomize commonLabels

Problem: kustomize commonLabels are added to NetworkPolicy egress[].to[].podSelector,
      so the DNS rule requires the CoreDNS pods to have system:awoooi + environment:prod,
      but CoreDNS only has k8s-app:kube-dns, causing DNS resolution to fail

Fix:
- kustomization.yaml: remove 02-network-policy.yaml
- cd.yaml: add an Apply NetworkPolicy step to apply it separately

2026-03-29 ogt: root-cause fix

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
OG T
2026-03-29 01:27:29 +08:00
parent 4f7282a97a
commit 725392b578
126 changed files with 9 additions and 86 deletions

@@ -328,6 +328,13 @@ jobs:
kubectl apply -k .
# 2026-03-29 ogt: NetworkPolicy 單獨 apply (避免 commonLabels 破壞 DNS rule)
- name: Apply NetworkPolicy
run: |
echo "🔒 套用 NetworkPolicy (繞過 kustomize commonLabels)..."
kubectl apply -f k8s/awoooi-prod/02-network-policy.yaml
echo "✅ NetworkPolicy 已套用"
# 2026-03-26: CoreDNS GitOps 同步 (ADR-026)
- name: Sync CoreDNS Config
if: needs.detect-changes.outputs.k3s-system == 'true'
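Review bot: the new `kubectl apply -f k8s/awoooi-prod/02-network-policy.yaml` line passes no `-n`, and since the file no longer goes through `kubectl apply -k .`, anything kustomize would have set on it (a namespace as well as the labels) is no longer applied. The manifest should carry an explicit `metadata.namespace`, or the step should pass `-n <namespace>`, so the policy cannot land in the context's default namespace. The path is also repo-root-relative while the preceding apply uses `.`, so confirm this step runs from the repository root. Because the policy is now applied in its own step after the workloads, it would also help to follow the apply with a `kubectl get networkpolicy` in the target namespace so the log shows the policy is actually in place before the job reports success.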