fix(k8s): NetworkPolicy bypasses kustomize commonLabels
Problem: kustomize commonLabels get added to the NetworkPolicy egress[].to[].podSelector
This makes the DNS rule require the CoreDNS pods to have system:awoooi + environment:prod
But CoreDNS only has k8s-app:kube-dns, which causes DNS resolution to fail
Fix:
- kustomization.yaml: remove 02-network-policy.yaml
- cd.yaml: add an Apply NetworkPolicy step to apply it separately
2026-03-29 ogt: root cause fix
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
7
.github/workflows/cd.yaml
vendored
@@ -328,6 +328,13 @@ jobs:
|
||||
|
||||
kubectl apply -k .
|
||||
|
||||
# 2026-03-29 ogt: NetworkPolicy 單獨 apply (避免 commonLabels 破壞 DNS rule)
|
||||
- name: Apply NetworkPolicy
|
||||
run: |
|
||||
echo "🔒 套用 NetworkPolicy (繞過 kustomize commonLabels)..."
|
||||
kubectl apply -f k8s/awoooi-prod/02-network-policy.yaml
|
||||
echo "✅ NetworkPolicy 已套用"
|
||||
|
||||
# 2026-03-26: CoreDNS GitOps 同步 (ADR-026)
|
||||
- name: Sync CoreDNS Config
|
||||
if: needs.detect-changes.outputs.k3s-system == 'true'
|
||||
|
||||
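Review bot: the `kubectl apply -f k8s/awoooi-prod/02-network-policy.yaml` line in the new Apply NetworkPolicy step passes no namespace and no longer goes through kustomize, so whatever the kustomization previously injected into this manifest is now absent. Please confirm that 02-network-policy.yaml sets metadata.namespace itself and that its spec.podSelector still selects the intended pods without the commonLabels. If it does not, the policy can land in the kubeconfig context's default namespace or match a different set of pods, and the prod workloads would run without the intended restriction while the step still prints its success message. The step also runs after `kubectl apply -k .`, so the workloads are updated before the policy. Consider applying the policy first, or adding a check after the apply that the NetworkPolicy exists in the target namespace and that DNS resolves from a pod. A comment in cd.yaml noting that 02-network-policy.yaml is deliberately excluded from kustomization.yaml would keep someone from re-adding it later. As an alternative that keeps a single apply path, the kustomize `labels` field with `includeSelectors: false` adds labels to resources without rewriting selectors.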