fix(drift): kubectl not found + RBAC services/configmaps/ingresses
Some checks failed
CD Pipeline / build-and-deploy (push) Has been cancelled

drift_detector uses kubectl to compare the Git YAML against the actual K8s state, but:
1. The API image has no kubectl binary → No such file or directory: 'kubectl'
2. The awoooi-executor ClusterRole lacks list permission on services/configmaps/ingresses

Fix:
- Dockerfile: apt install curl + download kubectl v1.29.0 amd64
- 07-rbac.yaml: add get/list/watch on services/configmaps (core) + ingresses (networking.k8s.io)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
OG T
2026-04-10 00:49:56 +08:00
parent 0571ad15d5
commit dbb8104557
2 changed files with 17 additions and 2 deletions


@@ -58,9 +58,14 @@ COPY apps/api/alert_rules.yaml ./alert_rules.yaml
# 2026-04-10 Claude Sonnet 4.6: drift_detector 需要 k8s/ YAML 做 Git state 比對
COPY k8s/ ./k8s/
# Install openssh-client — SSH_COMMAND Playbook 執行路徑需要 ssh binary
# Install openssh-client + curl — SSH_COMMAND Playbook + healthcheck
# Install kubectl — drift_detector 需要 kubectl 讀取 K8s 實際狀態
# (2026-04-09 Claude Sonnet 4.6 Asia/Taipei, Bug #6 修正 — python:3.11-slim 無 openssh-client)
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client && rm -rf /var/lib/apt/lists/*
# (2026-04-10 Claude Sonnet 4.6 Asia/Taipei: drift kubectl_error — No such file or directory: 'kubectl')
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client curl && \
curl -LO "https://dl.k8s.io/release/v1.29.0/bin/linux/amd64/kubectl" && \
chmod +x kubectl && mv kubectl /usr/local/bin/kubectl && \
rm -rf /var/lib/apt/lists/*
# Create non-root user
RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
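Review bot: the `curl -LO "https://dl.k8s.io/release/v1.29.0/bin/linux/amd64/kubectl"` step puts the binary into /usr/local/bin with no integrity check, and without `-f` an HTTP error body would be saved, made executable and shipped as `kubectl`. Use `curl -fsSLO` and verify the file against a SHA-256 digest pinned in the Dockerfile with `sha256sum --check` before the `chmod +x` (dl.k8s.io publishes `kubectl.sha256` next to the binary, but a digest fetched from the same origin at build time only catches corruption, not a substituted download). The hard-coded `amd64` path also ties the image to one architecture; take it from a build arg such as `TARGETARCH` if other platforms are ever built. The added comment says curl is also needed for the healthcheck, so keeping it in the final image looks intentional; if that is not the case, purge it in the same layer.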


@@ -56,6 +56,16 @@ rules:
resources: ["namespaces"]
verbs: ["get", "list"]
# drift_detector: 讀取 services/configmaps/ingresses 做 Git vs K8s 漂移比對
# 2026-04-10 Claude Sonnet 4.6 Asia/Taipei: 補齊 drift scan 所需 RBAC
- apiGroups: [""]
resources: ["services", "configmaps"]
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources: ["ingresses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources: ["deployments", "deployments/status", "replicasets"]
verbs: ["get", "list", "watch"]
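Review bot: the new core-group rule grants `get`, `list` and `watch` on `configmaps` through a ClusterRole, which is wider than the gap the commit message describes (missing list permission) and, if awoooi-executor is bound with a ClusterRoleBinding, lets the API pod read every ConfigMap in every namespace, including ones that carry other workloads' configuration. If drift_detector only runs one-shot kubectl reads, drop `watch` from both added rules, and consider moving the services/configmaps/ingresses rules into a Role plus RoleBinding in just the namespaces that the manifests under k8s/ cover. The comment above the rules should also state which namespaces the drift scan is expected to read, so a later reviewer can tell whether the cluster-wide scope is deliberate.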