diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index da9a44c6..e8a3499e 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -58,9 +58,14 @@ COPY apps/api/alert_rules.yaml ./alert_rules.yaml
 # 2026-04-10 Claude Sonnet 4.6: drift_detector 需要 k8s/ YAML 做 Git state 比對
 COPY k8s/ ./k8s/
 
-# Install openssh-client — SSH_COMMAND Playbook 執行路徑需要 ssh binary
+# Install openssh-client + curl — SSH_COMMAND Playbook + healthcheck
+# Install kubectl — drift_detector 需要 kubectl 讀取 K8s 實際狀態
 # (2026-04-09 Claude Sonnet 4.6 Asia/Taipei, Bug #6 修正 — python:3.11-slim 無 openssh-client)
-RUN apt-get update && apt-get install -y --no-install-recommends openssh-client && rm -rf /var/lib/apt/lists/*
+# (2026-04-10 Claude Sonnet 4.6 Asia/Taipei: drift kubectl_error — No such file or directory: 'kubectl')
+RUN apt-get update && apt-get install -y --no-install-recommends openssh-client curl && \
+ curl -LO "https://dl.k8s.io/release/v1.29.0/bin/linux/amd64/kubectl" && \
+ chmod +x kubectl && mv kubectl /usr/local/bin/kubectl && \
+ rm -rf /var/lib/apt/lists/*
 
 # Create non-root user
 RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
diff --git a/k8s/awoooi-prod/07-rbac.yaml b/k8s/awoooi-prod/07-rbac.yaml
index c97e7964..75959f2c 100644
--- a/k8s/awoooi-prod/07-rbac.yaml
+++ b/k8s/awoooi-prod/07-rbac.yaml
@@ -56,6 +56,16 @@ rules:
 resources: ["namespaces"]
 verbs: ["get", "list"]
 
+ # drift_detector: 讀取 services/configmaps/ingresses 做 Git vs K8s 漂移比對
+ # 2026-04-10 Claude Sonnet 4.6 Asia/Taipei: 補齊 drift scan 所需 RBAC
+ - apiGroups: [""]
+ resources: ["services", "configmaps"]
+ verbs: ["get", "list", "watch"]
+
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+
 - apiGroups: ["apps"]
 resources: ["deployments", "deployments/status", "replicasets"]
 verbs: ["get", "list", "watch"]
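Review bot: The kubectl binary fetched by the new `curl -LO` step is installed into /usr/local/bin with no integrity check, so whatever the download returns at build time ends up in the image. Because `-f` is missing, an HTTP error body would also be saved, marked executable and moved into place without failing the build. I would pin the expected SHA-256 in the Dockerfile and verify it before `chmod`, as sketched below; the digest shown is a placeholder to be filled in from the official release checksums. The hard-coded `amd64` path also means a build for another architecture would install a binary that cannot run.

```dockerfile
# Digest below is a placeholder — fill in from the official release checksum for this version/arch.
ARG KUBECTL_VERSION=v1.29.0
ARG KUBECTL_SHA256=<sha256-of-kubectl-linux-amd64>
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client curl && \
    curl -fsSLo /usr/local/bin/kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    echo "${KUBECTL_SHA256}  /usr/local/bin/kubectl" | sha256sum -c - && \
    chmod 0755 /usr/local/bin/kubectl && \
    rm -rf /var/lib/apt/lists/*
```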
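Review bot: The new rule on `services` and `configmaps` grants `watch` as well as read access to every ConfigMap in scope, which is broader than a point-in-time Git-vs-cluster comparison appears to need. If drift_detector only runs `kubectl get`, both added rules could be reduced to `verbs: ["get", "list"]`. ConfigMaps often hold connection strings and other operational detail, and this same image now ships kubectl and an SSH client, so a compromise of the API pod would expose all of it. The role's kind and its binding are outside the hunk; the neighbouring `namespaces` rule suggests a ClusterRole, in which case the ConfigMap read would be better served by a namespaced Role and RoleBinding covering only the namespaces under `k8s/`. I would also add a comment such as `# read-only; scope limited to namespaces tracked in k8s/` so the intended boundary is recorded next to the rule.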