From dbb810455788402053f376677c3aa3ceac9213be Mon Sep 17 00:00:00 2001
From: OG T
Date: Fri, 10 Apr 2026 00:49:56 +0800
Subject: [PATCH] fix(drift): kubectl not found + RBAC services/configmaps/ingresses
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
drift_detector 用 kubectl 比對 Git YAML vs K8s 實際狀態,但: 1. API image 沒有 kubectl binary → No such file or directory: 'kubectl' 2. awoooi-executor ClusterRole 缺少 services/configmaps/ingresses list 權限 修復: - Dockerfile: apt install curl + download kubectl v1.29.0 amd64 - 07-rbac.yaml: 加入 services/configmaps (core) + ingresses (networking.k8s.io) get/list/watch
Co-Authored-By: Claude Sonnet 4.6
---
 apps/api/Dockerfile | 9 +++++++--
 k8s/awoooi-prod/07-rbac.yaml | 10 ++++++++++
 2 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/apps/api/Dockerfile b/apps/api/Dockerfile
index da9a44c6..e8a3499e 100644
--- a/apps/api/Dockerfile
+++ b/apps/api/Dockerfile
@@ -58,9 +58,14 @@ COPY apps/api/alert_rules.yaml ./alert_rules.yaml
 # 2026-04-10 Claude Sonnet 4.6: drift_detector 需要 k8s/ YAML 做 Git state 比對
 COPY k8s/ ./k8s/
-# Install openssh-client — SSH_COMMAND Playbook 執行路徑需要 ssh binary
+# Install openssh-client + curl — SSH_COMMAND Playbook + healthcheck
+# Install kubectl — drift_detector 需要 kubectl 讀取 K8s 實際狀態
 # (2026-04-09 Claude Sonnet 4.6 Asia/Taipei, Bug #6 修正 — python:3.11-slim 無 openssh-client)
-RUN apt-get update && apt-get install -y --no-install-recommends openssh-client && rm -rf /var/lib/apt/lists/*
+# (2026-04-10 Claude Sonnet 4.6 Asia/Taipei: drift kubectl_error — No such file or directory: 'kubectl')
+RUN apt-get update && apt-get install -y --no-install-recommends openssh-client curl && \
+ curl -LO "https://dl.k8s.io/release/v1.29.0/bin/linux/amd64/kubectl" && \
+ chmod +x kubectl && mv kubectl /usr/local/bin/kubectl && \
+ rm -rf /var/lib/apt/lists/*
 # Create non-root user
 RUN useradd -m -u 1000 appuser && chown -R appuser:appuser /app
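Review bot: The `curl -LO` line in the new RUN installs the kubectl binary into `/usr/local/bin` without verifying it, so the image trusts whatever the download returns at build time. Without `-f`, an HTTP error body would also be saved, marked executable and shipped, and the build would still pass. dl.k8s.io publishes a `kubectl.sha256` next to each binary; pinning that digest in the Dockerfile and checking it with `sha256sum -c` before the `chmod` closes both gaps. The hard-coded `amd64` in the URL will also install the wrong binary if this image is ever built for another architecture.

```dockerfile
# … unchanged: the comment lines above the RUN …
ARG KUBECTL_VERSION=v1.29.0
# Placeholder: set to the digest published in kubectl.sha256 for this version and arch.
ARG KUBECTL_SHA256=REPLACE_WITH_PUBLISHED_SHA256
RUN apt-get update && apt-get install -y --no-install-recommends openssh-client curl && \
    curl -fsSLo /usr/local/bin/kubectl \
      "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" && \
    echo "${KUBECTL_SHA256}  /usr/local/bin/kubectl" | sha256sum -c - && \
    chmod 0755 /usr/local/bin/kubectl && \
    rm -rf /var/lib/apt/lists/*
```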
diff --git a/k8s/awoooi-prod/07-rbac.yaml b/k8s/awoooi-prod/07-rbac.yaml
index c97e7964..75959f2c 100644
--- a/k8s/awoooi-prod/07-rbac.yaml
+++ b/k8s/awoooi-prod/07-rbac.yaml
@@ -56,6 +56,16 @@ rules:
 resources: ["namespaces"]
 verbs: ["get", "list"]
+ # drift_detector: 讀取 services/configmaps/ingresses 做 Git vs K8s 漂移比對
+ # 2026-04-10 Claude Sonnet 4.6 Asia/Taipei: 補齊 drift scan 所需 RBAC
+ - apiGroups: [""]
+ resources: ["services", "configmaps"]
+ verbs: ["get", "list", "watch"]
+
+ - apiGroups: ["networking.k8s.io"]
+ resources: ["ingresses"]
+ verbs: ["get", "list", "watch"]
+
 - apiGroups: ["apps"]
 resources: ["deployments", "deployments/status", "replicasets"]
 verbs: ["get", "list", "watch"]
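Review bot: The two added rules grant `get`/`list`/`watch` on `services`, `configmaps` and `ingresses`, and the commit message names the target as the awoooi-executor ClusterRole, so if it is bound cluster-wide the executor identity can read ConfigMaps in every namespace, kube-system included. The drift detector only compares against the manifests under `k8s/`, so a namespaced Role and RoleBinding limited to the namespaces that tree manages would cover the scan with far less exposure. If the scan is a one-shot `kubectl get`, `watch` is not needed and both rules can use `verbs: ["get", "list"]`. The start of the `rules:` list, the role's kind and its binding are outside this hunk, so the effective scope should be confirmed there.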