Layer 0 - K8s RBAC:
- k8s/rbac/api-velero-reader.yaml: awoooi-executor SA Velero backup reader
Layer 1 - DB Migration (already executed on 188):
- M-002: approval_records gains approval_level/votes/required_votes
- M-003: alert_event_type ENUM gains 8 new values
Layer 2 - IaC:
- ops/config/service-registry.yaml: stateful tier list for all services (BLOCK/CRITICAL_HITL/STANDARD_HITL/AUTO)
Layer 3 - Python Services:
- service_registry.py: reads the YAML, provides is_blocked/requires_multisig/get_required_votes
- velero_client.py: queries Velero backup age via kubectl, falls back to 999h on failure
- preflight_service.py: pre-flight safety check (decisions Q2/Q4)
Layer 1-M001 - Playbook model:
- playbook.py: adds requires_approval_level/stateful_targets/requires_pre_backup
Layer 4 - Business logic:
- alert_operation_log_repository.py: adds 8 event_types (Guardrail/Pre-flight/MultiSig/Backup)
- auto_repair_service.py: injects the Service Registry Guardrail check (BLOCK → rejected outright)
- webhooks.py: ALERT_RECEIVED provenance record + auto_repair flag Q9 + Langfuse trace_id Q10
- db/models.py: ApprovalRecord synced with the approval_level/votes/required_votes columns
- docker-health-monitor.sh: reworked into a pure sensing layer (all docker restart logic removed)
Layer 5 - Telegram notifications:
- telegram_gateway.py: T1-T6, six new notification methods (Guardrail/Pre-flight/Backup/MultiSig/ChangeApplied)
References: ADR-062 Data Safety Guardrails, ADR-063 Service Registry IaC
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
37 lines
1021 B
YAML
# k8s/rbac/api-velero-reader.yaml
# RBAC for the API Pod to read Velero backup resources
# Sprint 5.1 K-001 / 2026-04-08 Asia/Taipei
# Description: the awoooi-executor ServiceAccount needs to read backup resources in the velero namespace
# Used by the Pre-flight Check to look up the most recent backup time (decision Q7: via kubectl)
# Note: the ServiceAccount name is awoooi-executor (not awoooi-api; confirmed at L0)
# Scope note: a ClusterRole bound through a ClusterRoleBinding grants get/list on
# backups.velero.io in every namespace, not only velero. If reading the velero
# namespace is the only requirement, a namespaced Role plus a RoleBinding in
# velero (with the same ServiceAccount subject) is the narrower grant.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: awoooi-velero-backup-reader
  labels:
    app: awoooi
    component: api
    sprint: "5.1"
rules:
  # Read-only: get/list on Velero Backup objects, no create/delete/patch
  - apiGroups: ["velero.io"]
    resources: ["backups"]
    verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: awoooi-velero-backup-reader
  labels:
    app: awoooi
    component: api
    sprint: "5.1"
subjects:
  # The executor SA in the production namespace is the only subject
  - kind: ServiceAccount
    name: awoooi-executor
    namespace: awoooi-prod
roleRef:
  kind: ClusterRole
  name: awoooi-velero-backup-reader
  apiGroup: rbac.authorization.k8s.io
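The commit message describes velero_client.py as querying Velero backup age via kubectl with a 999h fallback on failure, and preflight_service.py as gating on that age; the RBAC above grants exactly the get/list verbs such a query needs. The following is an added example, written for this page and not the project's own velero_client.py or preflight_service.py. It assumes the list is obtained with `kubectl get backups.velero.io -n velero -o json`, that only backups whose `status.phase` is `Completed` count as usable restore points, and a 24h freshness threshold; the namespace, the function names, the threshold and the sample backup list are assumptions or constructed data, not taken from the page. Any failure (missing kubectl, RBAC denial, timeout, unparseable output) collapses to the 999h value so an unknown backup state fails closed.

```python
"""Pre-flight backup-age check over Velero Backup objects (added example).

Not the project's velero_client.py / preflight_service.py. Assumptions:
backups are listed with `kubectl get backups.velero.io -n velero -o json`
(get/list on backups.velero.io, as granted by the RBAC above), only phase
Completed counts, and any failure maps to the 999h fallback.
"""
import json
import subprocess
from datetime import datetime, timedelta, timezone
from typing import Optional

FALLBACK_AGE_HOURS = 999       # fail closed: unknown backup state reads as 999h old
USABLE_PHASES = {"Completed"}  # Velero phases that represent a restorable backup

# Constructed sample of what `kubectl ... -o json` returns for two backups.
# The newer one is PartiallyFailed, so only the older Completed one counts.
SAMPLE_BACKUP_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "awoooi-prod-20260408"},
         "status": {"phase": "PartiallyFailed",
                    "completionTimestamp": "2026-04-08T02:00:00Z"}},
        {"metadata": {"name": "awoooi-prod-20260407"},
         "status": {"phase": "Completed",
                    "completionTimestamp": "2026-04-07T02:00:00Z"}},
    ],
})
SAMPLE_NOW = datetime(2026, 4, 8, 6, 0, tzinfo=timezone.utc)  # constructed "now"


def _parse_k8s_time(value) -> Optional[datetime]:
    """Kubernetes serialises metav1.Time as RFC 3339 with a trailing Z."""
    try:
        return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except (TypeError, ValueError):
        return None


def newest_completed_backup_age_hours(backup_list_json: str, now: datetime) -> float:
    """Age in hours of the newest Completed backup; FALLBACK_AGE_HOURS if none or unparseable."""
    try:
        items = json.loads(backup_list_json)["items"]
    except (ValueError, KeyError, TypeError):
        return float(FALLBACK_AGE_HOURS)
    newest = None
    for item in items:
        status = item.get("status") or {}
        if status.get("phase") not in USABLE_PHASES:
            continue  # InProgress / Failed / PartiallyFailed are not restore points
        done = _parse_k8s_time(status.get("completionTimestamp"))
        if done and (newest is None or done > newest):
            newest = done
    if newest is None:
        return float(FALLBACK_AGE_HOURS)
    return (now - newest) / timedelta(hours=1)


def kubectl_backup_age_hours(namespace: str = "velero", timeout_s: int = 10) -> float:
    """Live lookup; a missing binary, RBAC denial, timeout or bad exit all fall back to 999h."""
    cmd = ["kubectl", "get", "backups.velero.io", "-n", namespace, "-o", "json"]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True,
                             timeout=timeout_s, check=True).stdout
    except (OSError, subprocess.SubprocessError):
        return float(FALLBACK_AGE_HOURS)
    return newest_completed_backup_age_hours(out, datetime.now(timezone.utc))


def preflight_backup_ok(age_hours: float, max_age_hours: float) -> bool:
    """Pre-flight gate: proceed only when a Completed backup is recent enough."""
    return age_hours <= max_age_hours


def demo(max_age_hours: float = 24.0) -> dict:
    """Run the gate over the constructed sample (no cluster access needed)."""
    age = newest_completed_backup_age_hours(SAMPLE_BACKUP_LIST, SAMPLE_NOW)
    return {"age_hours": age, "ok": preflight_backup_ok(age, max_age_hours)}


if __name__ == "__main__":
    print(demo())  # {'age_hours': 28.0, 'ok': False}
```

The sample deliberately puts the most recent backup in a non-Completed phase: a check that only looks at the newest object's timestamp would report a 4h-old backup and let the change through, while filtering on phase yields 28h and blocks it under a 24h threshold. Because every failure path returns the same 999h value, an operator looking at a rejected pre-flight cannot tell "no backup" from "kubectl is broken" without the log line; recording which branch produced the fallback is worth adding in a real client.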