chore(workspace): add hardened startup/security workflows and skill suite
This commit is contained in:
zap
@@ -0,0 +1,46 @@
|
||||
---
|
||||
name: swarm-kubectl-safe
|
||||
description: Safe Kubernetes operations for the homelab cluster using the scoped swarm namespace. Use when deploying, inspecting, debugging, or scaling workloads in namespace swarm while keeping Raspberry Pi resource usage low and avoiding cluster-wide/destructive commands.
|
||||
---
|
||||
|
||||
# Swarm Kubectl Safe
|
||||
|
||||
Use this skill for Kubernetes actions in the shared `swarm` namespace.
|
||||
|
||||
## Defaults
|
||||
|
||||
- Use kubeconfig: `~/.openclaw/credentials/kubeconfig-swarm.yaml`
|
||||
- Use namespace: `swarm`
|
||||
- Prefer lightweight deployments (Pi cluster):
|
||||
- replicas: `1` by default
|
||||
- CPU request: `25m-100m`
|
||||
- Memory request: `64Mi-256Mi`
|
||||
|
||||
## Safe command wrapper
|
||||
|
||||
Use:
|
||||
|
||||
```bash
|
||||
skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh get pods
|
||||
skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh describe pod <name>
|
||||
skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh apply -f <file>
|
||||
```
|
||||
|
||||
The wrapper automatically applies kubeconfig + namespace and blocks obviously dangerous cluster-wide delete operations.
|
||||
|
||||
## Deployment workflow
|
||||
|
||||
1. Inspect current namespace state:
|
||||
- `.../kubectl-swarm.sh get deploy,po,svc,ingress`
|
||||
2. Apply/update manifest with conservative resources.
|
||||
3. Verify rollout:
|
||||
- `.../kubectl-swarm.sh rollout status deploy/<name>`
|
||||
4. Inspect logs/events if unhealthy:
|
||||
- `.../kubectl-swarm.sh logs deploy/<name> --tail=100`
|
||||
- `.../kubectl-swarm.sh get events --sort-by=.lastTimestamp | tail -n 30`
|
||||
|
||||
## Shared-namespace etiquette
|
||||
|
||||
- Use unique, prefixed names (example: `zap-<app>`).
|
||||
- Avoid deleting resources you didn’t create unless explicitly asked.
|
||||
- Prefer `patch`/`rollout restart` over delete/recreate.
|
||||
+27
@@ -0,0 +1,27 @@
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
KUBECONFIG_PATH="${KUBECONFIG_PATH:-$HOME/.openclaw/credentials/kubeconfig-swarm.yaml}"
|
||||
NAMESPACE="${NAMESPACE:-swarm}"
|
||||
|
||||
if [[ ! -f "$KUBECONFIG_PATH" ]]; then
|
||||
echo "Missing kubeconfig: $KUBECONFIG_PATH" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [[ $# -eq 0 ]]; then
|
||||
echo "Usage: $0 <kubectl args...>" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Block clearly dangerous cluster-wide delete attempts unless explicitly overridden.
|
||||
if [[ "${ALLOW_UNSAFE_KUBECTL:-}" != "1" ]]; then
|
||||
if [[ "$1" == "delete" ]]; then
|
||||
if printf '%s\n' "$*" | grep -Eq '(^| )(-A|--all-namespaces)( |$)|\bnamespaces?\b|\bnodes?\b|\bpv\b|\bpersistentvolumes\b'; then
|
||||
echo "Blocked potentially unsafe delete. Set ALLOW_UNSAFE_KUBECTL=1 to override." >&2
|
||||
exit 2
|
||||
fi
|
||||
fi
|
||||
fi
|
||||
|
||||
exec kubectl --kubeconfig "$KUBECONFIG_PATH" -n "$NAMESPACE" "$@"
|
||||
Reference in New Issue
Block a user