chore(workspace): add hardened startup/security workflows and skill suite
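--- a/skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh
+++ b/skills/swarm-kubectl-safe/scripts/kubectl-swarm.sh
@@ -0,0 +1,27 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+KUBECONFIG_PATH="${KUBECONFIG_PATH:-$HOME/.openclaw/credentials/kubeconfig-swarm.yaml}"
+NAMESPACE="${NAMESPACE:-swarm}"
+
+if [[ ! -f "$KUBECONFIG_PATH" ]]; then
+echo "Missing kubeconfig: $KUBECONFIG_PATH" >&2
+exit 1
+fi
+
+if [[ $# -eq 0 ]]; then
+echo "Usage: $0 <kubectl args...>" >&2
+exit 1
+fi
+
+# Block clearly dangerous cluster-wide delete attempts unless explicitly overridden.
+if [[ "${ALLOW_UNSAFE_KUBECTL:-}" != "1" ]]; then
+if [[ "$1" == "delete" ]]; then
+if printf '%s\n' "$*" | grep -Eq '(^| )(-A|--all-namespaces)( |$)|\bnamespaces?\b|\bnodes?\b|\bpv\b|\bpersistentvolumes\b'; then
+echo "Blocked potentially unsafe delete. Set ALLOW_UNSAFE_KUBECTL=1 to override." >&2
+exit 2
+fi
+fi
+fi
+
+exec kubectl --kubeconfig "$KUBECONFIG_PATH" -n "$NAMESPACE" "$@"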
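Review bot: The delete guard at `if [[ "$1" == "delete" ]]` and the pinned `-n "$NAMESPACE"` on the final `exec` line can both be sidestepped by ordinary argument forms, so the wrapper protects less than its comment suggests. The verb is checked only in `$1`, the regex misses `--all-namespaces=true` and short names such as `ns` and `no`, and a caller-supplied `-n`, `--kubeconfig` or `--context` in `"$@"` comes after the wrapper's own flags and, as far as I know, takes precedence in kubectl. Conversely, `\bnamespaces?\b` also matches a harmless `--namespace swarm`, so legitimate namespaced deletes are blocked. I would scan every argument and refuse overrides of the pinned values, as sketched below. This is still a best-effort denylist (comma-separated resource lists and `-f` manifests are not covered), so the RBAC bound to the kubeconfig credential should be the real limit.

```shell
# … unchanged: strict mode, KUBECONFIG_PATH/NAMESPACE defaults, kubeconfig and usage checks …
if [[ "${ALLOW_UNSAFE_KUBECTL:-}" != "1" ]]; then
  saw_delete=0
  risky=0
  for arg in "$@"; do
    case "$arg" in
      -n | -n?* | --namespace | --namespace=* | --kubeconfig | --kubeconfig=* | --context | --context=*)
        echo "Blocked: $arg would override the pinned kubeconfig/namespace." >&2
        exit 2
        ;;
      delete) saw_delete=1 ;;
      -A | --all-namespaces | --all-namespaces=*) risky=1 ;;
      ns | ns/* | namespace | namespace/* | namespaces | namespaces/*) risky=1 ;;
      no | no/* | node | node/* | nodes | nodes/*) risky=1 ;;
      pv | pv/* | persistentvolume | persistentvolume/* | persistentvolumes | persistentvolumes/*) risky=1 ;;
    esac
  done
  if ((saw_delete && risky)); then
    echo "Blocked potentially unsafe delete. Set ALLOW_UNSAFE_KUBECTL=1 to override." >&2
    exit 2
  fi
fi
# … unchanged: exec kubectl with the pinned kubeconfig and namespace …
```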