fix: harden d601 k3s guards

Codex
2026-05-23 16:21:45 +00:00
parent 026a718a24
commit c93fb275c5
14 changed files with 353 additions and 57 deletions
+21 -3
@@ -149,9 +149,27 @@ code_queue_image=""
trap 'code=$?; if [ "$code" -ne 0 ] && [ ! -f "$result_json" ]; then write_result false failed "runner exited with code $code" || true; fi' EXIT
export KUBECONFIG=/etc/rancher/k3s/k3s.yaml
kubectl get nodes >/dev/null
test "$(kubectl get nodes -o jsonpath='{.items[*].metadata.name}')" = "d601"
! kubectl config current-context | grep -Eq 'docker-desktop|desktop-control-plane'
if ! context=$(kubectl config current-context 2>&1); then
echo "d601_native_k3s_guard=blocked reason=context-read-failed detail=$context" >&2
exit 1
fi
if ! server=$(kubectl config view --minify -o 'jsonpath={.clusters[0].cluster.server}' 2>&1); then
echo "d601_native_k3s_guard=blocked reason=server-read-failed detail=$server" >&2
exit 1
fi
if ! nodes=$(kubectl get nodes -o 'jsonpath={range .items[*]}{.metadata.name}{"\n"}{end}' 2>&1); then
echo "d601_native_k3s_guard=blocked reason=nodes-read-failed detail=$nodes" >&2
exit 1
fi
if printf '%s\n%s\n%s\n' "$context" "$server" "$nodes" | grep -Eiq 'docker-desktop|desktop-control-plane|127\.0\.0\.1:11700'; then
echo "d601_native_k3s_guard=refused reason=forbidden-control-plane context=$context server=$server" >&2
exit 1
fi
if ! printf '%s\n' "$nodes" | grep -Fx d601 >/dev/null; then
echo "d601_native_k3s_guard=blocked reason=missing-d601-node nodes=$(printf '%s' "$nodes" | tr '\n' ',')" >&2
exit 1
fi
echo "d601_native_k3s_guard=pass kubeconfig=$KUBECONFIG context=$context server=$server node=d601"
log_json runner_started run_id "$run_id" manifest_commit "$manifest_commit"
kubectl get pipeline/unidesk-dev-namespace-e2e -n unidesk-ci >/dev/null
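Review bot: The forbidden-control-plane check (`grep -Eiq 'docker-desktop|desktop-control-plane|127\.0\.0\.1:11700'`) is a substring deny-list, so an endpoint spelled any other way, such as `localhost:11700` or `[::1]:11700`, falls through to `d601_native_k3s_guard=pass`. Since `KUBECONFIG` is pinned just above the guard, an allow-list is stronger: refuse unless `[ "$server" = "<EXPECTED_K3S_SERVER_URL>" ]` (a placeholder, because the page does not show the expected endpoint). The node check is also looser than the `test "$(kubectl get nodes …)" = "d601"` line it appears to replace, because `grep -Fx d601` accepts any multi-node cluster that merely contains d601; if a single-node cluster is the invariant, use `[ "$nodes" = "d601" ]`. Capturing with `2>&1` folds kubectl stderr warnings into `$context`, `$server` and `$nodes` even on success, and those values are echoed unquoted into the `key=value` log lines, so multi-line or space-containing output can trip the deny-list or break log parsing; capture stdout only and keep stderr separate for the `detail=` field. The surrounding script, including whether `set -e` is active for the bare `kubectl get nodes >/dev/null` ahead of the guard, lies outside this hunk, and the hunk header counts suggest a line or two is not visible here.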