FEAT(app): add rbac and kubectl for mcp tools

- ServiceAccount for mas pod
- ClusterRole with read-only permissions
- ClusterRoleBinding
- kubectl installed in Docker image
- The mas pod can now query the Kubernetes API (read-only) via kubectl.
2025-12-24 00:29:14 +09:00
parent e8dbec804b
commit 6196393eb2
3 changed files with 76 additions and 1 deletions


@@ -2,15 +2,21 @@ FROM python:3.11-slim
WORKDIR /app WORKDIR /app
# 시스템 의존성 설치 # 시스템 의존성 설치 (kubectl 포함)
RUN apt-get update && apt-get install -y \ RUN apt-get update && apt-get install -y \
build-essential \ build-essential \
curl \ curl \
git \ git \
libpq-dev \ libpq-dev \
postgresql-client \ postgresql-client \
wget \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# kubectl 설치
RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" \
&& install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl \
&& rm kubectl
# pip 업그레이드 # pip 업그레이드
RUN pip install --no-cache-dir --upgrade pip setuptools wheel RUN pip install --no-cache-dir --upgrade pip setuptools wheel
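Review bot: The kubectl download on the `RUN curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/..."` line is neither pinned nor verified: the version is whatever `stable.txt` says at build time, so two builds of this commit can ship different binaries; `curl` runs without `-f`, so an HTTP error page would be installed as `/usr/local/bin/kubectl` with mode 0755; and the `.sha256` that dl.k8s.io publishes next to the binary is never checked. Pin the version with a build `ARG` and verify the checksum before `install`, as sketched below. The `wget \` added to the apt list is not used anywhere in this hunk (the fetch uses curl), so it can be dropped, and `--no-install-recommends` would keep the added tooling minimal. The rest of the Dockerfile, including whether a non-root `USER` is set before the container runs kubectl with the mounted service-account token, is outside this hunk.
```dockerfile
# … unchanged: apt-get install of build deps (wget not needed; curl does the fetch) …
ARG KUBECTL_VERSION   # pin to the cluster's server version, e.g. --build-arg KUBECTL_VERSION=v1.31.x
RUN curl -fsSLo kubectl "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl" \
 && curl -fsSLo kubectl.sha256 "https://dl.k8s.io/release/${KUBECTL_VERSION}/bin/linux/amd64/kubectl.sha256" \
 && echo "$(cat kubectl.sha256)  kubectl" | sha256sum --check \
 && install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl \
 && rm kubectl kubectl.sha256
```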


@@ -15,6 +15,7 @@ spec:
labels: labels:
app: mas app: mas
spec: spec:
serviceAccountName: mas
containers: containers:
- name: mas - name: mas
image: gitea0213.kro.kr/bluemayne/mas:latest image: gitea0213.kro.kr/bluemayne/mas:latest


@@ -0,0 +1,68 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: mas
namespace: mas
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: mas-viewer
rules:
# Read-only access to most resources
- apiGroups: [""]
resources:
- pods
- pods/log
- services
- endpoints
- namespaces
- nodes
- persistentvolumeclaims
- configmaps
verbs: ["get", "list", "watch"]
- apiGroups: ["apps"]
resources:
- deployments
- statefulsets
- daemonsets
- replicasets
verbs: ["get", "list", "watch"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["get", "list", "watch"]
- apiGroups: ["networking.k8s.io"]
resources:
- ingresses
verbs: ["get", "list", "watch"]
- apiGroups: ["argoproj.io"]
resources:
- applications
verbs: ["get", "list", "watch"]
# Describe resources
- apiGroups: [""]
resources:
- pods/status
- services/status
verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: mas-viewer-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: mas-viewer
subjects:
- kind: ServiceAccount
name: mas
namespace: mas
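Review bot: Because `mas-viewer` is granted through a ClusterRoleBinding, the `configmaps` and `pods/log` entries in the first rule let the mas service account read every ConfigMap and every container log in every namespace; both routinely contain credentials and other sensitive data, and since this token drives LLM-invoked MCP tools (per the commit message) that is a wide read surface reachable from a single prompt. Keep the ClusterRole for the genuinely cluster-scoped reads (`nodes`, `namespaces`) and the fleet-wide workload view, but move `configmaps` (and `pods/log` if feasible) into a namespaced Role + RoleBinding for each namespace mas actually needs, as sketched below. Separately, the `# Describe resources` rule does not do what the comment says: `kubectl describe` fetches events through a separate list on `events`, which this role never grants, so the Events section will be missing, while `get` on the `pods/status` and `services/status` subresources is not needed for describe; replace that rule with `- apiGroups: ["", "events.k8s.io"]` / `resources: ["events"]` / `verbs: ["get", "list", "watch"]`. `secrets` are correctly absent — a one-line comment stating that is deliberate would stop a future "add secrets for convenience" change.
```yaml
# … unchanged: ServiceAccount; ClusterRole mas-viewer with configmaps removed from the core rule
#   and the status-subresource rule replaced by an events rule; ClusterRoleBinding …
---
# Namespaced ConfigMap access; repeat for each namespace mas must inspect
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: mas-configmap-reader
  namespace: mas
rules:
- apiGroups: [""]
  resources: ["configmaps"]
  verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: mas-configmap-reader-binding
  namespace: mas
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: mas-configmap-reader
subjects:
- kind: ServiceAccount
  name: mas
  namespace: mas
```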