Compare commits
5 Commits
auto-updat
...
main
| Author | SHA1 | Date | |
|---|---|---|---|
|
a7aaa3e4a5 | ||
|
|
5f882c7beb | ||
|
|
72cf9902d4 | ||
|
|
a4b2eb8ab9 | ||
|
|
80b7b0a7f7 |
@@ -5,6 +5,7 @@ kind: Kustomization
|
||||
resources:
|
||||
- external-secrets.yaml
|
||||
- storage.yaml
|
||||
- rbac.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: n8n
|
||||
|
||||
71
k8s/apps/n8n/rbac.yaml
Normal file
71
k8s/apps/n8n/rbac.yaml
Normal file
@@ -0,0 +1,71 @@
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRole
|
||||
metadata:
|
||||
name: n8n-readonly
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources:
|
||||
- pods
|
||||
- services
|
||||
- endpoints
|
||||
- persistentvolumeclaims
|
||||
- persistentvolumes
|
||||
- configmaps
|
||||
- secrets
|
||||
- nodes
|
||||
- namespaces
|
||||
- events
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["apps"]
|
||||
resources:
|
||||
- deployments
|
||||
- replicasets
|
||||
- statefulsets
|
||||
- daemonsets
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["networking.k8s.io"]
|
||||
resources:
|
||||
- ingresses
|
||||
- networkpolicies
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["extensions"]
|
||||
resources:
|
||||
- ingresses
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["autoscaling"]
|
||||
resources:
|
||||
- horizontalpodautoscalers
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["batch"]
|
||||
resources:
|
||||
- jobs
|
||||
- cronjobs
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["metrics.k8s.io"]
|
||||
resources:
|
||||
- pods
|
||||
- nodes
|
||||
verbs: ["get", "list"]
|
||||
- apiGroups: ["storage.k8s.io"]
|
||||
resources:
|
||||
- storageclasses
|
||||
verbs: ["get", "list", "watch"]
|
||||
- apiGroups: ["policy"]
|
||||
resources:
|
||||
- poddisruptionbudgets
|
||||
verbs: ["get", "list", "watch"]
|
||||
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: n8n-readonly
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: n8n-readonly
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: n8n-readonly
|
||||
namespace: n8n
|
||||
@@ -18,30 +18,30 @@ main:
|
||||
mountPath: /home/node/.n8n
|
||||
|
||||
podSecurityContext:
|
||||
fsGroup: 1000
|
||||
fsGroupChangePolicy: "OnRootMismatch"
|
||||
runAsUser: 1000
|
||||
runAsGroup: 1000
|
||||
runAsNonRoot: true
|
||||
|
||||
# Configure health probes for slow startup
|
||||
main:
|
||||
livenessProbe:
|
||||
httpGet:
|
||||
path: /healthz
|
||||
port: http
|
||||
initialDelaySeconds: 120 # Дать время на запуск
|
||||
periodSeconds: 30
|
||||
timeoutSeconds: 10
|
||||
failureThreshold: 6
|
||||
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /healthz/readiness
|
||||
port: http
|
||||
initialDelaySeconds: 60
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
failureThreshold: 10
|
||||
|
||||
# Fix NFS permission issues - required for NFS volumes
|
||||
initContainers:
|
||||
- name: fix-permissions
|
||||
image: busybox:1.35
|
||||
command:
|
||||
- sh
|
||||
- -c
|
||||
- |
|
||||
echo "Fixing permissions for NFS volume..."
|
||||
if [ ! -d "/home/node/.n8n" ]; then
|
||||
mkdir -p /home/node/.n8n
|
||||
fi
|
||||
chown -R 1000:1000 /home/node/.n8n
|
||||
chmod -R 775 /home/node/.n8n
|
||||
echo "Permissions fixed: $(ls -ld /home/node/.n8n)"
|
||||
volumeMounts:
|
||||
- name: node-modules
|
||||
mountPath: /home/node/.n8n
|
||||
securityContext:
|
||||
runAsUser: 0
|
||||
runAsGroup: 0
|
||||
|
||||
worker:
|
||||
mode: regular
|
||||
@@ -54,6 +54,12 @@ redis:
|
||||
|
||||
existingEncryptionKeySecret: credentials
|
||||
|
||||
serviceAccount:
|
||||
create: true
|
||||
automount: true
|
||||
annotations: {}
|
||||
name: "n8n-readonly"
|
||||
|
||||
externalPostgresql:
|
||||
existingSecret: credentials
|
||||
host: "psql.psql.svc"
|
||||
|
||||
Reference in New Issue
Block a user