docs(security): 新增 K8s ArgoCD manifest 清冊 [skip ci]
This commit is contained in:
@@ -26,6 +26,12 @@
|
||||
|
||||
此同步只修正長期覆蓋矩陣與變更 Gate 的一致性,不代表 live evidence 已收到,也不代表可執行 `nginx -t`、reload、certbot renew 或 DNS / TLS 變更。
|
||||
|
||||
## 1.2 2026-06-14 K8s / ArgoCD manifest repo-only 清冊
|
||||
|
||||
已新增 `docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md` 與 `docs/security/k8s-argocd-manifest-inventory.snapshot.json`,將 `k8s/awoooi-prod`、`k8s/argocd`、`k8s/velero`、`k8s/monitoring` 轉成 repo-only manifest inventory。
|
||||
|
||||
目前固定為 `file_count=49`、`c0_file_count=36`、`yaml_manifest_file_count=45`、`unique_kind_count=20`、`top_level_kind_marker_count=56`、`blocked_action_count=13`、`runtime_gate_count=0`。此 artifact 只補上 K8s / ArgoCD source inventory 的可重跑基線;owner request、rendered manifest diff、ArgoCD health readback、ArgoCD sync、kubectl action、live cluster read 與 production write 仍全部未授權。
|
||||
|
||||
## 2. 覆蓋摘要
|
||||
|
||||
| 指標 | 目前值 | 說明 |
|
||||
|
||||
@@ -146,6 +146,8 @@ Nginx 是目前必須最先資安控管的配置,原因是它同時控制公
|
||||
| P2 | Package / supply-chain baselines | `pnpm-lock.yaml`、`package.json`、Dockerfiles、inventory snapshots | repo owner | lockfile drift, CVE / license policy, image digest evidence |
|
||||
| P3 | Runbook / endpoint docs / snapshots | `docs/reference/*`、`docs/runbooks/*`、`docs/security/*.snapshot.json` | doc owner | no secret value, stale endpoint flag, owner-reviewed evidence refs |
|
||||
|
||||
2026-06-14 P0-20 已新增 `docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md` 與 `docs/security/k8s-argocd-manifest-inventory.snapshot.json`,把 K8s / ArgoCD / Velero / monitoring repo source 固定為 `files=49`、`c0=36`、`yaml=45`、`unique_kinds=20`、`blocked_actions=13` 的只讀清冊。這只是 repo-only manifest inventory,不是 live cluster read、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、secret collection、manual pod restart、scale workload、RBAC / NetworkPolicy change、restore backup、production write 或 runtime gate。
|
||||
|
||||
## 4. 新增規範
|
||||
|
||||
1. 高價值配置必須先分級:C0 / C1 / C2 / C3。
|
||||
|
||||
118
docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md
Normal file
118
docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md
Normal file
@@ -0,0 +1,118 @@
|
||||
# IwoooS K8s / ArgoCD Production Manifest Repo-only 清冊
|
||||
|
||||
| 項目 | 內容 |
|
||||
|------|------|
|
||||
| 日期 | 2026-06-14 |
|
||||
| 狀態 | `repo_only_inventory_ready_no_live_cluster_read` |
|
||||
| 工具 | `scripts/security/k8s-argocd-manifest-inventory.py` |
|
||||
| Snapshot | `docs/security/k8s-argocd-manifest-inventory.snapshot.json` |
|
||||
| runtime gate | `0` |
|
||||
|
||||
## 1. 目的
|
||||
|
||||
K8s / ArgoCD / production manifests 會直接影響部署、replica、cronjob、RBAC、NetworkPolicy、Secret metadata、Velero restore、PrometheusRule 與 public service exposure。這些配置一旦被未審查修改,可能造成壞部署、自動同步、權限擴張、告警失效或備援誤操作。
|
||||
|
||||
本清冊只讀 repo 內 `k8s/awoooi-prod`、`k8s/argocd`、`k8s/velero`、`k8s/monitoring` source files,整理 path、SHA256、top-level `kind:` marker 與 owner gate 缺口。它不做 `kubectl`、不連 ArgoCD、不讀 live cluster、不套用 manifest、不 sync、不改 secret。
|
||||
|
||||
## 2. 摘要
|
||||
|
||||
| 指標 | 值 | 說明 |
|
||||
|------|----|------|
|
||||
| scan group count | `4` | production、ArgoCD、Velero、monitoring |
|
||||
| file count | `49` | 四個 root 下所有 source files |
|
||||
| C0 / C1 file count | `36 / 13` | production / ArgoCD / Velero 為 C0;monitoring 為 C1 |
|
||||
| YAML manifest / supporting source | `45 / 4` | `.yaml` / `.yml` 與 README / shell / patch 類支援檔 |
|
||||
| unique kind count | `20` | repo-only top-level `kind:` marker |
|
||||
| top-level kind marker count | `56` | 非完整 schema validation,只記 repo marker |
|
||||
| Deployment / CronJob | `5 / 5` | workload 與排程會影響 runtime |
|
||||
| Secret / RBAC / NetworkPolicy | `6 / 5 / 6` | 權限與流量控管面 |
|
||||
| Autoscaling / PrometheusRule | `6 / 4` | HPA / VPA 與告警規則 |
|
||||
| ArgoCD Application | `1` | `k8s/argocd/awoooi-prod-app.yaml` |
|
||||
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
|
||||
| rendered manifest diff / ArgoCD health readback | `0 / 0` | 尚未產生或接收 |
|
||||
| ArgoCD sync / kubectl action | `0 / 0` | 尚未批准且未執行 |
|
||||
| runtime gate / action button | `0 / 0` | 未開啟 |
|
||||
|
||||
## 3. 掃描分組
|
||||
|
||||
| Group | Tier | Files | YAML | Supporting | 邊界 |
|
||||
|-------|------|-------|------|------------|------|
|
||||
| `awoooi_prod` | `C0` | `25` | `24` | `1` | production namespace manifests;不得由清冊直接套用 |
|
||||
| `argocd` | `C0` | `4` | `3` | `1` | ArgoCD application 與 metrics exposure;不得由清冊直接 sync |
|
||||
| `velero` | `C0` | `7` | `6` | `1` | backup / restore manifests;不得由清冊直接 restore |
|
||||
| `monitoring` | `C1` | `13` | `12` | `1` | alert source 與 monitoring config;不得由清冊直接 reload |
|
||||
|
||||
## 4. Owner 必填欄位
|
||||
|
||||
任何 production manifest change、ArgoCD sync、kubectl action、secret metadata 變更、Velero restore 或 monitoring rule reload 候選,都至少要具備:
|
||||
|
||||
1. `owner_role_or_team`
|
||||
2. `decision`
|
||||
3. `decision_reason`
|
||||
4. `affected_scope`
|
||||
5. `redacted_evidence_refs`
|
||||
6. `argocd_health_readback_ref`
|
||||
7. `argocd_sync_revision_ref`
|
||||
8. `rollback_revision`
|
||||
9. `followup_owner`
|
||||
10. `maintenance_window`
|
||||
11. `validation_plan`
|
||||
|
||||
## 5. Evidence 缺口
|
||||
|
||||
| 缺口 | 目前狀態 |
|
||||
|------|----------|
|
||||
| owner response | `0` |
|
||||
| rendered manifest diff | `0` |
|
||||
| ArgoCD health readback | `0` |
|
||||
| ArgoCD sync revision | `0` |
|
||||
| kubectl dry-run / server validation plan | `0` |
|
||||
| rollout blast radius | `0` |
|
||||
| rollback revision | `0` |
|
||||
| postcheck metrics | `0` |
|
||||
|
||||
## 6. 阻擋動作
|
||||
|
||||
本清冊不得被用來授權以下動作:
|
||||
|
||||
1. `argocd_sync`
|
||||
2. `kubectl_apply`
|
||||
3. `kubectl_patch`
|
||||
4. `kubectl_delete`
|
||||
5. `helm_upgrade`
|
||||
6. `secret_value_collection`
|
||||
7. `live_cluster_write`
|
||||
8. `manual_pod_restart`
|
||||
9. `scale_workload`
|
||||
10. `change_network_policy`
|
||||
11. `change_rbac`
|
||||
12. `restore_backup`
|
||||
13. `open_runtime_gate`
|
||||
|
||||
## 7. 指令
|
||||
|
||||
產生 committed snapshot:
|
||||
|
||||
```bash
|
||||
python3 scripts/security/k8s-argocd-manifest-inventory.py \
|
||||
--root . \
|
||||
--output docs/security/k8s-argocd-manifest-inventory.snapshot.json \
|
||||
--generated-at 2026-06-14T21:05:00+08:00
|
||||
```
|
||||
|
||||
驗證 guard:
|
||||
|
||||
```bash
|
||||
python3 scripts/security/security-mirror-progress-guard.py --root .
|
||||
```
|
||||
|
||||
## 8. 完成度
|
||||
|
||||
| 工作 | 完成度 | 說明 |
|
||||
|------|--------|------|
|
||||
| repo-only manifest inventory | `100%` | 49 個 source files、45 個 YAML manifest、20 類 top-level kind marker 已固定 |
|
||||
| owner request draft | `0%` | 尚未把清冊轉成逐 group owner request |
|
||||
| live ArgoCD / K8s readback | `0%` | 尚未批准且未執行 |
|
||||
| rendered manifest diff | `0%` | 尚未產生 |
|
||||
| ArgoCD sync / kubectl action | `0%` | 未授權且未執行 |
|
||||
| runtime gate / production write | `0%` | 未授權且未執行 |
|
||||
@@ -7,7 +7,7 @@
|
||||
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
|
||||
| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 |
|
||||
| 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
|
||||
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`;Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`;Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`;Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`;DNS / TLS / certbot Owner Confirmation Request 已新增 `requests=4 / c0=4 / fields=9 / questions=5 / guards=12 / received=0 / accepted=0`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
|
||||
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成;Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**`、`scripts/ops/**/*cert*`、`scripts/ops/**/*tls*`,sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`;Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked,本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0;Owner Packet snapshot 已同步為 `packets=3 / c0=2`,Coverage snapshot 已同步最新 patterns;IwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`,feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` success;IwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`;Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`;Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`;Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`;DNS / TLS / certbot Owner Confirmation Request 已新增 `requests=4 / c0=4 / fields=9 / questions=5 / guards=12 / received=0 / accepted=0`;K8s / ArgoCD manifest repo-only 清冊已新增 `files=49 / c0=36 / yaml=45 / kinds=20 / blocked=13 / runtime=0`;owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
|
||||
| 原則 | 低摩擦分階段;文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
|
||||
| P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` |
|
||||
|
||||
@@ -393,6 +393,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
|
||||
| Public Gateway redacted export 收件預檢 | 本地完成 | `public-gateway-redacted-export-intake-preflight.snapshot.json` 已固定 `intake_candidate_count=3`、`c0_intake_candidate_count=2`、`validation_check_count=10`、`rejection_guard_count=12`、`reviewer_intake_lane_count=5`、`redacted_export_received_count=0`、`accepted_redacted_export_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 intake ids、validation checks、rejection guards、reviewer lanes 與 false flags | 這是 redacted export 收件前預檢,不是 request sent、recipient confirmed、redacted export received / accepted、raw live conf stored、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| Public Gateway rendered diff / nginx gate 草稿 | 本地完成 | `public-gateway-rendered-diff-gate-draft.snapshot.json` 已固定 `diff_gate_candidate_count=3`、`c0_diff_gate_candidate_count=2`、`preflight_stage_count=7`、`blocked_action_count=14`、`redacted_export_accepted_count=0`、`rendered_diff_ready_count=0`、`nginx_test_executed_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 diff gate ids、preflight stages、blocked actions 與 false flags | 這是 rendered diff / nginx / route smoke 分階段 gate 草稿,不是 redacted export accepted、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| DNS / TLS / certbot Owner Confirmation Request | 本地完成 | `domain-tls-certbot-owner-confirmation-request.snapshot.json` 已固定 `owner_confirmation_request_count=4`、`c0_owner_confirmation_request_count=4`、`required_owner_field_count=9`、`confirmation_question_count=5`、`rejection_guard_count=12`、`owner_response_received_count=0`、`owner_response_accepted_count=0`、`runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 request ids、confirmation questions、rejection guards 與 false flags | 這是 SAN / wildcard / 共用憑證覆蓋關係的 owner confirmation request 草稿,不是 request sent、recipient confirmed、owner response received / accepted、DNS query、TLS probe、certbot renew、Nginx reload、route smoke、host write、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| K8s / ArgoCD manifest repo-only 清冊 | 本地完成 | `k8s-argocd-manifest-inventory.snapshot.json` 已固定 `file_count=49`、`c0_file_count=36`、`yaml_manifest_file_count=45`、`unique_kind_count=20`、`top_level_kind_marker_count=56`、`required_owner_field_count=11`、`evidence_gap_count=8`、`blocked_action_count=13`,並由 `security-mirror-progress-guard.py` 鎖住 group ids、kind counts、blocked actions 與 false flags | 這是 repo-only manifest inventory,不是 live cluster read、ArgoCD API read、ArgoCD sync、kubectl apply / patch / delete、Helm upgrade、secret collection、manual pod restart、scale workload、RBAC / NetworkPolicy change、restore backup、production write 或 runtime gate;不需要 production browser smoke |
|
||||
| S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items:7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate |
|
||||
| S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
|
||||
| S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |
|
||||
|
||||
1534
docs/security/k8s-argocd-manifest-inventory.snapshot.json
Normal file
1534
docs/security/k8s-argocd-manifest-inventory.snapshot.json
Normal file
File diff suppressed because it is too large
Load Diff
Reference in New Issue
Block a user