docs(security): 新增 K8s ArgoCD manifest 清冊 [skip ci]

This commit is contained in:
Your Name
2026-06-14 19:14:12 +08:00
parent 551d814442
commit e8876c453f
10 changed files with 2185 additions and 4 deletions

View File

@@ -26,6 +26,12 @@
此同步只修正長期覆蓋矩陣與變更 Gate 的一致性,不代表 live evidence 已收到,也不代表可執行 `nginx -t`、reload、certbot renew 或 DNS / TLS 變更。
## 1.2 2026-06-14 K8s / ArgoCD manifest repo-only 清冊
已新增 `docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md``docs/security/k8s-argocd-manifest-inventory.snapshot.json`,將 `k8s/awoooi-prod``k8s/argocd``k8s/velero``k8s/monitoring` 轉成 repo-only manifest inventory。
目前固定為 `file_count=49``c0_file_count=36``yaml_manifest_file_count=45``unique_kind_count=20``top_level_kind_marker_count=56``blocked_action_count=13``runtime_gate_count=0`。此 artifact 只補上 K8s / ArgoCD source inventory 的可重跑基線owner request、rendered manifest diff、ArgoCD health readback、ArgoCD sync、kubectl action、live cluster read 與 production write 仍全部未授權。
## 2. 覆蓋摘要
| 指標 | 目前值 | 說明 |

View File

@@ -146,6 +146,8 @@ Nginx 是目前必須最先資安控管的配置,原因是它同時控制公
| P2 | Package / supply-chain baselines | `pnpm-lock.yaml``package.json`、Dockerfiles、inventory snapshots | repo owner | lockfile drift, CVE / license policy, image digest evidence |
| P3 | Runbook / endpoint docs / snapshots | `docs/reference/*``docs/runbooks/*``docs/security/*.snapshot.json` | doc owner | no secret value, stale endpoint flag, owner-reviewed evidence refs |
2026-06-14 P0-20 已新增 `docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md``docs/security/k8s-argocd-manifest-inventory.snapshot.json`,把 K8s / ArgoCD / Velero / monitoring repo source 固定為 `files=49``c0=36``yaml=45``unique_kinds=20``blocked_actions=13` 的只讀清冊。這只是 repo-only manifest inventory不是 live cluster read、ArgoCD API read、ArgoCD sync、kubectl action、Helm upgrade、secret collection、manual pod restart、scale workload、RBAC / NetworkPolicy change、restore backup、production write 或 runtime gate。
## 4. 新增規範
1. 高價值配置必須先分級C0 / C1 / C2 / C3。

View File

@@ -0,0 +1,118 @@
# IwoooS K8s / ArgoCD Production Manifest Repo-only 清冊
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-14 |
| 狀態 | `repo_only_inventory_ready_no_live_cluster_read` |
| 工具 | `scripts/security/k8s-argocd-manifest-inventory.py` |
| Snapshot | `docs/security/k8s-argocd-manifest-inventory.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
K8s / ArgoCD / production manifests 會直接影響部署、replica、cronjob、RBAC、NetworkPolicy、Secret metadata、Velero restore、PrometheusRule 與 public service exposure。這些配置一旦被未審查修改可能造成壞部署、自動同步、權限擴張、告警失效或備援誤操作。
本清冊只讀 repo 內 `k8s/awoooi-prod``k8s/argocd``k8s/velero``k8s/monitoring` source files整理 path、SHA256、top-level `kind:` marker 與 owner gate 缺口。它不做 `kubectl`、不連 ArgoCD、不讀 live cluster、不套用 manifest、不 sync、不改 secret。
## 2. 摘要
| 指標 | 值 | 說明 |
|------|----|------|
| scan group count | `4` | production、ArgoCD、Velero、monitoring |
| file count | `49` | 四個 root 下所有 source files |
| C0 / C1 file count | `36 / 13` | production / ArgoCD / Velero 為 C0monitoring 為 C1 |
| YAML manifest / supporting source | `45 / 4` | `.yaml` / `.yml` 與 README / shell / patch 類支援檔 |
| unique kind count | `20` | repo-only top-level `kind:` marker |
| top-level kind marker count | `56` | 非完整 schema validation只記 repo marker |
| Deployment / CronJob | `5 / 5` | workload 與排程會影響 runtime |
| Secret / RBAC / NetworkPolicy | `6 / 5 / 6` | 權限與流量控管面 |
| Autoscaling / PrometheusRule | `6 / 4` | HPA / VPA 與告警規則 |
| ArgoCD Application | `1` | `k8s/argocd/awoooi-prod-app.yaml` |
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
| rendered manifest diff / ArgoCD health readback | `0 / 0` | 尚未產生或接收 |
| ArgoCD sync / kubectl action | `0 / 0` | 尚未批准且未執行 |
| runtime gate / action button | `0 / 0` | 未開啟 |
## 3. 掃描分組
| Group | Tier | Files | YAML | Supporting | 邊界 |
|-------|------|-------|------|------------|------|
| `awoooi_prod` | `C0` | `25` | `24` | `1` | production namespace manifests不得由清冊直接套用 |
| `argocd` | `C0` | `4` | `3` | `1` | ArgoCD application 與 metrics exposure不得由清冊直接 sync |
| `velero` | `C0` | `7` | `6` | `1` | backup / restore manifests不得由清冊直接 restore |
| `monitoring` | `C1` | `13` | `12` | `1` | alert source 與 monitoring config不得由清冊直接 reload |
## 4. Owner 必填欄位
任何 production manifest change、ArgoCD sync、kubectl action、secret metadata 變更、Velero restore 或 monitoring rule reload 候選,都至少要具備:
1. `owner_role_or_team`
2. `decision`
3. `decision_reason`
4. `affected_scope`
5. `redacted_evidence_refs`
6. `argocd_health_readback_ref`
7. `argocd_sync_revision_ref`
8. `rollback_revision`
9. `followup_owner`
10. `maintenance_window`
11. `validation_plan`
## 5. Evidence 缺口
| 缺口 | 目前狀態 |
|------|----------|
| owner response | `0` |
| rendered manifest diff | `0` |
| ArgoCD health readback | `0` |
| ArgoCD sync revision | `0` |
| kubectl dry-run / server validation plan | `0` |
| rollout blast radius | `0` |
| rollback revision | `0` |
| postcheck metrics | `0` |
## 6. 阻擋動作
本清冊不得被用來授權以下動作:
1. `argocd_sync`
2. `kubectl_apply`
3. `kubectl_patch`
4. `kubectl_delete`
5. `helm_upgrade`
6. `secret_value_collection`
7. `live_cluster_write`
8. `manual_pod_restart`
9. `scale_workload`
10. `change_network_policy`
11. `change_rbac`
12. `restore_backup`
13. `open_runtime_gate`
## 7. 指令
產生 committed snapshot
```bash
python3 scripts/security/k8s-argocd-manifest-inventory.py \
--root . \
--output docs/security/k8s-argocd-manifest-inventory.snapshot.json \
--generated-at 2026-06-14T21:05:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 8. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| repo-only manifest inventory | `100%` | 49 個 source files、45 個 YAML manifest、20 類 top-level kind marker 已固定 |
| owner request draft | `0%` | 尚未把清冊轉成逐 group owner request |
| live ArgoCD / K8s readback | `0%` | 尚未批准且未執行 |
| rendered manifest diff | `0%` | 尚未產生 |
| ArgoCD sync / kubectl action | `0%` | 未授權且未執行 |
| runtime gate / production write | `0%` | 未授權且未執行 |

View File

@@ -7,7 +7,7 @@
| 本階段完成 | 資安供應鏈 contract manifest + Source Control Approval Board + Draft Reconcile Plan + Ref Detail Diff + Ref Truth Classification + Source Control Ref Truth Owner Response 收件包 + GitHub Primary Readiness Gate + GitHub Primary Rollback ADR + GitHub Target Owner Decision Response 收件包 + Gitea 認證清冊匯出請求 + Gitea 認證清冊匯入驗收契約 + Gitea 清冊覆蓋 Owner Attestation + Gitea Owner Attestation Approval Lane 對齊 + Gitea Owner Attestation Response 收件包 + Workflow / Secret Name Inventory + Workflow / Secret Name Local Evidence + Workflow / Secret Name Redacted Export Request + Workflow / Secret Name Owner Response 收件包 + Source Control Owner Response Validation Rollup + Kali 112 live integration status + Security Finding contract + Kali scan scope approval package + Security Approval Queue + S3 人工批准 Gate + S3 人工決策紀錄 + S3 人工審查封包 + S3 人工決策狀態轉移 + S3 後續 runtime gate 準備契約 + 鏡像 readiness index + 鏡像接收計畫 + 鏡像事件信封 + 鏡像路由矩陣 + 鏡像驗收契約 + 鏡像隔離契約 + 鏡像 dry-run 報告契約 + 鏡像狀態彙整契約 + IwoooS 前端態勢入口 + IwoooS posture projection contract + IwoooS 既有前端資安頁面整合 + IwoooS 覆蓋與邊界矩陣 + IwoooS 只讀資安處理旅程 + IwoooS owner evidence readiness board + IwoooS host coverage view + IwoooS host action gate matrix + IwoooS host evidence readiness board + IwoooS host evidence collection order + IwoooS host evidence intake preflight + IwoooS host evidence review outcome lanes + IwoooS host evidence review handoff packets + IwoooS host evidence reviewer checklist + IwoooS host evidence reviewer outcome lanes + IwoooS host owner decision candidate packets + IwoooS host owner decision review checklist + IwoooS host owner decision review outcome lanes + IwoooS host owner decision record draft packets + IwoooS host owner decision record draft review checklist + IwoooS host owner decision record draft review outcome lanes + IwoooS host owner decision record write-up packets + IwoooS host owner decision record write-up review checklist + IwoooS host owner decision record write-up review outcome lanes + IwoooS host owner decision record formal candidate packets + IwoooS host owner decision record formal candidate review checklist + IwoooS host owner decision record formal candidate review outcome lanes + IwoooS host owner decision record formal record queue packets + IwoooS host owner decision record formal record queue review checklist + IwoooS host owner decision record formal record queue review outcome lanes + IwoooS host owner decision record human handoff readiness packets + IwoooS host owner decision record human handoff readiness review checklist + IwoooS host owner decision record human handoff readiness review outcome lanes + IwoooS host owner decision record human record owner review candidate packets + IwoooS host owner decision record human record owner review candidate checklist + IwoooS host owner decision record human record owner review candidate outcome lanes + IwoooS host owner decision record human record owner review preparation packets + IwoooS host owner decision record human record owner review preparation checklist + IwoooS progress acceleration lanes + IwoooS owner response next-action focus + IwoooS S4.9 owner response preflight + IwoooS S4.9 owner response request templates + IwoooS progress hold movement gates + IwoooS AwoooP read-only landing readiness + IwoooS AwoooP cross-session handoff packets + AwoooP 首頁 IwoooS 資安鏡像候選 + AwoooP 工作鏈路 IwoooS 資安鏡像候選 + AwoooP 審批佇列 IwoooS owner response 只讀焦點 |
| 本階段追加 | AwoooP 合約儀表板 IwoooS 資安契約只讀候選 + AwoooP 租戶管理 IwoooS 資安租戶範圍只讀候選 + AwoooP 執行監控 IwoooS 執行狀態只讀候選 + 既有安全 / 合規頁面 IwoooS 只讀反向橋接 + 告警 / 錯誤 / 授權 / 治理頁面 IwoooS 只讀反向橋接 + 稽核 / 工程審查頁面 IwoooS 深色只讀反向橋接 + IwoooS 前端資安頁面連接狀態板 + IwoooS GitHub 主要來源就緒度只讀狀態板 + AwoooP 工作鏈路 GitHub 主要來源就緒度只讀工作項 + AwoooP 合約儀表板 GitHub 主要來源就緒度合約只讀候選 + AwoooP 審批佇列 GitHub 主要來源就緒度審批邊界 + AwoooP 首頁 GitHub 主要來源就緒度只讀摘要 + AwoooP 租戶管理 GitHub 主要來源就緒度租戶範圍 + AwoooP 執行監控 GitHub 主要來源就緒度執行邊界 + IwoooS / AwoooP 資安可視區塊繁體中文呈現防護檢查 + AwoooP 執行詳情 / 審批詳情繁體中文呈現防護檢查 + AwoooP 首頁負責人回覆驗收總覽 + AwoooP 工作鏈路負責人回覆驗收只讀工作項 + AwoooP 合約儀表板負責人回覆驗收契約只讀候選 + AwoooP 審批佇列負責人回覆驗收只讀審查邊界 + AwoooP 租戶管理負責人回覆驗收租戶範圍 + AwoooP 執行監控負責人回覆驗收執行邊界 + AwoooP 執行詳情負責人回覆驗收詳情邊界 + AwoooP 審批決策負責人回覆驗收審批邊界 + IwoooS AwoooP 資安入口覆蓋狀態板 + IwoooS 階段式資安收斂節奏圖 + IwoooS 下一步人工收件作戰板 + IwoooS 人工回覆安全驗收閘道 + IwoooS 人工回覆審查結果分流 + IwoooS 人工決策準備佇列 + IwoooS 人工決策紀錄草稿防誤用 + IwoooS 人工決策正式紀錄負責人指派確認準備包 + IwoooS 人工決策正式紀錄負責人指派確認清單 + IwoooS 人工決策正式紀錄負責人指派確認結果分流 + IwoooS 人工決策正式紀錄負責人指派決策準備包 + IwoooS 人工決策正式紀錄負責人指派決策檢查清單 + IwoooS S4.9 負責人回覆封套欄位 + IwoooS S4.9 負責人回覆封套送件前檢查 + IwoooS S4.9 負責人回覆封套送件前結果分流 + IwoooS S4.9 負責人回覆送件請求草稿 + IwoooS S4.9 負責人回覆送件鏈路摘要 + IwoooS 低摩擦分階段收斂主控 + IwoooS 低摩擦下一步行動邊界 + IwoooS 64% 進度移動訊號驗收條 + IwoooS 第一個進度解鎖路徑 + IwoooS 第一解鎖證據包 + IwoooS 第一解鎖證據包預檢分流 + IwoooS 第一解鎖證據包補件路徑 + IwoooS 第一解鎖證據包補件送審前檢查 + IwoooS 第一解鎖證據包補件送審結果分流 + IwoooS 第一解鎖證據包 reviewer 指派準備包 + IwoooS 第一解鎖證據包 reviewer 指派前檢查 + IwoooS 第一解鎖證據包 reviewer 指派前檢查結果分流 + IwoooS 正式只讀 landing 與 Kali 112 只讀證據進度重估 |
| 本階段追加補充 | IwoooS 目前具體工作地圖 + IwoooS 目前具體交付清單 + IwoooS 目前阻塞與解除條件 + IwoooS 三軸進度與全產品套用範圍 + IwoooS 全產品分階段套用台帳 + IwoooS 全產品 rollout 波次驗收門檻 + IwoooS 全產品 rollout 驗收結果分流 + IwoooS 全產品證據接線地圖 + IwoooS 全產品證據接線預檢 + IwoooS 全產品證據接線預檢結果分流 + IwoooS 全產品預檢補件回收台帳 + IwoooS 全產品補件重試門檻 + IwoooS 全產品重試結果分流 + IwoooS 全產品人工審查候選準備 + IwoooS 全產品人工審查候選預檢 + IwoooS 全產品人工審查候選預檢結果分流 + IwoooS 全產品人工審查候選預檢補件回收台帳 + IwoooS 全產品人工審查候選預檢補件重試門檻 + IwoooS 全產品只讀套用快照 + P2-145 owner response acceptance gate 正式驗證完成 |
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**``scripts/ops/**/*cert*``scripts/ops/**/*tls*`sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0Owner Packet snapshot 已同步為 `packets=3 / c0=2`Coverage snapshot 已同步最新 patternsIwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` successIwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`DNS / TLS / certbot Owner Confirmation Request 已新增 `requests=4 / c0=4 / fields=9 / questions=5 / guards=12 / received=0 / accepted=0`owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
| P0 追加 | IwoooS P0 配置控管優先序前台正式驗證完成Nginx public gateway、DNS / TLS / certbot、K8s / ArgoCD / production manifests、Workflow / runner / secret metadata、Public / admin / API runtime config、agent-bounty runtime / treasury 六類先列為即時風險配置;高價值配置 Gate 已補上 `k8s/nginx/**``scripts/ops/**/*cert*``scripts/ops/**/*tls*`sample 從 `matched=0 / C0=0` 收斂到 `matched=3 / C0=2`Gate 預設工作樹 preflight 已可讀取 staged / unstaged / untracked本地 smoke 對臨時 `k8s/nginx/*` 檔命中 C0Owner Packet snapshot 已同步為 `packets=3 / c0=2`Coverage snapshot 已同步最新 patternsIwoooS / AwoooP 前台 Owner Packet 摘要已正式驗證 `packet=3 / c0=2`feature commit `e999c16b`、deploy marker `16c6b983`、Gitea code-review `2973` / CD `2972` successIwoooS posture projection snapshot / schema / guard 已同步 `packet=3 / c0=2`,不再保留舊 `1 / 0` 口徑;高價值配置 Owner Packet 收件預檢已新增 `checks=9 / lanes=5 / required_fields=27 / blocked_requests=16`;高價值配置 Owner Request 草稿包已新增 `drafts=3 / handoff_fields=11 / forbidden_payloads=12 / sent=0`Public Gateway live conf 匯出請求包已新增 `requests=3 / c0=2 / redaction_rules=8 / received=0`Public Gateway redacted export 收件預檢已新增 `candidates=3 / c0=2 / checks=10 / rejection_guards=12 / received=0 / accepted=0`Public Gateway rendered diff / nginx gate 草稿已新增 `candidates=3 / c0=2 / stages=7 / blocked=14 / rendered_diff=0 / runtime=0`DNS / TLS / certbot Owner Confirmation Request 已新增 `requests=4 / c0=4 / fields=9 / questions=5 / guards=12 / received=0 / accepted=0`K8s / ArgoCD manifest repo-only 清冊已新增 `files=49 / c0=36 / yaml=45 / kinds=20 / blocked=13 / runtime=0`owner response / live evidence / runtime gate / action buttons 仍全部為 0 |
| 原則 | 低摩擦分階段文件、schema、read-only evidence 優先;不做 runtime enforcement、不切 primary |
| P0 主控板 | `docs/workplans/2026-06-04-iwooos-security-governance-p0.md` |
@@ -393,6 +393,7 @@ headline 要再往上,需要 S4.9 / S4.10 / S4.11 / S4.12 任一 owner respons
| Public Gateway redacted export 收件預檢 | 本地完成 | `public-gateway-redacted-export-intake-preflight.snapshot.json` 已固定 `intake_candidate_count=3``c0_intake_candidate_count=2``validation_check_count=10``rejection_guard_count=12``reviewer_intake_lane_count=5``redacted_export_received_count=0``accepted_redacted_export_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 intake ids、validation checks、rejection guards、reviewer lanes 與 false flags | 這是 redacted export 收件前預檢,不是 request sent、recipient confirmed、redacted export received / accepted、raw live conf stored、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate不需要 production browser smoke |
| Public Gateway rendered diff / nginx gate 草稿 | 本地完成 | `public-gateway-rendered-diff-gate-draft.snapshot.json` 已固定 `diff_gate_candidate_count=3``c0_diff_gate_candidate_count=2``preflight_stage_count=7``blocked_action_count=14``redacted_export_accepted_count=0``rendered_diff_ready_count=0``nginx_test_executed_count=0``runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 diff gate ids、preflight stages、blocked actions 與 false flags | 這是 rendered diff / nginx / route smoke 分階段 gate 草稿,不是 redacted export accepted、rendered diff ready、`nginx -t`、Nginx reload、route smoke、DNS / TLS probe、certbot renew、host write、production write 或 runtime gate不需要 production browser smoke |
| DNS / TLS / certbot Owner Confirmation Request | 本地完成 | `domain-tls-certbot-owner-confirmation-request.snapshot.json` 已固定 `owner_confirmation_request_count=4``c0_owner_confirmation_request_count=4``required_owner_field_count=9``confirmation_question_count=5``rejection_guard_count=12``owner_response_received_count=0``owner_response_accepted_count=0``runtime_gate_count=0`,並由 `security-mirror-progress-guard.py` 鎖住 request ids、confirmation questions、rejection guards 與 false flags | 這是 SAN / wildcard / 共用憑證覆蓋關係的 owner confirmation request 草稿,不是 request sent、recipient confirmed、owner response received / accepted、DNS query、TLS probe、certbot renew、Nginx reload、route smoke、host write、production write 或 runtime gate不需要 production browser smoke |
| K8s / ArgoCD manifest repo-only 清冊 | 本地完成 | `k8s-argocd-manifest-inventory.snapshot.json` 已固定 `file_count=49``c0_file_count=36``yaml_manifest_file_count=45``unique_kind_count=20``top_level_kind_marker_count=56``required_owner_field_count=11``evidence_gap_count=8``blocked_action_count=13`,並由 `security-mirror-progress-guard.py` 鎖住 group ids、kind counts、blocked actions 與 false flags | 這是 repo-only manifest inventory不是 live cluster read、ArgoCD API read、ArgoCD sync、kubectl apply / patch / delete、Helm upgrade、secret collection、manual pod restart、scale workload、RBAC / NetworkPolicy change、restore backup、production write 或 runtime gate不需要 production browser smoke |
| S3 approval gate | 進行中 | `security_approval_gate_v1` 已建立 8 個人工 gate items7 pending、1 block candidate、0 approved | 不得繞過人工批准;批准後仍需 follow-up runtime gate |
| S3.0 人工批准 Gate 契約 | 完成草案 | 定義批准範圍、決策選項、required reviewers、still forbidden 與 follow-up runtime gate | AwoooP 可記錄決策,不可執行 gate item |
| S3.1 人工決策紀錄契約 | 完成草案 | `security_approval_decision_record_v1` 已建立;目前 0 筆 decision records、0 個 runtime action 授權 | AwoooP 可稽核決策,不可把決策當執行 |

File diff suppressed because it is too large Load Diff