# K8s / ArgoCD 事故後回讀計畫 > 狀態:只讀計畫完成,等待 GitOps / K8s owner 提供脫敏事故回讀包。 > 範圍:K8s production manifests、ArgoCD、Velero、monitoring manifests。 > 邊界:本文件不是 ArgoCD API read、sync、rollback、`kubectl`、Helm、Kustomize、NetworkPolicy / NodePort / RBAC 變更、route smoke、secret 收集、production write 或 runtime gate。 ## 1. 為什麼新增這一層 `k8s_argocd_change_evidence_acceptance_v1` 已經定義 proposed commit、rendered manifest diff、ArgoCD app / sync revision、health before / after、rollout、route smoke、metrics / alert、secret metadata parity、blast radius、maintenance window、rollback revision 與 post-check owner 的收件規則。 本輪再補 `k8s_argocd_post_incident_readback_plan_v1`,原因是事故中可能同時出現: - ArgoCD 顯示 `Synced / Degraded`,但服務局部仍未恢復。 - Pod、Job 或 CronJob 持續 `Pending`,可能卡在 image pull、scheduling、quota、node、PVC 或 RBAC。 - drift-scanner、備份排程、監控告警與 public / admin route 互相影響。 - CD success、deploy marker、route 200、Pod Running 或 UI 可見被誤讀成資安驗收完成。 因此這一層只建立事故後回讀欄位、reviewer checks、結果分流與禁止動作,讓 owner evidence 可以被低摩擦收件;在 reviewer record 出現前,所有 accepted / runtime count 必須維持 `0`。 ## 2. 固定摘要 | 欄位 | 值 | |------|----| | schema | `k8s_argocd_post_incident_readback_plan_v1` | | 來源 schema | `k8s_argocd_change_evidence_acceptance_v1` | | readback candidates | `4` | | C0 candidates | `3` | | C1 candidates | `1` | | write-capable candidates | `4` | | source manifest files | `49` | | source YAML manifest files | `45` | | source C0 files | `36` | | Deployment objects | `5` | | CronJob objects | `5` | | Secret objects | `6` | | NetworkPolicy objects | `6` | | RBAC objects | `5` | | ArgoCD Application objects | `1` | | PrometheusRule objects | `4` | | readback fields | `36` | | required readback fields | `31` | | reviewer checks | `28` | | outcome lanes | `10` | | blocked actions | `41` | | coverage after plan | `66%` | | post-incident readback received / accepted | `0 / 0` | | runtime gate | `0` | | action buttons | `0` | ## 3. Readback candidates | Candidate | Scope | |-----------|-------| | `k8s_argocd_post_incident_readback:awoooi_prod` | AWOOOI production manifests、Deployment、Service、NetworkPolicy、Secret metadata、route 與 rollout 影響 | | `k8s_argocd_post_incident_readback:argocd` | ArgoCD Application、sync / health、revision、degraded 狀態與 rollback evidence | | `k8s_argocd_post_incident_readback:velero` | Velero、backup / restore、CronJob / schedule、PVC / object storage 與 DR 影響 | | `k8s_argocd_post_incident_readback:monitoring` | PrometheusRule、monitoring manifests、alert health、drift-scanner 與 receiver route 影響 | ## 4. 必填事故後回讀欄位 1. `k8s_incident_or_change_ref` 2. `actor_attribution_ref` 3. `argocd_app_health_ref` 4. `argocd_sync_status_ref` 5. `degraded_state_ref` 6. `pending_workload_ref` 7. `image_pull_or_scheduling_ref` 8. `rollout_before_ref` 9. `rollout_after_ref` 10. `event_summary_ref` 11. `metrics_alert_ref` 12. `drift_scanner_ref` 13. `cronjob_schedule_ref` 14. `secret_metadata_parity_ref` 15. `network_policy_service_impact_ref` 16. `rbac_serviceaccount_impact_ref` 17. `public_admin_route_impact_ref` 18. `ai_provider_monitoring_impact_ref` 19. `operator_notification_ref` 20. `cross_project_sync_ref` 21. `recovery_or_still_degraded_ref` 22. `postcheck_readback_ref` 23. `recurrence_guard_ref` 24. `maintenance_window` 25. `rollback_revision` 26. `rollback_owner` 27. `followup_owner` 28. `redacted_evidence_refs` 29. `no_secret_value_attestation` 30. `no_raw_manifest_or_kubeconfig_attestation` 31. `no_false_green_attestation` ## 5. Reviewer checks Reviewer 必須確認: - incident / change / deploy marker ref 可追溯。 - actor role / team 可追溯,不能接受匿名 sync、rollback、kubectl、Helm、rollout 或 image 變更。 - ArgoCD sync status、health status、revision 與 degraded state 有脫敏 ref。 - Pending workload 已回讀 image pull、scheduling、quota、node、PVC、RBAC 或其他原因摘要。 - rollout before / after、event summary、metrics / alert、drift-scanner、CronJob schedule 與 route / AI provider / monitoring 影響可讀。 - Secret 只提供 metadata parity,不含 value、hash、partial token、DSN、cookie 或 kubeconfig。 - NetworkPolicy、Service、Ingress、NodePort、RBAC、ServiceAccount 影響已列清楚。 - post-check 獨立於原操作人與 UI 卡片。 - recurrence guard、maintenance window、rollback revision、rollback owner 與 followup owner 可追溯。 - 不用 route 200、Pod Running、ArgoCD Synced、CD success、dashboard up 或 UI 可見當作事故驗收。 ## 6. Outcome lanes | Lane | 意義 | |------|------| | `waiting_post_incident_readback` | 尚未收到 K8s / ArgoCD 事故回讀包;所有 accepted / runtime count 維持 0 | | `request_actor_or_revision_supplement` | 缺 actor、deploy marker、ArgoCD revision 或 rollback revision 時要求補件 | | `request_degraded_pending_supplement` | 缺 Degraded / Pending / image pull / scheduling / rollout before-after 時要求補件 | | `request_event_metric_supplement` | 缺 event summary、metrics、alert、drift scanner 或 CronJob schedule 時要求補件 | | `request_route_dependency_supplement` | 缺 route、AI provider、monitoring、backup / restore、network / RBAC 影響時要求補件 | | `quarantine_raw_payload` | 收到 Secret value、kubeconfig、raw manifest、raw log、raw event 或未脫敏截圖時隔離 | | `reject_runtime_claim` | 把 CD success、ArgoCD Synced、route 200、Pod Running 或 UI 可見當驗收時拒收 | | `ready_for_k8s_post_incident_review` | metadata 合格後,只能進 reviewer review | | `recurrence_guard_backfill_required` | 需補防再發 guard、owner review、change freeze 或 automation block | | `waiting_runtime_gate` | 即使 readback accepted,runtime gate 仍需獨立人工批准 | ## 7. 禁止動作 本計畫固定 `blocked_actions=41`。其中包含: - `argocd_api_read`、`argocd_sync`、`argocd_rollback` - `live_cluster_read`、`kubectl_get_live`、`kubectl_apply`、`kubectl_patch`、`kubectl_delete`、`kubectl_rollout_restart`、`kubectl_scale` - `helm_upgrade`、`helm_rollback`、`kustomize_image_set` - `change_network_policy`、`change_nodeport`、`change_service_type`、`change_ingress_route`、`change_rbac`、`change_serviceaccount` - `change_configmap_runtime`、`change_secret_metadata` - `secret_value_collection`、`kubeconfig_collection`、`raw_manifest_storage`、`raw_event_dump_storage`、`raw_pod_log_storage`、`raw_secret_storage` - `velero_restore`、`restore_backup`、`prometheus_rule_apply`、`alertmanager_reload` - `route_smoke`、`production_write` - `accept_synced_as_healthy`、`accept_route_200_as_all_green`、`accept_pod_running_as_all_green`、`accept_cd_success_as_security_acceptance` - `skip_degraded_pending_review`、`mark_readback_accepted_without_reviewer_record`、`open_runtime_gate`、`add_action_button` ## 8. 下一步 下一步只能收 GitOps / K8s owner 提供的脫敏事故回讀包,欄位至少包含: - incident / change / deploy marker ref - actor role / team - ArgoCD sync / health / revision 摘要 - Degraded / Pending / image pull / scheduling 摘要 - rollout before / after - event summary、metrics / alert、drift scanner、CronJob schedule - NetworkPolicy / Service / Ingress / NodePort / RBAC / ServiceAccount 影響 - public / admin route、AI provider、monitoring、backup / restore 影響 - operator notification 與 cross-project sync ref - recovery 或 still-degraded ref - post-check、recurrence guard、maintenance window、rollback revision、rollback owner、followup owner - no-secret-value、no-raw-manifest-or-kubeconfig、no-false-green attestation 在 reviewer record 前,`post_incident_readback_received_count=0`、`post_incident_readback_accepted_count=0`、`runtime_gate_count=0`、`action_button_count=0` 必須維持不變。