awoooi/docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md


# IwoooS K8s / ArgoCD Production Manifest Repo-only Inventory

| Item | Value |
| --- | --- |
| Date | 2026-06-14 |
| Status | repo_only_inventory_ready_no_live_cluster_read |
| Tool | scripts/security/k8s-argocd-manifest-inventory.py |
| Snapshot | docs/security/k8s-argocd-manifest-inventory.snapshot.json |
| runtime gate | 0 |

## 1. Purpose

K8s / ArgoCD / production manifests directly affect deployments, replicas, cronjobs, RBAC, NetworkPolicy, Secret metadata, Velero restore, PrometheusRule and public service exposure. An unreviewed change to any of them can produce a bad deployment, an unintended auto-sync, privilege expansion, silenced alerts or a mistaken restore.

This inventory only reads the source files under k8s/awoooi-prod, k8s/argocd, k8s/velero and k8s/monitoring inside the repo and records each file's path, SHA256, top-level `kind:` markers and owner gate gaps. It does not run kubectl, connect to ArgoCD, read the live cluster, apply manifests, sync, or modify secrets.
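
The repo-only scan described above, as an added worked example that is not the project's scripts/security/k8s-argocd-manifest-inventory.py and does not reproduce its snapshot format: it walks four assumed scan roots, hashes every file, and records only `kind:` lines at column 0 as top-level kind markers, so nested kinds under roleRef or subjects are not counted. The group-to-tier mapping and the sample manifests written to a temporary directory are constructed for the example.

```python
"""Added example, not the project's scripts/security/k8s-argocd-manifest-inventory.py.
Repo-only manifest inventory: walks assumed scan roots, records path, SHA256 and
top-level `kind:` markers per file, and never touches kubectl, ArgoCD or a cluster."""
from __future__ import annotations

import hashlib
import re
import tempfile
from pathlib import Path

# Assumed scan groups (repo-relative root -> (group, tier)); the tiering is the
# example's own, chosen to mirror the document's four groups.
SCAN_GROUPS = {
    "k8s/awoooi-prod": ("awoooi_prod", "C0"),
    "k8s/argocd": ("argocd", "C0"),
    "k8s/velero": ("velero", "C0"),
    "k8s/monitoring": ("monitoring", "C1"),
}
YAML_SUFFIXES = {".yaml", ".yml"}
# A top-level kind marker is a `kind:` line at column 0. Nested kinds such as
# `  kind: Role` under roleRef or `- kind: ServiceAccount` under subjects start
# with whitespace or a dash and do not match. Textual marker, not schema validation.
KIND_RE = re.compile(r"^kind:[ \t]*([A-Za-z0-9]+)[ \t]*$", re.MULTILINE)


def top_level_kinds(text: str) -> list[str]:
    """Every top-level kind marker in file order; multi-document files give several."""
    return KIND_RE.findall(text)


def build_inventory(repo_root: Path) -> dict:
    """Repo-only scan of the roots in SCAN_GROUPS; no cluster or ArgoCD access."""
    files = []
    for rel_root, (group, tier) in SCAN_GROUPS.items():
        root = repo_root / rel_root
        if not root.is_dir():
            continue
        for path in sorted(p for p in root.rglob("*") if p.is_file()):
            raw = path.read_bytes()
            is_yaml = path.suffix.lower() in YAML_SUFFIXES
            # Only path, hash and kind markers are kept: for a Secret that is
            # metadata; the data block is never copied into the inventory.
            files.append({
                "path": path.relative_to(repo_root).as_posix(),
                "group": group,
                "tier": tier,
                "sha256": hashlib.sha256(raw).hexdigest(),
                "is_yaml": is_yaml,
                "kinds": top_level_kinds(raw.decode("utf-8", "replace")) if is_yaml else [],
            })
    kind_counts: dict[str, int] = {}
    for entry in files:
        for kind in entry["kinds"]:
            kind_counts[kind] = kind_counts.get(kind, 0) + 1
    return {
        "file_count": len(files),
        "yaml_count": sum(e["is_yaml"] for e in files),
        "supporting_count": sum(not e["is_yaml"] for e in files),
        "c0_count": sum(e["tier"] == "C0" for e in files),
        "c1_count": sum(e["tier"] == "C1" for e in files),
        "kind_marker_count": sum(kind_counts.values()),
        "unique_kind_count": len(kind_counts),
        "kind_counts": dict(sorted(kind_counts.items())),
        # Gate fields are hard-wired to 0: the inventory records gaps and can
        # never close them; only an owner response outside this script does.
        "owner_response_received_count": 0,
        "owner_response_accepted_count": 0,
        "runtime_gate_count": 0,
        "files": files,
    }


# Constructed sample repo (not the real manifests): a multi-document file, nested
# kinds, a non-YAML supporting file and both tiers.
SAMPLE_FILES = {
    "k8s/awoooi-prod/api.yaml": (
        "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: api\n"
        "---\napiVersion: v1\nkind: Service\nmetadata:\n  name: api\n"
    ),
    "k8s/awoooi-prod/rbac.yaml": (
        "apiVersion: rbac.authorization.k8s.io/v1\nkind: RoleBinding\n"
        "metadata:\n  name: api\nroleRef:\n  kind: Role\n  name: api\n"
        "subjects:\n- kind: ServiceAccount\n  name: api\n"
    ),
    "k8s/awoooi-prod/README.md": "# prod manifests\n",
    "k8s/argocd/app.yaml": "apiVersion: argoproj.io/v1alpha1\nkind: Application\n",
    "k8s/monitoring/rules.yml": "apiVersion: monitoring.coreos.com/v1\nkind: PrometheusRule\n",
}


def build_sample_inventory() -> dict:
    """Write the constructed sample repo to a temporary directory and inventory it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel, content in SAMPLE_FILES.items():
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(content, encoding="utf-8")
        return build_inventory(root)
```

Running `build_sample_inventory()` gives 5 files (4 YAML, 1 supporting), 4 C0 and 1 C1, and 5 kind markers: the `kind: Role` and `- kind: ServiceAccount` lines inside the RoleBinding are nested and stay out of the count, which is exactly why the document labels the number a top-level marker count rather than a schema-validated object count. The gate counters are constants in the output on purpose; a later, separately authorised step is the only thing that can change them.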

## 2. Summary

| Metric | Value | Notes |
| --- | --- | --- |
| scan group count | 4 | production, ArgoCD, Velero, monitoring |
| file count | 49 | all source files under the four roots |
| C0 / C1 file count | 36 / 13 | production / ArgoCD / Velero are C0; monitoring is C1 |
| YAML manifest / supporting source | 45 / 4 | .yaml / .yml versus README / shell / patch support files |
| unique kind count | 20 | repo-only top-level `kind:` markers |
| top-level kind marker count | 56 | repo markers only, not full schema validation |
| Deployment / CronJob | 5 / 5 | workloads and schedules that affect runtime |
| Secret / RBAC / NetworkPolicy | 6 / 5 / 6 | permission and traffic-control surface |
| Autoscaling / PrometheusRule | 6 / 4 | HPA / VPA and alert rules |
| ArgoCD Application | 1 | k8s/argocd/awoooi-prod-app.yaml |
| owner response received / accepted | 0 / 0 | not yet received, not yet accepted |
| rendered manifest diff / ArgoCD health readback | 0 / 0 | not yet generated or received |
| ArgoCD sync / kubectl action | 0 / 0 | not approved and not executed |
| runtime gate / action button | 0 / 0 | not opened |

## 3. Scan groups

| Group | Tier | Files | YAML | Supporting | Boundary |
| --- | --- | --- | --- | --- | --- |
| awoooi_prod | C0 | 25 | 24 | 1 | production namespace manifests; must not be applied directly from this inventory |
| argocd | C0 | 4 | 3 | 1 | ArgoCD application and metrics exposure; must not be synced directly from this inventory |
| velero | C0 | 7 | 6 | 1 | backup / restore manifests; must not be restored directly from this inventory |
| monitoring | C1 | 13 | 12 | 1 | alert sources and monitoring config; must not be reloaded directly from this inventory |

## 4. Required owner fields

Any candidate production manifest change, ArgoCD sync, kubectl action, secret metadata change, Velero restore or monitoring rule reload must carry at least:

  1. owner_role_or_team
  2. decision
  3. decision_reason
  4. affected_scope
  5. redacted_evidence_refs
  6. argocd_health_readback_ref
  7. argocd_sync_revision_ref
  8. rollback_revision
  9. followup_owner
  10. maintenance_window
  11. validation_plan

## 5. Evidence gaps

| Gap | Current status |
| --- | --- |
| owner response | 0 |
| rendered manifest diff | 0 |
| ArgoCD health readback | 0 |
| ArgoCD sync revision | 0 |
| kubectl dry-run / server validation plan | 0 |
| rollout blast radius | 0 |
| rollback revision | 0 |
| postcheck metrics | 0 |

## 6. Blocked actions

This inventory must not be used to authorise any of the following actions:

  1. argocd_sync
  2. kubectl_apply
  3. kubectl_patch
  4. kubectl_delete
  5. helm_upgrade
  6. secret_value_collection
  7. live_cluster_write
  8. manual_pod_restart
  9. scale_workload
  10. change_network_policy
  11. change_rbac
  12. restore_backup
  13. open_runtime_gate

## 7. 2026-06-14 Owner Request Draft

docs/security/K8S-ARGOCD-OWNER-REQUEST-DRAFT.md and docs/security/k8s-argocd-owner-request-draft.snapshot.json have been added; they turn the four scan groups into request drafts for manual submission.

The counts are currently fixed at request_draft_count=4, c0_request_draft_count=3, c1_request_draft_count=1, request_field_count=20, required_owner_field_count=11, evidence_gap_count=8, blocked_action_count=13, request_sent_count=0, owner_response_received_count=0, owner_response_accepted_count=0, runtime_gate_count=0.

This artifact only records the required shape of an owner request. It does not mean that a request was sent, a recipient confirmed, an owner response received / accepted, a rendered manifest diff produced, an ArgoCD API read performed, an ArgoCD sync or kubectl action run, the live cluster read, secrets collected, production written or a runtime gate opened.

## 8. Commands

Generate the committed snapshot:

```bash
python3 scripts/security/k8s-argocd-manifest-inventory.py \
  --root . \
  --output docs/security/k8s-argocd-manifest-inventory.snapshot.json \
  --generated-at 2026-06-14T21:05:00+08:00
```

Run the guard:

```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```

## 9. Completion

| Task | Completion | Notes |
| --- | --- | --- |
| repo-only manifest inventory | 100% | 49 source files, 45 YAML manifests and 20 top-level kind markers fixed in the snapshot |
| owner request draft | 100% | 4 request drafts, snapshot, docs and guard added; request sent / received / accepted remain 0 |
| live ArgoCD / K8s readback | 0% | not approved and not executed |
| rendered manifest diff | 0% | not generated |
| ArgoCD sync / kubectl action | 0% | not authorised and not executed |
| runtime gate / production write | 0% | not authorised and not executed |