IwoooS K8s / ArgoCD Production Manifest Repo-only Inventory
| Item | Content |
|---|---|
| Date | 2026-06-14 |
| Status | repo_only_inventory_ready_no_live_cluster_read |
| Tool | scripts/security/k8s-argocd-manifest-inventory.py |
| Snapshot | docs/security/k8s-argocd-manifest-inventory.snapshot.json |
| runtime gate | 0 |
1. Purpose
K8s / ArgoCD / production manifests directly affect deployments, replica counts, CronJobs, RBAC, NetworkPolicy, Secret metadata, Velero restore, PrometheusRule and public service exposure. Once these configurations are modified without review, they can cause broken deployments, unintended auto-sync, privilege expansion, silenced alerts or mistaken backup/restore operations.
This inventory reads only the source files under k8s/awoooi-prod, k8s/argocd, k8s/velero and k8s/monitoring inside the repo, and records path, SHA256, top-level `kind:` markers and owner gate gaps. It does not run kubectl, connect to ArgoCD, read the live cluster, apply manifests, sync, or modify secrets.
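The repo-only scan described above, as an added example that is not the project's own scripts/security/k8s-argocd-manifest-inventory.py: it walks the four scan roots, hashes each source file, records only column-0 `kind:` lines as top-level markers (an indented `kind:` such as an HPA's scaleTargetRef is deliberately not counted), classifies C0 / C1 by root, and emits summary counts in the same shape as the summary and scan-group tables. The directory layout, tier mapping and sample manifests are constructed assumptions for this example; nothing here talks to kubectl, ArgoCD or a cluster.

```python
"""Repo-only K8s/ArgoCD manifest inventory (added example, not the project's script)."""
import hashlib
import json
import os
import re
import tempfile
from collections import Counter

# Assumed scan roots -> (group name, tier); mirrors the inventory's four groups.
SCAN_GROUPS = {
    "k8s/awoooi-prod": ("awoooi_prod", "C0"),
    "k8s/argocd": ("argocd", "C0"),
    "k8s/velero": ("velero", "C0"),
    "k8s/monitoring": ("monitoring", "C1"),
}
YAML_EXT = (".yaml", ".yml")
# Only a column-0 "kind:" line counts as a top-level marker; this is not schema validation.
KIND_RE = re.compile(r"^kind:\s*([A-Za-z0-9]+)\s*$")


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def top_level_kinds(path):
    """Return every column-0 'kind:' value in file order (multi-document files yield several)."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return [m.group(1) for m in (KIND_RE.match(line) for line in f) if m]


def inventory(root):
    """Build the repo-only inventory for all scan roots that exist under `root`."""
    files = []
    for rel_root, (group, tier) in SCAN_GROUPS.items():
        abs_root = os.path.join(root, rel_root)
        if not os.path.isdir(abs_root):
            continue  # a missing root is simply absent from the inventory
        for dirpath, _, names in os.walk(abs_root):
            for name in names:
                path = os.path.join(dirpath, name)
                is_yaml = name.lower().endswith(YAML_EXT)
                files.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "group": group, "tier": tier,
                    "sha256": sha256_file(path),
                    "is_yaml_manifest": is_yaml,
                    "kinds": top_level_kinds(path) if is_yaml else [],
                })
    files.sort(key=lambda f: f["path"])
    groups = {}
    for f in files:
        g = groups.setdefault(f["group"], {"tier": f["tier"], "files": 0, "yaml": 0, "supporting": 0})
        g["files"] += 1
        g["yaml" if f["is_yaml_manifest"] else "supporting"] += 1
    kind_counter = Counter(k for f in files for k in f["kinds"])
    return {
        "status": "repo_only_inventory_ready_no_live_cluster_read",
        "runtime_gate": 0,  # an inventory never opens the gate
        "file_count": len(files),
        "yaml_manifest_count": sum(f["is_yaml_manifest"] for f in files),
        "supporting_source_count": sum(not f["is_yaml_manifest"] for f in files),
        "c0_file_count": sum(f["tier"] == "C0" for f in files),
        "c1_file_count": sum(f["tier"] == "C1" for f in files),
        "unique_kind_count": len(kind_counter),
        "top_level_kind_marker_count": sum(kind_counter.values()),
        "kind_counts": dict(sorted(kind_counter.items())),
        "groups": groups,
        "files": files,
    }


# Constructed sample repo: small stand-ins for the real manifests.
SAMPLE_FILES = {
    "k8s/awoooi-prod/api.yaml": (
        "apiVersion: apps/v1\nkind: Deployment\nmetadata:\n  name: api\n"
        "---\napiVersion: v1\nkind: Service\nmetadata:\n  name: api\n"
    ),
    "k8s/awoooi-prod/api-hpa.yaml": (
        "apiVersion: autoscaling/v2\nkind: HorizontalPodAutoscaler\nspec:\n"
        "  scaleTargetRef:\n    kind: Deployment\n    name: api\n"  # nested kind: not a marker
    ),
    "k8s/awoooi-prod/README.md": "# production manifests (constructed sample)\n",
    "k8s/argocd/awoooi-prod-app.yaml": "apiVersion: argoproj.io/v1alpha1\nkind: Application\n",
    "k8s/monitoring/api-alerts.yml": "apiVersion: monitoring.coreos.com/v1\nkind: PrometheusRule\n",
}


def build_sample_repo():
    root = tempfile.mkdtemp()
    for rel, content in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    print(json.dumps(inventory(build_sample_repo()), indent=2))
```

On the constructed sample the result is 5 files (4 YAML, 1 supporting), 4 C0 and 1 C1, and 5 top-level kind markers of 5 distinct kinds; the nested `kind: Deployment` under scaleTargetRef is correctly ignored, which is the difference between a repo marker count and real schema validation.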
2. Summary
| Metric | Value | Notes |
|---|---|---|
| scan group count | 4 | production, ArgoCD, Velero, monitoring |
| file count | 49 | all source files under the four roots |
| C0 / C1 file count | 36 / 13 | production / ArgoCD / Velero are C0; monitoring is C1 |
| YAML manifest / supporting source | 45 / 4 | .yaml / .yml versus README / shell / patch supporting files |
| unique kind count | 20 | repo-only top-level `kind:` markers |
| top-level kind marker count | 56 | not full schema validation; repo markers only |
| Deployment / CronJob | 5 / 5 | workloads and schedules affect runtime |
| Secret / RBAC / NetworkPolicy | 6 / 5 / 6 | permission and traffic-control surface |
| Autoscaling / PrometheusRule | 6 / 4 | HPA / VPA and alerting rules |
| ArgoCD Application | 1 | k8s/argocd/awoooi-prod-app.yaml |
| owner response received / accepted | 0 / 0 | not yet received, not yet accepted |
| rendered manifest diff / ArgoCD health readback | 0 / 0 | not yet generated or received |
| ArgoCD sync / kubectl action | 0 / 0 | not approved and not executed |
| runtime gate / action button | 0 / 0 | not opened |
3. Scan groups
| Group | Tier | Files | YAML | Supporting | Boundary |
|---|---|---|---|---|---|
| awoooi_prod | C0 | 25 | 24 | 1 | production namespace manifests; must not be applied directly from this inventory |
| argocd | C0 | 4 | 3 | 1 | ArgoCD application and metrics exposure; must not be synced directly from this inventory |
| velero | C0 | 7 | 6 | 1 | backup / restore manifests; must not be restored directly from this inventory |
| monitoring | C1 | 13 | 12 | 1 | alert sources and monitoring config; must not be reloaded directly from this inventory |
4. Required owner fields
Any candidate production manifest change, ArgoCD sync, kubectl action, Secret metadata change, Velero restore or monitoring rule reload must carry at least the following fields:
- owner_role_or_team
- decision
- decision_reason
- affected_scope
- redacted_evidence_refs
- argocd_health_readback_ref
- argocd_sync_revision_ref
- rollback_revision
- followup_owner
- maintenance_window
- validation_plan
5. Evidence gaps
| Gap | Current status |
|---|---|
| owner response | 0 |
| rendered manifest diff | 0 |
| ArgoCD health readback | 0 |
| ArgoCD sync revision | 0 |
| kubectl dry-run / server validation plan | 0 |
| rollout blast radius | 0 |
| rollback revision | 0 |
| postcheck metrics | 0 |
6. Blocked actions
This inventory must not be used to authorize any of the following actions:
- argocd_sync
- kubectl_apply
- kubectl_patch
- kubectl_delete
- helm_upgrade
- secret_value_collection
- live_cluster_write
- manual_pod_restart
- scale_workload
- change_network_policy
- change_rbac
- restore_backup
- open_runtime_gate
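The two gates in sections 4 and 6, the required owner fields and the blocked action list, as one added example that is not the project's own security-mirror-progress-guard.py: a request draft is checked for the eleven required fields and for any requested action that this inventory cannot authorize. The function only reports; it never performs an action and always leaves the runtime gate at 0. The dict shape of a request, the `requested_actions` key and both sample requests are constructed assumptions for this example.

```python
"""Owner-request shape check and blocked-action gate (added example, not the project's guard)."""

# Field names from section 4 of the inventory (required_owner_field_count=11).
REQUIRED_OWNER_FIELDS = (
    "owner_role_or_team",
    "decision",
    "decision_reason",
    "affected_scope",
    "redacted_evidence_refs",
    "argocd_health_readback_ref",
    "argocd_sync_revision_ref",
    "rollback_revision",
    "followup_owner",
    "maintenance_window",
    "validation_plan",
)

# Action names from section 6 of the inventory (blocked_action_count=13).
BLOCKED_ACTIONS = frozenset({
    "argocd_sync", "kubectl_apply", "kubectl_patch", "kubectl_delete", "helm_upgrade",
    "secret_value_collection", "live_cluster_write", "manual_pod_restart", "scale_workload",
    "change_network_policy", "change_rbac", "restore_backup", "open_runtime_gate",
})


def _blank(value):
    """A field is blank if absent, an empty/whitespace string, or an empty collection."""
    if value is None:
        return True
    if isinstance(value, str):
        return not value.strip()
    if isinstance(value, (list, tuple, dict, set)):
        return len(value) == 0
    return False


def missing_owner_fields(request):
    """Required fields that are absent or blank, in the order section 4 lists them."""
    return [field for field in REQUIRED_OWNER_FIELDS if _blank(request.get(field))]


def evaluate_request(request):
    """Report whether a request has the required owner shape and names no blocked action.

    This is a shape check only: it validates that fields exist, not that their values are
    good, and it never performs any action or opens the runtime gate.
    """
    requested = set(request.get("requested_actions", ()))  # assumed key, not from the page
    blocked = sorted(requested & BLOCKED_ACTIONS)
    missing = missing_owner_fields(request)
    return {
        "ok": not blocked and not missing,
        "missing_fields": missing,
        "blocked_actions": blocked,
        "runtime_gate": 0,
    }


# Constructed sample: a draft that has every required field and asks only for a review step.
SAMPLE_COMPLETE = {
    "owner_role_or_team": "platform-oncall (constructed)",
    "decision": "review",
    "decision_reason": "replica change in the api Deployment needs owner sign-off",
    "affected_scope": "k8s/awoooi-prod",
    "redacted_evidence_refs": ["inventory-snapshot-sha256-placeholder"],
    "argocd_health_readback_ref": "readback-ref-placeholder",
    "argocd_sync_revision_ref": "sync-revision-placeholder",
    "rollback_revision": "previous-git-revision-placeholder",
    "followup_owner": "platform-oncall",
    "maintenance_window": "2026-06-14 22:00-23:00 +08:00 (constructed)",
    "validation_plan": "owner runs kubectl dry-run, then ArgoCD health readback",
    "requested_actions": ["review_rendered_diff"],
}

# Constructed sample: most fields missing and two actions the inventory must never authorize.
SAMPLE_INCOMPLETE = {
    "owner_role_or_team": "unknown",
    "decision": "approve",
    "decision_reason": "   ",
    "requested_actions": ["argocd_sync", "kubectl_apply", "review_rendered_diff"],
}

if __name__ == "__main__":
    for name, req in (("complete", SAMPLE_COMPLETE), ("incomplete", SAMPLE_INCOMPLETE)):
        print(name, evaluate_request(req))
```

The incomplete draft is rejected twice over: nine of the eleven fields are blank, and it names `argocd_sync` and `kubectl_apply`, both of which stay blocked regardless of how complete the rest of the request is.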
7. 2026-06-14 Owner Request Draft
docs/security/K8S-ARGOCD-OWNER-REQUEST-DRAFT.md and docs/security/k8s-argocd-owner-request-draft.snapshot.json have been added, turning the four scan groups into request drafts ready for manual submission.
The counts are currently fixed at request_draft_count=4, c0_request_draft_count=3, c1_request_draft_count=1, request_field_count=20, required_owner_field_count=11, evidence_gap_count=8, blocked_action_count=13, request_sent_count=0, owner_response_received_count=0, owner_response_accepted_count=0, runtime_gate_count=0.
This artifact only records the required shape of an owner request. It does not mean that a request was sent, a recipient confirmed, an owner response received / accepted, a rendered manifest diff produced, an ArgoCD API read performed, an ArgoCD sync run, a kubectl action taken, the live cluster read, secrets collected, production written, or a runtime gate opened.
8. Commands
Generate the committed snapshot:
```bash
python3 scripts/security/k8s-argocd-manifest-inventory.py \
  --root . \
  --output docs/security/k8s-argocd-manifest-inventory.snapshot.json \
  --generated-at 2026-06-14T21:05:00+08:00
```
Verify the guard:
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
9. Completion
| Task | Completion | Notes |
|---|---|---|
| repo-only manifest inventory | 100% | 49 source files, 45 YAML manifests and 20 top-level kind marker types are fixed |
| owner request draft | 100% | 4 request drafts, snapshot, document and guard added; request sent / received / accepted still 0 |
| live ArgoCD / K8s readback | 0% | not approved and not executed |
| rendered manifest diff | 0% | not yet generated |
| ArgoCD sync / kubectl action | 0% | not authorized and not executed |
| runtime gate / production write | 0% | not authorized and not executed |