Files
awoooi/docs/security/SSH-NETWORK-OWNER-RESPONSE-ACCEPTANCE.md
Your Name 33b4608117
All checks were successful
Code Review / ai-code-review (push) Successful in 14s
CD Pipeline / tests (push) Successful in 1m31s
CD Pipeline / build-and-deploy (push) Successful in 4m13s
CD Pipeline / post-deploy-checks (push) Successful in 2m2s
fix(iwooos): 新增 ssh network owner acceptance ledger
2026-06-14 21:52:13 +08:00

141 lines
8.0 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS SSH / Firewall / Network Access Owner Response Acceptance
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-15 |
| 狀態 | `owner_response_acceptance_ledger_ready_no_runtime_action` |
| 工具 | `scripts/security/ssh-network-owner-response-acceptance.py` |
| Snapshot | `docs/security/ssh-network-owner-response-acceptance.snapshot.json` |
| Source inventory | `docs/security/ssh-network-access-inventory.snapshot.json` |
| Source owner request | `docs/security/ssh-network-owner-request-draft.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
本文件承接 SSH / network access repo-only 清冊與 owner request draft把 16 個 surface 轉成 owner response acceptance 只讀帳本。它定義收到 owner 回覆後必須如何做欄位完整性、脫敏證據、live access state、allowed source CIDR、host key pinning、port impact、firewall owner、NetworkPolicy / NodePort、WireGuard cutover、維護窗口、rollback 與 validation plan 檢查。
這不是 SSH 授權、不是 host keyscan、不是 known_hosts patch、不是 firewall / port change、不是 NetworkPolicy apply、不是 NodePort change、不是 WireGuard cutover也不是 runtime gate。
## 2. 摘要
| 指標 | 目前值 | 說明 |
|------|--------|------|
| acceptance candidate | `16` | 每個 SSH / network request draft 一份 acceptance candidate |
| write-capable acceptance candidate | `6` | CI deploy SSH、monitoring deploy、sudoers、alert action catalog |
| live evidence required candidate | `16` | 全部都需 owner 提供脫敏 live access evidence |
| acceptance field | `29` | acceptance 欄位總數 |
| required owner field | `13` | owner 必填欄位,沿用 request draft |
| reviewer check | `15` | owner、scope、secret、CIDR、host key、port impact、firewall、NetworkPolicy、WireGuard、rollback 檢查 |
| outcome lane | `7` | waiting、quarantine、reject、supplement、review、ledger-only、runtime gate |
| blocked action | `22` | SSH、keyscan、known_hosts、firewall、port、NetworkPolicy、NodePort、WireGuard、sudo、secret、active scan、runtime gate 等 |
| request sent / recipient confirmed | `0 / 0` | 尚未送件 |
| owner response received / accepted | `0 / 0` | 尚未收到或驗收 |
| live evidence received | `0` | 不 SSH、不 keyscan、不讀 live firewall |
| runtime gate / action button | `0 / 0` | 不提供操作入口 |
## 3. Acceptance Candidate 範圍
| Candidate | 類型 | 範圍 | 驗收焦點 |
|-----------|------|------|----------|
| `ssh_network_owner_response_acceptance:ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | host owner、pinned known_hosts、ProxyJump、key owner |
| `ssh_network_owner_response_acceptance:ansible_common_ssh_args` | SSH client policy | `multi_host` | `accept-new` 是否只限 bootstrap |
| `ssh_network_owner_response_acceptance:gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | known_hosts secret metadata、缺 120 處置、key rotation owner |
| `ssh_network_owner_response_acceptance:gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | deploy SSH host owner、rollback、break-glass |
| `ssh_network_owner_response_acceptance:gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | dev/prod 邊界、deploy key scope、host key policy |
| `ssh_network_owner_response_acceptance:deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | alert deploy owner、known_hosts pinning、通知路徑 |
| `ssh_network_owner_response_acceptance:monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | read-only window、輸出脫敏、失敗處置 |
| `ssh_network_owner_response_acceptance:monitoring_exporter_deploy_ssh` | monitoring SSH deploy | `192.168.0.188` | exporter deploy owner、maintenance window、post-check |
| `ssh_network_owner_response_acceptance:backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | backup execution owner、secret redaction、restore validation |
| `ssh_network_owner_response_acceptance:host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | live sudoers hash、visudo validation、forbidden command proof |
| `ssh_network_owner_response_acceptance:k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | ingress / egress owner、live policy diff、route smoke |
| `ssh_network_owner_response_acceptance:argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | Prometheus scrape owner、NodePort exposure owner |
| `ssh_network_owner_response_acceptance:argocd_metrics_nodeport` | K8s NodePort | `argocd_nodeport_30882_30883` | NodePort exposure owner、firewall owner、source whitelist |
| `ssh_network_owner_response_acceptance:velero_metrics_nodeport` | K8s NodePort | `velero_nodeport_30885` | backup metrics exposure、firewall owner |
| `ssh_network_owner_response_acceptance:wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | WireGuard owner、firewall rule owner、canary / rollback |
| `ssh_network_owner_response_acceptance:alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | action owner、read/write/admin 分級、cooldown、post-check |
## 4. Reviewer Checks
1. `owner_identity_present`
2. `decision_reason_present`
3. `affected_scope_matches_surface`
4. `redacted_refs_only`
5. `secret_or_key_value_absent`
6. `live_access_state_metadata_only`
7. `allowed_source_cidr_metadata_only`
8. `host_key_pinning_shape`
9. `port_impact_review`
10. `firewall_owner_present`
11. `network_policy_nodeport_review`
12. `wireguard_cutover_separate_gate`
13. `maintenance_window_present`
14. `rollback_validation_present`
15. `counts_transition_safe`
## 5. Outcome Lanes
| Lane | 說明 |
|------|------|
| `waiting_owner_response` | 尚未收到 owner response所有 accepted / runtime count 維持 0 |
| `quarantine_raw_payload` | 收到 raw firewall dump、SSH key、private key、token 或不可保存內容時只能隔離 |
| `reject_secret_or_key_value` | 出現 secret value、key material、credential derivative 或未脫敏 payload 時直接拒收 |
| `request_supplement` | 欄位不足、scope 不清、CIDR / owner / rollback / validation 缺失時要求補件 |
| `ready_for_network_review` | metadata 合格後,只能進 network / firewall reviewer review |
| `owner_review_only_update` | 只允許更新只讀 owner review ledger不得改 port、firewall、known_hosts 或 policy |
| `waiting_runtime_gate` | 即使 owner response acceptedruntime gate 仍等待獨立人工批准 |
## 6. 禁止動作
1. `ssh_read`
2. `ssh_write`
3. `host_keyscan`
4. `known_hosts_patch`
5. `firewall_change`
6. `port_close`
7. `port_open`
8. `network_policy_apply`
9. `nodeport_change`
10. `wireguard_change`
11. `sudo_action`
12. `deploy_ssh_action`
13. `secret_value_collection`
14. `ssh_key_collection`
15. `active_scan`
16. `runtime_gate_open`
17. `live_firewall_read`
18. `live_sudoers_read`
19. `raw_key_material_storage`
20. `raw_firewall_dump_storage`
21. `mark_owner_response_accepted_without_reviewer_record`
22. `add_action_button`
## 7. 指令
產生 committed snapshot
```bash
python3 scripts/security/ssh-network-owner-response-acceptance.py \
--root . \
--inventory-report docs/security/ssh-network-access-inventory.snapshot.json \
--owner-request-report docs/security/ssh-network-owner-request-draft.snapshot.json \
--output docs/security/ssh-network-owner-response-acceptance.snapshot.json \
--generated-at 2026-06-15T01:18:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 8. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| owner response acceptance ledger artifact | `100%` | 16 份 acceptance candidate、snapshot、文件與 guard 已固定 |
| request dispatch | `0%` | 尚未送件 |
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
| live evidence collection | `0%` | 未 SSH、未 keyscan、未讀 live firewall |
| SSH / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | 未授權且未執行 |
| runtime gate / production write | `0%` | 未授權且未執行 |