519 lines
21 KiB
Python
519 lines
21 KiB
Python
#!/usr/bin/env python3
|
||
"""
|
||
IwoooS K8s / ArgoCD GitOps 變更證據驗收只讀帳本產生器。
|
||
|
||
本工具讀取 repo-only K8s / ArgoCD manifest inventory 與 owner response
|
||
acceptance snapshot,建立未來 GitOps 變更證據如何收件、補件、拒收或進入
|
||
人工 reviewer review 的 metadata-only ledger。它不讀 live cluster、不呼叫
|
||
ArgoCD API、不 sync、不執行 kubectl、不套用 manifest、不讀 secret value。
|
||
"""
|
||
|
||
from __future__ import annotations
|
||
|
||
import argparse
|
||
import json
|
||
import subprocess
|
||
import sys
|
||
from collections import Counter
|
||
from datetime import datetime, timedelta, timezone
|
||
from pathlib import Path
|
||
from typing import Any
|
||
|
||
|
||
TAIPEI = timezone(timedelta(hours=8))
|
||
|
||
CHANGE_EVIDENCE_FIELDS = [
|
||
"change_evidence_candidate_id",
|
||
"acceptance_candidate_id",
|
||
"group_id",
|
||
"root",
|
||
"control_tier",
|
||
"proposed_commit_ref",
|
||
"rendered_manifest_diff_ref",
|
||
"argocd_application_readback_ref",
|
||
"argocd_sync_revision_ref",
|
||
"health_before_ref",
|
||
"health_after_ref",
|
||
"rollout_status_ref",
|
||
"service_route_smoke_ref",
|
||
"metrics_alert_ref",
|
||
"secret_metadata_parity_ref",
|
||
"blast_radius",
|
||
"maintenance_window",
|
||
"rollback_revision",
|
||
"postcheck_owner",
|
||
"reviewer_outcome",
|
||
"not_approval",
|
||
]
|
||
|
||
REQUIRED_EVIDENCE_FIELDS = [
|
||
"proposed_commit_ref",
|
||
"rendered_manifest_diff_ref",
|
||
"argocd_application_readback_ref",
|
||
"argocd_sync_revision_ref",
|
||
"health_before_ref",
|
||
"health_after_ref",
|
||
"rollout_status_ref",
|
||
"service_route_smoke_ref",
|
||
"metrics_alert_ref",
|
||
"secret_metadata_parity_ref",
|
||
"blast_radius",
|
||
"maintenance_window",
|
||
"rollback_revision",
|
||
"postcheck_owner",
|
||
"affected_scope",
|
||
"redacted_evidence_refs",
|
||
"reviewer_outcome",
|
||
"not_approval",
|
||
]
|
||
|
||
REVIEWER_CHECKS = [
|
||
{
|
||
"check_id": "change_ref_present",
|
||
"instruction": "必須有 proposed commit / PR / patch ref,不能只寫聊天同意。",
|
||
},
|
||
{
|
||
"check_id": "group_scope_matches_inventory",
|
||
"instruction": "affected scope 必須能對回 manifest inventory group 與 root path。",
|
||
},
|
||
{
|
||
"check_id": "rendered_manifest_diff_ref_only",
|
||
"instruction": "只能收 rendered manifest diff ref,不保存完整 manifest payload。",
|
||
},
|
||
{
|
||
"check_id": "argocd_readback_ref_shape",
|
||
"instruction": "ArgoCD app / sync revision / health readback 只能是 owner-provided redacted ref。",
|
||
},
|
||
{
|
||
"check_id": "secret_value_absent",
|
||
"instruction": "不得出現 Secret value、token、kubeconfig、private key、cookie、DSN 或 credential derivative。",
|
||
},
|
||
{
|
||
"check_id": "network_policy_impact_called_out",
|
||
"instruction": "涉及 NetworkPolicy、Service、Ingress 或 NodePort 時必須標出 route / port 影響。",
|
||
},
|
||
{
|
||
"check_id": "rbac_impact_called_out",
|
||
"instruction": "涉及 RBAC / ServiceAccount 時必須標出權限影響與 rollback revision。",
|
||
},
|
||
{
|
||
"check_id": "workload_rollout_plan_present",
|
||
"instruction": "涉及 Deployment、CronJob、HPA 或 image 時必須有 rollout / rollback / smoke plan。",
|
||
},
|
||
{
|
||
"check_id": "health_before_after_present",
|
||
"instruction": "需有 health before / after evidence ref;沒有 before evidence 只能要求補件。",
|
||
},
|
||
{
|
||
"check_id": "route_smoke_or_not_applicable",
|
||
"instruction": "公開 / admin / API route 受影響時需有 smoke ref;不適用時要說明原因。",
|
||
},
|
||
{
|
||
"check_id": "metric_alert_postcheck_present",
|
||
"instruction": "需有 metric、alert、事件或 log post-check evidence ref。",
|
||
},
|
||
{
|
||
"check_id": "blast_radius_present",
|
||
"instruction": "必須列 namespace、workload、route、port、secret metadata、backup / restore 影響範圍。",
|
||
},
|
||
{
|
||
"check_id": "maintenance_window_present",
|
||
"instruction": "任何 future sync / apply / rollout 都必須另有維護窗口。",
|
||
},
|
||
{
|
||
"check_id": "rollback_revision_present",
|
||
"instruction": "必須有 rollback revision 或明確禁止窗口與 follow-up owner。",
|
||
},
|
||
{
|
||
"check_id": "postcheck_owner_present",
|
||
"instruction": "post-check owner 必須可追溯,不能只寫 team generic approval。",
|
||
},
|
||
{
|
||
"check_id": "no_runtime_action_claim",
|
||
"instruction": "不能把本帳本、owner response、CD success 或 deploy marker 當 runtime approval。",
|
||
},
|
||
{
|
||
"check_id": "counts_transition_safe",
|
||
"instruction": "只有 reviewer record 可更新 received / accepted / rejected;不得同時開 runtime gate。",
|
||
},
|
||
{
|
||
"check_id": "cross_project_sync_noted",
|
||
"instruction": "若影響 AwoooP、agent-bounty、監控、公開 gateway 或外部產品,需有跨專案同步 ref。",
|
||
},
|
||
]
|
||
|
||
OUTCOME_LANES = [
|
||
{
|
||
"lane_id": "waiting_change_evidence",
|
||
"meaning": "尚未收到 GitOps 變更證據;所有 accepted / runtime count 維持 0。",
|
||
},
|
||
{
|
||
"lane_id": "quarantine_sensitive_payload",
|
||
"meaning": "收到 manifest payload、kubeconfig、Secret value 或可還原 credential 時只能隔離。",
|
||
},
|
||
{
|
||
"lane_id": "reject_unredacted_or_runtime_claim",
|
||
"meaning": "出現未脫敏 payload、secret value 或把 evidence 誤當執行批准時直接拒收。",
|
||
},
|
||
{
|
||
"lane_id": "request_supplement",
|
||
"meaning": "缺 before / after、rollback、blast radius、post-check 或 route smoke 時要求補件。",
|
||
},
|
||
{
|
||
"lane_id": "ready_for_reviewer_acceptance",
|
||
"meaning": "metadata 合格後,只能進 reviewer acceptance,不得自動 sync 或 apply。",
|
||
},
|
||
{
|
||
"lane_id": "ready_for_runtime_approval_package",
|
||
"meaning": "reviewer 接受後也只能形成 runtime approval package,不自動打開 gate。",
|
||
},
|
||
{
|
||
"lane_id": "waiting_maintenance_window",
|
||
"meaning": "若未來要 sync / rollout / rollback,仍需獨立維護窗口。",
|
||
},
|
||
{
|
||
"lane_id": "waiting_runtime_gate",
|
||
"meaning": "即使 change evidence accepted,runtime gate 仍等待獨立人工批准。",
|
||
},
|
||
]
|
||
|
||
BLOCKED_ACTIONS = [
|
||
"argocd_api_read_without_approval",
|
||
"live_cluster_read_without_approval",
|
||
"argocd_sync",
|
||
"argocd_rollback",
|
||
"kubectl_apply",
|
||
"kubectl_patch",
|
||
"kubectl_delete",
|
||
"kubectl_rollout_restart",
|
||
"helm_upgrade",
|
||
"kustomize_image_set",
|
||
"secret_value_collection",
|
||
"kubeconfig_collection",
|
||
"live_cluster_write",
|
||
"manual_pod_restart",
|
||
"scale_workload",
|
||
"change_network_policy",
|
||
"change_rbac",
|
||
"change_service_type",
|
||
"change_nodeport",
|
||
"change_ingress_route",
|
||
"change_configmap_runtime",
|
||
"change_secret_metadata_without_owner",
|
||
"restore_backup",
|
||
"velero_restore",
|
||
"prometheus_rule_apply",
|
||
"mark_change_evidence_accepted_without_reviewer_record",
|
||
"open_runtime_gate",
|
||
"add_action_button",
|
||
]
|
||
|
||
|
||
def git_short_sha(root: Path) -> str:
|
||
try:
|
||
result = subprocess.run(
|
||
["git", "rev-parse", "--short", "HEAD"],
|
||
cwd=root,
|
||
check=True,
|
||
capture_output=True,
|
||
text=True,
|
||
)
|
||
return result.stdout.strip()
|
||
except Exception:
|
||
return "unknown"
|
||
|
||
|
||
def load_json(path: Path) -> dict[str, Any]:
|
||
return json.loads(path.read_text(encoding="utf-8"))
|
||
|
||
|
||
def tags_by_group(inventory: dict[str, Any]) -> dict[str, list[str]]:
|
||
grouped: dict[str, set[str]] = {}
|
||
for row in inventory.get("manifest_rows", []):
|
||
group_id = row["group_id"]
|
||
grouped.setdefault(group_id, set()).update(row.get("gate_tags", []))
|
||
return {key: sorted(value) for key, value in grouped.items()}
|
||
|
||
|
||
def summary_by_group(inventory: dict[str, Any]) -> dict[str, dict[str, Any]]:
|
||
return {item["group_id"]: item for item in inventory.get("group_summaries", [])}
|
||
|
||
|
||
def change_candidate(
|
||
acceptance: dict[str, Any],
|
||
group_summary: dict[str, Any],
|
||
group_tags: list[str],
|
||
) -> dict[str, Any]:
|
||
group_id = acceptance["group_id"]
|
||
is_write_capable = bool(
|
||
{"network_policy", "rbac", "workload_or_schedule", "backup_restore", "apply_capable_script"}
|
||
& set(group_tags)
|
||
)
|
||
return {
|
||
"change_evidence_candidate_id": f"k8s_argocd_change_evidence:{group_id}",
|
||
"status": "waiting_change_evidence",
|
||
"acceptance_candidate_id": acceptance["acceptance_candidate_id"],
|
||
"group_id": group_id,
|
||
"root": acceptance["root"],
|
||
"control_tier": acceptance["control_tier"],
|
||
"file_count": group_summary.get("file_count", 0),
|
||
"yaml_manifest_file_count": group_summary.get("yaml_manifest_file_count", 0),
|
||
"supporting_source_file_count": group_summary.get("supporting_source_file_count", 0),
|
||
"top_level_kind_marker_count": group_summary.get("top_level_kind_marker_count", 0),
|
||
"gate_tags": group_tags,
|
||
"write_capable": is_write_capable,
|
||
"requires_runtime_approval_package": True,
|
||
"change_evidence_fields": CHANGE_EVIDENCE_FIELDS,
|
||
"required_evidence_fields": REQUIRED_EVIDENCE_FIELDS,
|
||
"reviewer_checks": [item["check_id"] for item in REVIEWER_CHECKS],
|
||
"outcome_lanes": [item["lane_id"] for item in OUTCOME_LANES],
|
||
"blocked_actions": BLOCKED_ACTIONS,
|
||
"proposed_commit_ref": None,
|
||
"rendered_manifest_diff_ref": None,
|
||
"argocd_application_readback_ref": None,
|
||
"argocd_sync_revision_ref": None,
|
||
"health_before_ref": None,
|
||
"health_after_ref": None,
|
||
"rollout_status_ref": None,
|
||
"service_route_smoke_ref": None,
|
||
"metrics_alert_ref": None,
|
||
"secret_metadata_parity_ref": None,
|
||
"blast_radius": "pending_change_evidence",
|
||
"maintenance_window": "pending_change_evidence",
|
||
"rollback_revision": "pending_change_evidence",
|
||
"postcheck_owner": "pending_change_evidence",
|
||
"reviewer_outcome": "waiting_change_evidence",
|
||
"not_approval": True,
|
||
"change_evidence_received": False,
|
||
"change_evidence_accepted": False,
|
||
"change_evidence_rejected": False,
|
||
"change_evidence_quarantined": False,
|
||
"supplement_requested": False,
|
||
"proposed_commit_ref_accepted": False,
|
||
"rendered_manifest_diff_accepted": False,
|
||
"argocd_application_readback_accepted": False,
|
||
"argocd_sync_revision_accepted": False,
|
||
"health_before_accepted": False,
|
||
"health_after_accepted": False,
|
||
"rollout_status_accepted": False,
|
||
"service_route_smoke_accepted": False,
|
||
"metrics_alert_accepted": False,
|
||
"secret_metadata_parity_accepted": False,
|
||
"blast_radius_accepted": False,
|
||
"maintenance_window_accepted": False,
|
||
"rollback_revision_accepted": False,
|
||
"postcheck_owner_accepted": False,
|
||
"cross_project_sync_accepted": False,
|
||
"runtime_approval_package_ready": False,
|
||
"argocd_api_read_authorized": False,
|
||
"argocd_api_read_executed": False,
|
||
"argocd_sync_authorized": False,
|
||
"argocd_sync_executed": False,
|
||
"kubectl_action_authorized": False,
|
||
"kubectl_action_executed": False,
|
||
"helm_upgrade_authorized": False,
|
||
"helm_upgrade_executed": False,
|
||
"live_cluster_read_authorized": False,
|
||
"live_cluster_read_executed": False,
|
||
"network_policy_apply_authorized": False,
|
||
"nodeport_change_authorized": False,
|
||
"rbac_change_authorized": False,
|
||
"secret_value_collection_allowed": False,
|
||
"production_write_authorized": False,
|
||
"runtime_gate": False,
|
||
"action_buttons_allowed": False,
|
||
}
|
||
|
||
|
||
def build_report(
|
||
root: Path,
|
||
inventory: dict[str, Any],
|
||
owner_acceptance: dict[str, Any],
|
||
generated_at: str | None,
|
||
) -> dict[str, Any]:
|
||
report_time = generated_at or datetime.now(TAIPEI).isoformat(timespec="seconds")
|
||
tag_map = tags_by_group(inventory)
|
||
group_map = summary_by_group(inventory)
|
||
candidates = [
|
||
change_candidate(item, group_map.get(item["group_id"], {}), tag_map.get(item["group_id"], []))
|
||
for item in owner_acceptance.get("acceptance_candidates", [])
|
||
]
|
||
c0_candidates = [item for item in candidates if item["control_tier"] == "C0"]
|
||
c1_candidates = [item for item in candidates if item["control_tier"] == "C1"]
|
||
tag_counter: Counter[str] = Counter(tag for item in candidates for tag in item["gate_tags"])
|
||
write_capable_candidates = [item for item in candidates if item["write_capable"]]
|
||
|
||
inventory_summary = inventory.get("summary", {})
|
||
return {
|
||
"schema_version": "k8s_argocd_change_evidence_acceptance_v1",
|
||
"generated_at": report_time,
|
||
"git_commit": git_short_sha(root),
|
||
"source_inventory_schema_version": inventory.get("schema_version"),
|
||
"source_inventory_status": inventory.get("status"),
|
||
"source_acceptance_schema_version": owner_acceptance.get("schema_version"),
|
||
"source_acceptance_status": owner_acceptance.get("status"),
|
||
"status": "change_evidence_acceptance_ledger_ready_no_runtime_action",
|
||
"summary": {
|
||
"source_scan_group_count": inventory_summary.get("scan_group_count", 0),
|
||
"source_manifest_file_count": inventory_summary.get("file_count", 0),
|
||
"source_yaml_manifest_file_count": inventory_summary.get("yaml_manifest_file_count", 0),
|
||
"source_c0_file_count": inventory_summary.get("c0_file_count", 0),
|
||
"source_acceptance_candidate_count": owner_acceptance.get("summary", {}).get(
|
||
"acceptance_candidate_count", 0
|
||
),
|
||
"deployment_object_count": inventory_summary.get("deployment_object_count", 0),
|
||
"cronjob_object_count": inventory_summary.get("cronjob_object_count", 0),
|
||
"secret_object_count": inventory_summary.get("secret_object_count", 0),
|
||
"network_policy_object_count": inventory_summary.get("network_policy_object_count", 0),
|
||
"rbac_object_count": inventory_summary.get("rbac_object_count", 0),
|
||
"argocd_application_count": inventory_summary.get("argocd_application_count", 0),
|
||
"prometheus_rule_count": inventory_summary.get("prometheus_rule_count", 0),
|
||
"change_evidence_candidate_count": len(candidates),
|
||
"c0_change_evidence_candidate_count": len(c0_candidates),
|
||
"c1_change_evidence_candidate_count": len(c1_candidates),
|
||
"write_capable_candidate_count": len(write_capable_candidates),
|
||
"gate_tag_count": len(tag_counter),
|
||
"required_evidence_field_count": len(REQUIRED_EVIDENCE_FIELDS),
|
||
"change_evidence_field_count": len(CHANGE_EVIDENCE_FIELDS),
|
||
"reviewer_check_count": len(REVIEWER_CHECKS),
|
||
"outcome_lane_count": len(OUTCOME_LANES),
|
||
"blocked_action_count": len(BLOCKED_ACTIONS),
|
||
"change_evidence_received_count": 0,
|
||
"change_evidence_accepted_count": 0,
|
||
"change_evidence_rejected_count": 0,
|
||
"change_evidence_quarantined_count": 0,
|
||
"supplement_requested_count": 0,
|
||
"rendered_manifest_diff_accepted_count": 0,
|
||
"argocd_application_readback_accepted_count": 0,
|
||
"argocd_sync_revision_accepted_count": 0,
|
||
"health_before_accepted_count": 0,
|
||
"health_after_accepted_count": 0,
|
||
"rollout_status_accepted_count": 0,
|
||
"service_route_smoke_accepted_count": 0,
|
||
"metrics_alert_accepted_count": 0,
|
||
"secret_metadata_parity_accepted_count": 0,
|
||
"blast_radius_accepted_count": 0,
|
||
"maintenance_window_accepted_count": 0,
|
||
"rollback_revision_accepted_count": 0,
|
||
"postcheck_owner_accepted_count": 0,
|
||
"cross_project_sync_accepted_count": 0,
|
||
"runtime_approval_package_ready_count": 0,
|
||
"argocd_api_read_authorized_count": 0,
|
||
"argocd_api_read_executed_count": 0,
|
||
"argocd_sync_authorized_count": 0,
|
||
"argocd_sync_executed_count": 0,
|
||
"kubectl_action_authorized_count": 0,
|
||
"kubectl_action_executed_count": 0,
|
||
"helm_upgrade_authorized_count": 0,
|
||
"helm_upgrade_executed_count": 0,
|
||
"live_cluster_read_authorized_count": 0,
|
||
"live_cluster_read_executed_count": 0,
|
||
"network_policy_apply_authorized_count": 0,
|
||
"nodeport_change_authorized_count": 0,
|
||
"rbac_change_authorized_count": 0,
|
||
"secret_value_collection_allowed_count": 0,
|
||
"production_write_authorized_count": 0,
|
||
"runtime_gate_count": 0,
|
||
"action_button_count": 0,
|
||
"coverage_percent_before_acceptance": 62,
|
||
"coverage_percent_after_acceptance": 64,
|
||
},
|
||
"execution_boundaries": {
|
||
"change_evidence_received": False,
|
||
"change_evidence_accepted": False,
|
||
"rendered_manifest_diff_accepted": False,
|
||
"argocd_application_readback_accepted": False,
|
||
"argocd_sync_revision_accepted": False,
|
||
"health_before_after_accepted": False,
|
||
"rollout_status_accepted": False,
|
||
"service_route_smoke_accepted": False,
|
||
"metrics_alert_accepted": False,
|
||
"secret_metadata_parity_accepted": False,
|
||
"blast_radius_accepted": False,
|
||
"maintenance_window_accepted": False,
|
||
"rollback_revision_accepted": False,
|
||
"postcheck_owner_accepted": False,
|
||
"cross_project_sync_accepted": False,
|
||
"runtime_approval_package_ready": False,
|
||
"argocd_api_read_authorized": False,
|
||
"argocd_api_read_executed": False,
|
||
"argocd_sync_authorized": False,
|
||
"argocd_sync_executed": False,
|
||
"kubectl_action_authorized": False,
|
||
"kubectl_action_executed": False,
|
||
"helm_upgrade_authorized": False,
|
||
"helm_upgrade_executed": False,
|
||
"live_cluster_read_authorized": False,
|
||
"live_cluster_read_executed": False,
|
||
"network_policy_apply_authorized": False,
|
||
"nodeport_change_authorized": False,
|
||
"rbac_change_authorized": False,
|
||
"secret_value_collection_allowed": False,
|
||
"production_write_authorized": False,
|
||
"runtime_execution_authorized": False,
|
||
"action_buttons_allowed": False,
|
||
"not_authorization": True,
|
||
},
|
||
"change_evidence_fields": CHANGE_EVIDENCE_FIELDS,
|
||
"required_evidence_fields": REQUIRED_EVIDENCE_FIELDS,
|
||
"reviewer_checks": REVIEWER_CHECKS,
|
||
"outcome_lanes": OUTCOME_LANES,
|
||
"blocked_actions": BLOCKED_ACTIONS,
|
||
"gate_tag_counts": dict(sorted(tag_counter.items())),
|
||
"change_evidence_candidates": candidates,
|
||
"next_steps": [
|
||
"要求 owner 提供 proposed commit、rendered manifest diff、ArgoCD app / sync revision、health before / after、rollout、route smoke、metrics / alert、rollback 與 post-check evidence ref。",
|
||
"收到資料後先做敏感 payload 隔離與 reviewer acceptance,不得自動 sync、apply、restart、scale 或改 NetworkPolicy / RBAC / NodePort。",
|
||
"若未來要進 runtime approval package,必須另有維護窗口、rollback revision、跨專案同步與 production post-check gate。",
|
||
],
|
||
}
|
||
|
||
|
||
def main() -> int:
|
||
parser = argparse.ArgumentParser(description="IwoooS K8s / ArgoCD 變更證據驗收只讀帳本產生器")
|
||
parser.add_argument("--root", default=".", help="repo root")
|
||
parser.add_argument(
|
||
"--inventory-report",
|
||
default="docs/security/k8s-argocd-manifest-inventory.snapshot.json",
|
||
help="k8s-argocd-manifest-inventory.py 輸出的 JSON",
|
||
)
|
||
parser.add_argument(
|
||
"--acceptance-report",
|
||
default="docs/security/k8s-argocd-owner-response-acceptance.snapshot.json",
|
||
help="k8s-argocd-owner-response-acceptance.py 輸出的 JSON",
|
||
)
|
||
parser.add_argument("--output", help="寫出 JSON 報告")
|
||
parser.add_argument("--generated-at", help="固定報告時間,供 committed snapshot 使用")
|
||
args = parser.parse_args()
|
||
|
||
root = Path(args.root).resolve()
|
||
inventory = load_json(root / args.inventory_report)
|
||
acceptance = load_json(root / args.acceptance_report)
|
||
report = build_report(root, inventory, acceptance, args.generated_at)
|
||
payload = json.dumps(report, ensure_ascii=False, indent=2, sort_keys=True)
|
||
|
||
if args.output:
|
||
output = Path(args.output)
|
||
output.parent.mkdir(parents=True, exist_ok=True)
|
||
output.write_text(payload + "\n", encoding="utf-8")
|
||
else:
|
||
print(payload)
|
||
|
||
summary = report["summary"]
|
||
print(
|
||
"K8S_ARGOCD_CHANGE_EVIDENCE_ACCEPTANCE_OK "
|
||
f"candidates={summary['change_evidence_candidate_count']} "
|
||
f"c0={summary['c0_change_evidence_candidate_count']} "
|
||
f"write_capable={summary['write_capable_candidate_count']} "
|
||
f"checks={summary['reviewer_check_count']} "
|
||
f"lanes={summary['outcome_lane_count']} "
|
||
f"accepted={summary['change_evidence_accepted_count']} "
|
||
f"runtime_gate={summary['runtime_gate_count']}",
|
||
file=sys.stderr,
|
||
)
|
||
return 0
|
||
|
||
|
||
if __name__ == "__main__":
|
||
sys.exit(main())
|