Files
awoooi/docs/security/K8S-ARGOCD-OWNER-RESPONSE-ACCEPTANCE.md

6.8 KiB
Raw Blame History

IwoooS K8s / ArgoCD Owner Response Acceptance 只讀帳本

項目 內容
日期 2026-06-15
狀態 owner_response_acceptance_ledger_ready_no_runtime_action
工具 scripts/security/k8s-argocd-owner-response-acceptance.py
Snapshot docs/security/k8s-argocd-owner-response-acceptance.snapshot.json
來源 k8s-argocd-manifest-inventory.snapshot.jsonk8s-argocd-owner-request-draft.snapshot.json
runtime gate 0

1. 目的

本文件把 K8s / ArgoCD manifest repo-only 清冊與 owner request draft 串成 owner response acceptance 只讀帳本。目的不是讀 live cluster也不是執行 ArgoCD sync 或 kubectl,而是固定未來 owner 回覆要如何被 reviewer 收件、補件、隔離、拒收或進入 rendered manifest review。

本階段不呼叫 ArgoCD API、不讀 live cluster、不執行 kubectl、不套用 manifest、不跑 Helm、不讀 Secret value、不重啟 Pod、不 scale workload、不改 RBAC / NetworkPolicy、不 restore backup、不寫 production。

2. 摘要

指標 目前值 說明
source scan group 4 production、ArgoCD、Velero、monitoring
source request draft 4 承接 owner request draft
acceptance candidate 4 對應四個 scan group
C0 / C1 acceptance candidate 3 / 1 production、ArgoCD、Velero 為 C0monitoring 為 C1
acceptance field 20 每份 acceptance candidate 固定欄位數
required owner field 11 承接 owner request draft 的必填欄位
reviewer check 12 reviewer 收件前必檢項
outcome lane 7 等待、隔離、拒收、補件、review、只讀更新、等待 runtime gate
blocked action 18 驗收前全部禁止
owner response received / accepted 0 / 0 不得假性拉高
ArgoCD API read / sync / kubectl 0 未授權且未執行
runtime gate / action button 0 / 0 不開任何執行入口

3. Owner 必填欄位

欄位 說明
owner_role_or_team GitOps / Kubernetes / ArgoCD owner role 或 team
decision 對本 scan group 的回覆判定
decision_reason 決策理由,不得包含機敏值
affected_scope 受影響 namespace、Application、manifest group 或 workload scope
redacted_evidence_refs 文件、hash、ticket、commit 或脫敏 artifact pointer
argocd_health_readback_ref owner-provided health readback ref不得觸發 live API read
argocd_sync_revision_ref sync revision / desired revision ref不代表 sync 授權
rollback_revision rollback revision 或明確禁止窗口
followup_owner 補件、隔離、拒收或下一步 review owner
maintenance_window 維護窗口或禁止窗口
validation_plan health、rollout、metric、alert、rollback post-check plan

4. Reviewer Checks

Check 規則
owner_identity_present owner role / team 必須可追溯
decision_reason_present decision 與 decision reason 必須同時存在
affected_scope_matches_group affected scope 必須能對回 committed scan group 與 root path
redacted_refs_only evidence 只能是脫敏 ref、hash、ticket、commit 或 artifact pointer
secret_value_absent 不得出現 Secret value、token、cookie、private key、完整 kubeconfig 或 credential derivative
argocd_health_readback_ref_shape ArgoCD health readback 只能是 owner-provided redacted ref
argocd_sync_revision_ref_not_execution sync revision ref 只做 rollback / diff 判讀,不得自動 sync
rollback_revision_present C0 / C1 回覆都必須有 rollback revision 或明確禁止窗口
rendered_manifest_diff_ref_not_payload rendered manifest diff 只能是 ref不得貼 manifest payload
maintenance_window_present 未來 ArgoCD sync / kubectl action 必須另有維護窗口
validation_plan_present validation plan 必須列 health、rollout、metric、alert 與 rollback post-check
counts_transition_safe 只有 reviewer record 可更新 received / accepted / rejected不得同時開 runtime gate

5. Outcome Lanes

Lane 意義
waiting_owner_response 尚未收到 owner response所有 accepted / runtime count 維持 0
quarantine_raw_payload 收到 raw manifest、kubeconfig、Secret value 或不可保存內容時只能隔離
reject_secret_or_unredacted_manifest 出現 secret value、未脫敏 manifest payload 或 credential derivative 時直接拒收
request_supplement 欄位不足、scope 不清、rollback 缺失或 evidence ref 不可追溯時要求補件
ready_for_rendered_manifest_review metadata 合格後,只能進 rendered manifest diff reviewer review
owner_review_only_update 只允許更新只讀 owner review ledger
waiting_runtime_gate 即使 owner response acceptedruntime gate 仍等待獨立人工批准

6. Blocked Actions

argocd_api_read_without_approval
live_cluster_read_without_approval
argocd_sync
kubectl_apply
kubectl_patch
kubectl_delete
helm_upgrade
secret_value_collection
live_cluster_write
manual_pod_restart
scale_workload
change_network_policy
change_rbac
restore_backup
render_manifest_diff_from_untrusted_payload
mark_owner_response_accepted_without_reviewer_record
open_runtime_gate
add_action_button

7. 指令

固定 committed snapshot

python3 scripts/security/k8s-argocd-owner-response-acceptance.py \
  --root . \
  --output docs/security/k8s-argocd-owner-response-acceptance.snapshot.json \
  --generated-at 2026-06-15T00:08:00+08:00

只讀 guard

python3 scripts/security/security-mirror-progress-guard.py --root .
python3 scripts/security/source-control-owner-response-guard.py --root .

8. 完成度

工作 完成度 說明
owner response acceptance ledger artifact 100% 4 個 scan group 已有只讀收件判定帳本
owner response received / accepted 0% 尚未收到或接受任何 owner response
rendered manifest diff / ArgoCD readback 0% 未產生、未接收、未讀 live API
ArgoCD sync / kubectl / Helm 0% 未授權且未執行
Secret / live cluster / production write 0% 未讀 Secret value、未寫 cluster
runtime gate / production write 0% 無 action button無 production write

9. 邊界

這份帳本不是 live cluster truth、不是 ArgoCD health readback、不是 ArgoCD sync 批准、不是 kubectl 授權、不是 Helm upgrade、不是 Secret collection、不是 RBAC / NetworkPolicy 變更,也不是 restore backup 或 runtime gate。不得把 owner response acceptance ledger、snapshot、LOGBOOK、IwoooS UI 或 AwoooP approval 解讀成可以讀 live cluster、sync ArgoCD、套用 manifest、重啟 Pod、scale workload、讀 secret、寫 production 或開 action button。