Files
awoooi/docs/security/PORT-FIREWALL-CHANGE-EVIDENCE-ACCEPTANCE.md
Your Name b9b61e5001
All checks were successful
Code Review / ai-code-review (push) Successful in 13s
CD Pipeline / tests (push) Successful in 1m33s
CD Pipeline / build-and-deploy (push) Successful in 4m4s
CD Pipeline / post-deploy-checks (push) Successful in 1m56s
feat(iwooos): 強化端口防火牆事故證據驗收
2026-06-15 13:30:23 +08:00

9.0 KiB
Raw Blame History

IwoooS 端口 / 防火牆變更證據驗收

項目 內容
日期 2026-06-15
狀態 change_evidence_acceptance_ready_no_runtime_action
工具 scripts/security/port-firewall-change-evidence-acceptance.py
Snapshot docs/security/port-firewall-change-evidence-acceptance.snapshot.json
Source acceptance docs/security/ssh-network-owner-response-acceptance.snapshot.json
runtime gate 0

1. 目的

本文件承接 SSH / Firewall / Network Access owner response acceptance把端口關閉、端口開放、防火牆規則、NodePort、NetworkPolicy、WireGuard 與 host access 類變更轉成 evidence acceptance 只讀帳本。

這層專門補上事故型控管缺口未來若發生端口被關閉、agent route 斷線、公開入口不可達、monitoring exporter 不通或 NodePort / firewall policy 被改動,必須先收集「誰改、為什麼、影響哪裡、怎麼回復、怎麼驗證、是否已同步其他產品」的脫敏證據,不能只靠 UI 卡片或口頭說明。

這不是 SSH 授權、不是 live firewall read、不是 firewall change、不是 port close / open、不是 route smoke、不是 host restart也不是 runtime gate。

2. 摘要

指標 目前值 說明
source acceptance candidate 16 來源為既有 SSH / network owner response acceptance
change evidence candidate 14 聚焦端口、防火牆、NodePort、NetworkPolicy、WireGuard、deploy SSH 與 sudo / alert action surface
write-capable change evidence candidate 6 CI deploy SSH、monitoring deploy、sudoers、alert action catalog
policy / exposure candidate 5 NetworkPolicy、NodePort、WireGuard exposure 相關候選
change evidence field 40 evidence 欄位總數,已包含事故嚴重度、恢復時間、服務健康影響與通知 refs
required evidence field 21 change / incident evidence 必填欄位
reviewer check 21 actor、scope、before/after、impact、health、notification、rollback、post-check 與 no-runtime 檢查
outcome lane 9 waiting、quarantine、reject、supplement、review、incident backfill、emergency backfill、ledger-only、runtime gate
blocked action 28 SSH、firewall、port、NodePort、NetworkPolicy、WireGuard、route smoke、reload、restart、secret、runtime gate 與事故誤收斂等
change evidence received / accepted 0 / 0 尚未收到或驗收
firewall / port change authorized 0 / 0 不改防火牆,不開關端口
runtime gate / action button 0 / 0 不提供操作入口

3. Evidence Candidate 範圍

Candidate 類型 範圍 驗收焦點
port_firewall_change_evidence:ansible_inventory_ssh_targets SSH target inventory 110_111_112_120_121_188 host access 變更、端口影響、維護窗口、rollback
port_firewall_change_evidence:gitea_cd_deploy_ssh CI deploy SSH k8s_ssh_host deploy access 斷線、回滾 owner、post-check
port_firewall_change_evidence:gitea_cd_dev_ssh CI deploy SSH 192.168.0.120 dev/prod 邊界、端口 policy、host access impact
port_firewall_change_evidence:deploy_alerts_ssh_path CI deploy SSH 192.168.0.110 alert deploy path、port close impact、通知鏈路
port_firewall_change_evidence:monitoring_discover_docker_ssh SSH discovery script 110_188_docker_hosts monitoring discovery 可達性、read-only window
port_firewall_change_evidence:monitoring_exporter_deploy_ssh monitoring SSH deploy 192.168.0.188 exporter deploy access、firewall owner、post-check
port_firewall_change_evidence:backup_config_ssh_capture SSH backup capture 110_188_120_121_cluster backup access、restore validation、service dependency
port_firewall_change_evidence:host_ops_sudoers_wrapper sudoers policy host_ops_minimal_sudo sudo 授權邊界、firewall recovery 權限、break-glass
port_firewall_change_evidence:k8s_prod_network_policy K8s NetworkPolicy awoooi_prod_namespace ingress / egress policy、route smoke plan
port_firewall_change_evidence:argocd_metrics_network_policy K8s NetworkPolicy argocd_namespace metrics scrape、NodePort exposure、source whitelist
port_firewall_change_evidence:argocd_metrics_nodeport K8s NodePort argocd_nodeport_30882_30883 NodePort exposure、firewall owner、rollback
port_firewall_change_evidence:velero_metrics_nodeport K8s NodePort velero_nodeport_30885 backup metrics exposure、access policy
port_firewall_change_evidence:wireguard_mesh_runbook WireGuard runbook 110_111_120_121_gcp_a_gcp_b mesh cutover、firewall rule owner、canary / rollback
port_firewall_change_evidence:alert_rules_ssh_actions alert SSH action rules ssh_mcp_action_catalog alert action catalog、read/write/admin 分級、cooldown

4. 必填 Evidence 欄位

  1. change_or_incident_ref
  2. actor_role_or_team
  3. decision
  4. decision_reason
  5. affected_scope
  6. affected_ports_or_paths_ref
  7. before_state_ref
  8. after_state_ref
  9. service_dependency_ref
  10. customer_impact_ref
  11. incident_severity
  12. restoration_time_ref
  13. service_health_impact_refs
  14. operator_notification_refs
  15. incident_commander_or_owner
  16. maintenance_window
  17. rollback_owner
  18. rollback_plan_ref
  19. validation_plan
  20. postcheck_evidence_refs
  21. cross_project_sync_ref

5. Reviewer Checks

  1. change_ref_present
  2. actor_role_traceable
  3. decision_reason_present
  4. affected_scope_matches_surface
  5. ports_or_paths_redacted
  6. before_after_state_refs
  7. firewall_diff_metadata_only
  8. dependency_impact_present
  9. customer_impact_review
  10. cross_project_sync_present
  11. incident_severity_present
  12. service_health_impact_present
  13. restoration_time_present
  14. operator_notification_present
  15. break_glass_classification_present
  16. maintenance_window_present
  17. rollback_owner_present
  18. postcheck_evidence_present
  19. secret_or_key_value_absent
  20. no_runtime_authorization
  21. counts_transition_safe

6. Outcome Lanes

Lane 說明
waiting_change_evidence 尚未收到端口 / 防火牆變更證據;所有 accepted / runtime count 維持 0
quarantine_raw_firewall_dump 收到 raw firewall dump、secret 或 key material 時只能隔離
reject_unattributed_change 無 actor、無 owner、無 affected scope 或無 rollback 的變更不得驗收
request_impact_supplement 缺 before/after、impact、dependency、post-check 或 cross-project sync 時要求補件
ready_for_network_review metadata 合格後,只能進 network / firewall reviewer review
incident_backfill_only 事故回補只能更新只讀 ledger不得反向視為已批准操作
emergency_change_backfill_required 緊急端口 / 防火牆變更需補 actor、severity、health impact、通知、恢復與 rollback evidence
owner_review_only_update 只允許更新 reviewer ledger不改 firewall、port、route 或 host
waiting_runtime_gate 即使證據 acceptedruntime gate 仍需獨立人工批准

7. 禁止動作

  1. ssh_read
  2. ssh_write
  3. live_firewall_read
  4. firewall_change
  5. port_change
  6. port_close
  7. port_open
  8. network_policy_apply
  9. nodeport_change
  10. wireguard_change
  11. sudo_action
  12. deploy_ssh_action
  13. route_smoke
  14. public_gateway_reload
  15. nginx_reload
  16. host_restart
  17. secret_value_collection
  18. ssh_key_collection
  19. raw_firewall_dump_storage
  20. raw_key_material_storage
  21. mark_change_evidence_accepted_without_reviewer_record
  22. mark_incident_resolved_without_health_evidence
  23. hide_cross_project_impact
  24. close_management_port_without_owner
  25. treat_break_glass_as_approval
  26. open_runtime_gate
  27. add_action_button
  28. production_write

8. 指令

產生 committed snapshot

python3 scripts/security/port-firewall-change-evidence-acceptance.py \
  --root . \
  --source-acceptance-report docs/security/ssh-network-owner-response-acceptance.snapshot.json \
  --output docs/security/port-firewall-change-evidence-acceptance.snapshot.json \
  --generated-at 2026-06-15T00:36:00+08:00

驗證 guard

python3 scripts/security/security-mirror-progress-guard.py --root .

9. 完成度

工作 完成度 說明
port / firewall change evidence acceptance ledger artifact 100% 14 份候選、snapshot、文件與 guard 已固定;事故型欄位已納入 health impact、notification、restoration、severity 與 break-glass backfill
change evidence received / accepted 0% 尚未收到或驗收
actor / impact / before-after evidence 0% 尚未收到 owner-provided evidence
cross-project sync evidence 0% 尚未收到同步證據
firewall / port / NetworkPolicy / NodePort / WireGuard change 0% 未授權且未執行
runtime gate / production write 0% 未授權且未執行