Files
awoooi/docs/security/K8S-ARGOCD-MANIFEST-INVENTORY.md

127 lines
5.4 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS K8s / ArgoCD Production Manifest Repo-only 清冊
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-14 |
| 狀態 | `repo_only_inventory_ready_no_live_cluster_read` |
| 工具 | `scripts/security/k8s-argocd-manifest-inventory.py` |
| Snapshot | `docs/security/k8s-argocd-manifest-inventory.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
K8s / ArgoCD / production manifests 會直接影響部署、replica、cronjob、RBAC、NetworkPolicy、Secret metadata、Velero restore、PrometheusRule 與 public service exposure。這些配置一旦被未審查修改可能造成壞部署、自動同步、權限擴張、告警失效或備援誤操作。
本清冊只讀 repo 內 `k8s/awoooi-prod``k8s/argocd``k8s/velero``k8s/monitoring` source files整理 path、SHA256、top-level `kind:` marker 與 owner gate 缺口。它不做 `kubectl`、不連 ArgoCD、不讀 live cluster、不套用 manifest、不 sync、不改 secret。
## 2. 摘要
| 指標 | 值 | 說明 |
|------|----|------|
| scan group count | `4` | production、ArgoCD、Velero、monitoring |
| file count | `49` | 四個 root 下所有 source files |
| C0 / C1 file count | `36 / 13` | production / ArgoCD / Velero 為 C0monitoring 為 C1 |
| YAML manifest / supporting source | `45 / 4` | `.yaml` / `.yml` 與 README / shell / patch 類支援檔 |
| unique kind count | `20` | repo-only top-level `kind:` marker |
| top-level kind marker count | `56` | 非完整 schema validation只記 repo marker |
| Deployment / CronJob | `5 / 5` | workload 與排程會影響 runtime |
| Secret / RBAC / NetworkPolicy | `6 / 5 / 6` | 權限與流量控管面 |
| Autoscaling / PrometheusRule | `6 / 4` | HPA / VPA 與告警規則 |
| ArgoCD Application | `1` | `k8s/argocd/awoooi-prod-app.yaml` |
| owner response received / accepted | `0 / 0` | 尚未收到,尚未驗收 |
| rendered manifest diff / ArgoCD health readback | `0 / 0` | 尚未產生或接收 |
| ArgoCD sync / kubectl action | `0 / 0` | 尚未批准且未執行 |
| runtime gate / action button | `0 / 0` | 未開啟 |
## 3. 掃描分組
| Group | Tier | Files | YAML | Supporting | 邊界 |
|-------|------|-------|------|------------|------|
| `awoooi_prod` | `C0` | `25` | `24` | `1` | production namespace manifests不得由清冊直接套用 |
| `argocd` | `C0` | `4` | `3` | `1` | ArgoCD application 與 metrics exposure不得由清冊直接 sync |
| `velero` | `C0` | `7` | `6` | `1` | backup / restore manifests不得由清冊直接 restore |
| `monitoring` | `C1` | `13` | `12` | `1` | alert source 與 monitoring config不得由清冊直接 reload |
## 4. Owner 必填欄位
任何 production manifest change、ArgoCD sync、kubectl action、secret metadata 變更、Velero restore 或 monitoring rule reload 候選,都至少要具備:
1. `owner_role_or_team`
2. `decision`
3. `decision_reason`
4. `affected_scope`
5. `redacted_evidence_refs`
6. `argocd_health_readback_ref`
7. `argocd_sync_revision_ref`
8. `rollback_revision`
9. `followup_owner`
10. `maintenance_window`
11. `validation_plan`
## 5. Evidence 缺口
| 缺口 | 目前狀態 |
|------|----------|
| owner response | `0` |
| rendered manifest diff | `0` |
| ArgoCD health readback | `0` |
| ArgoCD sync revision | `0` |
| kubectl dry-run / server validation plan | `0` |
| rollout blast radius | `0` |
| rollback revision | `0` |
| postcheck metrics | `0` |
## 6. 阻擋動作
本清冊不得被用來授權以下動作:
1. `argocd_sync`
2. `kubectl_apply`
3. `kubectl_patch`
4. `kubectl_delete`
5. `helm_upgrade`
6. `secret_value_collection`
7. `live_cluster_write`
8. `manual_pod_restart`
9. `scale_workload`
10. `change_network_policy`
11. `change_rbac`
12. `restore_backup`
13. `open_runtime_gate`
## 7. 2026-06-14 Owner Request Draft
已新增 `docs/security/K8S-ARGOCD-OWNER-REQUEST-DRAFT.md``docs/security/k8s-argocd-owner-request-draft.snapshot.json`,將四個 scan group 轉成人工送件前 request draft。
目前固定為 `request_draft_count=4``c0_request_draft_count=3``c1_request_draft_count=1``request_field_count=20``required_owner_field_count=11``evidence_gap_count=8``blocked_action_count=13``request_sent_count=0``owner_response_received_count=0``owner_response_accepted_count=0``runtime_gate_count=0`
此 artifact 只表示 owner request 的 required shape不代表 request sent、recipient confirmed、owner response received / accepted、rendered manifest diff、ArgoCD API read、ArgoCD sync、kubectl action、live cluster read、secret collection、production write 或 runtime gate。
## 8. 指令
產生 committed snapshot
```bash
python3 scripts/security/k8s-argocd-manifest-inventory.py \
--root . \
--output docs/security/k8s-argocd-manifest-inventory.snapshot.json \
--generated-at 2026-06-14T21:05:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 9. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| repo-only manifest inventory | `100%` | 49 個 source files、45 個 YAML manifest、20 類 top-level kind marker 已固定 |
| owner request draft | `100%` | 已新增 4 份 request draft、snapshot、文件與 guardrequest sent / received / accepted 仍為 0 |
| live ArgoCD / K8s readback | `0%` | 尚未批准且未執行 |
| rendered manifest diff | `0%` | 尚未產生 |
| ArgoCD sync / kubectl action | `0%` | 未授權且未執行 |
| runtime gate / production write | `0%` | 未授權且未執行 |