ops(k8s): known_hosts Secret + Ansible 白名單 ConfigMap (Sprint 3 T2)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-06 14:20:14 +08:00
parent 5e8b2a6894
commit d4cb9a4ac5
3 changed files with 43 additions and 0 deletions
--- a/k8s/awoooi-prod/04-configmap.yaml
+++ b/k8s/awoooi-prod/04-configmap.yaml
@@ -91,3 +91,9 @@ data:
  SENTRY_PROJECT_API: "awoooi-api"
  SENTRY_PROJECT_WEB: "awoooi-web"
  # Note: SENTRY_DSN 在 Secrets 中配置 (含認證 token)
+
+  # 2026-04-06 Claude Code: Sprint 3 — ansible:// 白名單 (Security Fix A2)
+  ANSIBLE_PLAYBOOK_WHITELIST: "restart_docker_service.yml,vacuum_postgres.yml,clear_redis_cache.yml"
+  ANSIBLE_CONTROL_NODE_HOST: "192.168.0.188"
+  ANSIBLE_CONTROL_NODE_USER: "ollama"
+  ANSIBLE_PLAYBOOKS_PATH: "~/openclaw-v5/ansible/playbooks"
--- a/k8s/awoooi-prod/04-repair-known-hosts-template.yaml
+++ b/k8s/awoooi-prod/04-repair-known-hosts-template.yaml
@@ -0,0 +1,28 @@
+# k8s/awoooi-prod/04-repair-known-hosts-template.yaml
+# known_hosts Secret Template — 不含實際主機指紋 (需手動建立)
+# 2026-04-06 Claude Code: Sprint 3 Security Fix A1
+#
+# 建立方式:
+#   ssh-keyscan -H 192.168.0.110 > /tmp/known_hosts
+#   ssh-keyscan -H 192.168.0.188 >> /tmp/known_hosts
+#   kubectl create secret generic awoooi-repair-known-hosts \
+#     -n awoooi-prod \
+#     --from-file=known_hosts=/tmp/known_hosts
+#
+# 驗證:
+#   kubectl get secret awoooi-repair-known-hosts -n awoooi-prod
+#
+# 安全說明:
+#   - known_hosts 存 K8s Secret，掛載至 /etc/repair-ssh/known_hosts
+#   - SSH 命令使用 -o UserKnownHostsFile=/etc/repair-ssh/known_hosts
+#   - 移除 -o StrictHostKeyChecking=no (安全漏洞)
+apiVersion: v1
+kind: Secret
+metadata:
+  name: awoooi-repair-known-hosts
+  namespace: awoooi-prod
+  annotations:
+    awoooi.io/secret-type: "ssh-known-hosts"
+    awoooi.io/created: "2026-04-06"
+type: Opaque
+# data: 不在版控中 — 使用上方 ssh-keyscan 指令建立
--- a/k8s/awoooi-prod/06-deployment-api.yaml
+++ b/k8s/awoooi-prod/06-deployment-api.yaml
@@ -55,6 +55,11 @@ spec:
            - name: repair-ssh-key
              mountPath: /etc/repair-ssh
              readOnly: true
+            # 2026-04-06 Claude Code: Sprint 3 Security Fix A1 — known_hosts
+            - name: repair-known-hosts
+              mountPath: /etc/repair-ssh/known_hosts
+              subPath: known_hosts
+              readOnly: true
          resources:
            requests:
              cpu: "200m"
@@ -103,6 +108,10 @@ spec:
          secret:
            secretName: awoooi-repair-ssh-key
            defaultMode: 0400  # 八進位 0400 = 十進位 256 = r-------- (owner read-only)
+        # 2026-04-06 Claude Code: Sprint 3 Security Fix A1
+        - name: repair-known-hosts
+          secret:
+            secretName: awoooi-repair-known-hosts

 ---
 apiVersion: v1