6.9 KiB
IwoooS SSH / network access 只讀清冊
| 項目 | 內容 |
|---|---|
| 日期 | 2026-06-11 |
| 狀態 | repo_only_inventory_ready |
| 工具 | scripts/security/ssh-network-access-inventory.py |
| Snapshot | docs/security/ssh-network-access-inventory.snapshot.json |
| Schema | docs/schemas/ssh_network_access_inventory_v1.schema.json |
| runtime gate | 0 |
1. 目的
這份清冊補齊高價值配置覆蓋矩陣中的 ssh_firewall_network_access 類別,把 repo 內會影響 SSH、sudoers、known_hosts、firewall / NetworkPolicy、NodePort 與 WireGuard 的配置來源先集中成可重跑 snapshot。
本階段仍是 repo-only 只讀清冊。它不是 live host truth,不是 firewall approval,不是 known_hosts patch approval,不是 NetworkPolicy apply approval,也不是 WireGuard cutover approval。
2026-06-14 已新增 docs/security/SSH-NETWORK-OWNER-REQUEST-DRAFT.md 與 docs/security/ssh-network-owner-request-draft.snapshot.json,將 16 個 SSH / network access surface 轉成 owner request draft。固定 request_draft_count=16、write_capable_request_draft_count=6、live_evidence_required_request_count=16、required_owner_field_count=13、blocked_action_count=16、request_sent_count=0、owner_response_received_count=0、runtime_gate_count=0。
2026-06-15 已新增 docs/security/SSH-NETWORK-OWNER-RESPONSE-ACCEPTANCE.md 與 docs/security/ssh-network-owner-response-acceptance.snapshot.json,將 16 份 request draft 轉成 owner response acceptance 只讀帳本。固定 acceptance_candidate_count=16、write_capable_acceptance_candidate_count=6、live_evidence_required_candidate_count=16、required_owner_field_count=13、reviewer_check_count=15、outcome_lane_count=7、blocked_action_count=22、owner_response_received_count=0、owner_response_accepted_count=0、runtime_gate_count=0。
此 artifact 只表示 owner request 的 required shape,不代表 request sent、recipient confirmed、owner response received / accepted、live host read、host keyscan、known_hosts patch、firewall / port change、NetworkPolicy apply、NodePort change、WireGuard change、sudo、deploy SSH、secret collection、host write、production write 或 runtime gate。
2. 覆蓋摘要
| 指標 | 目前值 | 說明 |
|---|---|---|
| repo surface | 16 |
已納入 SSH / network access 相關 committed source |
| source exists / hash | 16 |
每個 source path 皆存在並有 SHA-256 |
| expected scope | 16 |
已整理每個 surface 的預期影響範圍 |
| SSH source surface | 11 |
包含 inventory、CI deploy、monitoring、backup、alert action |
| NetworkPolicy surface | 2 |
production 與 ArgoCD metrics policy |
| NodePort surface | 2 |
ArgoCD metrics 與 Velero metrics |
| sudoers surface | 1 |
awoooi-wrapper.sudoers |
| WireGuard surface | 1 |
GCP Ollama WireGuard mesh runbook |
| write-capable surface | 6 |
CI deploy、monitoring deploy、sudoers、alert action catalog |
| owner response received / accepted | 0 / 0 |
尚未收到或接受 owner response |
| live evidence received | 0 |
尚未取得 owner-provided live evidence |
| runtime / action | 0 / 0 |
未開 runtime gate,未提供操作按鈕 |
| SSH / network 類別成熟度 | 48% -> 54% |
只代表 repo-only 清冊完成,不代表 live 授權 |
3. 已納入 surface
| Surface | 類型 | 範圍 | 寫入能力 |
|---|---|---|---|
ansible_inventory_ssh_targets |
SSH target inventory | 110_111_112_120_121_188 |
否 |
ansible_common_ssh_args |
SSH client policy | multi_host |
否 |
gitea_cd_known_hosts_secret |
known_hosts workflow | 110_120_121_188_known_hosts |
否 |
gitea_cd_deploy_ssh |
CI deploy SSH | k8s_ssh_host |
是 |
gitea_cd_dev_ssh |
CI deploy SSH | 192.168.0.120 |
是 |
deploy_alerts_ssh_path |
CI deploy SSH | 192.168.0.110 |
是 |
monitoring_discover_docker_ssh |
SSH discovery script | 110_188_docker_hosts |
否 |
monitoring_exporter_deploy_ssh |
monitoring SSH deploy script | 192.168.0.188 |
是 |
backup_config_ssh_capture |
SSH backup capture | 110_188_120_121_cluster |
否 |
host_ops_sudoers_wrapper |
sudoers policy | host_ops_minimal_sudo |
是 |
k8s_prod_network_policy |
K8s NetworkPolicy | awoooi_prod_namespace |
否 |
argocd_metrics_network_policy |
K8s NetworkPolicy | argocd_namespace |
否 |
argocd_metrics_nodeport |
K8s NodePort service | argocd_nodeport_30882_30883 |
否 |
velero_metrics_nodeport |
K8s NodePort service | velero_nodeport_30885 |
否 |
wireguard_mesh_runbook |
WireGuard runbook | 110_111_120_121_gcp_a_gcp_b |
否 |
alert_rules_ssh_actions |
alert SSH action rules | ssh_mcp_action_catalog |
是 |
4. 固定 0 / false 邊界
runtime_execution_authorized=false
host_write_authorized=false
ssh_read_authorized=false
ssh_write_authorized=false
sudo_action_authorized=false
firewall_change_authorized=false
network_policy_apply_authorized=false
nodeport_change_authorized=false
wireguard_change_authorized=false
known_hosts_patch_authorized=false
host_keyscan_authorized=false
live_host_read_authorized=false
secret_value_collection_allowed=false
ssh_key_collection_allowed=false
active_scan_authorized=false
action_buttons_allowed=false
5. 判讀規則
source_exists=true只代表 repo 檔案存在,不代表 live host 與 repo 一致。sha256是 committed source 的 hash,不是 live/etc/ssh、firewall、sudoers、NetworkPolicy 或 WireGuard hash。write_capable_surface_count=6代表需要 owner review 的高風險入口,不代表可執行。accept-new、known_hosts、NodePort、NetworkPolicy 與 WireGuard 只能先形成 owner 問題,不得自動 patch、keyscan、apply 或 cutover。- 後續若要取得 live evidence,只能走 owner-provided redacted evidence、維護窗口與 rollback owner;不得在本階段主動 SSH、sudo、掃描或讀 secret。
6. 指令
python3 scripts/security/ssh-network-access-inventory.py \
--root . \
--output docs/security/ssh-network-access-inventory.snapshot.json
固定 committed snapshot 時間:
python3 scripts/security/ssh-network-access-inventory.py \
--root . \
--generated-at 2026-06-11T23:55:00+08:00 \
--output docs/security/ssh-network-access-inventory.snapshot.json
7. 完成度
| 工作 | 完成度 | 說明 |
|---|---|---|
| repo-only surface 註冊 | 100% |
已納入 16 個 SSH / network access surface |
| source existence / hash | 100% |
16 個 source path 皆已驗證存在並產生 hash |
| owner response 收件 | 0% |
尚未收到或接受 owner response |
| live evidence collection | 0% |
未 SSH、未 keyscan、未讀 live firewall、未讀 live sudoers |
| SSH / sudo / firewall / NetworkPolicy / NodePort / WireGuard gate | 0% |
全部維持未授權 |
| owner request draft | 100% |
已新增 16 份 request draft、snapshot、文件與 guard;request sent / received / accepted 仍為 0 |