wooo/awoooi
1
1
Fork 0
Code Issues 2 Pull Requests 1 Actions 3 Packages Projects Releases Wiki Activity
Files
1ca806fd5d287c143f09c8d6c82d3a228cc0ef2a
awoooi/docs/security/SSH-NETWORK-OWNER-REQUEST-DRAFT.md
Your Name 33b4608117
All checks were successful
Code Review / ai-code-review (push) Successful in 14s
Details
CD Pipeline / tests (push) Successful in 1m31s
Details
CD Pipeline / build-and-deploy (push) Successful in 4m13s
Details
CD Pipeline / post-deploy-checks (push) Successful in 2m2s
Details
fix(iwooos): 新增 ssh network owner acceptance ledger
2026-06-14 21:52:13 +08:00

122 lines
6.7 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# IwoooS SSH / Firewall / Network Access Owner Request Draft
| 項目 | 內容 |
|------|------|
| 日期 | 2026-06-14 |
| 狀態 | `owner_request_draft_ready_not_dispatched` |
| 工具 | `scripts/security/ssh-network-owner-request-draft.py` |
| Snapshot | `docs/security/ssh-network-owner-request-draft.snapshot.json` |
| Source inventory | `docs/security/ssh-network-access-inventory.snapshot.json` |
| runtime gate | `0` |
## 1. 目的
本文件承接 SSH / network access repo-only 清冊,把 16 個 surface 轉成人工送件前 request draft。它讓 SSH target、known_hosts、CI deploy SSH、monitoring SSH、backup SSH、sudoers、NetworkPolicy、NodePort、WireGuard 與 alert SSH action catalog 有一致的 owner 回覆欄位。
這不是 live firewall 真相、不是端口關閉 / 開放批准、不是 known_hosts patch、不是 host keyscan、不是 NetworkPolicy apply也不是 WireGuard cutover。
## 2. 摘要
| 指標 | 目前值 | 說明 |
|------|--------|------|
| request draft | `16` | 每個 SSH / network access surface 一份草稿 |
| write-capable request draft | `6` | CI deploy SSH、monitoring deploy、sudoers、alert action catalog |
| live evidence required request | `16` | 全部都需 owner 提供脫敏 live access evidence |
| request field | `23` | 草稿欄位總數 |
| required owner field | `13` | owner 必填欄位 |
| blocked action | `16` | SSH、keyscan、known_hosts、firewall、port、NetworkPolicy、NodePort、WireGuard、sudo、deploy SSH、active scan、runtime gate 等 |
| request sent / recipient confirmed | `0 / 0` | 尚未送件 |
| owner response received / accepted | `0 / 0` | 尚未收到或驗收 |
| live evidence received | `0` | 不 SSH、不 keyscan、不讀 live firewall |
| maintenance window / rollback owner / validation accepted | `0 / 0 / 0` | 不得改端口、套 policy 或 cutover |
| runtime gate / action button | `0 / 0` | 不提供操作入口 |
## 3. Request Draft 範圍
| Request | 類型 | 範圍 | 風險焦點 |
|---------|------|------|----------|
| `ssh_network_owner_request:ansible_inventory_ssh_targets` | SSH target inventory | `110_111_112_120_121_188` | host owner、pinned known_hosts、ProxyJump、key owner |
| `ssh_network_owner_request:ansible_common_ssh_args` | SSH client policy | `multi_host` | `accept-new` 是否只限 bootstrap |
| `ssh_network_owner_request:gitea_cd_known_hosts_secret` | known_hosts workflow | `110_120_121_188_known_hosts` | known_hosts secret metadata、缺 120 處置、key rotation owner |
| `ssh_network_owner_request:gitea_cd_deploy_ssh` | CI deploy SSH | `k8s_ssh_host` | deploy SSH host owner、rollback、break-glass |
| `ssh_network_owner_request:gitea_cd_dev_ssh` | CI deploy SSH | `192.168.0.120` | dev/prod 邊界、deploy key scope、host key policy |
| `ssh_network_owner_request:deploy_alerts_ssh_path` | CI deploy SSH | `192.168.0.110` | alert deploy owner、known_hosts pinning、通知路徑 |
| `ssh_network_owner_request:monitoring_discover_docker_ssh` | SSH discovery script | `110_188_docker_hosts` | read-only window、輸出脫敏、失敗處置 |
| `ssh_network_owner_request:monitoring_exporter_deploy_ssh` | monitoring SSH deploy | `192.168.0.188` | exporter deploy owner、maintenance window、post-check |
| `ssh_network_owner_request:backup_config_ssh_capture` | SSH backup capture | `110_188_120_121_cluster` | backup execution owner、secret redaction、restore validation |
| `ssh_network_owner_request:host_ops_sudoers_wrapper` | sudoers policy | `host_ops_minimal_sudo` | live sudoers hash、visudo validation、forbidden command proof |
| `ssh_network_owner_request:k8s_prod_network_policy` | K8s NetworkPolicy | `awoooi_prod_namespace` | ingress / egress owner、live policy diff、route smoke |
| `ssh_network_owner_request:argocd_metrics_network_policy` | K8s NetworkPolicy | `argocd_namespace` | Prometheus scrape owner、NodePort exposure owner |
| `ssh_network_owner_request:argocd_metrics_nodeport` | K8s NodePort | `argocd_nodeport_30882_30883` | NodePort exposure owner、firewall owner、source whitelist |
| `ssh_network_owner_request:velero_metrics_nodeport` | K8s NodePort | `velero_nodeport_30885` | backup metrics exposure、firewall owner |
| `ssh_network_owner_request:wireguard_mesh_runbook` | WireGuard runbook | `110_111_120_121_gcp_a_gcp_b` | WireGuard owner、firewall rule owner、canary / rollback |
| `ssh_network_owner_request:alert_rules_ssh_actions` | alert SSH action rules | `ssh_mcp_action_catalog` | action owner、read/write/admin 分級、cooldown、post-check |
## 4. Owner 必填欄位
1. `owner_role_or_team`
2. `decision`
3. `decision_reason`
4. `affected_scope`
5. `redacted_evidence_refs`
6. `live_access_state_ref`
7. `allowed_source_cidrs_ref`
8. `maintenance_window`
9. `rollback_owner`
10. `validation_plan`
11. `break_glass_owner`
12. `change_freeze_rule`
13. `followup_owner`
## 5. 禁止動作
1. `ssh_read`
2. `ssh_write`
3. `host_keyscan`
4. `known_hosts_patch`
5. `firewall_change`
6. `port_close`
7. `port_open`
8. `network_policy_apply`
9. `nodeport_change`
10. `wireguard_change`
11. `sudo_action`
12. `deploy_ssh_action`
13. `secret_value_collection`
14. `ssh_key_collection`
15. `active_scan`
16. `runtime_gate_open`
## 6. 指令
產生 committed snapshot
```bash
python3 scripts/security/ssh-network-owner-request-draft.py \
--root . \
--inventory-report docs/security/ssh-network-access-inventory.snapshot.json \
--output docs/security/ssh-network-owner-request-draft.snapshot.json \
--generated-at 2026-06-14T22:45:00+08:00
```
驗證 guard
```bash
python3 scripts/security/security-mirror-progress-guard.py --root .
```
## 7. 完成度
| 工作 | 完成度 | 說明 |
|------|--------|------|
| owner request draft artifact | `100%` | 16 份 request draft、snapshot、文件與 guard 已固定 |
| request dispatch | `0%` | 尚未送件 |
| owner response received / accepted | `0%` | 尚未收到,尚未驗收 |
| live evidence collection | `0%` | 未 SSH、未 keyscan、未讀 live firewall |
| SSH / firewall / NetworkPolicy / NodePort / WireGuard gate | `0%` | 未授權且未執行 |
| runtime gate / production write | `0%` | 未授權且未執行 |
## 8. 後續 Acceptance Ledger
2026-06-15 已新增 `docs/security/SSH-NETWORK-OWNER-RESPONSE-ACCEPTANCE.md``docs/security/ssh-network-owner-response-acceptance.snapshot.json`,把本文件的 16 份 request draft 轉成 owner response acceptance 只讀帳本。該帳本只定義收到回覆後如何收件、隔離、拒收、補件或送 network / firewall reviewer review不代表 request sent、owner response received / accepted、SSH、keyscan、known_hosts patch、firewall / port change、NetworkPolicy apply、NodePort change、WireGuard cutover、host write、production write 或 runtime gate。
Reference in New Issue View Git Blame Copy Permalink