awoooi/docs/security/ssh-network-access-inventory.snapshot.json
Your Name bc7e5e05ce
feat(security): 新增 SSH network access 只讀清冊
2026-06-11 22:19:01 +08:00


{
"access_surfaces": [
{
"access_scope": [
"192.168.0.110",
"192.168.0.111",
"192.168.0.112",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"action_buttons_allowed": false,
"config_kind": "ssh_target_inventory",
"control_tier": "C1",
"current_state": "repo_source_visible_needs_pinned_host_key_policy",
"expected_scope": "110_111_112_120_121_188",
"label": "Ansible inventory SSH targets",
"line_count": 48,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 host owner、pinned known_hosts disposition、ProxyJump policy、key owner 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "86108dce9174b5c0a794d240dd40518966d9c340950fc6306845b704f12e6536",
"source_exists": true,
"source_path": "infra/ansible/inventory/hosts.yml",
"surface_id": "ansible_inventory_ssh_targets"
},
{
"access_scope": [
"StrictHostKeyChecking=accept-new",
"ConnectTimeout=10"
],
"action_buttons_allowed": false,
"config_kind": "ssh_client_policy",
"control_tier": "C1",
"current_state": "accept_new_policy_visible_needs_owner_disposition",
"expected_scope": "multi_host",
"label": "Ansible common SSH host key policy",
"line_count": 20,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "確認 accept-new 是否只限 bootstrap、補升級 pinned known_hosts 的 owner 與時間窗。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "c3d5cb63cf84dea98195aa075e69ca90be7422b5805c0cfc50c1d97b832ad86e",
"source_exists": true,
"source_path": "infra/ansible/inventory/group_vars/all.yml",
"surface_id": "ansible_common_ssh_args"
},
{
"access_scope": [
"192.168.0.110",
"192.168.0.120",
"192.168.0.121",
"192.168.0.188"
],
"action_buttons_allowed": false,
"config_kind": "known_hosts_secret_workflow",
"control_tier": "C1",
"current_state": "repo_guard_visible_live_secret_not_verified",
"expected_scope": "110_120_121_188_known_hosts",
"label": "Gitea CD repair known_hosts secret",
"line_count": 1562,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 owner-provided known_hosts secret metadata、缺 120 時的處置、key rotation owner 與失敗通知 owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593",
"source_exists": true,
"source_path": ".gitea/workflows/cd.yaml",
"surface_id": "gitea_cd_known_hosts_secret"
},
{
"access_scope": [
"K8S_SSH_HOST",
"deploy_key",
"kubectl apply",
"ArgoCD sync"
],
"action_buttons_allowed": false,
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"current_state": "write_capable_deploy_path_visible_gate_closed",
"expected_scope": "k8s_ssh_host",
"label": "Gitea CD K8s deploy SSH path",
"line_count": 1562,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 deploy SSH host owner、maintenance window、rollback owner、post-check 指標與 break-glass policy。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "5b41cdc34c954a383ebea9e4109d10165ceb40589d55df9ee6e808d4092bf593",
"source_exists": true,
"source_path": ".gitea/workflows/cd.yaml",
"surface_id": "gitea_cd_deploy_ssh"
},
{
"access_scope": [
"192.168.0.120",
"deploy_key",
"kubectl apply"
],
"action_buttons_allowed": false,
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"current_state": "dev_write_capable_deploy_path_visible_gate_closed",
"expected_scope": "192.168.0.120",
"label": "Gitea CD dev deploy SSH path",
"line_count": 262,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "確認 dev deploy key scope、host key policy、rollback owner 與 dev/prod 邊界。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "e344a4672cb543979c3bb8ea67967c103332587b4a52a939c837457aaeae686d",
"source_exists": true,
"source_path": ".gitea/workflows/cd-dev.yaml",
"surface_id": "gitea_cd_dev_ssh"
},
{
"access_scope": [
"192.168.0.110",
"deploy alert scripts"
],
"action_buttons_allowed": false,
"config_kind": "ci_deploy_ssh",
"control_tier": "C1",
"current_state": "write_capable_alert_deploy_path_visible_gate_closed",
"expected_scope": "192.168.0.110",
"label": "Deploy alerts SSH path",
"line_count": 72,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 alert deploy owner、known_hosts pinning、rollback owner、post-check 與通知路徑。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "b0389fa65da643d411f6961928a276d555ad6a416366bf87f3f5c2c06ee45d13",
"source_exists": true,
"source_path": ".gitea/workflows/deploy-alerts.yaml",
"surface_id": "deploy_alerts_ssh_path"
},
{
"access_scope": [
"192.168.0.110",
"192.168.0.188",
"docker ps"
],
"action_buttons_allowed": false,
"config_kind": "ssh_discovery_script",
"control_tier": "C1",
"current_state": "accept_new_scanner_visible_needs_read_only_gate",
"expected_scope": "110_188_docker_hosts",
"label": "Monitoring Docker discovery SSH scanner",
"line_count": 314,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 scanner 執行 owner、read-only window、pinned known_hosts、輸出脫敏與失敗處置。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "563faf8efcfdbd5a79cc87e0d43c2ba11bebf755a773c97b9c0778f1f0634a15",
"source_exists": true,
"source_path": "ops/monitoring/discover_docker.py",
"surface_id": "monitoring_discover_docker_ssh"
},
{
"access_scope": [
"192.168.0.188",
"scp",
"docker compose up -d"
],
"action_buttons_allowed": false,
"config_kind": "monitoring_ssh_deploy_script",
"control_tier": "C1",
"current_state": "write_capable_script_visible_gate_closed",
"expected_scope": "192.168.0.188",
"label": "Monitoring exporter deploy SSH script",
"line_count": 76,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 exporter deploy owner、maintenance window、rollback owner、host key policy 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "dbcbca21cf6fd5083177cb8a12c008c1aefed8e6ed05b70d738b3db37699cef3",
"source_exists": true,
"source_path": "ops/monitoring/deploy-exporters.sh",
"surface_id": "monitoring_exporter_deploy_ssh"
},
{
"access_scope": [
"/etc/ssh",
"/etc/nginx",
"systemd",
"docker",
"k8s"
],
"action_buttons_allowed": false,
"config_kind": "ssh_backup_capture",
"control_tier": "C1",
"current_state": "read_capable_capture_visible_not_executed",
"expected_scope": "110_188_120_121_cluster",
"label": "Backup config SSH capture",
"line_count": 359,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 backup execution owner、secret redaction proof、retention owner 與 restore validation。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "d24301cff44e464bd19ce0792362be16916ccde8c92f92351a19ef4ee988f15e",
"source_exists": true,
"source_path": "scripts/backup/backup-configs.sh",
"surface_id": "backup_config_ssh_capture"
},
{
"access_scope": [
"awoooi-hosts-add",
"docker kill SIGHUP",
"promtool",
"amtool"
],
"action_buttons_allowed": false,
"config_kind": "sudoers_policy",
"control_tier": "C1",
"current_state": "sudoers_source_visible_needs_live_owner_evidence",
"expected_scope": "host_ops_minimal_sudo",
"label": "Host ops sudoers wrapper",
"line_count": 27,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 live sudoers hash、visudo validation、command owner、rollback owner 與 forbidden command proof。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "eff02c67402d2f5b2ac8d112dca26a15dc34f03593ca490a0682a6dfa9b0394d",
"source_exists": true,
"source_path": "scripts/host-ops/awoooi-wrapper.sudoers",
"surface_id": "host_ops_sudoers_wrapper"
},
{
"access_scope": [
"default deny",
"ingress",
"egress",
"SSH egress",
"Ollama",
"monitoring"
],
"action_buttons_allowed": false,
"config_kind": "k8s_network_policy",
"control_tier": "C1",
"current_state": "repo_policy_visible_needs_live_cluster_diff",
"expected_scope": "awoooi_prod_namespace",
"label": "K8s production NetworkPolicy",
"line_count": 306,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 live NetworkPolicy diff、ingress / egress owner、rollback owner 與 route smoke。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "f5ea6a9f5fb0cc44664d97a3ed639fa4b43ffd9bcfd70a1f6b44640791b7859f",
"source_exists": true,
"source_path": "k8s/awoooi-prod/02-network-policy.yaml",
"surface_id": "k8s_prod_network_policy"
},
{
"access_scope": [
"192.168.0.188",
"argocd metrics",
"192.168.0.0/24 UI"
],
"action_buttons_allowed": false,
"config_kind": "k8s_network_policy",
"control_tier": "C1",
"current_state": "repo_policy_visible_needs_prometheus_owner_confirmation",
"expected_scope": "argocd_namespace",
"label": "ArgoCD metrics NetworkPolicy",
"line_count": 80,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 Prometheus scrape owner、NodePort exposure owner、live policy diff 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "41ccd0bb22410c48adc84eae74391106c3f28fe181786cfe4128a07f99d2942c",
"source_exists": true,
"source_path": "k8s/argocd/argocd-metrics-network-policy.yaml",
"surface_id": "argocd_metrics_network_policy"
},
{
"access_scope": [
"nodePort 30882",
"nodePort 30883"
],
"action_buttons_allowed": false,
"config_kind": "k8s_nodeport_service",
"control_tier": "C1",
"current_state": "nodeport_source_visible_needs_exposure_review",
"expected_scope": "argocd_nodeport_30882_30883",
"label": "ArgoCD metrics NodePort",
"line_count": 47,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 NodePort exposure owner、firewall owner、Prometheus source whitelist 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "7f4a8f09206ce0afc185fe11d5e55265bb553b671471724cdcd83c259ec7d266",
"source_exists": true,
"source_path": "k8s/argocd/argocd-metrics-nodeport.yaml",
"surface_id": "argocd_metrics_nodeport"
},
{
"access_scope": [
"nodePort 30885",
"backup metrics"
],
"action_buttons_allowed": false,
"config_kind": "k8s_nodeport_service",
"control_tier": "C1",
"current_state": "nodeport_source_visible_needs_exposure_review",
"expected_scope": "velero_nodeport_30885",
"label": "Velero metrics NodePort",
"line_count": 26,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 Velero metrics exposure owner、firewall owner、Prometheus source whitelist 與 rollback owner。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "684959def32b792e2bca34b477afcdfe2b0c6dfd0cb90f4b681a514922d62b75",
"source_exists": true,
"source_path": "k8s/velero/velero-metrics-service.yaml",
"surface_id": "velero_metrics_nodeport"
},
{
"access_scope": [
"10.77.114.0/24",
"51820/udp",
"GCP-A",
"GCP-B"
],
"action_buttons_allowed": false,
"config_kind": "wireguard_runbook",
"control_tier": "C1",
"current_state": "target_architecture_documented_not_applied",
"expected_scope": "110_111_120_121_gcp_a_gcp_b",
"label": "GCP Ollama WireGuard mesh runbook",
"line_count": 280,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 WireGuard owner、public-key metadata、firewall rule owner、canary plan、rollback owner 與 cutover gate。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "0af082698c727176ca82c79f95f3950f4c32ed6aabc91c88aff41831fbf0c044",
"source_exists": true,
"source_path": "docs/runbooks/GCP-OLLAMA-WIREGUARD-MESH.md",
"surface_id": "wireguard_mesh_runbook"
},
{
"access_scope": [
"ssh_diagnose",
"docker restart",
"systemctl restart",
"docker compose",
"docker prune"
],
"action_buttons_allowed": false,
"config_kind": "alert_ssh_action_rules",
"control_tier": "C1",
"current_state": "ssh_action_catalog_visible_gate_closed",
"expected_scope": "ssh_mcp_action_catalog",
"label": "Alert rules SSH action surface",
"line_count": 889,
"live_evidence_received": false,
"maintenance_window_accepted": false,
"next_owner_action": "補 action owner、read/write/admin 分級、approval gate、cooldown、rollback owner 與 post-check 指標。",
"owner_response_accepted": false,
"owner_response_received": false,
"requires_live_evidence": true,
"requires_owner_response": true,
"rollback_owner_accepted": false,
"runtime_gate_open": false,
"sha256": "5786505aa05073bbb2069203a443a75c8337a289dc015630792d0c201c85cafb",
"source_exists": true,
"source_path": "apps/api/alert_rules.yaml",
"surface_id": "alert_rules_ssh_actions"
}
],
"execution_boundaries": {
"action_buttons_allowed": false,
"active_scan_authorized": false,
"firewall_change_authorized": false,
"host_keyscan_authorized": false,
"host_write_authorized": false,
"known_hosts_patch_authorized": false,
"live_host_read_authorized": false,
"network_policy_apply_authorized": false,
"nodeport_change_authorized": false,
"runtime_execution_authorized": false,
"secret_value_collection_allowed": false,
"ssh_key_collection_allowed": false,
"ssh_read_authorized": false,
"ssh_write_authorized": false,
"sudo_action_authorized": false,
"wireguard_change_authorized": false
},
"expected_scopes": [
"110_111_112_120_121_188",
"110_111_120_121_gcp_a_gcp_b",
"110_120_121_188_known_hosts",
"110_188_120_121_cluster",
"110_188_docker_hosts",
"192.168.0.110",
"192.168.0.120",
"192.168.0.188",
"argocd_namespace",
"argocd_nodeport_30882_30883",
"awoooi_prod_namespace",
"host_ops_minimal_sudo",
"k8s_ssh_host",
"multi_host",
"ssh_mcp_action_catalog",
"velero_nodeport_30885"
],
"generated_at": "2026-06-11T23:55:00+08:00",
"git_commit": "7cd47558",
"next_collection_order": [
"gitea_cd_known_hosts_secret",
"ansible_inventory_ssh_targets",
"host_ops_sudoers_wrapper",
"k8s_prod_network_policy",
"alert_rules_ssh_actions",
"argocd_metrics_nodeport",
"velero_metrics_nodeport",
"wireguard_mesh_runbook",
"monitoring_discover_docker_ssh",
"backup_config_ssh_capture"
],
"operator_interpretation": [
"這是 repo-only SSH / network access 清冊,不是 live host、firewall 或 cluster truth。",
"source_exists=true 只代表 repo 檔案存在;不代表 known_hosts、sudoers、NetworkPolicy、NodePort 或 WireGuard 已套用。",
"write-capable SSH / sudoers / alert action surface 可見代表需被管控,不代表 SSH、sudo、docker、systemctl 或 kubectl 已授權。",
"所有 live hash、pinned host key、maintenance window、rollback owner、firewall owner 與 post-check 指標都仍需 owner response。"
],
"schema_version": "ssh_network_access_inventory_v1",
"source_scope": "committed_repo_files_only",
"status": "repo_only_inventory_ready",
"summary": {
"action_button_count": 0,
"coverage_percent_after_inventory": 54,
"coverage_percent_before_inventory": 48,
"expected_scope_count": 16,
"live_evidence_received_count": 0,
"maintenance_window_accepted_count": 0,
"network_policy_surface_count": 2,
"nodeport_surface_count": 2,
"owner_response_accepted_count": 0,
"owner_response_received_count": 0,
"rollback_owner_accepted_count": 0,
"runtime_gate_count": 0,
"source_exists_count": 16,
"ssh_source_surface_count": 11,
"sudoers_surface_count": 1,
"surface_count": 16,
"surfaces_requiring_live_evidence_count": 16,
"surfaces_requiring_owner_response_count": 16,
"wireguard_surface_count": 1,
"write_capable_surface_count": 6
},
"write_capable_surfaces": [
{
"config_kind": "ci_deploy_ssh",
"expected_scope": "k8s_ssh_host",
"label": "Gitea CD K8s deploy SSH path",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "gitea_cd_deploy_ssh"
},
{
"config_kind": "ci_deploy_ssh",
"expected_scope": "192.168.0.120",
"label": "Gitea CD dev deploy SSH path",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "gitea_cd_dev_ssh"
},
{
"config_kind": "ci_deploy_ssh",
"expected_scope": "192.168.0.110",
"label": "Deploy alerts SSH path",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "deploy_alerts_ssh_path"
},
{
"config_kind": "monitoring_ssh_deploy_script",
"expected_scope": "192.168.0.188",
"label": "Monitoring exporter deploy SSH script",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "monitoring_exporter_deploy_ssh"
},
{
"config_kind": "sudoers_policy",
"expected_scope": "host_ops_minimal_sudo",
"label": "Host ops sudoers wrapper",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "host_ops_sudoers_wrapper"
},
{
"config_kind": "alert_ssh_action_rules",
"expected_scope": "ssh_mcp_action_catalog",
"label": "Alert rules SSH action surface",
"required_gate": "owner_response_plus_maintenance_window_plus_rollback_owner",
"surface_id": "alert_rules_ssh_actions"
}
]
}