up

2025-11-24 07:52:25 +02:00
parent 5970f0d9bd
commit 150b3730ef
215 changed files with 8119 additions and 740 deletions
--- a/docs/airgap/sealing-and-egress.md
+++ b/docs/airgap/sealing-and-egress.md
@@ -0,0 +1,30 @@
+# Sealing and Egress (Airgap 56-002)
+
+Guidance for enforcing deny-all egress and validating sealed-mode posture.
+
+## Network policies
+- Kubernetes: apply namespace-scoped `NetworkPolicy` with default deny; allow only:
+  - DNS to internal resolver
+  - Object storage/mirror endpoints on allowlist
+  - OTLP/observability endpoints if permitted for sealed monitoring
+- Docker Compose: use firewall rules or `extra_hosts` to block outbound except mirrors; ship `iptables` template in ops bundle.
+
+## EgressPolicy facade
+- Services MUST read `Excititor:Network:EgressPolicy` (or module equivalent) to decide runtime behavior:
+  - `sealed` → deny outbound HTTP/S except allowlist; fail fast on unexpected hosts.
+  - `constrained` → allow allowlist + time/NTP if required.
+- Log policy decisions and surface `X-Sealed-Mode: true|false` on HTTP responses for diagnostics.
+
+## Verification checklist
+1. Confirm policy manifests applied (kubectl/compose diff) and pods restarted.
+2. Run connectivity probe from each pod:
+   - Allowed endpoints respond (200/OK or 403 expected).
+   - Disallowed domains return immediate failure.
+3. Attempt bundle import; verify timeline event emitted with `sealed=true`.
+4. Check observability: counters for denied egress should increment (export or console log).
+5. Record mirrorGeneration + manifest hash in audit log.
+
+## Determinism & offline posture
+- No external CRLs/OCSP in sealed mode; rely on bundled trust roots.
+- Keep allowlist minimal and declared in config; no implicit fallbacks.
+- All timestamps UTC; avoid calling external time APIs.