audit work, fixed StellaOps.sln warnings/errors, fixed tests, sprints work, new advisories
This commit is contained in:
master
49
docs/operations/devops/runbooks/zastava-deployment.md
Normal file
49
docs/operations/devops/runbooks/zastava-deployment.md
Normal file
@@ -0,0 +1,49 @@
|
||||
# Zastava Deployment Runbook
|
||||
|
||||
> **Audience:** DevOps, Zastava Guild
|
||||
>
|
||||
> **Purpose:** Provide steps for deploying Zastava Observer + Webhook in connected and air-gapped clusters.
|
||||
|
||||
## 1. Prerequisites
|
||||
|
||||
- Kubernetes 1.26+ with admission registration permissions.
|
||||
- Access to StellaOps Container Registry or offline bundle with Zastava images.
|
||||
- Authority scopes and certificates configured for Zastava identities.
|
||||
- Surface.FS cache endpoint (RustFS/S3) reachable from nodes.
|
||||
|
||||
## 2. Installation Steps
|
||||
|
||||
1. **Prepare namespace & secrets**
|
||||
- Create Kubernetes namespace (default `stellaops-runtime`).
|
||||
- Provision secrets (`zastava-mtls`, `zastava-op-token`, `surface-secrets`).
|
||||
2. **Deploy Observer**
|
||||
- Apply Helm chart `helm/zastava` with values aligning to Surface.Env settings.
|
||||
- Confirm DaemonSet pods schedule on all nodes; check `/healthz` endpoints.
|
||||
3. **Deploy Webhook**
|
||||
- Install ValidatingWebhookConfiguration with CA bundle and service reference.
|
||||
- Enable dry-run mode first, monitor logs, then switch `enforce=true` once validations pass.
|
||||
4. **Configure policies**
|
||||
- Populate admission policies in Policy Engine; ensure tokens contain `runtime:read` scopes.
|
||||
- Update CLI/Console settings for runtime posture view.
|
||||
5. **Observability**
|
||||
- Scrape metrics (`zastava_observer_*`, `zastava_webhook_*`).
|
||||
- Stream logs to central collector.
|
||||
|
||||
## 3. Air-Gapped Deployment Notes
|
||||
|
||||
- Use Offline Kit bundle (`offline/zastava/`) to load images and configuration.
|
||||
- Validate Surface.FS bundles before enabling enforcement.
|
||||
- Replace webhook CA with offline authority; document rotation schedule.
|
||||
|
||||
## 4. Validation
|
||||
|
||||
- Run `stella runtime policy test` against sample workloads.
|
||||
- Trigger deployment denial for unsigned images; verify Notifier emits alerts.
|
||||
- Check timeline events for observer telemetry.
|
||||
|
||||
## 5. References
|
||||
|
||||
- `docs/modules/zastava/architecture.md`
|
||||
- `docs/modules/scanner/architecture.md`
|
||||
- `docs/airgap/airgap-mode.md`
|
||||
- `docs/forensics/timeline.md`
|
||||
Reference in New Issue
Block a user