Sealing and Egress (Airgap 56-002)
Guidance for enforcing deny-all egress and validating sealed-mode posture.
Network policies
- Kubernetes: apply namespace-scoped `NetworkPolicy` with default deny; allow only:
  - DNS to internal resolver
  - Object storage/mirror endpoints on allowlist
  - OTLP/observability endpoints if permitted for sealed monitoring
- Docker Compose: use firewall rules or `extra_hosts` to block outbound except mirrors; ship `iptables` template in ops bundle.
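An added example, not part of this document or the ops bundle: a namespace-scoped default-deny egress policy plus the minimal allow set described above (the `stellaops` namespace name, the `k8s-app: kube-dns` resolver label, the mirror CIDR and the `app: otel-collector` label are assumptions).

```yaml
# Added example: default-deny egress for every pod in the namespace, then
# explicit allows. Namespace, labels and CIDR are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
  namespace: stellaops          # assumed namespace
spec:
  podSelector: {}               # selects every pod in the namespace
  policyTypes:
    - Egress                    # no egress rules listed => all outbound denied
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-sealed-egress
  namespace: stellaops
spec:
  podSelector: {}
  policyTypes:
    - Egress
  egress:
    # DNS to the internal resolver only (kube-dns in kube-system; label assumed)
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
    # Object storage / mirror endpoints on the allowlist (CIDR is a placeholder)
    - to:
        - ipBlock:
            cidr: 10.20.0.0/24
      ports:
        - protocol: TCP
          port: 443
    # OTLP collector for sealed monitoring, only if permitted (in-namespace, label assumed)
    - to:
        - podSelector:
            matchLabels:
              app: otel-collector
      ports:
        - protocol: TCP
          port: 4317
```

NetworkPolicies are additive: the first manifest removes all egress, the second adds back exactly the three destinations, and anything else is dropped, which is what the connectivity probe in the verification checklist should confirm.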
EgressPolicy facade
- Services MUST read `Excititor:Network:EgressPolicy` (or module equivalent) to decide runtime behavior:
  - `sealed` → deny outbound HTTP/S except allowlist; fail fast on unexpected hosts.
  - `constrained` → allow allowlist + time/NTP if required.
- Log policy decisions and surface `X-Sealed-Mode: true|false` on HTTP responses for diagnostics.
Verification checklist
- Confirm policy manifests applied (kubectl/compose diff) and pods restarted.
- Run connectivity probe from each pod:
  - Allowed endpoints respond (200/OK or 403 expected).
  - Disallowed domains return immediate failure.
- Attempt bundle import; verify timeline event emitted with `sealed=true`.
- Check observability: counters for denied egress should increment (export or console log).
- Record mirrorGeneration + manifest hash in audit log.
Determinism & offline posture
- No external CRLs/OCSP in sealed mode; rely on bundled trust roots.
- Keep allowlist minimal and declared in config; no implicit fallbacks.
- All timestamps UTC; avoid calling external time APIs.