17d45a6d30
- Added `FilesystemPackRunProvenanceWriter` to write provenance manifests to the filesystem. - Introduced `MongoPackRunArtifactReader` to read artifacts from MongoDB. - Created `MongoPackRunProvenanceWriter` to store provenance manifests in MongoDB. - Developed unit tests for filesystem and MongoDB provenance writers. - Established `ITimelineEventStore` and `ITimelineIngestionService` interfaces for timeline event handling. - Implemented `TimelineIngestionService` to validate and persist timeline events with hashing. - Created PostgreSQL schema and migration scripts for timeline indexing. - Added dependency injection support for timeline indexer services. - Developed tests for timeline ingestion and schema validation.
1.3 KiB
1.3 KiB
Air-gap Egress Guard Rails
Artifacts supporting DEVOPS-AIRGAP-56-001:
k8s-deny-egress.yaml— NetworkPolicy template that denies all egress for pods labeledsealed=true, except optional in-cluster DNS when enabled.compose-egress-guard.sh— Idempotent iptables guard for Docker/compose using theDOCKER-USERchain to drop all outbound traffic from a compose project network while allowing loopback and RFC1918 intra-cluster ranges.verify-egress-block.sh— Verification harness that runs curl probes from Docker or Kubernetes and reports JSON results; exits non-zero if any target is reachable.bundle_stage_import.py— Deterministic bundle staging helper: validates sha256 manifest, copies bundles to staging dir as<sha256>-<basename>, emitsstaging-report.jsonfor evidence.stage-bundle.sh— Thin wrapper aroundbundle_stage_import.pywith positional args.build_bootstrap_pack.py— Builds a Bootstrap Pack from images/charts/extras listed in a JSON config, writingbootstrap-manifest.json+checksums.sha256deterministically.build_bootstrap_pack.sh— Wrapper for the bootstrap pack builder.
See also ops/devops/sealed-mode-ci/ for the full sealed-mode compose harness and egress_probe.py, which this verification script wraps.