K8s gotcha sweep C7 — extend lint + cover Track A allowlist + scope Notes/k8s

Follow-up to 0b52093 (K8s manifest hardening) closing two real gaps the prior sweep didn't catch: 1. Public read-write allowlist regression guard (Track A) - New PublicReadWriteAllowlistHosts set tracks updatecenter.iamworkin.lan + updates.iamworkin.lan. The allowlist on those hosts is GET||HEAD||POST||OPTIONS — POST is required for the bootstrap-JWT check-in endpoint. PUT/PATCH/DELETE must still 404 at the route. - New PublicReadWriteIngressRoutes_MustPinGetHeadPostOptionsAllowlist test enforces the allowlist invariant (3 required methods present, 3 forbidden methods absent). - Companion conftest.dev policy 08_public_readwrite_allowlist.rego. 2. Selenium NetworkPolicy DNAT backend port audit - FlowerCore.Notes/k8s/selenium/06-networkpolicy.yaml allowed Traefik VIP 10.0.56.200:443 + :80 but its 10.42.0.0/16 + 10.43.0.0/16 egress rules didn't include the post-DNAT backend ports (8443 for Traefik TLS, 8080 for HTTP). Per feedback_netpol_dnat_backend_port: kube-proxy DNATs the destination to a backend pod IP+port BEFORE Calico evaluates the FORWARD chain, so without those backend ports in the pod CIDR rule, Selenium-driven browser AAT calls to https://*.iamworkin.lan time out at connect. - Lint inventory now includes FlowerCore.Notes/k8s/selenium/ so regressions in this manifest fail fast. Lint scope notes: - FlowerCore.Notes/k8s/guacamole/ + monitoring/ are historical scaffolds that have diverged from the live state (bluejay-infra/apps/ is canonical). Operator review is required before bringing them in line OR decommissioning them — kept out of lint scope until that decision lands (see xxl-regroup-2026-05-03-followup.md "Codex 7 §0"). README hardening: - New "Public read-write allowlist hosts" entry under "Known gotchas" documenting the GET||HEAD||POST||OPTIONS pattern + linking the lint. Tests: 8/8 lint tests pass. Companion fix in FlowerCore.Updater repo on branch codex/k8s-gotcha-fleet-sweep-c7 (k8s/web-deployment.yaml: localhost/ image needs imagePullPolicy: Never). The FlowerCore.Updater fix applies to a deploy that's currently live but bites only on first scheduled-pod landing on a fresh node — not a live production-impact regression. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-04 22:57:59 -05:00
parent 0b52093b36
commit 6b9cf3d12c
3 changed files with 103 additions and 0 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -17,6 +17,17 @@ public sealed class FleetManifestLintTests
        "dns.iamworkin.lan",
    };

+    // Public hosts that allow a tightly bounded write surface in addition to
+    // GET/HEAD. updatecenter.iamworkin.lan accepts POST /api/v1/checkin/{id}
+    // (bootstrap-JWT) so its allowlist is GET||HEAD||POST||OPTIONS — but
+    // PUT/PATCH/DELETE must still 404 at the route. Anything wider than this
+    // set should fail this lint.
+    private static readonly HashSet<string> PublicReadWriteAllowlistHosts = new(StringComparer.Ordinal)
+    {
+        "updatecenter.iamworkin.lan",
+        "updates.iamworkin.lan",
+    };
+
    private static readonly HashSet<string> ApiKeyProtectedDeployments = new(StringComparer.Ordinal)
    {
        "messageboard-web",
@@ -82,6 +93,52 @@ public sealed class FleetManifestLintTests
        violations.Should().BeEmpty();
    }

+    [Fact]
+    public void PublicReadWriteIngressRoutes_MustPinGetHeadPostOptionsAllowlist()
+    {
+        // For hosts in PublicReadWriteAllowlistHosts, the route match MUST
+        // contain Method(`GET`), Method(`HEAD`), Method(`POST`), and
+        // Method(`OPTIONS`) AND MUST NOT contain Method(`PUT`),
+        // Method(`PATCH`), or Method(`DELETE`). This keeps the public
+        // allowlist invariant against regression — see Track A's
+        // updatecenter-web ingressroute hardening.
+        var violations = Inventory.Documents
+            .Where(document => document.Kind == "IngressRoute")
+            .SelectMany(document =>
+                document.MappingSequence("spec", "routes")
+                    .Select(route => new
+                    {
+                        Document = document,
+                        Match = ManifestNodeExtensions.Scalar(route, "match") ?? string.Empty,
+                    }))
+            .Where(entry => PublicReadWriteAllowlistHosts.Any(host => entry.Match.Contains($"Host(`{host}`)", StringComparison.Ordinal)))
+            .SelectMany(entry =>
+            {
+                var localViolations = new List<string>();
+
+                foreach (var required in new[] { "GET", "HEAD", "POST", "OPTIONS" })
+                {
+                    if (!entry.Match.Contains($"Method(`{required}`)", StringComparison.Ordinal))
+                    {
+                        localViolations.Add($"{entry.Document.Descriptor} is missing required Method(`{required}`).");
+                    }
+                }
+
+                foreach (var forbidden in new[] { "PUT", "PATCH", "DELETE" })
+                {
+                    if (entry.Match.Contains($"Method(`{forbidden}`)", StringComparison.Ordinal))
+                    {
+                        localViolations.Add($"{entry.Document.Descriptor} must not include Method(`{forbidden}`) on a public host.");
+                    }
+                }
+
+                return localViolations;
+            })
+            .ToList();
+
+        violations.Should().BeEmpty();
+    }
+
    [Fact]
    public void TraefikVipNetworkPolicies_MustAllowPostDnatBackendPorts()
    {
@@ -311,6 +368,16 @@ internal sealed class ManifestInventory
            Path.Combine(workspaceRoot, "FlowerCore.Media", "k8s"),
            Path.Combine(workspaceRoot, "FlowerCore.MenuBoard", "k8s"),
            Path.Combine(workspaceRoot, "FlowerCore.MessageBoard", "k8s"),
+            // FlowerCore.Notes/k8s/selenium/ is the live Selenium Grid
+            // manifest tree (consumed by deploy-selenium scripts).
+            // FlowerCore.Notes/k8s/guacamole/ + FlowerCore.Notes/k8s/monitoring/
+            // are historical scaffolds that have diverged from the live state
+            // (bluejay-infra/apps/guacamole + bluejay-infra/apps/monitoring are
+            // canonical). Operator review is required before bringing them in
+            // line OR decommissioning them — keep them out of the lint scope
+            // until that decision lands. See xxl-regroup-2026-05-03-followup.md
+            // "Codex 7 §0 stop conditions" + the C7 close-session output.
+            Path.Combine(workspaceRoot, "FlowerCore.Notes", "k8s", "selenium"),
            Path.Combine(workspaceRoot, "FlowerCore.MySQL", "k8s"),
            Path.Combine(workspaceRoot, "FlowerCore.PHP", "k8s"),
            Path.Combine(workspaceRoot, "FlowerCore.Presentations", "k8s"),