@umacloud/knowledge 1.0.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/00-governance/governance-capabilities.md +557 -0
- package/00-governance/knowledge-map.md +39 -0
- package/00-governance/maintenance-policy.md +76 -0
- package/00-governance/review-checklist.md +81 -0
- package/README.md +13 -0
- package/ai/01-standards/agent-development-complete.md +691 -0
- package/ai/01-standards/llm-application-complete.md +488 -0
- package/ai/01-standards/mlops-complete.md +798 -0
- package/ai/01-standards/prompt-engineering-complete.md +646 -0
- package/ai/01-standards/rag-architecture-complete.md +649 -0
- package/ai/02-playbooks/llm-evaluation-playbook.md +847 -0
- package/ai/03-checklists/ai-project-checklist.md +215 -0
- package/ai/04-antipatterns/ai-antipatterns.md +661 -0
- package/ai/05-cases/case-rag-production.md +147 -0
- package/ai/06-glossary/ai-glossary.md +162 -0
- package/ai/agent-evaluation-benchmark.md +53 -0
- package/ai/ai-agent-memory-context-management.md +41 -0
- package/ai/ai-cost-capacity-optimization-playbook.md +42 -0
- package/ai/ai-data-security-and-compliance-playbook.md +37 -0
- package/ai/ai-domain-index-and-checklist.md +40 -0
- package/ai/ai-governance-maturity-model.md +50 -0
- package/ai/ai-model-selection-and-routing-strategy.md +47 -0
- package/ai/ai-observability-and-oncall-runbook.md +52 -0
- package/ai/ai-rag-engineering-playbook.md +42 -0
- package/ai/ai-red-team-and-safety-evaluation.md +42 -0
- package/ai/ai-release-readiness-and-rollback-gate.md +42 -0
- package/ai/llm-agent-engineering-deep-dive.md +57 -0
- package/ai/prompt-and-tool-guardrails.md +52 -0
- package/api/01-standards/enterprise-api-standards.md +198 -0
- package/api/01-standards/rest-api-design-guide.md +63 -0
- package/api/02-playbooks/api-pagination-playbook.md +93 -0
- package/api/02-playbooks/graphql-production-playbook.md +176 -0
- package/api/03-checklists/api-review-checklist.md +55 -0
- package/api/04-antipatterns/api-antipatterns.md +112 -0
- package/architecture/01-standards/api-gateway-patterns.md +496 -0
- package/architecture/01-standards/cloud-native-patterns.md +644 -0
- package/architecture/01-standards/distributed-systems-patterns.md +591 -0
- package/architecture/01-standards/event-driven-architecture.md +595 -0
- package/architecture/01-standards/microservices-patterns-complete.md +968 -0
- package/architecture/01-standards/microservices-patterns.md +495 -0
- package/architecture/01-standards/system-design-interview.md +664 -0
- package/architecture/02-playbooks/microservices-patterns-playbook.md +137 -0
- package/architecture/02-playbooks/migration-playbook.md +780 -0
- package/architecture/02-playbooks/system-design-playbook.md +779 -0
- package/architecture/03-checklists/architecture-decision-checklist.md +297 -0
- package/architecture/04-antipatterns/architecture-antipatterns.md +417 -0
- package/architecture/05-cases/case-netflix-microservices.md +413 -0
- package/architecture/06-glossary/architecture-glossary.md +164 -0
- package/architecture/adr-template-and-examples.md +38 -0
- package/architecture/api-gateway-deep-dive.md +1291 -0
- package/architecture/configuration-management.md +1162 -0
- package/architecture/distributed-transactions.md +1220 -0
- package/architecture/microservices-complete.md +735 -0
- package/architecture/resilience-and-disaster-patterns.md +37 -0
- package/architecture/service-governance.md +1198 -0
- package/architecture/system-architecture-deep-dive.md +37 -0
- package/backend/01-standards/analytics-and-growth.md +65 -0
- package/backend/01-standards/api-and-error-conventions.md +120 -0
- package/backend/01-standards/application-layering-and-packaging.md +160 -0
- package/backend/01-standards/auth-implementation.md +104 -0
- package/backend/01-standards/backend-framework-idioms.md +74 -0
- package/backend/01-standards/background-jobs-and-async.md +66 -0
- package/backend/01-standards/caching-strategies-complete.md +390 -0
- package/backend/01-standards/config-and-observability.md +77 -0
- package/backend/01-standards/data-modeling-and-persistence.md +94 -0
- package/backend/01-standards/django-complete.md +1765 -0
- package/backend/01-standards/email-and-notifications.md +64 -0
- package/backend/01-standards/fastapi-complete.md +925 -0
- package/backend/01-standards/file-upload-and-storage.md +66 -0
- package/backend/01-standards/graphql-api-complete.md +416 -0
- package/backend/01-standards/llm-application-standard.md +78 -0
- package/backend/01-standards/message-queue-patterns.md +379 -0
- package/backend/01-standards/microservices-and-distributed.md +78 -0
- package/backend/01-standards/nestjs-complete.md +2167 -0
- package/backend/01-standards/payment-integration.md +80 -0
- package/backend/01-standards/rate-limiting-complete.md +451 -0
- package/backend/01-standards/realtime-and-websocket.md +65 -0
- package/backend/01-standards/search-and-filtering.md +64 -0
- package/backend/01-standards/spring-boot-complete.md +445 -0
- package/backend/02-playbooks/api-design-playbook.md +718 -0
- package/backend/02-playbooks/email-send-playbook.md +130 -0
- package/backend/02-playbooks/file-upload-s3-playbook.md +153 -0
- package/backend/02-playbooks/typescript-enterprise-playbook.md +133 -0
- package/backend/02-playbooks/websocket-realtime-playbook.md +154 -0
- package/backend/03-checklists/api-launch-checklist.md +189 -0
- package/backend/04-antipatterns/backend-antipatterns.md +1051 -0
- package/blockchain/01-standards/blockchain-basics.md +557 -0
- package/blockchain/01-standards/smart-contract-development.md +1315 -0
- package/cicd/01-standards/deployment-and-delivery-standard.md +96 -0
- package/cicd/01-standards/github-actions-complete.md +473 -0
- package/cicd/01-standards/release-and-store-submission.md +75 -0
- package/cicd/02-playbooks/cicd-pipeline-playbook.md +144 -0
- package/cicd/02-playbooks/release-management-playbook.md +605 -0
- package/cicd/03-checklists/pipeline-security-checklist.md +168 -0
- package/cicd/04-antipatterns/cicd-antipatterns.md +589 -0
- package/cicd/05-cases/case-deployment-automation.md +221 -0
- package/cicd/05-cases/case-gitops-transformation.md +212 -0
- package/cicd/06-glossary/cicd-glossary.md +114 -0
- package/cicd/cicd-blueprint-deep-dive.md +38 -0
- package/cicd/release-readiness-gate.md +37 -0
- package/cloud-native/01-standards/container-security.md +741 -0
- package/cloud-native/01-standards/kubernetes-complete.md +812 -0
- package/cloud-native/02-playbooks/api-gateway-playbook.md +155 -0
- package/cloud-native/02-playbooks/gitops-with-argocd.md +760 -0
- package/cloud-native/02-playbooks/k8s-troubleshooting-playbook.md +1942 -0
- package/cloud-native/02-playbooks/message-queue-playbook.md +129 -0
- package/cloud-native/02-playbooks/multicloud-governance.md +726 -0
- package/cloud-native/02-playbooks/serverless-patterns.md +788 -0
- package/cloud-native/02-playbooks/service-mesh-playbook.md +612 -0
- package/cloud-native/02-playbooks/terraform-iac-playbook.md +143 -0
- package/cloud-native/03-checklists/container-security-checklist.md +431 -0
- package/cloud-native/03-checklists/k8s-production-readiness-checklist.md +460 -0
- package/cloud-native/04-antipatterns/container-antipatterns.md +660 -0
- package/cloud-native/04-antipatterns/k8s-antipatterns.md +743 -0
- package/cloud-native/05-cases/case-k8s-migration.md +478 -0
- package/cloud-native/05-cases/case-k8s-scaling.md +642 -0
- package/cloud-native/05-cases/case-k8s-security-incident.md +397 -0
- package/cloud-native/06-glossary/cloud-native-glossary.md +337 -0
- package/cross-platform/01-standards/cross-platform-frameworks.md +83 -0
- package/cross-platform/01-standards/platform-selection-and-architecture.md +77 -0
- package/data/01-standards/elasticsearch-complete.md +2098 -0
- package/data/01-standards/postgresql-complete.md +1613 -0
- package/data/01-standards/redis-complete.md +1527 -0
- package/data/02-playbooks/database-optimization-playbook.md +403 -0
- package/data/02-playbooks/elasticsearch-production-playbook.md +132 -0
- package/data/03-checklists/database-launch-checklist.md +187 -0
- package/data/04-antipatterns/database-antipatterns.md +873 -0
- package/data/05-cases/case-database-migration.md +310 -0
- package/data/06-glossary/database-glossary.md +440 -0
- package/data/data-governance-and-modeling-deep-dive.md +39 -0
- package/data-engineering/01-standards/airflow-complete.md +523 -0
- package/data-engineering/01-standards/kafka-complete.md +1521 -0
- package/data-engineering/02-playbooks/spark-etl-playbook.md +496 -0
- package/data-engineering/03-checklists/pipeline-launch-checklist.md +194 -0
- package/data-engineering/04-antipatterns/data-pipeline-antipatterns.md +684 -0
- package/data-engineering/05-cases/case-real-time-pipeline.md +355 -0
- package/data-engineering/06-glossary/data-engineering-glossary.md +429 -0
- package/database/01-standards/database-schema-standards.md +147 -0
- package/database/02-playbooks/postgresql-optimization-quick.md +52 -0
- package/database/02-playbooks/postgresql-performance-optimization.md +58 -0
- package/database/02-playbooks/postgresql-production-playbook.md +146 -0
- package/database/02-playbooks/redis-caching-playbook.md +117 -0
- package/database/03-checklists/database-review-checklist.md +50 -0
- package/database/04-antipatterns/database-antipatterns.md +112 -0
- package/design/01-standards/ui-design-system-complete.md +423 -0
- package/design/02-playbooks/design-handoff-playbook.md +254 -0
- package/design/02-playbooks/design-review-playbook.md +388 -0
- package/design/03-checklists/design-review-checklist.md +246 -0
- package/design/04-antipatterns/design-antipatterns.md +378 -0
- package/design/05-cases/case-design-system-adoption.md +328 -0
- package/design/06-glossary/design-glossary.md +329 -0
- package/design/ui-full-lifecycle-cross-platform-playbook.md +571 -0
- package/design/ux-system-deep-dive.md +38 -0
- package/design-systems/00-craft-rules.md +71 -0
- package/design-systems/aesthetic-families.md +43 -0
- package/design-systems/anti-ai-slop.md +162 -0
- package/design-systems/bold-geometric.md +120 -0
- package/design-systems/brutalist-bold.md +103 -0
- package/design-systems/editorial-clean.md +109 -0
- package/design-systems/glass-aurora.md +108 -0
- package/design-systems/modern-minimal.md +145 -0
- package/design-systems/premium-luxury.md +106 -0
- package/design-systems/product-type-design-map.md +48 -0
- package/design-systems/soft-warm.md +123 -0
- package/design-systems/tech-utility.md +113 -0
- package/desktop/01-standards/desktop-app-standard.md +72 -0
- package/desktop/01-standards/desktop-design.md +71 -0
- package/development/00-governance/document-template.md +41 -0
- package/development/01-standards/api-versioning-strategies.md +432 -0
- package/development/01-standards/authentication-patterns-complete.md +479 -0
- package/development/01-standards/css-architecture-complete.md +550 -0
- package/development/01-standards/database-migration-strategies.md +484 -0
- package/development/01-standards/elasticsearch-complete.md +347 -0
- package/development/01-standards/git-complete.md +371 -0
- package/development/01-standards/golang-complete.md +1565 -0
- package/development/01-standards/graphql-complete.md +298 -0
- package/development/01-standards/javascript-bundlers-complete.md +469 -0
- package/development/01-standards/javascript-typescript-complete.md +528 -0
- package/development/01-standards/jest-complete.md +275 -0
- package/development/01-standards/linux-complete.md +234 -0
- package/development/01-standards/logging-observability-complete.md +526 -0
- package/development/01-standards/microservices-communication.md +502 -0
- package/development/01-standards/mongodb-complete.md +406 -0
- package/development/01-standards/oauth2-complete.md +285 -0
- package/development/01-standards/performance-optimization-complete.md +289 -0
- package/development/01-standards/playwright-complete.md +247 -0
- package/development/01-standards/postgresql-complete.md +456 -0
- package/development/01-standards/pytest-complete.md +340 -0
- package/development/01-standards/python-async-programming.md +902 -0
- package/development/01-standards/python-complete.md +956 -0
- package/development/01-standards/python-decorators-complete.md +799 -0
- package/development/01-standards/python-design-patterns.md +2854 -0
- package/development/01-standards/python-packaging-distribution.md +420 -0
- package/development/01-standards/python-testing-strategies.md +607 -0
- package/development/01-standards/python-web-frameworks-comparison.md +471 -0
- package/development/01-standards/redis-complete.md +317 -0
- package/development/01-standards/rest-api-complete.md +316 -0
- package/development/01-standards/rust-complete.md +578 -0
- package/development/01-standards/typescript-advanced-types.md +1513 -0
- package/development/01-standards/web-security-complete.md +292 -0
- package/development/02-playbooks/api-design-playbook.md +810 -0
- package/development/02-playbooks/database-migration-playbook.md +580 -0
- package/development/02-playbooks/debugging-playbook.md +692 -0
- package/development/02-playbooks/feature-delivery-playbook.md +430 -0
- package/development/02-playbooks/incident-hotfix-playbook.md +387 -0
- package/development/02-playbooks/performance-optimization-playbook.md +531 -0
- package/development/02-playbooks/performance-tuning-playbook.md +652 -0
- package/development/02-playbooks/refactor-playbook.md +403 -0
- package/development/02-playbooks/release-playbook.md +469 -0
- package/development/03-checklists/architecture-review-checklist.md +168 -0
- package/development/03-checklists/data-migration-checklist.md +157 -0
- package/development/03-checklists/oncall-handover-checklist.md +173 -0
- package/development/03-checklists/pr-checklist.md +158 -0
- package/development/03-checklists/production-readiness-checklist.md +190 -0
- package/development/03-checklists/release-readiness-checklist.md +154 -0
- package/development/03-checklists/security-review-checklist.md +182 -0
- package/development/04-antipatterns/api-antipatterns.md +657 -0
- package/development/04-antipatterns/architecture-antipatterns.md +686 -0
- package/development/04-antipatterns/backend-antipatterns.md +648 -0
- package/development/04-antipatterns/cicd-antipatterns.md +540 -0
- package/development/04-antipatterns/code-smell-antipatterns.md +571 -0
- package/development/04-antipatterns/data-antipatterns.md +658 -0
- package/development/04-antipatterns/database-antipatterns.md +578 -0
- package/development/04-antipatterns/frontend-antipatterns.md +635 -0
- package/development/04-antipatterns/reliability-antipatterns.md +700 -0
- package/development/04-antipatterns/security-antipatterns.md +747 -0
- package/development/05-cases/case-api-version-migration.md +428 -0
- package/development/05-cases/case-authorization-hardening.md +383 -0
- package/development/05-cases/case-bluegreen-rollback.md +466 -0
- package/development/05-cases/case-cache-snowball-protection.md +485 -0
- package/development/05-cases/case-ci-cd-pipeline.md +544 -0
- package/development/05-cases/case-database-scaling.md +500 -0
- package/development/05-cases/case-db-hotspot-optimization.md +487 -0
- package/development/05-cases/case-incident-mttr-reduction.md +563 -0
- package/development/05-cases/case-microservice-migration.md +375 -0
- package/development/05-cases/case-performance-optimization.md +406 -0
- package/development/05-cases/case-security-incident-response.md +345 -0
- package/development/06-glossary/full-stack-glossary.md +166 -0
- package/development/09-maturity/quarterly-audit-template.md +35 -0
- package/development/11-ui-excellence/ui-aesthetic-system.md +41 -0
- package/development/11-ui-excellence/ui-engineering-excellence.md +435 -0
- package/development/12-scenarios/development-scenarios-guide.md +565 -0
- package/development/13-implementation-assets/implementation-toolkit.md +282 -0
- package/development/13-implementation-assets/knowledge-gates-execution.md +43 -0
- package/development/14-full-lifecycle/software-lifecycle-gates.md +511 -0
- package/development/15-lifecycle-templates/project-templates-collection.md +791 -0
- package/development/api-contract-and-versioning-guide.md +36 -0
- package/development/api-governance-complete.md +43 -0
- package/development/backend-engineering-complete.md +43 -0
- package/development/code-review-quality-complete.md +43 -0
- package/development/concurrency-reliability-complete.md +43 -0
- package/development/database-engineering-complete.md +43 -0
- package/development/engineering-effectiveness-complete.md +43 -0
- package/development/engineering-standards-deep-dive.md +38 -0
- package/development/frontend-engineering-complete.md +43 -0
- package/development/performance-capacity-complete.md +43 -0
- package/development/refactor-migration-complete.md +42 -0
- package/development/refactoring-and-techdebt-playbook.md +37 -0
- package/development/security-in-development-complete.md +43 -0
- package/devops/01-standards/cicd-pipeline-complete.md +262 -0
- package/devops/01-standards/docker-complete.md +1490 -0
- package/devops/01-standards/github-actions-complete.md +337 -0
- package/devops/01-standards/kubernetes-complete.md +638 -0
- package/devops/01-standards/terraform-complete.md +2117 -0
- package/devops/02-playbooks/docker-compose-playbook.md +233 -0
- package/devops/02-playbooks/docker-k8s-production-playbook.md +186 -0
- package/devops/02-playbooks/docker-production-playbook.md +952 -0
- package/edge-iot/01-standards/edge-iot-complete.md +473 -0
- package/experts/architect/api-design.md +178 -0
- package/experts/architect/methodology.md +124 -0
- package/experts/architect/security.md +75 -0
- package/experts/backend-lead/methodology.md +216 -0
- package/experts/devops/methodology.md +160 -0
- package/experts/frontend-lead/methodology.md +178 -0
- package/experts/product-manager/industry/ecommerce.md +43 -0
- package/experts/product-manager/industry/saas.md +40 -0
- package/experts/product-manager/methodology.md +97 -0
- package/experts/qa-lead/methodology.md +123 -0
- package/experts/qa-lead/test-strategy.md +128 -0
- package/experts/uiux-designer/methodology.md +125 -0
- package/frontend/01-standards/accessibility-complete.md +532 -0
- package/frontend/01-standards/accessibility-standard.md +74 -0
- package/frontend/01-standards/admin-dashboard-and-crud.md +72 -0
- package/frontend/01-standards/design-tokens-complete.md +444 -0
- package/frontend/01-standards/forms-and-validation.md +77 -0
- package/frontend/01-standards/frontend-architecture-and-layering.md +119 -0
- package/frontend/01-standards/i18n-and-localization.md +65 -0
- package/frontend/01-standards/nextjs-complete.md +451 -0
- package/frontend/01-standards/react-complete.md +713 -0
- package/frontend/01-standards/react-hooks-complete-guide.md +1100 -0
- package/frontend/01-standards/react-hooks-complete.md +1171 -0
- package/frontend/01-standards/seo-and-web-vitals.md +77 -0
- package/frontend/01-standards/state-management-complete.md +444 -0
- package/frontend/01-standards/vue-complete.md +499 -0
- package/frontend/01-standards/vue3-complete.md +2002 -0
- package/frontend/01-standards/web-framework-best-practices.md +64 -0
- package/frontend/01-standards/web-performance-complete.md +495 -0
- package/frontend/02-playbooks/accessibility-a11y-playbook.md +161 -0
- package/frontend/02-playbooks/frontend-performance-playbook.md +707 -0
- package/frontend/02-playbooks/i18n-internationalization-playbook.md +120 -0
- package/frontend/02-playbooks/performance-optimization-playbook.md +163 -0
- package/frontend/02-playbooks/react-nextjs-production-playbook.md +167 -0
- package/frontend/02-playbooks/react-state-management-playbook.md +173 -0
- package/frontend/03-checklists/component-quality-checklist.md +166 -0
- package/frontend/03-checklists/frontend-launch-checklist.md +299 -0
- package/frontend/04-antipatterns/frontend-antipatterns.md +886 -0
- package/frontend/05-cases/case-performance-optimization.md +274 -0
- package/harmony/01-standards/harmonyos-arkts-standard.md +75 -0
- package/harmony/01-standards/harmonyos-design.md +65 -0
- package/high-quality-engineering-playbook.md +54 -0
- package/incident/01-standards/incident-response-complete.md +303 -0
- package/incident/02-playbooks/chaos-engineering-playbook.md +883 -0
- package/incident/02-playbooks/postmortem-playbook.md +398 -0
- package/incident/03-checklists/incident-readiness-checklist.md +181 -0
- package/incident/04-antipatterns/incident-antipatterns.md +490 -0
- package/incident/05-cases/case-cascade-failure.md +176 -0
- package/incident/06-glossary/incident-glossary.md +114 -0
- package/incident/postmortem-and-response-deep-dive.md +39 -0
- package/industries/ecommerce/ecommerce-complete.md +631 -0
- package/industries/education/education-complete.md +555 -0
- package/industries/fintech/fintech-complete.md +501 -0
- package/industries/gaming/gaming-complete.md +587 -0
- package/industries/healthcare/healthcare-complete.md +452 -0
- package/low-code/01-standards/low-code-complete.md +944 -0
- package/miniprogram/01-standards/ai-common-mistakes.md +61 -0
- package/miniprogram/01-standards/miniprogram-custom-navbar-capsule.md +77 -0
- package/miniprogram/01-standards/miniprogram-design.md +61 -0
- package/miniprogram/01-standards/miniprogram-standard.md +81 -0
- package/mobile/01-standards/android-material-design.md +70 -0
- package/mobile/01-standards/flutter-complete.md +384 -0
- package/mobile/01-standards/ios-design-hig.md +78 -0
- package/mobile/01-standards/mobile-app-standard.md +85 -0
- package/mobile/01-standards/react-native-complete.md +352 -0
- package/mobile/02-playbooks/mobile-cross-platform-playbook.md +175 -0
- package/mobile/02-playbooks/mobile-performance.md +473 -0
- package/mobile/03-checklists/mobile-release-checklist.md +234 -0
- package/mobile/04-antipatterns/mobile-antipatterns.md +798 -0
- package/mobile/05-cases/case-app-performance.md +500 -0
- package/mobile/05-cases/case-app-startup-optimization.md +218 -0
- package/mobile/06-glossary/mobile-glossary.md +484 -0
- package/observability/01-standards/observability-standards.md +103 -0
- package/observability/02-playbooks/prometheus-grafana-playbook.md +135 -0
- package/observability/02-playbooks/structured-logging-playbook.md +73 -0
- package/observability/03-checklists/observability-checklist.md +54 -0
- package/observability/04-antipatterns/observability-antipatterns.md +106 -0
- package/operations/01-standards/prometheus-monitoring-complete.md +1578 -0
- package/operations/02-playbooks/capacity-planning-playbook.md +620 -0
- package/operations/03-checklists/production-launch-checklist.md +365 -0
- package/operations/04-antipatterns/operations-antipatterns.md +664 -0
- package/operations/05-cases/case-sre-practices.md +581 -0
- package/operations/06-glossary/operations-glossary.md +120 -0
- package/operations/aiops-anomaly-detection.md +758 -0
- package/operations/capacity-planning.md +1061 -0
- package/operations/chaos-engineering.md +659 -0
- package/operations/incident-command-system.md +38 -0
- package/operations/observability-complete.md +442 -0
- package/operations/slo-sli-playbook.md +517 -0
- package/operations/sre-operations-deep-dive.md +39 -0
- package/package.json +8 -0
- package/performance/01-standards/performance-and-scalability.md +80 -0
- package/performance/01-standards/performance-standards.md +156 -0
- package/performance/02-playbooks/query-optimization-playbook.md +103 -0
- package/performance/03-checklists/performance-checklist.md +56 -0
- package/performance/04-antipatterns/performance-antipatterns.md +146 -0
- package/product/01-standards/product-management-complete.md +285 -0
- package/product/02-playbooks/feature-launch-playbook.md +207 -0
- package/product/02-playbooks/user-research-playbook.md +532 -0
- package/product/03-checklists/feature-launch-checklist.md +275 -0
- package/product/04-antipatterns/product-antipatterns.md +355 -0
- package/product/05-cases/case-mvp-to-scale.md +384 -0
- package/product/06-glossary/product-glossary.md +462 -0
- package/product/feature-prioritization-framework.md +40 -0
- package/product/kpi-and-metric-tree.md +37 -0
- package/product/product-discovery-and-prd-deep-dive.md +41 -0
- package/quantum/01-standards/quantum-complete.md +1186 -0
- package/security/01-standards/api-security-complete.md +511 -0
- package/security/01-standards/container-runtime-security.md +574 -0
- package/security/01-standards/data-protection-gdpr.md +543 -0
- package/security/01-standards/owasp-top10-complete.md +1890 -0
- package/security/01-standards/secure-coding-baseline.md +90 -0
- package/security/01-standards/supply-chain-security.md +441 -0
- package/security/01-standards/web-security-checklist.md +108 -0
- package/security/01-standards/zero-trust-architecture.md +521 -0
- package/security/02-playbooks/auth-sso-playbook.md +166 -0
- package/security/02-playbooks/incident-response-security-playbook.md +588 -0
- package/security/02-playbooks/owasp-api-security-playbook.md +129 -0
- package/security/02-playbooks/payment-integration-playbook.md +119 -0
- package/security/02-playbooks/penetration-testing-playbook.md +517 -0
- package/security/03-checklists/security-audit-checklist.md +356 -0
- package/security/04-antipatterns/security-coding-antipatterns.md +580 -0
- package/security/05-cases/case-log4shell-incident.md +537 -0
- package/security/05-cases/case-major-breaches.md +468 -0
- package/security/06-glossary/security-glossary.md +212 -0
- package/security/compliance-automation.md +993 -0
- package/security/container-security.md +680 -0
- package/security/devsecops-complete.md +426 -0
- package/security/sast-dast-sca.md +775 -0
- package/security/secrets-management.md +594 -0
- package/security/security-architecture-deep-dive.md +37 -0
- package/security/threat-modeling-stride-playbook.md +40 -0
- package/seed-templates/auth-system.md +59 -0
- package/seed-templates/blog-content.md +94 -0
- package/seed-templates/dashboard.md +89 -0
- package/seed-templates/docs-site.md +73 -0
- package/seed-templates/e-commerce.md +50 -0
- package/seed-templates/saas-landing.md +92 -0
- package/seed-templates/settings-page.md +51 -0
- package/testing/01-standards/test-strategy-and-layering.md +83 -0
- package/testing/01-standards/testing-strategy-complete.md +422 -0
- package/testing/01-standards/unit-testing-best-practices.md +118 -0
- package/testing/02-playbooks/e2e-testing-playbook.md +988 -0
- package/testing/02-playbooks/testing-strategy-playbook.md +126 -0
- package/testing/03-checklists/test-strategy-checklist.md +208 -0
- package/testing/04-antipatterns/testing-antipatterns.md +718 -0
- package/testing/05-cases/case-testing-transformation.md +300 -0
- package/testing/06-glossary/testing-glossary.md +110 -0
- package/testing/risk-based-test-matrix.md +36 -0
- package/testing/testing-strategy-deep-dive.md +37 -0
|
@@ -0,0 +1,143 @@
|
|
|
1
|
+
---
|
|
2
|
+
id: terraform-iac-playbook
|
|
3
|
+
title: Terraform IaC 生产实战手册
|
|
4
|
+
domain: cloud-native
|
|
5
|
+
category: 02-playbooks
|
|
6
|
+
difficulty: advanced
|
|
7
|
+
tags: [terraform, iac, infrastructure-as-code, modules, state, remote-state, aws, azure, gcp, production, enterprise]
|
|
8
|
+
quality_score: 94
|
|
9
|
+
maintainer: devops-team@umadev.com
|
|
10
|
+
last_updated: 2026-06-15
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
# Terraform IaC 生产实战手册
|
|
14
|
+
|
|
15
|
+
> 基于 [Spacelift 21 Best Practices](https://spacelift.io/blog/terraform-best-practices) + [Terrateam 2025 Practices](https://terrateam.io/blog/terraform-best-practices) + [Dev.to State Management Deep Dive](https://dev.to/zopdev/the-terraform-state-management-challenge-a-deep-dive-into-its-pitfalls-and-solutions-2025)
|
|
16
|
+
|
|
17
|
+
## State 管理(最关键)
|
|
18
|
+
|
|
19
|
+
### 远程 State(必须!)
|
|
20
|
+
```hcl
|
|
21
|
+
# ❌ 本地 state(团队协作灾难:覆盖、丢失、冲突)
|
|
22
|
+
terraform apply # 写 terraform.tfstate 到本地
|
|
23
|
+
|
|
24
|
+
# ✅ 远程 state(S3 + DynamoDB 锁)
|
|
25
|
+
terraform {
|
|
26
|
+
backend "s3" {
|
|
27
|
+
bucket = "my-tf-state"
|
|
28
|
+
key = "prod/terraform.tfstate"
|
|
29
|
+
region = "us-east-1"
|
|
30
|
+
dynamodb_table = "tf-locks" # 防并发写入
|
|
31
|
+
encrypt = true # 加密 state(含密钥!)
|
|
32
|
+
}
|
|
33
|
+
}
|
|
34
|
+
```
|
|
35
|
+
|
|
36
|
+
### State 隔离
|
|
37
|
+
```hcl
|
|
38
|
+
# ❌ 所有环境共用一个 state(改 prod 意外影响 dev)
|
|
39
|
+
# prod/terraform.tfstate 包含 dev + staging + prod 资源
|
|
40
|
+
|
|
41
|
+
# ✅ 按环境隔离 state
|
|
42
|
+
# dev/terraform.tfstate
|
|
43
|
+
# staging/terraform.tfstate
|
|
44
|
+
# prod/terraform.tfstate
|
|
45
|
+
# 用 Terragrunt 或 workspaces 管理
|
|
46
|
+
```
|
|
47
|
+
|
|
48
|
+
### State 安全
|
|
49
|
+
- [ ] State 文件加密(`encrypt = true`)
|
|
50
|
+
- [ ] State 不入 Git(`.gitignore` 加 `*.tfstate`)
|
|
51
|
+
- [ ] S3 bucket 版本控制(误删可恢复)
|
|
52
|
+
- [ ] DynamoDB 锁(防并发 `apply`)
|
|
53
|
+
- [ ] IAM 限制访问(只有 CI 能写 prod state)
|
|
54
|
+
|
|
55
|
+
## Module 最佳实践
|
|
56
|
+
|
|
57
|
+
```hcl
|
|
58
|
+
# ✅ 模块化(可复用 + 可测试)
|
|
59
|
+
module "web_app" {
|
|
60
|
+
source = "./modules/web-app" # 本地模块
|
|
61
|
+
# 或 source = "terraform-aws-modules/ec2-instance/aws" # 社区模块
|
|
62
|
+
|
|
63
|
+
name = "prod-app"
|
|
64
|
+
instance_type = "t3.medium"
|
|
65
|
+
min_size = 2
|
|
66
|
+
max_size = 10
|
|
67
|
+
environment = "prod"
|
|
68
|
+
}
|
|
69
|
+
|
|
70
|
+
# modules/web-app/main.tf — 模块内只声明资源
|
|
71
|
+
resource "aws_launch_template" "app" {
|
|
72
|
+
name = var.name
|
|
73
|
+
image_id = data.aws_ami.app.id
|
|
74
|
+
instance_type = var.instance_type
|
|
75
|
+
user_data = base64encode(templatefile("${path.module}/userdata.sh", {
|
|
76
|
+
environment = var.environment
|
|
77
|
+
}))
|
|
78
|
+
}
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### 模块原则
|
|
82
|
+
- **单一职责**:一个模块管一类资源(VPC / DB / App)
|
|
83
|
+
- **版本化**:`source = "git::https://...?ref=v1.2.0"`
|
|
84
|
+
- **变量有默认值** + **输出明确**
|
|
85
|
+
- **不用 `count` 控制资源有无**(用条件表达式)
|
|
86
|
+
- **`terraform validate` + `fmt` 在 CI 强制**
|
|
87
|
+
|
|
88
|
+
## 变量与环境管理
|
|
89
|
+
|
|
90
|
+
```hcl
|
|
91
|
+
# ✅ 每个环境有独立的 tfvars
|
|
92
|
+
# environments/dev.tfvars
|
|
93
|
+
instance_type = "t3.small"
|
|
94
|
+
min_size = 1
|
|
95
|
+
|
|
96
|
+
# environments/prod.tfvars
|
|
97
|
+
instance_type = "t3.large"
|
|
98
|
+
min_size = 3
|
|
99
|
+
|
|
100
|
+
# 部署
|
|
101
|
+
terraform plan -var-file="environments/prod.tfvars"
|
|
102
|
+
```
|
|
103
|
+
|
|
104
|
+
### 密钥处理
|
|
105
|
+
```hcl
|
|
106
|
+
# ❌ 密钥写在 tfvars(会进 state 文件!明文!)
|
|
107
|
+
db_password = "super_secret_123"
|
|
108
|
+
|
|
109
|
+
# ✅ 密钥从 Secrets Manager / SSM 读取(不进 state)
|
|
110
|
+
data "aws_secretsmanager_secret_version" "db" {
|
|
111
|
+
secret_id = "prod/db-password"
|
|
112
|
+
}
|
|
113
|
+
resource "aws_db_instance" "main" {
|
|
114
|
+
password = jsondecode(data.aws_secretsmanager_secret_version.db.secret_string)["password"]
|
|
115
|
+
}
|
|
116
|
+
```
|
|
117
|
+
|
|
118
|
+
## CI/CD 集成
|
|
119
|
+
|
|
120
|
+
```yaml
|
|
121
|
+
# .github/workflows/terraform.yml
|
|
122
|
+
- name: Terraform Format
|
|
123
|
+
run: terraform fmt -check
|
|
124
|
+
- name: Terraform Validate
|
|
125
|
+
run: terraform validate
|
|
126
|
+
- name: Terraform Plan
|
|
127
|
+
run: terraform plan -var-file="prod.tfvars"
|
|
128
|
+
# PR 上显示 plan 结果(人类审查)
|
|
129
|
+
- name: Terraform Apply (only on merge to main)
|
|
130
|
+
if: github.ref == 'refs/heads/main'
|
|
131
|
+
run: terraform apply -auto-approve -var-file="prod.tfvars"
|
|
132
|
+
```
|
|
133
|
+
|
|
134
|
+
## 生产检查清单
|
|
135
|
+
- [ ] 远程 state(S3 + DynamoDB lock)
|
|
136
|
+
- [ ] State 加密 + 不入 Git
|
|
137
|
+
- [ ] 按环境隔离 state
|
|
138
|
+
- [ ] 密钥从 Secrets Manager 读取(不进 tfvars/state)
|
|
139
|
+
- [ ] 模块化(自定义模块或社区模块)
|
|
140
|
+
- [ ] CI 强制 `fmt` + `validate` + `plan` 审查
|
|
141
|
+
- [ ] `terraform import` 导入已有资源(不用手动重建)
|
|
142
|
+
- [ ] `terraform state rm` 清理残留
|
|
143
|
+
- [ ] 定期 `terraform plan` 检查 drift
|
|
@@ -0,0 +1,431 @@
|
|
|
1
|
+
---
|
|
2
|
+
title: 容器安全检查清单
|
|
3
|
+
version: 1.0.0
|
|
4
|
+
last_updated: 2025-03-20
|
|
5
|
+
owner: security-team
|
|
6
|
+
tags: [container, security, docker, checklist]
|
|
7
|
+
status: production
|
|
8
|
+
domain: cloud-native
|
|
9
|
+
difficulty: intermediate
|
|
10
|
+
quality_score: 70
|
|
11
|
+
---
|
|
12
|
+
|
|
13
|
+
# 开发:Excellent(11964948@qq.com)
|
|
14
|
+
# 功能:容器安全全面检查清单
|
|
15
|
+
# 作用:确保容器镜像和运行时满足安全标准
|
|
16
|
+
# 创建时间:2025-03-20
|
|
17
|
+
# 最后修改:2025-03-20
|
|
18
|
+
|
|
19
|
+
## 概述
|
|
20
|
+
|
|
21
|
+
本检查清单覆盖容器安全的全生命周期,包括镜像构建、运行时配置、网络安全和持续监控。
|
|
22
|
+
|
|
23
|
+
**检查项分类:**
|
|
24
|
+
- [P0] 必须完成(阻塞发布)
|
|
25
|
+
- [P1] 强烈建议(应在发布前完成)
|
|
26
|
+
- [P2] 推荐完成(可后续迭代)
|
|
27
|
+
|
|
28
|
+
---
|
|
29
|
+
|
|
30
|
+
## 1. 镜像安全
|
|
31
|
+
|
|
32
|
+
### 1.1 基础镜像 [P0]
|
|
33
|
+
|
|
34
|
+
- [ ] **官方镜像**:使用官方维护的基础镜像
|
|
35
|
+
- [ ] **版本固定**:使用确定版本标签(如 `python:3.11-slim`),禁止 `latest`
|
|
36
|
+
- [ ] **Digest 验证**:使用镜像 digest 进行完整性验证
|
|
37
|
+
- [ ] **最小化镜像**:优先选择 alpine/distroless 等小镜像
|
|
38
|
+
- [ ] **镜像来源可信**:镜像来自可信仓库
|
|
39
|
+
|
|
40
|
+
```dockerfile
|
|
41
|
+
# [DONE] 正确示例
|
|
42
|
+
FROM python:3.11-slim-bookworm@sha256:abc123...
|
|
43
|
+
|
|
44
|
+
# [FAIL] 错误示例
|
|
45
|
+
FROM python:latest
|
|
46
|
+
FROM ubuntu # 无版本标签
|
|
47
|
+
```
|
|
48
|
+
|
|
49
|
+
### 1.2 漏洞扫描 [P0]
|
|
50
|
+
|
|
51
|
+
- [ ] **扫描工具配置**:配置漏洞扫描工具(Trivy/Clair/Grype)
|
|
52
|
+
- [ ] **无严重漏洞**:无 Critical 级别漏洞
|
|
53
|
+
- [ ] **无高危漏洞**:无 High 级别漏洞(或已评估风险)
|
|
54
|
+
- [ ] **定期扫描**:配置定期扫描计划
|
|
55
|
+
- [ ] **基线镜像扫描**:基础镜像更新时重新扫描
|
|
56
|
+
|
|
57
|
+
```bash
|
|
58
|
+
# Trivy 扫描示例
|
|
59
|
+
trivy image --severity HIGH,CRITICAL --exit-code 1 myimage:v1.0.0
|
|
60
|
+
|
|
61
|
+
# 输出示例
|
|
62
|
+
# Total: 0 (CRITICAL: 0, HIGH: 0)
|
|
63
|
+
```
|
|
64
|
+
|
|
65
|
+
### 1.3 镜像签名 [P1]
|
|
66
|
+
|
|
67
|
+
- [ ] **签名工具**:配置镜像签名工具(cosign/Notary)
|
|
68
|
+
- [ ] **镜像已签名**:所有生产镜像已签名
|
|
69
|
+
- [ ] **签名验证**:部署时验证签名
|
|
70
|
+
- [ ] **密钥管理**:签名密钥安全存储
|
|
71
|
+
- [ ] **签名策略**:定义签名策略
|
|
72
|
+
|
|
73
|
+
```bash
|
|
74
|
+
# cosign 签名
|
|
75
|
+
cosign sign --key cosign.key myimage:v1.0.0
|
|
76
|
+
|
|
77
|
+
# cosign 验证
|
|
78
|
+
cosign verify --key cosign.pub myimage:v1.0.0
|
|
79
|
+
```
|
|
80
|
+
|
|
81
|
+
### 1.4 敏感信息 [P0]
|
|
82
|
+
|
|
83
|
+
- [ ] **无硬编码密钥**:镜像中无硬编码密码/密钥
|
|
84
|
+
- [ ] **无敏感文件**:.env、credentials 等文件已排除
|
|
85
|
+
- [ ] **.dockerignore 配置**:正确配置 .dockerignore
|
|
86
|
+
- [ ] **构建参数安全**:ARG 参数不包含敏感信息
|
|
87
|
+
- [ ] **历史记录清理**:镜像层中无敏感信息
|
|
88
|
+
|
|
89
|
+
```dockerfile
|
|
90
|
+
# .dockerignore 示例
|
|
91
|
+
.env
|
|
92
|
+
.env.*
|
|
93
|
+
credentials.json
|
|
94
|
+
*.key
|
|
95
|
+
*.pem
|
|
96
|
+
.git
|
|
97
|
+
```
|
|
98
|
+
|
|
99
|
+
---
|
|
100
|
+
|
|
101
|
+
## 2. 构建安全
|
|
102
|
+
|
|
103
|
+
### 2.1 Dockerfile 安全 [P0]
|
|
104
|
+
|
|
105
|
+
- [ ] **非 root 用户**:创建并切换到非 root 用户
|
|
106
|
+
- [ ] **最小权限**:仅安装必要软件包
|
|
107
|
+
- [ ] **层优化**:减少镜像层数
|
|
108
|
+
- [ ] **缓存清理**:安装后清理包管理器缓存
|
|
109
|
+
- [ ] **无敏感信息**:Dockerfile 中无密码/密钥
|
|
110
|
+
|
|
111
|
+
```dockerfile
|
|
112
|
+
# [DONE] 安全 Dockerfile
|
|
113
|
+
FROM python:3.11-slim AS builder
|
|
114
|
+
WORKDIR /app
|
|
115
|
+
COPY requirements.txt .
|
|
116
|
+
RUN pip install --no-cache-dir -r requirements.txt
|
|
117
|
+
|
|
118
|
+
FROM python:3.11-slim
|
|
119
|
+
RUN groupadd -r appgroup && useradd -r -g appgroup appuser
|
|
120
|
+
WORKDIR /app
|
|
121
|
+
COPY --from=builder /usr/local/lib/python3.11/site-packages /usr/local/lib/python3.11/site-packages
|
|
122
|
+
COPY --chown=appuser:appgroup . .
|
|
123
|
+
USER appuser
|
|
124
|
+
CMD ["python", "app.py"]
|
|
125
|
+
```
|
|
126
|
+
|
|
127
|
+
### 2.2 多阶段构建 [P1]
|
|
128
|
+
|
|
129
|
+
- [ ] **使用多阶段构建**:分离构建和运行环境
|
|
130
|
+
- [ ] **构建工具隔离**:构建工具不进入最终镜像
|
|
131
|
+
- [ ] **最小化最终镜像**:最终镜像仅包含运行时必需文件
|
|
132
|
+
|
|
133
|
+
```dockerfile
|
|
134
|
+
# 多阶段构建示例
|
|
135
|
+
FROM golang:1.21 AS builder
|
|
136
|
+
WORKDIR /app
|
|
137
|
+
COPY . .
|
|
138
|
+
RUN CGO_ENABLED=0 go build -o app
|
|
139
|
+
|
|
140
|
+
FROM gcr.io/distroless/static-debian12
|
|
141
|
+
COPY --from=builder /app/app /
|
|
142
|
+
USER nonroot:nonroot
|
|
143
|
+
ENTRYPOINT ["/app"]
|
|
144
|
+
```
|
|
145
|
+
|
|
146
|
+
### 2.3 依赖管理 [P0]
|
|
147
|
+
|
|
148
|
+
- [ ] **依赖锁定**:使用 lock 文件固定依赖版本
|
|
149
|
+
- [ ] **依赖扫描**:扫描依赖漏洞
|
|
150
|
+
- [ ] **最小依赖**:仅安装必要依赖
|
|
151
|
+
- [ ] **可信源**:依赖来自可信源
|
|
152
|
+
|
|
153
|
+
---
|
|
154
|
+
|
|
155
|
+
## 3. 运行时安全
|
|
156
|
+
|
|
157
|
+
### 3.1 用户权限 [P0]
|
|
158
|
+
|
|
159
|
+
- [ ] **非 root 运行**:容器以非 root 用户运行
|
|
160
|
+
- [ ] **用户 ID 固定**:指定确定的 UID/GID
|
|
161
|
+
- [ ] **禁止 root 容器**:禁止使用 root 用户
|
|
162
|
+
- [ ] **用户命名空间**:启用用户命名空间(如可能)
|
|
163
|
+
|
|
164
|
+
```yaml
|
|
165
|
+
# Kubernetes Pod 安全配置
|
|
166
|
+
securityContext:
|
|
167
|
+
runAsNonRoot: true
|
|
168
|
+
runAsUser: 1000
|
|
169
|
+
runAsGroup: 1000
|
|
170
|
+
fsGroup: 1000
|
|
171
|
+
```
|
|
172
|
+
|
|
173
|
+
### 3.2 能力限制 [P0]
|
|
174
|
+
|
|
175
|
+
- [ ] **丢弃所有能力**:`capabilities.drop: [ALL]`
|
|
176
|
+
- [ ] **最小能力**:仅添加必需能力
|
|
177
|
+
- [ ] **禁止特权**:`privileged: false`
|
|
178
|
+
- [ ] **禁止特权提升**:`allowPrivilegeEscalation: false`
|
|
179
|
+
|
|
180
|
+
```yaml
|
|
181
|
+
# 能力限制配置
|
|
182
|
+
securityContext:
|
|
183
|
+
allowPrivilegeEscalation: false
|
|
184
|
+
capabilities:
|
|
185
|
+
drop:
|
|
186
|
+
- ALL
|
|
187
|
+
# add: [] # 仅在必要时添加
|
|
188
|
+
```
|
|
189
|
+
|
|
190
|
+
### 3.3 文件系统 [P0]
|
|
191
|
+
|
|
192
|
+
- [ ] **只读根文件系统**:`readOnlyRootFilesystem: true`
|
|
193
|
+
- [ ] **临时目录挂载**:需要写入的目录挂载 emptyDir
|
|
194
|
+
- [ ] **禁止挂载主机**:不挂载主机敏感目录
|
|
195
|
+
- [ ] **文件系统类型限制**:限制文件系统类型
|
|
196
|
+
|
|
197
|
+
```yaml
|
|
198
|
+
# 只读根文件系统
|
|
199
|
+
securityContext:
|
|
200
|
+
readOnlyRootFilesystem: true
|
|
201
|
+
volumeMounts:
|
|
202
|
+
- name: tmp
|
|
203
|
+
mountPath: /tmp
|
|
204
|
+
- name: cache
|
|
205
|
+
mountPath: /var/cache
|
|
206
|
+
volumes:
|
|
207
|
+
- name: tmp
|
|
208
|
+
emptyDir: {}
|
|
209
|
+
- name: cache
|
|
210
|
+
emptyDir:
|
|
211
|
+
sizeLimit: "100Mi"
|
|
212
|
+
```
|
|
213
|
+
|
|
214
|
+
### 3.4 Seccomp/AppArmor [P1]
|
|
215
|
+
|
|
216
|
+
- [ ] **Seccomp 配置**:启用 seccomp 配置
|
|
217
|
+
- [ ] **AppArmor 配置**:启用 AppArmor 配置
|
|
218
|
+
- [ ] **默认配置使用**:使用 RuntimeDefault
|
|
219
|
+
|
|
220
|
+
```yaml
|
|
221
|
+
# Seccomp 配置
|
|
222
|
+
securityContext:
|
|
223
|
+
seccompProfile:
|
|
224
|
+
type: RuntimeDefault
|
|
225
|
+
|
|
226
|
+
# AppArmor 注解
|
|
227
|
+
annotations:
|
|
228
|
+
container.apparmor.security.beta.kubernetes.io/app: localhost/apparmor-profile
|
|
229
|
+
```
|
|
230
|
+
|
|
231
|
+
---
|
|
232
|
+
|
|
233
|
+
## 4. 网络安全
|
|
234
|
+
|
|
235
|
+
### 4.1 网络隔离 [P0]
|
|
236
|
+
|
|
237
|
+
- [ ] **网络策略配置**:NetworkPolicy 已配置
|
|
238
|
+
- [ ] **默认拒绝入站**:入站流量默认拒绝
|
|
239
|
+
- [ ] **默认拒绝出站**:出站流量默认拒绝
|
|
240
|
+
- [ ] **最小访问**:仅允许必要通信
|
|
241
|
+
- [ ] **命名空间隔离**:跨命名空间访问控制
|
|
242
|
+
|
|
243
|
+
```yaml
|
|
244
|
+
# 默认拒绝策略
|
|
245
|
+
apiVersion: networking.k8s.io/v1
|
|
246
|
+
kind: NetworkPolicy
|
|
247
|
+
metadata:
|
|
248
|
+
name: default-deny-all
|
|
249
|
+
spec:
|
|
250
|
+
podSelector: {}
|
|
251
|
+
policyTypes:
|
|
252
|
+
- Ingress
|
|
253
|
+
- Egress
|
|
254
|
+
```
|
|
255
|
+
|
|
256
|
+
### 4.2 端口管理 [P0]
|
|
257
|
+
|
|
258
|
+
- [ ] **最小暴露端口**:仅暴露必要端口
|
|
259
|
+
- [ ] **端口范围**:不使用特权端口(< 1024)
|
|
260
|
+
- [ ] **端口命名**:端口有明确命名
|
|
261
|
+
|
|
262
|
+
### 4.3 服务访问 [P0]
|
|
263
|
+
|
|
264
|
+
- [ ] **服务网格**:使用服务网格进行 mTLS
|
|
265
|
+
- [ ] **Ingress 安全**:Ingress 配置 TLS
|
|
266
|
+
- [ ] **API 网关**:通过 API 网关访问
|
|
267
|
+
- [ ] **限流配置**:配置 API 限流
|
|
268
|
+
|
|
269
|
+
---
|
|
270
|
+
|
|
271
|
+
## 5. Secret 管理
|
|
272
|
+
|
|
273
|
+
### 5.1 Secret 存储 [P0]
|
|
274
|
+
|
|
275
|
+
- [ ] **无明文 Secret**:Secret 不以明文存储
|
|
276
|
+
- [ ] **etcd 加密**:etcd 启用加密
|
|
277
|
+
- [ ] **外部密钥管理**:敏感 Secret 使用外部 KMS
|
|
278
|
+
- [ ] **Secret 轮换**:定期轮换 Secret
|
|
279
|
+
|
|
280
|
+
```yaml
|
|
281
|
+
# External Secrets 配置
|
|
282
|
+
apiVersion: external-secrets.io/v1beta1
|
|
283
|
+
kind: ExternalSecret
|
|
284
|
+
metadata:
|
|
285
|
+
name: db-credentials
|
|
286
|
+
spec:
|
|
287
|
+
secretStoreRef:
|
|
288
|
+
name: vault-backend
|
|
289
|
+
target:
|
|
290
|
+
name: db-credentials
|
|
291
|
+
data:
|
|
292
|
+
- secretKey: password
|
|
293
|
+
remoteRef:
|
|
294
|
+
key: secret/data/production/database
|
|
295
|
+
property: password
|
|
296
|
+
```
|
|
297
|
+
|
|
298
|
+
### 5.2 Secret 访问 [P0]
|
|
299
|
+
|
|
300
|
+
- [ ] **最小访问**:RBAC 限制 Secret 访问
|
|
301
|
+
- [ ] **命名空间隔离**:Secret 不跨命名空间共享
|
|
302
|
+
- [ ] **审计日志**:Secret 访问有审计日志
|
|
303
|
+
|
|
304
|
+
---
|
|
305
|
+
|
|
306
|
+
## 6. 资源限制
|
|
307
|
+
|
|
308
|
+
### 6.1 资源配额 [P0]
|
|
309
|
+
|
|
310
|
+
- [ ] **CPU 限制**:limits.cpu 已配置
|
|
311
|
+
- [ ] **内存限制**:limits.memory 已配置
|
|
312
|
+
- [ ] **资源请求**:requests 已配置
|
|
313
|
+
- [ ] **合理配置**:资源配置经过测试验证
|
|
314
|
+
|
|
315
|
+
```yaml
|
|
316
|
+
# 资源配置
|
|
317
|
+
resources:
|
|
318
|
+
requests:
|
|
319
|
+
cpu: "100m"
|
|
320
|
+
memory: "128Mi"
|
|
321
|
+
limits:
|
|
322
|
+
cpu: "500m"
|
|
323
|
+
memory: "512Mi"
|
|
324
|
+
```
|
|
325
|
+
|
|
326
|
+
### 6.2 限制范围 [P1]
|
|
327
|
+
|
|
328
|
+
- [ ] **LimitRange 配置**:命名空间配置 LimitRange
|
|
329
|
+
- [ ] **ResourceQuota 配置**:命名空间配置 ResourceQuota
|
|
330
|
+
- [ ] **防止资源耗尽**:防止资源过度使用
|
|
331
|
+
|
|
332
|
+
---
|
|
333
|
+
|
|
334
|
+
## 7. 监控与审计
|
|
335
|
+
|
|
336
|
+
### 7.1 运行时监控 [P0]
|
|
337
|
+
|
|
338
|
+
- [ ] **容器运行时安全**:部署运行时安全工具(Falco)
|
|
339
|
+
- [ ] **异常检测**:检测异常行为
|
|
340
|
+
- [ ] **实时告警**:安全事件实时告警
|
|
341
|
+
- [ ] **日志采集**:安全日志集中采集
|
|
342
|
+
|
|
343
|
+
```yaml
|
|
344
|
+
# Falco 规则示例
|
|
345
|
+
- rule: Container Drift Detected
|
|
346
|
+
desc: Detect if a container has been modified at runtime
|
|
347
|
+
condition: >
|
|
348
|
+
spawned_process and container and
|
|
349
|
+
proc.name in (apt, apt-get, yum, dnf, apk, pip, npm, gem)
|
|
350
|
+
output: >
|
|
351
|
+
Container drift detected (user=%user.name container=%container.id
|
|
352
|
+
process=%proc.name parent=%proc.pname)
|
|
353
|
+
priority: WARNING
|
|
354
|
+
```
|
|
355
|
+
|
|
356
|
+
### 7.2 审计日志 [P0]
|
|
357
|
+
|
|
358
|
+
- [ ] **Kubernetes 审计**:启用 API Server 审计
|
|
359
|
+
- [ ] **日志完整性**:日志不可篡改
|
|
360
|
+
- [ ] **日志保留**:日志保留符合合规要求
|
|
361
|
+
- [ ] **日志分析**:定期分析审计日志
|
|
362
|
+
|
|
363
|
+
```yaml
|
|
364
|
+
# 审计策略配置
|
|
365
|
+
apiVersion: audit.k8s.io/v1
|
|
366
|
+
kind: Policy
|
|
367
|
+
rules:
|
|
368
|
+
- level: RequestResponse
|
|
369
|
+
resources:
|
|
370
|
+
- group: ""
|
|
371
|
+
resources: ["secrets"]
|
|
372
|
+
verbs: ["get", "create", "update", "delete"]
|
|
373
|
+
```
|
|
374
|
+
|
|
375
|
+
### 7.3 合规检查 [P1]
|
|
376
|
+
|
|
377
|
+
- [ ] **CIS Benchmark**:通过 CIS Benchmark 检查
|
|
378
|
+
- [ ] **合规扫描**:定期合规扫描
|
|
379
|
+
- [ ] **修复追踪**:合规问题追踪修复
|
|
380
|
+
|
|
381
|
+
---
|
|
382
|
+
|
|
383
|
+
## 8. 供应链安全
|
|
384
|
+
|
|
385
|
+
### 8.1 来源验证 [P0]
|
|
386
|
+
|
|
387
|
+
- [ ] **镜像来源可信**:镜像来源可信
|
|
388
|
+
- [ ] **签名验证**:验证镜像签名
|
|
389
|
+
- [ ] **SBOM 生成**:生成软件物料清单
|
|
390
|
+
- [ ] **依赖来源**:依赖来源可信
|
|
391
|
+
|
|
392
|
+
### 8.2 构建安全 [P0]
|
|
393
|
+
|
|
394
|
+
- [ ] **构建隔离**:构建环境隔离
|
|
395
|
+
- [ ] **构建日志**:构建日志保存
|
|
396
|
+
- [ ] **构建可追溯**:构建可追溯
|
|
397
|
+
|
|
398
|
+
---
|
|
399
|
+
|
|
400
|
+
## 检查评分
|
|
401
|
+
|
|
402
|
+
### 评分标准
|
|
403
|
+
|
|
404
|
+
- **通过**:所有 [P0] 检查项完成
|
|
405
|
+
- **有条件通过**:所有 [P0] 完成,[P1] 完成率 >= 80%
|
|
406
|
+
- **不通过**:存在未完成的 [P0] 检查项
|
|
407
|
+
|
|
408
|
+
### 检查结果
|
|
409
|
+
|
|
410
|
+
| 类别 | P0 完成 | P1 完成 | 状态 |
|
|
411
|
+
|------|---------|---------|------|
|
|
412
|
+
| 镜像安全 | /10 | /5 | [ ] |
|
|
413
|
+
| 构建安全 | /5 | /3 | [ ] |
|
|
414
|
+
| 运行时安全 | /10 | /4 | [ ] |
|
|
415
|
+
| 网络安全 | /8 | /0 | [ ] |
|
|
416
|
+
| Secret 管理 | /5 | /0 | [ ] |
|
|
417
|
+
| 资源限制 | /4 | /3 | [ ] |
|
|
418
|
+
| 监控与审计 | /5 | /3 | [ ] |
|
|
419
|
+
| 供应链安全 | /4 | /0 | [ ] |
|
|
420
|
+
| **总计** | **/51** | **/18** | [ ] |
|
|
421
|
+
|
|
422
|
+
---
|
|
423
|
+
|
|
424
|
+
## 参考资料
|
|
425
|
+
|
|
426
|
+
- [CIS Docker Benchmark](https://www.cisecurity.org/benchmark/docker)
|
|
427
|
+
- [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes)
|
|
428
|
+
- [OWASP Docker Security](https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html)
|
|
429
|
+
- [NIST SP 800-190](https://csrc.nist.gov/publications/detail/sp/800-190/final)
|
|
430
|
+
- [Trivy 文档](https://aquasecurity.github.io/trivy/)
|
|
431
|
+
- [Falco 文档](https://falco.org/docs/)
|