add --results option to specify path to the directory of Policy Results

Signed-off-by: Takumi Yanagawa <[email protected]>
oscal-compass · Dec 7, 2023 · 4352401 · 4352401
1 parent 87450ea
commit 4352401
Show file tree

Hide file tree

Showing 14 changed files with 54 additions and 80 deletions.
diff --git a/cmd/kyverno/result2oscal/cmd/cmd.go b/cmd/kyverno/result2oscal/cmd/cmd.go
@@ -49,7 +49,7 @@ func New() *cobra.Command {
 }
 
 func Run(options *options.Options) error {
-	outputPath, c2pcrPath, tempDirPath := options.OutputPath, options.C2PCRPath, options.TempDirPath
+	outputPath, c2pcrPath, policyResultsDir, tempDirPath := options.OutputPath, options.C2PCRPath, options.PolicyResultsDir, options.TempDirPath
 
 	var c2pcrSpec typec2pcr.Spec
 	if err := pkg.LoadYamlFileToObject(c2pcrPath, &c2pcrSpec); err != nil {
@@ -63,7 +63,7 @@ func Run(options *options.Options) error {
 		panic(err)
 	}
 
-	r := kyverno.NewResultToOscal(c2pcrParsed)
+	r := kyverno.NewResultToOscal(c2pcrParsed, policyResultsDir)
 	ar, err := r.GenerateAssessmentResults()
 	if err != nil {
 		return err

diff --git a/cmd/kyverno/result2oscal/options/options.go b/cmd/kyverno/result2oscal/options/options.go
@@ -23,9 +23,10 @@ import (
 )
 
 type Options struct {
-	C2PCRPath   string
-	TempDirPath string
-	OutputPath  string
+	C2PCRPath        string
+	PolicyResultsDir string
+	TempDirPath      string
+	OutputPath       string
 }
 
 func NewOptions() *Options {
@@ -34,6 +35,7 @@ func NewOptions() *Options {
 
 func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVarP(&o.C2PCRPath, "config", "c", "", "path to c2p-config.yaml")
+	fs.StringVar(&o.PolicyResultsDir, "results", "", "path to directory containing Kyverno Policies List (policies.kyverno.io.yaml), ClusterPolicies List (clusterpolicies.kyverno.io.yaml), PolicyReports List (policyreports.wgpolicyk8s.io.yaml), and ClusterPolicyReports List (clusterpolicyreports.wgpolicyk8s.io.yaml)")
 	fs.StringVar(&o.TempDirPath, "temp-dir", "", "path to temp directory")
 	fs.StringVarP(&o.OutputPath, "out", "o", "./assessment-results.json", "path to output OSCAL Assessment Results")
 }
@@ -46,5 +48,8 @@ func (o *Options) Validate() error {
 	if o.C2PCRPath == "" {
 		return errors.New("-c or --config <c2p-config.yaml> is required")
 	}
+	if o.PolicyResultsDir == "" {
+		return errors.New("--results is required")
+	}
 	return nil
 }
diff --git a/cmd/ocm/oscal2policy/c2p-config.yaml b/cmd/ocm/oscal2policy/c2p-config.yaml
diff --git a/cmd/ocm/result2oscal/c2p-config.yaml b/cmd/ocm/result2oscal/c2p-config.yaml
diff --git a/cmd/ocm/result2oscal/cmd/cmd.go b/cmd/ocm/result2oscal/cmd/cmd.go
@@ -49,7 +49,7 @@ func New() *cobra.Command {
 }
 
 func Run(options *options.Options) error {
-	outputPath, c2pcrPath, tempDirPath := options.OutputPath, options.C2PCRPath, options.TempDirPath
+	outputPath, c2pcrPath, policyResultsDir, tempDirPath := options.OutputPath, options.C2PCRPath, options.PolicyResultsDir, options.TempDirPath
 
 	var c2pcrSpec typec2pcr.Spec
 	if err := pkg.LoadYamlFileToObject(c2pcrPath, &c2pcrSpec); err != nil {
@@ -63,7 +63,7 @@ func Run(options *options.Options) error {
 		panic(err)
 	}
 
-	r := ocm.NewResultToOscal(c2pcrParsed)
+	r := ocm.NewResultToOscal(c2pcrParsed, policyResultsDir)
 	arRoot, err := r.Generate()
 	if err != nil {
 		panic(err)

diff --git a/cmd/ocm/result2oscal/options/options.go b/cmd/ocm/result2oscal/options/options.go
@@ -23,9 +23,10 @@ import (
 )
 
 type Options struct {
-	C2PCRPath   string
-	TempDirPath string
-	OutputPath  string
+	C2PCRPath        string
+	PolicyResultsDir string
+	TempDirPath      string
+	OutputPath       string
 }
 
 func NewOptions() *Options {
@@ -34,6 +35,7 @@ func NewOptions() *Options {
 
 func (o *Options) AddFlags(fs *pflag.FlagSet) {
 	fs.StringVarP(&o.C2PCRPath, "config", "c", "", "path to c2p config file")
+	fs.StringVar(&o.PolicyResultsDir, "results", "", "path to directory containing OCM Policy List (placementdecisions.cluster.open-cluster-management.io.yaml), OCM PolicySet List (policysets.policy.open-cluster-management.io.yaml), and OCM PlacementDecisions List (placementdecisions.cluster.open-cluster-management.io.yaml)")
 	fs.StringVar(&o.TempDirPath, "temp-dir", "", "path to temp directory")
 	fs.StringVarP(&o.OutputPath, "out", "o", "./assessment-results.json", "path to output OSCAL Assessment Results")
 }
@@ -46,5 +48,8 @@ func (o *Options) Validate() error {
 	if o.C2PCRPath == "" {
 		return errors.New("-c or --config is required")
 	}
+	if o.PolicyResultsDir == "" {
+		return errors.New("--results is required")
+	}
 	return nil
 }
diff --git a/docs/ocm.md b/docs/ocm.md
@@ -3,6 +3,31 @@
 ### Prerequisites
 1. Install [Policy Generator Plugin](https://github.com/open-cluster-management-io/policy-generator-plugin#as-a-kustomize-plugin)
 
+### Manual end-to-end use case
+1. Run oscal2policy
+    ```
+    c2pcli ocm oscal2policy -c c2p-config.yaml -o ./ocm-policies
+    ```
+1. Deploy generated OCM Policies to OCM Hub
+    ```
+    kubectl create -f ./ocm-policies
+    ```
+1. Get OCM Policies from OCM Hub
+    ```
+    mkdir results
+    kubectl get policies.policy.open-cluster-management.io -A -o yaml > ./results/policies.policy.open-cluster-management.io.yaml
+    kubectl get policies.policy.open-cluster-management.io -A -o yaml > ./results/policies.policy.open-cluster-management.io.yaml
+    kubectl get policysets.policy.open-cluster-management.io -A -o yaml > ./results/policysets.policy.open-cluster-management.io.yaml
+    ```
+1. Run result2oscal
+    ```
+    c2pcli ocm result2oscal -c c2p-config.yaml --results ./results -o ./assessment-results.json
+    ```
+1. (Optional) Prettify OSCAL Assessment Results in .md format
+    ```
+    c2pcli ocm oscal2posture -c c2p-config.yaml --assessment-results ./assessment-results.json -o compliance-posture.md
+    ```
+
 ### C2P Decomposer
 Decompose OCM poicy collection to kubernetes resources composing each OCM policy (we call it policy resource).
 

diff --git a/pkg/kyverno/configparser.go b/pkg/kyverno/configparser.go
@@ -46,10 +46,6 @@ func (p *C2PCRParser) Parse(c2pcrSpec c2pcr.Spec) (c2pcr.C2PCRParsed, error) {
 	if err != nil {
 		return parsed, err
 	}
-	parsed.PolicyResultsDir, err = p.loadResourceFromUrl(c2pcrSpec.PolicyRersults.Url)
-	if err != nil {
-		return parsed, err
-	}
 
 	logger.Info(fmt.Sprintf("Component-definition is loaded from %s", c2pcrSpec.Compliance.ComponentDefinition.Url))
 	if err := p.gitUtils.LoadFromGit(c2pcrSpec.Compliance.ComponentDefinition.Url, &parsed.ComponentDefinition); err != nil {

diff --git a/pkg/kyverno/oscal2policy_test.go b/pkg/kyverno/oscal2policy_test.go
@@ -55,9 +55,6 @@ func TestOscal2Policy(t *testing.T) {
 		PolicyResources: typec2pcr.ResourceRef{
 			Url: policyDir,
 		},
-		PolicyRersults: typec2pcr.ResourceRef{
-			Url: "/1/2/3",
-		},
 		ClusterGroups: []typec2pcr.ClusterGroup{{
 			Name:        "test-group",
 			MatchLabels: &map[string]string{"environment": "test"},

diff --git a/pkg/kyverno/result2oscal.go b/pkg/kyverno/result2oscal.go
@@ -35,6 +35,7 @@ import (
 type ResultToOscal struct {
 	logger                  *zap.Logger
 	c2pParsed               typec2pcr.C2PCRParsed
+	policyResultsDir        string
 	policyReportList        *typepolr.PolicyReportList
 	clusterPolicyReportList *typepolr.ClusterPolicyReportList
 	policyList              *kyvernov1.PolicyList
@@ -51,10 +52,11 @@ type PolicyResourceIndexContainer struct {
 	ControlIds          []string
 }
 
-func NewResultToOscal(c2pParsed typec2pcr.C2PCRParsed) *ResultToOscal {
+func NewResultToOscal(c2pParsed typec2pcr.C2PCRParsed, policyResultsDir string) *ResultToOscal {
 	r := ResultToOscal{
 		logger:                  pkg.GetLogger("kyverno/result2oscal"),
 		c2pParsed:               c2pParsed,
+		policyResultsDir:        policyResultsDir,
 		policyReportList:        &typepolr.PolicyReportList{},
 		clusterPolicyReportList: &typepolr.ClusterPolicyReportList{},
 		policyList:              &kyvernov1.PolicyList{},
@@ -121,7 +123,7 @@ func (r *ResultToOscal) retrievePolicyReportResults(name string) []*typepolr.Pol
 }
 
 func (r *ResultToOscal) loadData(path string, out interface{}) error {
-	if err := pkg.LoadYamlFileToK8sTypedObject(r.c2pParsed.PolicyResultsDir+path, &out); err != nil {
+	if err := pkg.LoadYamlFileToK8sTypedObject(r.policyResultsDir+"/"+path, &out); err != nil {
 		return err
 	}
 	return nil

diff --git a/pkg/ocm/configparser.go b/pkg/ocm/configparser.go
@@ -43,10 +43,6 @@ func (p *C2PCRParser) Parse(c2pcrSpec c2pcr.Spec) (c2pcr.C2PCRParsed, error) {
 	if err != nil {
 		return parsed, err
 	}
-	parsed.PolicyResultsDir, err = p.loadResourceFromUrl(c2pcrSpec.PolicyRersults.Url)
-	if err != nil {
-		return parsed, err
-	}
 
 	logger.Info(fmt.Sprintf("Component-definition is loaded from %s", c2pcrSpec.Compliance.ComponentDefinition.Url))
 	if err := p.gitUtils.LoadFromGit(c2pcrSpec.Compliance.ComponentDefinition.Url, &parsed.ComponentDefinition); err != nil {

diff --git a/pkg/ocm/oscal2policy_test.go b/pkg/ocm/oscal2policy_test.go
@@ -54,9 +54,6 @@ func TestOscal2Policy(t *testing.T) {
 		PolicyResources: typec2pcr.ResourceRef{
 			Url: policyDir,
 		},
-		PolicyRersults: typec2pcr.ResourceRef{
-			Url: "/1/2/3",
-		},
 		ClusterGroups: []typec2pcr.ClusterGroup{{
 			Name:        "test-group",
 			MatchLabels: &map[string]string{"environment": "test"},

diff --git a/pkg/ocm/result2oscal.go b/pkg/ocm/result2oscal.go
@@ -37,6 +37,7 @@ import (
 
 type ResultToOscal struct {
 	c2pParsed          typec2pcr.C2PCRParsed
+	policyResultsDir   string
 	policies           []*typepolicy.Policy
 	policySets         []*typepolicy.PolicySet
 	placementDecisions []*typeplacementdecision.PlacementDecision
@@ -55,9 +56,10 @@ const (
 	GenerationTypePolicyReport GenerationType = "policy-report"
 )
 
-func NewResultToOscal(c2pParsed typec2pcr.C2PCRParsed) *ResultToOscal {
+func NewResultToOscal(c2pParsed typec2pcr.C2PCRParsed, policyResultsDir string) *ResultToOscal {
 	r := ResultToOscal{
 		c2pParsed:          c2pParsed,
+		policyResultsDir:   policyResultsDir,
 		policies:           []*typepolicy.Policy{},
 		policySets:         []*typepolicy.PolicySet{},
 		placementDecisions: []*typeplacementdecision.PlacementDecision{},
@@ -276,7 +278,7 @@ func (r *ResultToOscal) GenerateReasonsFromRawPolicies(policy typepolicy.Policy)
 }
 
 func (r *ResultToOscal) loadData(path string, out interface{}) error {
-	if err := pkg.LoadYamlFileToK8sTypedObject(r.c2pParsed.PolicyResultsDir+path, &out); err != nil {
+	if err := pkg.LoadYamlFileToK8sTypedObject(r.policyResultsDir+"/"+path, &out); err != nil {
 		return err
 	}
 	return nil

diff --git a/pkg/ocm/result2oscal_test.go b/pkg/ocm/result2oscal_test.go
@@ -59,17 +59,10 @@ func TestResult2Oscal(t *testing.T) {
 		PolicyResources: typec2pcr.ResourceRef{
 			Url: policyDir,
 		},
-		PolicyRersults: typec2pcr.ResourceRef{
-			Url: policyResultsDir,
-		},
 		ClusterGroups: []typec2pcr.ClusterGroup{{
 			Name:        "test-group",
 			MatchLabels: &map[string]string{"environment": "test"},
 		}},
-		Binding: typec2pcr.Binding{
-			Compliance:    "Test Compliance",
-			ClusterGroups: []string{"test-group"},
-		},
 		Target: typec2pcr.Target{
 			Namespace: "c2p",
 		},
@@ -78,7 +71,7 @@ func TestResult2Oscal(t *testing.T) {
 	c2pcrParsed, err := c2pcrParser.Parse(c2pcrSpec)
 	assert.NoError(t, err, "Should not happen")
 
-	reporter := NewResultToOscal(c2pcrParsed)
+	reporter := NewResultToOscal(c2pcrParsed, policyResultsDir)
 	arRoot, err := reporter.Generate()
 	assert.NoError(t, err, "Should not happen")