Skip to content

Commit

Permalink
Extend c2p for Kyverno as PVP/PEP (#7)
Browse files Browse the repository at this point in the history
* Add cmd to create policy resources from kyverno policy collection

Signed-off-by: Takumi Yanagawa <[email protected]>

* Add oscal2policy cmd for kyverno to c2pcli

Signed-off-by: Takumi Yanagawa <[email protected]>

* Implement results2oscal for kyverno

Signed-off-by: Takumi Yanagawa <[email protected]>

* Implement sample oscal2posture

Signed-off-by: Takumi Yanagawa <[email protected]>

* Consolidate commands relating with kyverno plugin

Signed-off-by: Takumi Yanagawa <[email protected]>

* Rename composer to oscal2policy and fix name and description of CLI args

Signed-off-by: Takumi Yanagawa <[email protected]>

* Consolidate command for tools for kyverno into kyverno plugin

Signed-off-by: Takumi Yanagawa <[email protected]>

* Rename former c2p ocm plugins

Signed-off-by: Takumi Yanagawa <[email protected]>

* Add sample cronjob for upsync

Signed-off-by: Takumi Yanagawa <[email protected]>

* Move assessment-results from c2p-config to command args

Signed-off-by: Takumi Yanagawa <[email protected]>

* Add coommand usage of C2P for Kyverno to readme

Signed-off-by: Takumi Yanagawa <[email protected]>

* Move former c2p description for OCM to doc/ocm.md

Signed-off-by: Takumi Yanagawa <[email protected]>

---------

Signed-off-by: Takumi Yanagawa <[email protected]>
  • Loading branch information
yana1205 authored Oct 31, 2023
1 parent c66ed08 commit f6a2831
Show file tree
Hide file tree
Showing 69 changed files with 5,143 additions and 334 deletions.
256 changes: 97 additions & 159 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,167 +1,105 @@
# compliance-to-policy
Compliance-to-Policy (C2P) provides the framework to bridge the gap between compliance and policy administration.
Compliance-to-Policy (C2P) provides the framework to bridge Compliance administration and Policy administration by [OSCAL](https://pages.nist.gov/OSCAL/). OSCAL (Open Security Controls Assessment Language) is a standardized framework developed by NIST for expressing and automating the assessment and management of security controls in machine-readable format (xml, json, yaml)

## C2P as pipeline task
## Continuous Compliance by C2P

https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-8703-04ce94e9dfba

### Setup pipeline
1. Create two repositories (one is configuration repository that's used for pipeline from OSCAL to Policy and another is evidence repository that's used for pipeline from OCM statuses to Compliance result)
- For example, c2p-for-ocm-pipeline01-config and c2p-for-ocm-pipeline01-evidence
1. Create Github Personal Access Token having following permissions
- Repository permission of `Contents`, `Pull Requests`, and `Workflows` with read-and-write against both the configuration repository and the evidence repository.
1. Fork C2P repository (yana1205/compliance-to-policy.git) and checkout `template`
1. Set required parameters for github action to initialize your configuration and evidence repo
1. Go to Settings tab
1. Go to `Actions` under `Secrets and variables`
1. Create `New repository secret`
- Name: PAT
- Secret: Created Github Personal Access Token
1. Go to `Variables` tab to create `New repository variable`
1. Create `CONFIGURATION_REPOSITORY` variable
- Name: CONFIGURATION_REPOSITORY
- Value: `<configuration repository org>/<configuration repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-config)`
1. Create `EVIDENCE_REPOSITORY` variable
- Name: EVIDENCE_REPOSITORY
- Value: `<evidence repository org>/<evidence repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-evidence)`
1. Run Action `Initialize repositories` with branch `template`
1. Go to the configuration repository and create `New repository secret`
- Name: PAT
- Secret: Created Github Personal Access Token
1. Go to the evidence repository and create `New repository secret`
- Name: PAT
- Secret: Created Github Personal Access Token

### Run oscal-to-pocliy
1. Go to the configuration repository
1. Go to `Actions` tab
1. Run `OSCAL to Policy`
1. This action generates manifests from OSCAL and then generate a PR of changes for a directory `ocm-policy-manifests` containing the generated manifests.
1. Merge the PR

### Integrate with GitOps
1. Sync `ocm-policy-manifests` directory with your OCM Hub by OCM GitOps (OCM Channel and Subscription addon)

### Deploy collector to your OCM Hub
1. Apply RBAC for collector
```
kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml
```
1. Create Secret for Github access
```
kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=<github user> --from-literal=token=<github PAT> --from-literal=org=<evidence org name> --from-literal=repo=<evidence repo name>
```
e.g.
```
kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=yana1205 --from-literal=token=github_pat_xxx --from-literal=org=yana1205 --from-literal=repo=c2p-for-ocm-pipeline01-evidence
```
1. Deploy collector cronjob
```
kubectl apply -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/cronjob.yaml
```
### Cleanup
## Usage of C2P commands

### C2P for Kyverno
Prepare Kyverno Policy Resources
- You can use [policy-resources for test](/pkg/testdata/kyverno/policy-resources)
- For bring your own policies, please see [Bring your own Kyverno Policy Resources](#bring-your-own-kyverno-policy-resources)

#### Convert OSCAL to Kyverno Policy
```
$ go run cmd/c2pcli/main.go kyverno oscal2policy -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/kyverno-policies
2023-10-31T07:23:56.291+0900 INFO kyverno/c2pcr kyverno/configparser.go:53 Component-definition is loaded from ./pkg/testdata/kyverno/component-definition.json
$ tree /tmp/kyverno-policies
/tmp/kyverno-policies
└── allowed-base-images
├── 02-setup-cm.yaml
└── allowed-base-images.yaml
```

#### Convert Policy Report to OSCAL Assessment Results
```
$ go run cmd/c2pcli/main.go kyverno result2oscal -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/assessment-results
$ tree /tmp/assessment-results
/tmp/assessment-results
└── assessment-results.json
```

#### Reformat in human-friendly format (markdown file)
```
$ go run cmd/c2pcli/main.go kyverno oscal2posture -c ./pkg/testdata/kyverno/c2p-config.yaml --assessment-results /tmp/assessment-results/assessment-results.json -o /tmp/compliance-report.md
```
kubectl delete -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/cronjob.yaml
kubectl -n c2p delete secret collect-ocm-status-secret
kubectl delete -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/rbac.yaml

```
$ head -n 15 /tmp/compliance-report.md
## Catalog
## Component: Kubernetes
#### Result of control: cm-8.3_smt.a
Rule ID: allowed-base-images
<details><summary>Details</summary>
- Subject UUID: 0b1adf1c-f6e2-46af-889e-39255e669655
- Title: ApiVersion: v1, Kind: Pod, Namespace: argocd, Name: argocd-application-controller-0
- Result: fail
- Reason:
```
validation failure: This container image&#39;s base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance.
```
```

---
## Utilities
### Prerequisites
1. Install [Policy Generator Plugin](https://github.com/open-cluster-management-io/policy-generator-plugin#as-a-kustomize-plugin)
### C2P Decomposer
Decompose OCM poicy collection to kubernetes resources composing each OCM policy (we call it policy resource).
1. Clone [Policy Collection](https://github.com/open-cluster-management-io/policy-collection)
```
git clone --depth 1 https://github.com/open-cluster-management-io/policy-collection.git /tmp/policy-collection
```
1. Run C2P Decomposer
```
go run ./cmd/decompose/decompose.go --policy-collection-dir=/tmp/policy-collection --out=/tmp/c2p-output
```
1. Decomposed policy resources are ouput in `/tmp/c2p-output/decomposed/resources`
```
$ tree -L 1 /tmp/c2p-output/decomposed
/tmp/c2p-output/decomposed
├── _sources
└── resources
```
Individual decomposed resource contains k8s manifests and configuration files (policy-generator.yaml and kustomization.yaml) for PolicyGenerator.
```
$ tree -L 3 /tmp/c2p-output/decomposed/resources
/tmp/c2p-output/decomposed/resources
├── add-chrony
│   ├── add-chrony-worker
│   │   └── MachineConfig.50-worker-chrony.0.yaml
│   ├── kustomization.yaml
│   └── policy-generator.yaml
├── add-tvk-license
│   ├── add-tvk-license
│   │   └── License.triliovault-license.0.yaml
│   ├── kustomization.yaml
```
### C2P Composer
Compose OCM Policy from policy resources from compliance information (for example, [compliance.yaml](cmd/compose/compliance.yaml))
1. Run C2P Composer
```
go run cmd/compose-by-c2pcr/main.go --c2pcr ./cmd/compose-by-c2pcr/c2pcr.yaml --out /tmp/c2p-output
```
1. Composed OCM policies are output in `/tmp/c2p-output`
```
$ tree /tmp/c2p-output
/tmp/c2p-output
├── add-chrony
│ ├── add-chrony-worker
│ │ └── MachineConfig.50-worker-chrony.0.yaml
│ ├── kustomization.yaml
│ └── policy-generator.yaml
├── install-odf-lvm-operator
│ ├── kustomization.yaml
│ ├── odf-lvmcluster
│ │ └── LVMCluster.odf-lvmcluster.0.yaml
│ ├── policy-generator.yaml
│ └── policy-odf-lvm-operator
│ ├── Namespace.openshift-storage.0.yaml
│ ├── OperatorGroup.openshift-storage-operatorgroup.0.yaml
│ └── Subscription.lvm-operator.0.yaml
├── kustomization.yaml
├── policy-generator.yaml
└── policy-sets.yaml
```
## C2P as controller (deprecated)
1. Build image
```
make docker-build docker-push IMG=<controller image>
```
1. Create KinD cluster
```
kind create cluster
```
1. Install (if you use OCM, install-ocm-related-crds may fail since the required CRDs are already there.)
```
make install
make install-ocm-related-crds
```
1. Deploy
```
make deploy IMG=<controller image>
```
1. Create CR
```
kubectl apply -f ./config/samples/compliance-to-policy_v1alpha1_compliancedeployment.yaml -n compliance-to-policy-system
```
1. Check if Policy, PlacmenetBinding/Rule are created
```
kubectl get policies,placementbindings,placementrules -n compliance-high
```
1. Cleanup
```
make undeploy
make uninstall
```
### Bring your own Kyverno Policy Resources
- You can download Kyverno Policies (https://github.com/kyverno/policies) as Policy Resources and modify them
1. Run `kyverno tools load-policy-resources` command
```
$ go run cmd/c2pcli/main.go kyverno tools load-policy-resources --src https://github.com/kyverno/policies --dest /tmp/policies
```
```
$ tree /tmp/policies
/tmp/policies
├── add-apparmor-annotations
│ └── add-apparmor-annotations.yaml
├── add-capabilities
│ └── add-capabilities.yaml
├── add-castai-removal-disabled
│ └── add-castai-removal-disabled.yaml
├── add-certificates-volume
│ └── add-certificates-volume.yaml
├── add-default-resources
...
```
- You can check result.json about what resources are downloaded.
```
$ cat /tmp/policies/result.json
```
- There are some policies that depend on context. Please add the context resources manually. result.json contains list of the policies that have context field
```
$ jq -r .summary.resourcesHavingContext /tmp/policies/result.json
[
"allowed-podpriorities",
"allowed-base-images",
"advanced-restrict-image-registries",
...
"require-linkerd-server"
]
```
## Build at local
```
goreleaser release --snapshot --clean
```
## Test
```
make test-pkg
```
9 changes: 3 additions & 6 deletions cmd/c2pcli/cmd/cmd.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,9 +20,7 @@ import (
"github.com/spf13/cobra"

"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
composecmd "github.com/IBM/compliance-to-policy/cmd/compose/cmd"
reportutilscmd "github.com/IBM/compliance-to-policy/cmd/report-utils/cmd"
reportcmd "github.com/IBM/compliance-to-policy/cmd/report/cmd"
"github.com/IBM/compliance-to-policy/cmd/c2pcli/subcommands"
)

func New() *cobra.Command {
Expand All @@ -45,9 +43,8 @@ func New() *cobra.Command {

opts.AddFlags(command.Flags())

command.AddCommand(composecmd.New())
command.AddCommand(reportcmd.New())
command.AddCommand(reportutilscmd.New())
command.AddCommand(subcommands.NewKyvernoSubCommand())
command.AddCommand(subcommands.NewOcmSubCommand())

return command
}
45 changes: 45 additions & 0 deletions cmd/c2pcli/subcommands/kyverno.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,45 @@
/*
Copyright 2023 IBM Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package subcommands

import (
"github.com/spf13/cobra"

"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2policy/cmd"
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2posture/cmd"
result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/kyverno/result2oscal/cmd"
toolscmd "github.com/IBM/compliance-to-policy/cmd/kyverno/tools/cmd"
)

func NewKyvernoSubCommand() *cobra.Command {
opts := options.NewOptions()

command := &cobra.Command{
Use: "kyverno",
Short: "C2P CLI Kyverno plugin",
}

opts.AddFlags(command.Flags())

command.AddCommand(oscal2policycmd.New())
command.AddCommand(result2oscalcmd.New())
command.AddCommand(oscal2posturecmd.New())
command.AddCommand(toolscmd.New())

return command
}
43 changes: 43 additions & 0 deletions cmd/c2pcli/subcommands/ocm.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
/*
Copyright 2023 IBM Corporation
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package subcommands

import (
"github.com/spf13/cobra"

"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2policy/cmd"
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2posture/cmd"
result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/ocm/result2oscal/cmd"
)

func NewOcmSubCommand() *cobra.Command {
opts := options.NewOptions()

command := &cobra.Command{
Use: "ocm",
Short: "C2P CLI OCM plugin",
}

opts.AddFlags(command.Flags())

command.AddCommand(oscal2policycmd.New())
command.AddCommand(result2oscalcmd.New())
command.AddCommand(oscal2posturecmd.New())

return command
}
Loading

0 comments on commit f6a2831

Please sign in to comment.