-
Notifications
You must be signed in to change notification settings - Fork 16
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Extend c2p for Kyverno as PVP/PEP (#7)
* Add cmd to create policy resources from kyverno policy collection Signed-off-by: Takumi Yanagawa <[email protected]> * Add oscal2policy cmd for kyverno to c2pcli Signed-off-by: Takumi Yanagawa <[email protected]> * Implement results2oscal for kyverno Signed-off-by: Takumi Yanagawa <[email protected]> * Implement sample oscal2posture Signed-off-by: Takumi Yanagawa <[email protected]> * Consolidate commands relating with kyverno plugin Signed-off-by: Takumi Yanagawa <[email protected]> * Rename composer to oscal2policy and fix name and description of CLI args Signed-off-by: Takumi Yanagawa <[email protected]> * Consolidate command for tools for kyverno into kyverno plugin Signed-off-by: Takumi Yanagawa <[email protected]> * Rename former c2p ocm plugins Signed-off-by: Takumi Yanagawa <[email protected]> * Add sample cronjob for upsync Signed-off-by: Takumi Yanagawa <[email protected]> * Move assessment-results from c2p-config to command args Signed-off-by: Takumi Yanagawa <[email protected]> * Add coommand usage of C2P for Kyverno to readme Signed-off-by: Takumi Yanagawa <[email protected]> * Move former c2p description for OCM to doc/ocm.md Signed-off-by: Takumi Yanagawa <[email protected]> --------- Signed-off-by: Takumi Yanagawa <[email protected]>
- Loading branch information
Showing
69 changed files
with
5,143 additions
and
334 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,167 +1,105 @@ | ||
# compliance-to-policy | ||
Compliance-to-Policy (C2P) provides the framework to bridge the gap between compliance and policy administration. | ||
Compliance-to-Policy (C2P) provides the framework to bridge Compliance administration and Policy administration by [OSCAL](https://pages.nist.gov/OSCAL/). OSCAL (Open Security Controls Assessment Language) is a standardized framework developed by NIST for expressing and automating the assessment and management of security controls in machine-readable format (xml, json, yaml) | ||
|
||
## C2P as pipeline task | ||
## Continuous Compliance by C2P | ||
|
||
https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-8703-04ce94e9dfba | ||
|
||
### Setup pipeline | ||
1. Create two repositories (one is configuration repository that's used for pipeline from OSCAL to Policy and another is evidence repository that's used for pipeline from OCM statuses to Compliance result) | ||
- For example, c2p-for-ocm-pipeline01-config and c2p-for-ocm-pipeline01-evidence | ||
1. Create Github Personal Access Token having following permissions | ||
- Repository permission of `Contents`, `Pull Requests`, and `Workflows` with read-and-write against both the configuration repository and the evidence repository. | ||
1. Fork C2P repository (yana1205/compliance-to-policy.git) and checkout `template` | ||
1. Set required parameters for github action to initialize your configuration and evidence repo | ||
1. Go to Settings tab | ||
1. Go to `Actions` under `Secrets and variables` | ||
1. Create `New repository secret` | ||
- Name: PAT | ||
- Secret: Created Github Personal Access Token | ||
1. Go to `Variables` tab to create `New repository variable` | ||
1. Create `CONFIGURATION_REPOSITORY` variable | ||
- Name: CONFIGURATION_REPOSITORY | ||
- Value: `<configuration repository org>/<configuration repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-config)` | ||
1. Create `EVIDENCE_REPOSITORY` variable | ||
- Name: EVIDENCE_REPOSITORY | ||
- Value: `<evidence repository org>/<evidence repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-evidence)` | ||
1. Run Action `Initialize repositories` with branch `template` | ||
1. Go to the configuration repository and create `New repository secret` | ||
- Name: PAT | ||
- Secret: Created Github Personal Access Token | ||
1. Go to the evidence repository and create `New repository secret` | ||
- Name: PAT | ||
- Secret: Created Github Personal Access Token | ||
|
||
### Run oscal-to-pocliy | ||
1. Go to the configuration repository | ||
1. Go to `Actions` tab | ||
1. Run `OSCAL to Policy` | ||
1. This action generates manifests from OSCAL and then generate a PR of changes for a directory `ocm-policy-manifests` containing the generated manifests. | ||
1. Merge the PR | ||
|
||
### Integrate with GitOps | ||
1. Sync `ocm-policy-manifests` directory with your OCM Hub by OCM GitOps (OCM Channel and Subscription addon) | ||
|
||
### Deploy collector to your OCM Hub | ||
1. Apply RBAC for collector | ||
``` | ||
kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml | ||
``` | ||
1. Create Secret for Github access | ||
``` | ||
kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=<github user> --from-literal=token=<github PAT> --from-literal=org=<evidence org name> --from-literal=repo=<evidence repo name> | ||
``` | ||
e.g. | ||
``` | ||
kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=yana1205 --from-literal=token=github_pat_xxx --from-literal=org=yana1205 --from-literal=repo=c2p-for-ocm-pipeline01-evidence | ||
``` | ||
1. Deploy collector cronjob | ||
``` | ||
kubectl apply -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/cronjob.yaml | ||
``` | ||
### Cleanup | ||
## Usage of C2P commands | ||
|
||
### C2P for Kyverno | ||
Prepare Kyverno Policy Resources | ||
- You can use [policy-resources for test](/pkg/testdata/kyverno/policy-resources) | ||
- For bring your own policies, please see [Bring your own Kyverno Policy Resources](#bring-your-own-kyverno-policy-resources) | ||
|
||
#### Convert OSCAL to Kyverno Policy | ||
``` | ||
$ go run cmd/c2pcli/main.go kyverno oscal2policy -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/kyverno-policies | ||
2023-10-31T07:23:56.291+0900 INFO kyverno/c2pcr kyverno/configparser.go:53 Component-definition is loaded from ./pkg/testdata/kyverno/component-definition.json | ||
$ tree /tmp/kyverno-policies | ||
/tmp/kyverno-policies | ||
└── allowed-base-images | ||
├── 02-setup-cm.yaml | ||
└── allowed-base-images.yaml | ||
``` | ||
|
||
#### Convert Policy Report to OSCAL Assessment Results | ||
``` | ||
$ go run cmd/c2pcli/main.go kyverno result2oscal -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/assessment-results | ||
$ tree /tmp/assessment-results | ||
/tmp/assessment-results | ||
└── assessment-results.json | ||
``` | ||
|
||
#### Reformat in human-friendly format (markdown file) | ||
``` | ||
$ go run cmd/c2pcli/main.go kyverno oscal2posture -c ./pkg/testdata/kyverno/c2p-config.yaml --assessment-results /tmp/assessment-results/assessment-results.json -o /tmp/compliance-report.md | ||
``` | ||
kubectl delete -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/cronjob.yaml | ||
kubectl -n c2p delete secret collect-ocm-status-secret | ||
kubectl delete -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/rbac.yaml | ||
|
||
``` | ||
$ head -n 15 /tmp/compliance-report.md | ||
## Catalog | ||
## Component: Kubernetes | ||
#### Result of control: cm-8.3_smt.a | ||
Rule ID: allowed-base-images | ||
<details><summary>Details</summary> | ||
- Subject UUID: 0b1adf1c-f6e2-46af-889e-39255e669655 | ||
- Title: ApiVersion: v1, Kind: Pod, Namespace: argocd, Name: argocd-application-controller-0 | ||
- Result: fail | ||
- Reason: | ||
``` | ||
validation failure: This container image's base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance. | ||
``` | ||
``` | ||
|
||
--- | ||
## Utilities | ||
### Prerequisites | ||
1. Install [Policy Generator Plugin](https://github.com/open-cluster-management-io/policy-generator-plugin#as-a-kustomize-plugin) | ||
### C2P Decomposer | ||
Decompose OCM poicy collection to kubernetes resources composing each OCM policy (we call it policy resource). | ||
1. Clone [Policy Collection](https://github.com/open-cluster-management-io/policy-collection) | ||
``` | ||
git clone --depth 1 https://github.com/open-cluster-management-io/policy-collection.git /tmp/policy-collection | ||
``` | ||
1. Run C2P Decomposer | ||
``` | ||
go run ./cmd/decompose/decompose.go --policy-collection-dir=/tmp/policy-collection --out=/tmp/c2p-output | ||
``` | ||
1. Decomposed policy resources are ouput in `/tmp/c2p-output/decomposed/resources` | ||
``` | ||
$ tree -L 1 /tmp/c2p-output/decomposed | ||
/tmp/c2p-output/decomposed | ||
├── _sources | ||
└── resources | ||
``` | ||
Individual decomposed resource contains k8s manifests and configuration files (policy-generator.yaml and kustomization.yaml) for PolicyGenerator. | ||
``` | ||
$ tree -L 3 /tmp/c2p-output/decomposed/resources | ||
/tmp/c2p-output/decomposed/resources | ||
├── add-chrony | ||
│ ├── add-chrony-worker | ||
│ │ └── MachineConfig.50-worker-chrony.0.yaml | ||
│ ├── kustomization.yaml | ||
│ └── policy-generator.yaml | ||
├── add-tvk-license | ||
│ ├── add-tvk-license | ||
│ │ └── License.triliovault-license.0.yaml | ||
│ ├── kustomization.yaml | ||
``` | ||
### C2P Composer | ||
Compose OCM Policy from policy resources from compliance information (for example, [compliance.yaml](cmd/compose/compliance.yaml)) | ||
1. Run C2P Composer | ||
``` | ||
go run cmd/compose-by-c2pcr/main.go --c2pcr ./cmd/compose-by-c2pcr/c2pcr.yaml --out /tmp/c2p-output | ||
``` | ||
1. Composed OCM policies are output in `/tmp/c2p-output` | ||
``` | ||
$ tree /tmp/c2p-output | ||
/tmp/c2p-output | ||
├── add-chrony | ||
│ ├── add-chrony-worker | ||
│ │ └── MachineConfig.50-worker-chrony.0.yaml | ||
│ ├── kustomization.yaml | ||
│ └── policy-generator.yaml | ||
├── install-odf-lvm-operator | ||
│ ├── kustomization.yaml | ||
│ ├── odf-lvmcluster | ||
│ │ └── LVMCluster.odf-lvmcluster.0.yaml | ||
│ ├── policy-generator.yaml | ||
│ └── policy-odf-lvm-operator | ||
│ ├── Namespace.openshift-storage.0.yaml | ||
│ ├── OperatorGroup.openshift-storage-operatorgroup.0.yaml | ||
│ └── Subscription.lvm-operator.0.yaml | ||
├── kustomization.yaml | ||
├── policy-generator.yaml | ||
└── policy-sets.yaml | ||
``` | ||
## C2P as controller (deprecated) | ||
1. Build image | ||
``` | ||
make docker-build docker-push IMG=<controller image> | ||
``` | ||
1. Create KinD cluster | ||
``` | ||
kind create cluster | ||
``` | ||
1. Install (if you use OCM, install-ocm-related-crds may fail since the required CRDs are already there.) | ||
``` | ||
make install | ||
make install-ocm-related-crds | ||
``` | ||
1. Deploy | ||
``` | ||
make deploy IMG=<controller image> | ||
``` | ||
1. Create CR | ||
``` | ||
kubectl apply -f ./config/samples/compliance-to-policy_v1alpha1_compliancedeployment.yaml -n compliance-to-policy-system | ||
``` | ||
1. Check if Policy, PlacmenetBinding/Rule are created | ||
``` | ||
kubectl get policies,placementbindings,placementrules -n compliance-high | ||
``` | ||
1. Cleanup | ||
``` | ||
make undeploy | ||
make uninstall | ||
``` | ||
### Bring your own Kyverno Policy Resources | ||
- You can download Kyverno Policies (https://github.com/kyverno/policies) as Policy Resources and modify them | ||
1. Run `kyverno tools load-policy-resources` command | ||
``` | ||
$ go run cmd/c2pcli/main.go kyverno tools load-policy-resources --src https://github.com/kyverno/policies --dest /tmp/policies | ||
``` | ||
``` | ||
$ tree /tmp/policies | ||
/tmp/policies | ||
├── add-apparmor-annotations | ||
│ └── add-apparmor-annotations.yaml | ||
├── add-capabilities | ||
│ └── add-capabilities.yaml | ||
├── add-castai-removal-disabled | ||
│ └── add-castai-removal-disabled.yaml | ||
├── add-certificates-volume | ||
│ └── add-certificates-volume.yaml | ||
├── add-default-resources | ||
... | ||
``` | ||
- You can check result.json about what resources are downloaded. | ||
``` | ||
$ cat /tmp/policies/result.json | ||
``` | ||
- There are some policies that depend on context. Please add the context resources manually. result.json contains list of the policies that have context field | ||
``` | ||
$ jq -r .summary.resourcesHavingContext /tmp/policies/result.json | ||
[ | ||
"allowed-podpriorities", | ||
"allowed-base-images", | ||
"advanced-restrict-image-registries", | ||
... | ||
"require-linkerd-server" | ||
] | ||
``` | ||
## Build at local | ||
``` | ||
goreleaser release --snapshot --clean | ||
``` | ||
## Test | ||
``` | ||
make test-pkg | ||
``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,45 @@ | ||
/* | ||
Copyright 2023 IBM Corporation | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package subcommands | ||
|
||
import ( | ||
"github.com/spf13/cobra" | ||
|
||
"github.com/IBM/compliance-to-policy/cmd/c2pcli/options" | ||
oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2policy/cmd" | ||
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2posture/cmd" | ||
result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/kyverno/result2oscal/cmd" | ||
toolscmd "github.com/IBM/compliance-to-policy/cmd/kyverno/tools/cmd" | ||
) | ||
|
||
func NewKyvernoSubCommand() *cobra.Command { | ||
opts := options.NewOptions() | ||
|
||
command := &cobra.Command{ | ||
Use: "kyverno", | ||
Short: "C2P CLI Kyverno plugin", | ||
} | ||
|
||
opts.AddFlags(command.Flags()) | ||
|
||
command.AddCommand(oscal2policycmd.New()) | ||
command.AddCommand(result2oscalcmd.New()) | ||
command.AddCommand(oscal2posturecmd.New()) | ||
command.AddCommand(toolscmd.New()) | ||
|
||
return command | ||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
/* | ||
Copyright 2023 IBM Corporation | ||
Licensed under the Apache License, Version 2.0 (the "License"); | ||
you may not use this file except in compliance with the License. | ||
You may obtain a copy of the License at | ||
http://www.apache.org/licenses/LICENSE-2.0 | ||
Unless required by applicable law or agreed to in writing, software | ||
distributed under the License is distributed on an "AS IS" BASIS, | ||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
See the License for the specific language governing permissions and | ||
limitations under the License. | ||
*/ | ||
|
||
package subcommands | ||
|
||
import ( | ||
"github.com/spf13/cobra" | ||
|
||
"github.com/IBM/compliance-to-policy/cmd/c2pcli/options" | ||
oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2policy/cmd" | ||
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2posture/cmd" | ||
result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/ocm/result2oscal/cmd" | ||
) | ||
|
||
func NewOcmSubCommand() *cobra.Command { | ||
opts := options.NewOptions() | ||
|
||
command := &cobra.Command{ | ||
Use: "ocm", | ||
Short: "C2P CLI OCM plugin", | ||
} | ||
|
||
opts.AddFlags(command.Flags()) | ||
|
||
command.AddCommand(oscal2policycmd.New()) | ||
command.AddCommand(result2oscalcmd.New()) | ||
command.AddCommand(oscal2posturecmd.New()) | ||
|
||
return command | ||
} |
Oops, something went wrong.