Commit

Merge pull request #9 from yana1205/up-to-date-ocm-plugin
Up to date ocm plugin
yana1205 authored Dec 7, 2023
2 parents 67dd6b9 + c3c2bb6 commit 36a42c8
Showing 150 changed files with 62,628 additions and 2,678 deletions.
104 changes: 20 additions & 84 deletions README.md
@@ -1,98 +1,34 @@
# compliance-to-policy
Compliance-to-Policy (C2P) provides the framework to bridge Compliance administration and Policy administration by [OSCAL](https://pages.nist.gov/OSCAL/). OSCAL (Open Security Controls Assessment Language) is a standardized framework developed by NIST for expressing and automating the assessment and management of security controls in machine-readable format (xml, json, yaml)

## Continuous Compliance by C2P
![C2P Overview](/docs/images/e2e-pm.png)

https://github.com/IBM/compliance-to-policy/assets/113283236/4b0b5357-4025-46c8-8d88-1f4c00538795

## Usage of C2P commands

### C2P for Kyverno
Prepare Kyverno Policy Resources
- You can use [policy-resources for test](/pkg/testdata/kyverno/policy-resources)
- For bring your own policies, please see [Bring your own Kyverno Policy Resources](#bring-your-own-kyverno-policy-resources)

#### Convert OSCAL to Kyverno Policy
```
$ go run cmd/c2pcli/main.go kyverno oscal2policy -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/kyverno-policies
2023-10-31T07:23:56.291+0900 INFO kyverno/c2pcr kyverno/configparser.go:53 Component-definition is loaded from ./pkg/testdata/kyverno/component-definition.json
$ tree /tmp/kyverno-policies
/tmp/kyverno-policies
└── allowed-base-images
├── 02-setup-cm.yaml
└── allowed-base-images.yaml
```

#### Convert Policy Report to OSCAL Assessment Results
## Usage of C2P CLI
```
$ go run cmd/c2pcli/main.go kyverno result2oscal -c ./pkg/testdata/kyverno/c2p-config.yaml -o /tmp/assessment-results
$ c2pcli -h
C2P CLI
$ tree /tmp/assessment-results
/tmp/assessment-results
└── assessment-results.json
```
Usage:
c2pcli [flags]
c2pcli [command]
#### Reformat in human-friendly format (markdown file)
```
$ go run cmd/c2pcli/main.go kyverno oscal2posture -c ./pkg/testdata/kyverno/c2p-config.yaml --assessment-results /tmp/assessment-results/assessment-results.json -o /tmp/compliance-report.md
```
Available Commands:
completion Generate the autocompletion script for the specified shell
help Help about any command
kyverno C2P CLI Kyverno plugin
ocm C2P CLI OCM plugin
version Display version
```
$ head -n 15 /tmp/compliance-report.md
## Catalog
Flags:
-h, --help help for c2pcli
## Component: Kubernetes
#### Result of control: cm-8.3_smt.a
Rule ID: allowed-base-images
<details><summary>Details</summary>
- Subject UUID: 0b1adf1c-f6e2-46af-889e-39255e669655
- Title: ApiVersion: v1, Kind: Pod, Namespace: argocd, Name: argocd-application-controller-0
- Result: fail
- Reason:
```
validation failure: This container image&#39;s base is not in the approved list or is not specified. Only pre-approved base images may be used. Please contact the platform team for assistance.
```
Use "c2pcli [command] --help" for more information about a command.
```

### Bring your own Kyverno Policy Resources
- You can download Kyverno Policies (https://github.com/kyverno/policies) as Policy Resources and modify them
1. Run `kyverno tools load-policy-resources` command
```
$ go run cmd/c2pcli/main.go kyverno tools load-policy-resources --src https://github.com/kyverno/policies --dest /tmp/policies
```
```
$ tree /tmp/policies
/tmp/policies
├── add-apparmor-annotations
│ └── add-apparmor-annotations.yaml
├── add-capabilities
│ └── add-capabilities.yaml
├── add-castai-removal-disabled
│ └── add-castai-removal-disabled.yaml
├── add-certificates-volume
│ └── add-certificates-volume.yaml
├── add-default-resources
...
```
- You can check result.json about what resources are downloaded.
```
$ cat /tmp/policies/result.json
```
- There are some policies that depend on context. Please add the context resources manually. result.json contains list of the policies that have context field
```
$ jq -r .summary.resourcesHavingContext /tmp/policies/result.json
[
"allowed-podpriorities",
"allowed-base-images",
"advanced-restrict-image-registries",
...
"require-linkerd-server"
]
```
C2P is targeting a plugin architecture to cover not only OCM Policy Framework but also other types of PVPs.
Please go to the docs for each usage.
- [C2P for OCM](/docs/ocm/README.md)
- [C2P for Kyverno](/docs/kyverno/README.md)

## Build at local
```
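Review bot: The tail of this hunk replaces the worked `oscal2policy`, `result2oscal` and `oscal2posture` walkthroughs with links to /docs/ocm/README.md and /docs/kyverno/README.md; please confirm both files are part of this PR so the links resolve, and that the Kyverno doc shows the new invocation, because the `result2oscal` options changed in this PR now require `--results` and treat `-o` as an output file path rather than a directory, so the removed `-o /tmp/assessment-results` example no longer works as written. The `c2pcli -h` output kept in the README does list the new `version` command, which matches the subcommand added in cmd/c2pcli/main.go.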
25 changes: 24 additions & 1 deletion cmd/c2pcli/main.go
Expand Up @@ -17,13 +17,36 @@ limitations under the License.
package main

import (
"fmt"
"os"

"github.com/IBM/compliance-to-policy/cmd/c2pcli/cmd"
"github.com/spf13/cobra"
)

var (
version = "none"
commit = "none"
date = "unknown"
)

func newVersionSubCommand() *cobra.Command {
command := &cobra.Command{
Use: "version",
Short: "Display version",
RunE: func(cmd *cobra.Command, args []string) error {
message := fmt.Sprintf("version: %s, commit: %s, date: %s", version, commit, date)
fmt.Fprintln(os.Stdout, message)
return nil
},
}
return command
}

func main() {
err := cmd.New().Execute()
command := cmd.New()
command.AddCommand(newVersionSubCommand())
err := command.Execute()
if err != nil {
os.Exit(1)
}
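Review bot: `version`, `commit` and `date` default to "none"/"unknown" and nothing in this hunk sets them, so `c2pcli version` prints `version: none, commit: none, date: unknown` unless the build injects them with `-ldflags "-X main.version=... -X main.commit=... -X main.date=..."`; add that to the README build section or the Makefile so released binaries report real values, which matters when an operator needs to check which build produced an assessment result. Minor: writing through `cmd.OutOrStdout()` instead of `os.Stdout` keeps the output redirectable in tests.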
2 changes: 0 additions & 2 deletions cmd/c2pcli/subcommands/kyverno.go
Expand Up @@ -21,7 +21,6 @@ import (

"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2policy/cmd"
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/kyverno/oscal2posture/cmd"
result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/kyverno/result2oscal/cmd"
toolscmd "github.com/IBM/compliance-to-policy/cmd/kyverno/tools/cmd"
)
Expand All @@ -38,7 +37,6 @@ func NewKyvernoSubCommand() *cobra.Command {

command.AddCommand(oscal2policycmd.New())
command.AddCommand(result2oscalcmd.New())
command.AddCommand(oscal2posturecmd.New())
command.AddCommand(toolscmd.New())

return command
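Review bot: Dropping `command.AddCommand(oscal2posturecmd.New())` removes the top-level `kyverno oscal2posture` command that the README examples removed in this PR still reference; since the command is re-registered under `kyverno tools` in cmd/kyverno/tools/cmd/cmd.go, call the move out in the release notes or keep a deprecated alias for one release so existing scripts fail with a clear message rather than "unknown command".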
4 changes: 2 additions & 2 deletions cmd/c2pcli/subcommands/ocm.go
Expand Up @@ -21,8 +21,8 @@ import (

"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
oscal2policycmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2policy/cmd"
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/ocm/oscal2posture/cmd"
result2oscalcmd "github.com/IBM/compliance-to-policy/cmd/ocm/result2oscal/cmd"
toolscmd "github.com/IBM/compliance-to-policy/cmd/ocm/tools/cmd"
)

func NewOcmSubCommand() *cobra.Command {
Expand All @@ -37,7 +37,7 @@ func NewOcmSubCommand() *cobra.Command {

command.AddCommand(oscal2policycmd.New())
command.AddCommand(result2oscalcmd.New())
command.AddCommand(oscal2posturecmd.New())
command.AddCommand(toolscmd.New())

return command
}
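Review bot: The file header reports 2 additions and 2 deletions, but the rendered hunks show only a single line each for the `oscal2posturecmd` import and `command.AddCommand(oscal2posturecmd.New())`, so the new form of those two lines is not visible here; please confirm the OCM plugin still ends up with a working `oscal2posture` command (for Kyverno it is wired under `tools` from `cmd/pvpcommon/oscal2posture/cmd` with a logger argument), because cmd/ocm/oscal2posture/main.go is deleted in this PR and the OCM side would otherwise silently lose the command.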
30 changes: 0 additions & 30 deletions cmd/kyverno/oscal2posture/main.go

This file was deleted.

11 changes: 3 additions & 8 deletions cmd/kyverno/result2oscal/cmd/cmd.go
Expand Up @@ -17,8 +17,6 @@ limitations under the License.
package cmd

import (
"os"

"github.com/spf13/cobra"

"github.com/IBM/compliance-to-policy/cmd/kyverno/result2oscal/options"
Expand Down Expand Up @@ -51,10 +49,7 @@ func New() *cobra.Command {
}

func Run(options *options.Options) error {
outputDir, c2pcrPath, tempDirPath := options.OutputDir, options.C2PCRPath, options.TempDirPath
if err := os.MkdirAll(outputDir, os.ModePerm); err != nil {
panic(err)
}
outputPath, c2pcrPath, policyResultsDir, tempDirPath := options.OutputPath, options.C2PCRPath, options.PolicyResultsDir, options.TempDirPath

var c2pcrSpec typec2pcr.Spec
if err := pkg.LoadYamlFileToObject(c2pcrPath, &c2pcrSpec); err != nil {
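Review bot: Removing the `os.MkdirAll(outputDir, ...)` call means the later `pkg.WriteObjToJsonFile(outputPath, ar)` in this file now fails when the parent directory of `--out` does not exist, where the old code created it; either add `os.MkdirAll(filepath.Dir(outputPath), 0o755)` before the write (an explicit 0o755 rather than `os.ModePerm` also avoids relying on the umask to keep the directory non-world-writable) or state in the `--out` help text that the directory must already exist.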
Expand All @@ -68,13 +63,13 @@ func Run(options *options.Options) error {
panic(err)
}

r := kyverno.NewResultToOscal(c2pcrParsed)
r := kyverno.NewResultToOscal(c2pcrParsed, policyResultsDir)
ar, err := r.GenerateAssessmentResults()
if err != nil {
return err
}

err = pkg.WriteObjToJsonFile(outputDir+"/assessment-results.json", ar)
err = pkg.WriteObjToJsonFile(outputPath, ar)
if err != nil {
return err
}
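Review bot: `panic(err)` in the context line at the top of this hunk sits in a `Run` that returns `error` and that now uses `return err` for the later failures; convert the parse failure to `return err` as well so a malformed c2p-config produces a normal CLI error and non-zero exit instead of a stack trace.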
13 changes: 9 additions & 4 deletions cmd/kyverno/result2oscal/options/options.go
Expand Up @@ -23,9 +23,10 @@ import (
)

type Options struct {
C2PCRPath string
TempDirPath string
OutputDir string
C2PCRPath string
PolicyResultsDir string
TempDirPath string
OutputPath string
}

func NewOptions() *Options {
Expand All @@ -34,8 +35,9 @@ func NewOptions() *Options {

func (o *Options) AddFlags(fs *pflag.FlagSet) {
fs.StringVarP(&o.C2PCRPath, "config", "c", "", "path to c2p-config.yaml")
fs.StringVar(&o.PolicyResultsDir, "results", "", "path to directory containing Kyverno Policies List (policies.kyverno.io.yaml), ClusterPolicies List (clusterpolicies.kyverno.io.yaml), PolicyReports List (policyreports.wgpolicyk8s.io.yaml), and ClusterPolicyReports List (clusterpolicyreports.wgpolicyk8s.io.yaml)")
fs.StringVar(&o.TempDirPath, "temp-dir", "", "path to temp directory")
fs.StringVarP(&o.OutputDir, "out", "o", ".", "path to a directory for output files")
fs.StringVarP(&o.OutputPath, "out", "o", "./assessment-results.json", "path to output OSCAL Assessment Results")
}
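Review bot: Changing `-o/--out` from a directory (default `.`) to a file path (default `./assessment-results.json`) is a breaking change for callers that still pass a directory: the run completes all the work and then fails at the final write because the path is a directory. Consider detecting a directory argument and appending `assessment-results.json`, or at least documenting the change. The `--results` help string also hard-codes four list file names; keep it in sync with what `kyverno.NewResultToOscal` actually reads from `policyResultsDir` so the message does not drift from the implementation.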

func (o *Options) Complete() error {
Expand All @@ -46,5 +48,8 @@ func (o *Options) Validate() error {
if o.C2PCRPath == "" {
return errors.New("-c or --config <c2p-config.yaml> is required")
}
if o.PolicyResultsDir == "" {
return errors.New("--results is required")
}
return nil
}
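Review bot: `Validate` only checks that `--results` is non-empty; an `os.Stat` on `o.PolicyResultsDir` here (and a check that it is a directory) would report a wrong path before the config is loaded and the temp directory created, instead of failing later inside `GenerateAssessmentResults`.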
3 changes: 3 additions & 0 deletions cmd/kyverno/tools/cmd/cmd.go
Expand Up @@ -21,6 +21,8 @@ import (

"github.com/IBM/compliance-to-policy/cmd/c2pcli/options"
kyvernocmd "github.com/IBM/compliance-to-policy/cmd/kyverno/tools/subcommands/kyverno"
oscal2posturecmd "github.com/IBM/compliance-to-policy/cmd/pvpcommon/oscal2posture/cmd"
"github.com/IBM/compliance-to-policy/pkg"
)

func New() *cobra.Command {
Expand All @@ -44,6 +46,7 @@ func New() *cobra.Command {
opts.AddFlags(command.Flags())

command.AddCommand(kyvernocmd.New())
command.AddCommand(oscal2posturecmd.New(pkg.GetLogger("kyverno/oscal2posture")))

return command
}
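Review bot: Registering `oscal2posture` under `tools` puts the step the README called "Reformat in human-friendly format" next to utility commands such as `load-policy-resources`, and the logger name `"kyverno/oscal2posture"` is the only plugin-specific input to the shared `cmd/pvpcommon/oscal2posture/cmd` implementation; that is fine if intended, but the Kyverno docs this PR links to should show `kyverno tools oscal2posture ...` explicitly, since the old top-level path is removed in cmd/c2pcli/subcommands/kyverno.go.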
22 changes: 0 additions & 22 deletions cmd/ocm/oscal2policy/c2p-config.yaml

This file was deleted.

3 changes: 1 addition & 2 deletions cmd/ocm/oscal2policy/cmd/cmd.go
Expand Up @@ -24,7 +24,6 @@ import (

"github.com/IBM/compliance-to-policy/cmd/ocm/oscal2policy/options"
"github.com/IBM/compliance-to-policy/pkg"
"github.com/IBM/compliance-to-policy/pkg/c2pcr"
"github.com/IBM/compliance-to-policy/pkg/ocm"
typec2pcr "github.com/IBM/compliance-to-policy/pkg/types/c2pcr"
)
Expand Down Expand Up @@ -63,7 +62,7 @@ func Run(options *options.Options) error {
}

gitUtils := pkg.NewGitUtils(pkg.NewTempDirectory(options.TempDirPath))
c2pcrParser := c2pcr.NewParser(gitUtils)
c2pcrParser := ocm.NewParser(gitUtils)
c2pcrParsed, err := c2pcrParser.Parse(c2pcrSpec)
if err != nil {
panic(err)
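Review bot: The switch from `c2pcr.NewParser(gitUtils)` to `ocm.NewParser(gitUtils)` leaves the `panic(err)` on parse failure in place; since `Run` returns `error`, return it so an unparsable c2p-config surfaces as a CLI error rather than a stack trace. The import removal at the top of this file suggests the parser moved wholesale into `pkg/ocm`; confirm `pkg/c2pcr` has no remaining callers before it is left behind.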
30 changes: 0 additions & 30 deletions cmd/ocm/oscal2posture/main.go

This file was deleted.
