Add images for example use case
Signed-off-by: Takumi Yanagawa <[email protected]>
yana1205 committed Dec 7, 2023
1 parent 84d3e4b commit c3c2bb6
Showing 3 changed files with 169 additions and 69 deletions.
162 changes: 93 additions & 69 deletions docs/ocm/README.md
Expand Up @@ -27,6 +27,19 @@ Use "c2pcli ocm [command] --help" for more information about a command.

### Manual end-to-end use case

#### Outline
1. Create OSCAL Component Definition
- Use example one. In real cases, a user writes OSCAL by Authoring tool like [Trestle](https://ibm.github.io/compliance-trestle/))
1. Run oscal2policy to generate OCM Policies from OSCAL
1. Deploy generated OCM Policies to OCM Hub
1. Get OCM Policies from OCM Hub
1. Run result2oscal to generate OSCAL Assessment Results from the OCM Policy Results
1. Prettify OSCAL Assessment Results
- Use C2P tools. In real cases, it's responsible of GRC tools.

![manual-end-to-end-use-case.png](/docs/ocm/images/manual-end-to-end-use-case.png)

#### Steps
1. Prerequisites
1. OCM is configured to manage two k8s clusters (cluster1 and cluster2) and installed Policy Governance Framework.
1. Namespace `c2p` is created in OCM Hub
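Review bot: the Trestle link in the first outline sub-item has an unbalanced closing parenthesis, `[Trestle](https://ibm.github.io/compliance-trestle/))`, which renders a stray `)` after the link; drop the extra one. The last sub-item reads "it's responsible of GRC tools"; suggest "this is the responsibility of GRC tools". The image reference `/docs/ocm/images/manual-end-to-end-use-case.png` is repository-absolute, which GitHub resolves but other Markdown renderers may not; `./images/manual-end-to-end-use-case.png`, relative to this README, would be more portable.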
Expand All @@ -48,12 +61,12 @@ Use "c2pcli ocm [command] --help" for more information about a command.
└── <Status> 2 ManagedClusters selected
└── <Clusters> [cluster1 cluster2]
```
1. Run oscal2policy
1. Run oscal2policy to generate OCM Policies from OSCAL
```
c2pcli ocm oscal2policy -c ./docs/ocm/c2p-config.yaml -o /tmp/ocm-policies
```
- The generated ocm-policies directory looks like [./final-outputs/ocm-policies](./final-outputs/ocm-policies)
1. Deploy generated OCM Policies to OCM Hub
1. Deploy the generated OCM Policies to OCM Hub
```
kubectl create -f /tmp/ocm-policies
```
Expand All @@ -76,12 +89,12 @@ Use "c2pcli ocm [command] --help" for more information about a command.
```
1. Get OCM Policy Results (Policy, PolicySet, PlacementDecision) from OCM Hub
```
mkdir /tmp/results
mkdir -p /tmp/results
kubectl get policies.policy.open-cluster-management.io -A -o yaml > /tmp/results/policies.policy.open-cluster-management.io.yaml
kubectl get policysets.policy.open-cluster-management.io -A -o yaml > /tmp/results/policysets.policy.open-cluster-management.io.yaml
kubectl get placementdecisions.cluster.open-cluster-management.io -A -o yaml > /tmp/results/placementdecisions.cluster.open-cluster-management.io.yaml
```
1. Run result2oscal
1. Run result2oscal to generate OSCAL Assessment Results from the OCM Policy Results
```
c2pcli ocm result2oscal -c ./docs/ocm/c2p-config.yaml --results /tmp/results -o /tmp/assessment-results.json
```
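Review bot: the three `kubectl get ... -o yaml > /tmp/results/...yaml` redirections create the output files even when `kubectl` fails, so the `result2oscal` step that follows would run on empty input with no obvious error; consider running the block under `set -e` or checking each exit status before redirecting. The change to `mkdir -p /tmp/results` is good, since it makes the step repeatable without a "File exists" failure.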
Expand All @@ -91,71 +104,15 @@ Use "c2pcli ocm [command] --help" for more information about a command.
```
- You can view the compliance posture like [./final-outputs/compliance-posture.md](./final-outputs/compliance-posture.md)
### C2P Decomposer
Decompose OCM poicy collection to kubernetes resources composing each OCM policy (we call it policy resource).
### GitOps automation use case
1. Clone [Policy Collection](https://github.com/open-cluster-management-io/policy-collection)
```
git clone --depth 1 https://github.com/open-cluster-management-io/policy-collection.git /tmp/policy-collection
```
1. Run C2P Decomposer
```
go run ./cmd/decompose/decompose.go --policy-collection-dir=/tmp/policy-collection --out=/tmp/c2p-output
```
1. Decomposed policy resources are ouput in `/tmp/c2p-output/decomposed/resources`
```
$ tree -L 1 /tmp/c2p-output/decomposed
/tmp/c2p-output/decomposed
├── _sources
└── resources
```
Individual decomposed resource contains k8s manifests and configuration files (policy-generator.yaml and kustomization.yaml) for PolicyGenerator.
```
$ tree -L 3 /tmp/c2p-output/decomposed/resources
/tmp/c2p-output/decomposed/resources
├── add-chrony
│   ├── add-chrony-worker
│   │   └── MachineConfig.50-worker-chrony.0.yaml
│   ├── kustomization.yaml
│   └── policy-generator.yaml
├── add-tvk-license
│   ├── add-tvk-license
│   │   └── License.triliovault-license.0.yaml
│   ├── kustomization.yaml
```
### C2P Composer
Compose OCM Policy from policy resources from compliance information (for example, [compliance.yaml](cmd/compose/compliance.yaml))
#### Outline
1. Run C2P Composer
```
go run cmd/compose-by-c2pcr/main.go --c2pcr ./cmd/compose-by-c2pcr/c2pcr.yaml --out /tmp/c2p-output
```
1. Composed OCM policies are output in `/tmp/c2p-output`
```
$ tree /tmp/c2p-output
/tmp/c2p-output
├── add-chrony
│ ├── add-chrony-worker
│ │ └── MachineConfig.50-worker-chrony.0.yaml
│ ├── kustomization.yaml
│ └── policy-generator.yaml
├── install-odf-lvm-operator
│ ├── kustomization.yaml
│ ├── odf-lvmcluster
│ │ └── LVMCluster.odf-lvmcluster.0.yaml
│ ├── policy-generator.yaml
│ └── policy-odf-lvm-operator
│ ├── Namespace.openshift-storage.0.yaml
│ ├── OperatorGroup.openshift-storage-operatorgroup.0.yaml
│ └── Subscription.lvm-operator.0.yaml
├── kustomization.yaml
├── policy-generator.yaml
└── policy-sets.yaml
```
https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-8703-04ce94e9dfba
### GitOps automation use case
#### Steps
https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-8703-04ce94e9dfba
Setup Github Repos
1. Create two repositories (one is configuration repository that's used for pipeline from OSCAL to Policy and another is evidence repository that's used for pipeline from OCM statuses to Compliance result)
- For example, c2p-for-ocm-pipeline01-config and c2p-for-ocm-pipeline01-evidence
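Review bot: the old text carried the video link `https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-8703-04ce94e9dfba` twice (once after the C2P Composer tree and once under `#### Steps`); with the Decomposer and Composer sections moved out of this hunk, confirm that exactly one copy survives, under `#### Steps`, where it illustrates the GitOps use case. Also, `### GitOps automation use case` now follows the `- You can view the compliance posture ...` list item with no blank line in between; add one so the heading is not absorbed into the list in stricter renderers.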
Expand Down Expand Up @@ -183,17 +140,20 @@ https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-
- Name: PAT
- Secret: Created Github Personal Access Token
### Run oscal-to-pocliy
Run oscal-to-pocliy
1. Go to the configuration repository
1. Go to `Actions` tab
1. Run `OSCAL to Policy`
1. This action generates manifests from OSCAL and then generate a PR of changes for a directory `ocm-policy-manifests` containing the generated manifests.
1. Merge the PR
### Integrate with GitOps
Integrate with GitOps
1. Sync `ocm-policy-manifests` directory with your OCM Hub by OCM GitOps (OCM Channel and Subscription addon)
### Deploy collector to your OCM Hub
Deploy collector to your OCM Hub
1. Apply RBAC for collector
```
kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml
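Review bot: `kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml` applies cluster RBAC from a personal fork branch, while the cronjob line in the next hunk uses `IBM/compliance-to-policy/main`; an unpinned fork branch is a supply-chain risk and will drift from the upstream script, so point this at the same upstream path (ideally a tagged revision) as the cronjob. Separately, the heading `### Run oscal-to-pocliy` is replaced by the plain line `Run oscal-to-pocliy`, which keeps the typo (`pocliy` should be `policy`) and drops the heading anchor; the same demotion happens to `Integrate with GitOps` and `Deploy collector to your OCM Hub`. If the intent is to nest these under `#### Steps`, `####`/`#####` headings would keep them navigable.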
Expand All @@ -211,13 +171,77 @@ https://github.com/IBM/compliance-to-policy/assets/113283236/da3518d0-53de-4bd6-
kubectl apply -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/cronjob.yaml
```
### Cleanup
Cleanup
```
kubectl delete -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/cronjob.yaml
kubectl -n c2p delete secret collect-ocm-status-secret
kubectl delete -f https://raw.githubusercontent.com/IBM/compliance-to-policy/main/scripts/collect/rbac.yaml
```
### C2P Decomposer
Decompose OCM poicy collection to kubernetes resources composing each OCM policy (we call it policy resource).
1. Clone [Policy Collection](https://github.com/open-cluster-management-io/policy-collection)
```
git clone --depth 1 https://github.com/open-cluster-management-io/policy-collection.git /tmp/policy-collection
```
1. Run C2P Decomposer
```
go run ./cmd/decompose/decompose.go --policy-collection-dir=/tmp/policy-collection --out=/tmp/c2p-output
```
1. Decomposed policy resources are ouput in `/tmp/c2p-output/decomposed/resources`
```
$ tree -L 1 /tmp/c2p-output/decomposed
/tmp/c2p-output/decomposed
├── _sources
└── resources
```
Individual decomposed resource contains k8s manifests and configuration files (policy-generator.yaml and kustomization.yaml) for PolicyGenerator.
```
$ tree -L 3 /tmp/c2p-output/decomposed/resources
/tmp/c2p-output/decomposed/resources
├── add-chrony
│   ├── add-chrony-worker
│   │   └── MachineConfig.50-worker-chrony.0.yaml
│   ├── kustomization.yaml
│   └── policy-generator.yaml
├── add-tvk-license
│   ├── add-tvk-license
│   │   └── License.triliovault-license.0.yaml
│   ├── kustomization.yaml
```
### C2P Composer
Compose OCM Policy from policy resources from compliance information (for example, [compliance.yaml](cmd/compose/compliance.yaml))
1. Run C2P Composer
```
go run cmd/compose-by-c2pcr/main.go --c2pcr ./cmd/compose-by-c2pcr/c2pcr.yaml --out /tmp/c2p-output
```
1. Composed OCM policies are output in `/tmp/c2p-output`
```
$ tree /tmp/c2p-output
/tmp/c2p-output
├── add-chrony
│ ├── add-chrony-worker
│ │ └── MachineConfig.50-worker-chrony.0.yaml
│ ├── kustomization.yaml
│ └── policy-generator.yaml
├── install-odf-lvm-operator
│ ├── kustomization.yaml
│ ├── odf-lvmcluster
│ │ └── LVMCluster.odf-lvmcluster.0.yaml
│ ├── policy-generator.yaml
│ └── policy-odf-lvm-operator
│ ├── Namespace.openshift-storage.0.yaml
│ ├── OperatorGroup.openshift-storage-operatorgroup.0.yaml
│ └── Subscription.lvm-operator.0.yaml
├── kustomization.yaml
├── policy-generator.yaml
└── policy-sets.yaml
```
## C2P as controller (deprecated)
1. Build image
```
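Review bot: the link `[compliance.yaml](cmd/compose/compliance.yaml)` in the moved C2P Composer section is relative to `docs/ocm/README.md`, so it resolves to `docs/ocm/cmd/compose/compliance.yaml` rather than the repository-root path; other links in this file (`./final-outputs/...`) are written relative to the docs directory, so this one likely needs `../../cmd/compose/compliance.yaml`. Two typos travel with the moved text: `poicy` in `Decompose OCM poicy collection` and `ouput` in `Decomposed policy resources are ouput in`. The `tree -L 3 /tmp/c2p-output/decomposed/resources` listing stops mid-tree after `kustomization.yaml` with no indication of truncation; add a trailing `...` line or trim it to `-L 2`. `### Cleanup` becomes the plain line `Cleanup`, consistent with the demoted headings in the previous hunk, so the same heading-level comment applies.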
76 changes: 76 additions & 0 deletions docs/ocm/images/manual-end-to-end-use-case.drawio
@@ -0,0 +1,76 @@
<mxfile host="65bd71144e">
<diagram id="uLfyup0coWNS7o469vWR" name="Page-1">
<mxGraphModel dx="1260" dy="708" grid="1" gridSize="10" guides="1" tooltips="1" connect="1" arrows="1" fold="1" page="1" pageScale="1" pageWidth="1169" pageHeight="827" math="0" shadow="0">
<root>
<mxCell id="0"/>
<mxCell id="1" parent="0"/>
<mxCell id="13" value="" style="endArrow=classic;html=1;fontSize=22;entryX=0.997;entryY=0.815;entryDx=0;entryDy=0;entryPerimeter=0;exitX=-0.008;exitY=0.815;exitDx=0;exitDy=0;exitPerimeter=0;" edge="1" parent="1" source="10" target="5">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="520" y="220.5" as="sourcePoint"/>
<mxPoint x="818.5699999999999" y="220.5" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="5" value="C2P" style="rounded=0;whiteSpace=wrap;html=1;fontSize=22;fillColor=#ffe6cc;strokeColor=#d79b00;" vertex="1" parent="1">
<mxGeometry x="400" y="160" width="110" height="250" as="geometry"/>
</mxCell>
<mxCell id="6" value="OSCAL&lt;br&gt;(Component Definition)" style="shape=note;whiteSpace=wrap;html=1;backgroundOutline=1;darkOpacity=0.05;fontSize=22;size=22;" vertex="1" parent="1">
<mxGeometry x="150" y="160" width="150" height="90" as="geometry"/>
</mxCell>
<mxCell id="7" value="OSCAL&lt;br&gt;(Assessment Results)" style="shape=note;whiteSpace=wrap;html=1;backgroundOutline=1;darkOpacity=0.05;fontSize=22;size=23;" vertex="1" parent="1">
<mxGeometry x="150" y="310" width="150" height="90" as="geometry"/>
</mxCell>
<mxCell id="9" value="OCM Policy Results" style="shape=note;whiteSpace=wrap;html=1;backgroundOutline=1;darkOpacity=0.05;fontSize=22;size=21;" vertex="1" parent="1">
<mxGeometry x="570" y="320" width="140" height="80" as="geometry"/>
</mxCell>
<mxCell id="10" value="OCM" style="rounded=0;whiteSpace=wrap;html=1;fontSize=22;fillColor=#dae8fc;strokeColor=#6c8ebf;" vertex="1" parent="1">
<mxGeometry x="750" y="160" width="110" height="250" as="geometry"/>
</mxCell>
<mxCell id="11" value="" style="endArrow=classic;html=1;fontSize=22;entryX=-0.009;entryY=0.214;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" target="5">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="300" y="214" as="sourcePoint"/>
<mxPoint x="480" y="220" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="12" value="" style="endArrow=classic;html=1;fontSize=22;entryX=-0.013;entryY=0.202;entryDx=0;entryDy=0;entryPerimeter=0;" edge="1" parent="1" target="10">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="510" y="210.5" as="sourcePoint"/>
<mxPoint x="806" y="209" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="8" value="OCM Policy" style="shape=note;whiteSpace=wrap;html=1;backgroundOutline=1;darkOpacity=0.05;fontSize=22;size=21;" vertex="1" parent="1">
<mxGeometry x="570" y="165" width="140" height="80" as="geometry"/>
</mxCell>
<mxCell id="14" value="" style="endArrow=classic;html=1;fontSize=22;entryX=0;entryY=0;entryDx=150;entryDy=56.5;entryPerimeter=0;exitX=-0.015;exitY=0.823;exitDx=0;exitDy=0;exitPerimeter=0;" edge="1" parent="1" source="5" target="7">
<mxGeometry width="50" height="50" relative="1" as="geometry">
<mxPoint x="819.1200000000001" y="373.75" as="sourcePoint"/>
<mxPoint x="519.6699999999998" y="373.75" as="targetPoint"/>
</mxGeometry>
</mxCell>
<mxCell id="15" value="oscal2policy" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="425" y="130" width="60" height="30" as="geometry"/>
</mxCell>
<mxCell id="16" value="result2oscal" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="425" y="410" width="60" height="30" as="geometry"/>
</mxCell>
<mxCell id="17" value="1" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="120" y="120" width="60" height="30" as="geometry"/>
</mxCell>
<mxCell id="19" value="2&lt;span style=&quot;color: rgba(0, 0, 0, 0); font-family: monospace; font-size: 0px; text-align: start;&quot;&gt;%3CmxGraphModel%3E%3Croot%3E%3CmxCell%20id%3D%220%22%2F%3E%3CmxCell%20id%3D%221%22%20parent%3D%220%22%2F%3E%3CmxCell%20id%3D%222%22%20value%3D%221%22%20style%3D%22text%3Bhtml%3D1%3BstrokeColor%3Dnone%3BfillColor%3Dnone%3Balign%3Dcenter%3BverticalAlign%3Dmiddle%3BwhiteSpace%3Dwrap%3Brounded%3D0%3BfontSize%3D22%3B%22%20vertex%3D%221%22%20parent%3D%221%22%3E%3CmxGeometry%20x%3D%2290%22%20y%3D%22330%22%20width%3D%2260%22%20height%3D%2230%22%20as%3D%22geometry%22%2F%3E%3C%2FmxCell%3E%3C%2Froot%3E%3C%2FmxGraphModel%3E&lt;/span&gt;" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="350" y="120" width="60" height="30" as="geometry"/>
</mxCell>
<mxCell id="20" value="3" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="560" y="120" width="60" height="30" as="geometry"/>
</mxCell>
<mxCell id="21" value="4" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="562" y="430" width="56" height="30" as="geometry"/>
</mxCell>
<mxCell id="22" value="5" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="352" y="430" width="56" height="30" as="geometry"/>
</mxCell>
<mxCell id="23" value="6" style="text;html=1;strokeColor=none;fillColor=none;align=center;verticalAlign=middle;whiteSpace=wrap;rounded=0;fontSize=22;" vertex="1" parent="1">
<mxGeometry x="122" y="430" width="56" height="30" as="geometry"/>
</mxCell>
</root>
</mxGraphModel>
</diagram>
</mxfile>
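Review bot: the label cell `<mxCell id="19" value="2&lt;span style=&quot;color: rgba(0, 0, 0, 0); font-family: monospace; font-size: 0px; ...` carries an invisible, URL-encoded `mxGraphModel` fragment pasted into its value (a draw.io copy/paste artifact); set the value to plain `2`, as the sibling label cells `17`, `20`, `21`, `22` and `23` do, otherwise the hidden XML ships in the source file and in any SVG exported from it. Minor: the edges `13`, `11`, `12` and `14` carry hard-coded fractional points such as `818.5699999999999`, and the note shapes use differing `size=` values (22, 23, 21); harmless, but worth tidying if the diagram is re-exported.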
Binary file added docs/ocm/images/manual-end-to-end-use-case.png

0 comments on commit c3c2bb6
