README
¶
compliance-to-policy
Compliance-to-Policy (C2P) provides the framework to bridge the gap between compliance and policy administration.
setup pipeline
- Create two repositories (one is configuration repository that's used for pipeline from OSCAL to Policy and another is evidence repository that's used for pipeline from OCM statuses to Compliance result)
- For example, c2p-for-ocm-pipeline01-config and c2p-for-ocm-pipeline01-evidence
- Create Github Personal Access Token having following permissions
- Repository permission of
Contents,Pull Requests, andWorkflowswith read-and-write against both the configuration repository and the evidence repository.
- Fork C2P repository (yana1205/compliance-to-policy.git) and checkout
template - Set required parameters for github action to initialize your configuration and evidence repo
- Go to Settings tab
- Go to
ActionsunderSecrets and variables - Create
New repository secret- Name: PAT - Secret: Created Github Personal Access Token - Go to
Variablestab to createNew repository variable - Create
CONFIGURATION_REPOSITORYvariable - Name: CONFIGURATION_REPOSITORY - Value:<configuration repository org>/<configuration repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-config) - Create
EVIDENCE_REPOSITORYvariable - Name: EVIDENCE_REPOSITORY - Value:<evidence repository org>/<evidence repository name> (e.g. yana1205/c2p-for-ocm-pipeline01-evidence) - Run Action
Initialize repositorieswith branchtemplate - Go to the configuration repository and create
New repository secret
- Name: PAT
- Secret: Created Github Personal Access Token
- Go to the evidence repository and create
New repository secret
- Name: PAT
- Secret: Created Github Personal Access Token
run oscal-to-pocliy
- Go to the configuration repository
- Go to
Actionstab - Run
OSCAL to Policy - This action generates manifests from OSCAL and then generate a PR of changes for a directory
ocm-policy-manifestscontaining the generated manifests. - Merge the PR
integrate with GitOps
- Sync
ocm-policy-manifestsdirectory with your OCM Hub by OCM GitOps (OCM Channel and Subscription addon)
deploy collector to your OCM Hub
- Apply RBAC for collector
kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml
- Create Secret for Github access
kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=<github user> --from-literal=token=<github PAT> --from-literal=org=<evidence org name> --from-literal=repo=<evidence repo name>
e.g.
kubectl -n c2p create secret generic --save-config collect-ocm-status-secret --from-literal=user=yana1205 --from-literal=token=github_pat_xxx --from-literal=org=yana1205 --from-literal=repo=c2p-for-ocm-pipeline01-evidence
- Deploy collector cronjob
kubectl apply -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/cronjob.yaml
cleanup
kubectl delete -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/cronjob.yaml
kubectl -n c2p delete secret collect-ocm-status-secret
kubectl delete -f https://raw.githubusercontent.com/yana1205/compliance-to-policy/redesign.0622/scripts/collect/rbac.yaml
Controller pattern
Prerequisites
- Install Policy Generator Plugin
C2P Decomposer
Decompose OCM poicy collection to kubernetes resources composing each OCM policy (we call it policy resource).
- Clone Policy Collection
git clone --depth 1 https://github.com/open-cluster-management-io/policy-collection.git /tmp/policy-collection - Run C2P Decomposer
go run ./cmd/decompose/decompose.go --policy-collection-dir=/tmp/policy-collection --out=/tmp/c2p-output - Decomposed policy resources are ouput in
/tmp/c2p-output/decomposed/resources
Individual decomposed resource contains k8s manifests and configuration files (policy-generator.yaml and kustomization.yaml) for PolicyGenerator.$ tree -L 1 /tmp/c2p-output/decomposed /tmp/c2p-output/decomposed ├── _sources └── resources$ tree -L 3 /tmp/c2p-output/decomposed/resources /tmp/c2p-output/decomposed/resources ├── add-chrony │ ├── add-chrony-worker │ │ └── MachineConfig.50-worker-chrony.0.yaml │ ├── kustomization.yaml │ └── policy-generator.yaml ├── add-tvk-license │ ├── add-tvk-license │ │ └── License.triliovault-license.0.yaml │ ├── kustomization.yaml
C2P Composer
Compose OCM Policy from policy resources from compliance information (for example, compliance.yaml)
- Run C2P Composer
go run cmd/compose-by-c2pcr/main.go --c2pcr ./cmd/compose-by-c2pcr/c2pcr.yaml --out /tmp/c2p-output - Composed OCM policies are output in
/tmp/c2p-output$ tree /tmp/c2p-output /tmp/c2p-output ├── add-chrony │ ├── add-chrony-worker │ │ └── MachineConfig.50-worker-chrony.0.yaml │ ├── kustomization.yaml │ └── policy-generator.yaml ├── install-odf-lvm-operator │ ├── kustomization.yaml │ ├── odf-lvmcluster │ │ └── LVMCluster.odf-lvmcluster.0.yaml │ ├── policy-generator.yaml │ └── policy-odf-lvm-operator │ ├── Namespace.openshift-storage.0.yaml │ ├── OperatorGroup.openshift-storage-operatorgroup.0.yaml │ └── Subscription.lvm-operator.0.yaml ├── kustomization.yaml ├── policy-generator.yaml └── policy-sets.yaml
C2P Controller
- Build image
make docker-build docker-push IMG=<controller image> - Create KinD cluster
kind create cluster - Install (if you use OCM, install-ocm-related-crds may fail since the required CRDs are already there.)
make install make install-ocm-related-crds - Deploy
make deploy IMG=<controller image> - Create CR
kubectl apply -f ./config/samples/compliance-to-policy_v1alpha1_compliancedeployment.yaml -n compliance-to-policy-system - Check if Policy, PlacmenetBinding/Rule are created
kubectl get policies,placementbindings,placementrules -n compliance-high - Cleanup
make undeploy make uninstall
Documentation
¶
There is no documentation for this package.
Source Files
Directories
¶
| Path | Synopsis |
|---|---|
|
api
|
|
|
v1alpha1
Package v1alpha1 contains API Schema definitions for the compliance-to-policy v1alpha1 API group +kubebuilder:object:generate=true +groupName=compliance-to-policy.io
|
Package v1alpha1 contains API Schema definitions for the compliance-to-policy v1alpha1 API group +kubebuilder:object:generate=true +groupName=compliance-to-policy.io |
|
cmd
|
|
|
controllers
|
|
|
wgpolicyk8s.io/v1alpha1
Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group +k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=wgpolicyk8s.io
|
Package v1alpha1 contains API Schema definitions for the policy v1alpha1 API group +k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=wgpolicyk8s.io |
|
wgpolicyk8s.io/v1alpha2
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group +k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=wgpolicyk8s.io
|
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group +k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=wgpolicyk8s.io |
|
wgpolicyk8s.io/v1beta1
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group +k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=wgpolicyk8s.io
|
Package v1alpha2 contains API Schema definitions for the policy v1alpha2 API group +k8s:deepcopy-gen=package +kubebuilder:object:generate=true +groupName=wgpolicyk8s.io |
Click to show internal directories.
Click to hide internal directories.