Create a resource in kubernetes domain #408
Comments
I agree with the intent of the problem statement. Having a way to "challenge" that something is both configured properly AND operating as expected is what the project should continue to develop. I do want to challenge/discuss what this means for Lula runtime. This sounds like a tipping-point for needing to establish and document guardrails for what is required. Optimally what Lula performs is read-only - allowing for the portability of validations to not perform write-operations unintentionally. That said - I do see value here and there are other scenarios where I have wanted to enable "executing" some process for the purpose of collecting the output for validation. Is there a possibility that we can explicitly define a validation as "executable" (via a flag?) which requires explicit opt-in? Something to help provide guardrails such that Lula isn't used for malicious purposes for which we can help control.
@brandtkeller all good points - yeah I do agree that this does feel a little extra and possibly an inflection point for Lula. I would maybe offer the counterargument that what Lula is able to do in a cluster could(/should?) be a function of the RBAC roles defined for Lula. I think it's probably important to document that you should never be running Lula on a prod cluster with like an Admin kubeconfig - I would hope that's already obvious to any users haha. I think this might also be venturing into a realm that looks more like sonobuoy, which seems like an acceptable tool used to do these kinds of cluster-write ops for testing. For the cases where this is simply run in a pipeline, does it matter if Lula adds/mutates resources in the cluster if it's executing at the end of the pipeline? I think at baseline what you said about adding a flag or something specific to call out k8s write things would be beneficial. I'm not entirely sure how this manifests - is it something where there's an additional CLI "is this ok" check when you try to
@meganwolf0 agree with the documentation of recommendations for Lula runtime. One of the undocumented assumptions to this point is that domains offer a way to help control what is happening. IE we could have shelled-out to Kubectl but instead wanted explicit control over read operations with the kubernetes domain - it shouldn't be possible to create a resource with the kubernetes resource currently and as such we haven't been too concerned about the read-only vs admin RBAC.
I don't see an issue here - but the workflow shouldn't need to delineate between dev/prod. Optimally these are validations that can be used/re-used across many clusters. This can still be done as described in the issue - but we just have to cover all the bases for how this could potentially impact a production environment.
This would be the part to prototype - something to set the standard as an indicator that the feature being used CAN be used for write operations. I was brainstorming a few examples such as
Sounds good - I will include something as a flag to users. I'm kinda thinking it'll be along the lines of what I mentioned above (plus addition of like a --confirm flag to skip the verification check, similar to how zarf operates). Or do you have another way you think it should be implemented?
Is the addition of supporting write-operations something that should warrant an ADR? I'm not sure we can get away with not eventually supporting the extensibility for doing something that can potentially modify the environment -> but I do want to emphasize the weight of potential concerns this may raise from personas involved.
* refactor!(common): #388 update common/types (and all references) to use pointers
* refactor!(common): #388 update Domain struct to use pointers
* refactor!(common): #388 update Provider struct to use pointers
* refactor!(evaluate): #388 EvaluateResults now uses pointers
  refactor!(component): change NewOscalComponentDefinitionFromBytes to return a pointer
* refactor!(resource-store): #388 changed AddFromLink params to use pointers, updated references
* refactor!(assessment-results): #388 NewAssessmentResults now returns a pointer
* refactor!(catalog): now runs validation rather than requiring the source for the extension
  refactor!(catalog): now uses pointers
* refactor!(component): #388 NewOscalComponentDefinition no longer uses source in favor of oscal validation
  refactor!(component): delete the NewOscalComponentDefinitionFromBytes method in favor of NewOscalComponentDefinition
  refactor!(common): rename WriteFile -> WriteOscalModel
  refactor(generate): WriteFile -> WriteOscalModel
  refactor(composition): removed validation logic in favor of NewOscalComponentDefinition handling it
  feat(common): WriteOscalModel now handles json file extensions
  feat(evaluate): now runs file extension validation for json/yaml
  feat(validate): now checks input file for extension
  tests: update tests, update test data to pass oscal validation
* refactor!(common): #388 moved WriteOscalModel to the oscal package (complete-schema)
* feat(oscal): create the multiModelValidate method for use in oscal constructors and updated all relevant constructors
* refactor!(component): #388 update mergeComponents and ComponentFromCatalog to use pointers
  refactor(generate): update all refs to ComponentFromCatalog
* initial resource creation
* refactor(component): pointer refactor
* fix(component): failing e2e
* refactor(component): ControlToImplementRequirement now takes pointer to control
* fix(common): add omitempty to the marshalling for Validation
* refactor!(domains/kubernetes): #388 KubernetesSpec.Wait and Resource.ResourceRule are now pointers and have omitempty, updated all references
* refactor!(domains/kubernetes): #388 ResourceRule.Field is now a pointer and has omitempty tag
* refactor!(providers/kyverno): #388 KyvernoSpec is now a pointer
* refactor!(providers/opa): #388 OpaSpec is now a pointer
* refactor(providers): add omitempty to Kyverno and opa spec tags
* refactor!(providers): update output fields to be pointers
* refactor!(domains): update api and k8s domain specs to be pointers
* refactor!(types): #388 update LulaValidation provider, domain, domain-resources and result to use pointers
* fix(evaluate): add nil check on thresholdResult and newResult to top of method to prevent nil pointer
* chore(validate): add TODO to remove WriteReport as it is unused (question)
* fix: graceful exit conditions, empty result pointer
* feat: merged pointers
* feat: updated error handling, initial docs and flag functions
* feat: added flags to lula validate
* feat: added requirement-store, updated validation
* feat(validate): updated validation refactor, other small fixes
* feat: added tests, dev command updates
* fix(dev): updated tests, fixed dev cmd issues
* fix: refactor yaml multi doc functionality
* fix: get-resources read from stdin
* fix: remove debug file
* fix: clean-up per comments
* Update src/pkg/message/interactive.go clarifying confirmation text
  Co-authored-by: Brandt Keller <[email protected]>
* docs: description of assessments and failure conditions
* feat(validate): non-interactive flag added
* fix(dev): get-resources missing validation opt
* fix: clean-up create resources
* add staticResources check before execution
* fix: updated create observation fcn and usage

---------

Co-authored-by: Cole (Mike) Winberry <[email protected]>
Co-authored-by: Cole (Mike) Winberry <[email protected]>
Co-authored-by: Brandt Keller <[email protected]>
* feat: add looping for lint
* updated to handle errors without exiting.
* added conditional for success/fail
* need a wrapper in go-oscal but should work
* feat(validate)!: #408 create resources in kubernetes domain (#415)
  * refactor!(common): #388 update common/types (and all references) to use pointers
  * refactor!(common): #388 update Domain struct to use pointers
  * refactor!(common): #388 update Provider struct to use pointers
  * refactor!(evaluate): #388 EvaluateResults now uses pointers
    refactor!(component): change NewOscalComponentDefinitionFromBytes to return a pointer
  * refactor!(resource-store): #388 changed AddFromLink params to use pointers, updated references
  * refactor!(assessment-results): #388 NewAssessmentResults now returns a pointer
  * refactor!(catalog): now runs validation rather than requiring the source for the extension
    refactor!(catalog): now uses pointers
  * refactor!(component): #388 NewOscalComponentDefinition no longer uses source in favor of oscal validation
    refactor!(component): delete the NewOscalComponentDefinitionFromBytes method in favor of NewOscalComponentDefinition
    refactor!(common): rename WriteFile -> WriteOscalModel
    refactor(generate): WriteFile -> WriteOscalModel
    refactor(composition): removed validation logic in favor of NewOscalComponentDefinition handling it
    feat(common): WriteOscalModel now handles json file extensions
    feat(evaluate): now runs file extension validation for json/yaml
    feat(validate): now checks input file for extension
    tests: update tests, update test data to pass oscal validation
  * refactor!(common): #388 moved WriteOscalModel to the oscal package (complete-schema)
  * feat(oscal): create the multiModelValidate method for use in oscal constructors and updated all relevant constructors
  * refactor!(component): #388 update mergeComponents and ComponentFromCatalog to use pointers
    refactor(generate): update all refs to ComponentFromCatalog
  * initial resource creation
  * refactor(component): pointer refactor
  * fix(component): failing e2e
  * refactor(component): ControlToImplementRequirement now takes pointer to control
  * fix(common): add omitempty to the marshalling for Validation
  * refactor!(domains/kubernetes): #388 KubernetesSpec.Wait and Resource.ResourceRule are now pointers and have omitempty, updated all references
  * refactor!(domains/kubernetes): #388 ResourceRule.Field is now a pointer and has omitempty tag
  * refactor!(providers/kyverno): #388 KyvernoSpec is now a pointer
  * refactor!(providers/opa): #388 OpaSpec is now a pointer
  * refactor(providers): add omitempty to Kyverno and opa spec tags
  * refactor!(providers): update output fields to be pointers
  * refactor!(domains): update api and k8s domain specs to be pointers
  * refactor!(types): #388 update LulaValidation provider, domain, domain-resources and result to use pointers
  * fix(evaluate): add nil check on thresholdResult and newResult to top of method to prevent nil pointer
  * chore(validate): add TODO to remove WriteReport as it is unused (question)
  * fix: graceful exit conditions, empty result pointer
  * feat: merged pointers
  * feat: updated error handling, initial docs and flag functions
  * feat: added flags to lula validate
  * feat: added requirement-store, updated validation
  * feat(validate): updated validation refactor, other small fixes
  * feat: added tests, dev command updates
  * fix(dev): updated tests, fixed dev cmd issues
  * fix: refactor yaml multi doc functionality
  * fix: get-resources read from stdin
  * fix: remove debug file
  * fix: clean-up per comments
  * Update src/pkg/message/interactive.go clarifying confirmation text
    Co-authored-by: Brandt Keller <[email protected]>
  * docs: description of assessments and failure conditions
  * feat(validate): non-interactive flag added
  * fix(dev): get-resources missing validation opt
  * fix: clean-up create resources
  * add staticResources check before execution
  * fix: updated create observation fcn and usage

  ---------

  Co-authored-by: Cole (Mike) Winberry <[email protected]>
  Co-authored-by: Cole (Mike) Winberry <[email protected]>
  Co-authored-by: Brandt Keller <[email protected]>
* chore(deps): update module github.com/spf13/cobra to v1.8.1 (#485)

  | datasource | package                | from   | to     |
  | ---------- | ---------------------- | ------ | ------ |
  | go         | github.com/spf13/cobra | v1.8.0 | v1.8.1 |

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): update googleapis/release-please-action digest to 7987652 (#472)
  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): update github/codeql-action action to v3.25.10 (#476)

  | datasource  | package              | from    | to       |
  | ----------- | -------------------- | ------- | -------- |
  | github-tags | github/codeql-action | v3.25.8 | v3.25.10 |

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore: fix documentation links (#487)
* chore(docs): cleanup unused readme conflicting in docs build (#489)
* chore(deps): update module github.com/defenseunicorns/go-oscal to v0.4.3 (#470)

  | datasource | package                             | from   | to     |
  | ---------- | ----------------------------------- | ------ | ------ |
  | go         | github.com/defenseunicorns/go-oscal | v0.4.1 | v0.4.3 |

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): update actions/checkout action to v4.1.7 (#479)

  | datasource  | package          | from   | to     |
  | ----------- | ---------------- | ------ | ------ |
  | github-tags | actions/checkout | v4.1.6 | v4.1.7 |

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
* chore(deps): update module github.com/defenseunicorns/go-oscal to v0.5.0 (#492)
  * chore(deps): update module github.com/defenseunicorns/go-oscal to v0.5.0

    | datasource | package                             | from   | to     |
    | ---------- | ----------------------------------- | ------ | ------ |
    | go         | github.com/defenseunicorns/go-oscal | v0.4.3 | v0.5.0 |

  * chore(lint): update lint with new go-oscal ValidationCommand changes
  * chore(tests): update pod_validation_test with new usage of ValidationCommand
  * chore(tests): update e2e pod_validation_test to use JsonSchemaError for validation failures

  ---------

  Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
  Co-authored-by: Cole (Mike) Winberry <[email protected]>
* added conditional for success/fail
* need a wrapper in go-oscal but should work
* updating loop
* fixing local branch
* fixed my loop logic
* fix(lint): lint now waits until exiting the loop to write to file and now handles multiple validation results
* fix(tools): lint command properly handles attempting all validations prior to deciding exit state, still bails on non-validation errors as they happen
* fix(tools): lint fatal error message validation -> linting
* fix(tools): lint messaging updated with linting where it makes sense

---------

Co-authored-by: Megan Wolf <[email protected]>
Co-authored-by: Cole (Mike) Winberry <[email protected]>
Co-authored-by: Cole (Mike) Winberry <[email protected]>
Co-authored-by: Brandt Keller <[email protected]>
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
Co-authored-by: Bryan Finster <[email protected]>
Is your feature request related to a problem? Please describe.
Looking at the pepr (or kyverno, gatekeeper, etc) validations, it would be useful to create a dummy resource to test policy enforcement then measure the outcome (ideally denied if some policy you're testing is implemented correctly). Wondering if this feature might have other use cases - thinking along the lines of probing networking and/or making api requests.
This might also have some baggage associated - because you're not really fully providing "direct proof" via explicit manifest data, you're doing like a proof by non-occurrence - e.g., if a resource is blocked, then the policy is working. That's maybe something that could be interesting to capture as different Lula workflows or reporting?
Describe the solution you'd like
Describe alternatives you've considered
None
Additional context
None
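The two ideas in this thread, the explicit opt-in for validations that write to the cluster and the "proof by non-occurrence" check where a dummy resource is expected to be denied, sketched together as an added Go example (not Lula's code). The `Validation`, `Options.ConfirmWrites` and `APIStatusError` names are assumptions, and the webhook name and messages are constructed; the point the example adds is that an RBAC 403 from a read-only kubeconfig looks like a denial but proves nothing about the policy, so it must not count as a pass.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Validation and Options hold only the fields this example needs; the names are assumptions.
type Validation struct {
	CreateResources bool // the kubernetes domain would write to the cluster for this validation
}
type Options struct {
	ConfirmWrites bool // explicit opt-in for write operations, e.g. a --confirm flag
}

// Outcome classifies what happened to the dummy resource ("proof by non-occurrence").
type Outcome string

const (
	OutcomeSkipped Outcome = "skipped: validation writes to the cluster and writes were not confirmed"
	OutcomePass    Outcome = "pass: admission policy denied the dummy resource"
	OutcomeFail    Outcome = "fail: dummy resource was admitted, policy is not enforcing"
	OutcomeUnknown Outcome = "unknown: request never reached the admission policy"
)

// APIStatusError carries the Kubernetes Status fields inspected below.
type APIStatusError struct {
	Code    int
	Message string
}

func (e *APIStatusError) Error() string { return e.Message }

// ExpectDenied attempts the create only when writes are confirmed, then interprets the result.
// Admission and RBAC denials are both HTTP 403, so the message decides: the apiserver reports
// webhook rejections as `admission webhook "<name>" denied the request: ...`, while an RBAC
// rejection (e.g. a read-only kubeconfig) says `... is forbidden: User ... cannot create ...`.
func ExpectDenied(v Validation, opts Options, create func() error) Outcome {
	if v.CreateResources && !opts.ConfirmWrites {
		return OutcomeSkipped
	}
	err := create()
	if err == nil {
		return OutcomeFail // the write went through; the caller still has to delete the resource
	}
	var st *APIStatusError
	if !errors.As(err, &st) {
		return OutcomeUnknown // transport or client error
	}
	if st.Code == 403 && strings.Contains(st.Message, "admission webhook") &&
		strings.Contains(st.Message, "denied the request") {
		return OutcomePass
	}
	return OutcomeUnknown // RBAC forbidden proves nothing about the policy
}

func main() {
	// Constructed sample response, not captured from a real cluster.
	denied := &APIStatusError{Code: 403, Message: `admission webhook "pepr-example.pepr.dev" denied the request: privileged containers are not allowed`}
	fmt.Println(ExpectDenied(Validation{CreateResources: true}, Options{ConfirmWrites: true}, func() error { return denied }))
}
```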