lula is a tool written to bridge the gap between expected configuration required for compliance and actual configuration.
Cloud Native Infrastructure, Platforms, and applications can establish OSCAL documents that live beside source-of-truth code bases. Providing an inheritance model for when a control that the technology can satisfy IS satisfied in a live-environment.
This can be well established and regulated standards such as NIST 800-53. It can also be best practices, Enterprise Standards, or simply team development standards that need to be continuously monitored and validated.
The primary functionality is leveraging Kyverno CLI/Engine. lula:
- Ingests a
oscal-component.yaml
and creates an object in memory - Queries all
implemented-requirements
for arules
field- This rules block is a strict port from the rules of a Kyverno ClusterPolicy resource
- If a rules field exists:
- Generate a
ClusterPolicy
resource on the filesystem - Execute the
applyCommandHelper
function from Kyverno CLI- This will return the number of passing/failing resources in the cluster (or optionally static manifests on the filesystem)
- If any fail, given valid exclusions that may be present, the control is declared as
Fail
- Remove
ClusterPolicy
from the filesystem - This is done for each
implemented-requirement
that has arules
field
- Generate a
- Generate a report of the findings (
Pass
orfail
for each control) on the filesystem (optional - can be run with--dry-run
in order to not write to filesystem)
- A running Kubernetes cluster
- GoLang version 1.19.1
-
Clone the repository to your local machine and change into the
lula
directorygit clone https://github.com/defenseunicorns/lula.git && cd lula
-
While in the
lula
directory, compile the tool into an executable binary. This outputs thelula
binary to the current working directory.go build .
-
Apply the
./demo/namespace.yaml
file to create a namespace for the demokubectl apply -f ./demo/namespace.yaml
-
Apply the
./demo/pod.fail.yaml
to create a pod in your clusterkubectl apply -f ./demo/pod.fail.yaml
-
Run the following command in the
lula
directory:./lula validate ./demo/oscal-component.yaml
The output in your terminal should inform you that there is at least one failing pod in the cluster:
Applying 1 policy rule to 19 resources... policy 42c2ffdc-5f05-44df-a67f-eec8660aeffd -> resource foo/Pod/demo-pod failed: 1. ID-1: validation error: Every pod in namespace 'foo' should have 'foo=bar' label. rule ID-1 failed at path /metadata/labels/foo/ UUID: 42C2FFDC-5F05-44DF-A67F-EEC8660AEFFD Resources Passing: 0 Resources Failing: 1 Status: Fail
-
Now, apply the
./demo/pod.pass.yaml
file to your cluster to configure the pod to pass compliance validation:kubectl apply -f ./demo/pod.pass.yaml
-
Run the following command in the
lula
directory:./lula validate ./demo/oscal-component.yaml
The output should now show the pod as passing the compliance requirement:
Applying 1 policy rule to 19 resources... UUID: 42C2FFDC-5F05-44DF-A67F-EEC8660AEFFD Resources Passing: 1 Resources Failing: 0 Status: Pass
- Support for cloud infrastructure state queries
- Support for API validation
- Go 1.19