defenseunicorns / lula

The Compliance Validator
Apache License 2.0

Evaluation of CEL validation #72

Closed brandtkeller closed 1 year ago

brandtkeller commented 1 year ago

Evaluation of CEL (Common Expression Language) as a provider in Lula.

brandtkeller commented 1 year ago

Functionality

Looking to learn from https://github.com/accuknox/kubernetes-cel-validator

I would want to separate the resource "get" logic from this to provide a common interface for OPA/CEL, which just means using the library to a greater extent than the GetKubernetesResourcePreconditionResult() function.

As it stands, quite a bit has changed in the Kubernetes APIs for CEL, and using the library referenced above outright incurs some errors from needing to be pinned to older versions of the library. Would like to evaluate updating the library to see if/how dependencies for current versions could be aligned.

Validation

As it stands, CEL has a robust feature set for supporting validation workflows that could allow it to be useful in the auditing/validating domain.

For instance, if we wanted to check that all namespaces (besides excluded ones) had at least 1 PeerAuthentication resource AND that mtls.mode was set to STRICT, we could write a CEL expression similar to:

namespaces.allResources.all(namespace,
  size(kubernetes[namespace]["security.istio.io"].peerauthentications) > 0 &&
  kubernetes[namespace]["security.istio.io"].peerauthentications.all(pa,
    pa.spec.mtls.mode == "STRICT"))

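
Added example, not part of this issue or of Lula's own code: the check the sketch above expresses, written out in plain Go against the nested document shape the expression indexes (namespace, then API group, then resource plural, then a list of unstructured objects; that shape and the `CheckStrictMTLS`/`SampleResources` names are assumptions for this example). It shows what a resource "get" layer must produce for a provider and what the provider must return, and it handles one case the sketch does not: on unstructured map data CEL reports an error, not a default, when a key is absent, so `pa.spec.mtls.mode` on a PeerAuthentication that omits `mtls` fails the whole expression unless guarded with `has(pa.spec.mtls)`. The Go version reports that case as a violation instead. Input is constructed, not captured from a cluster.

```go
package main

import (
	"fmt"
	"sort"
)

// Unstructured is a Kubernetes object decoded into generic maps, the form a
// resource "get" layer would hand to an OPA or CEL provider unchanged.
type Unstructured = map[string]any

// Resources is the assumed document shape the expression indexes into:
// namespace -> API group -> resource plural -> objects.
type Resources map[string]map[string]map[string][]Unstructured

// Violation records why a namespace fails the check.
type Violation struct {
	Namespace string
	Reason    string
}

// dig walks nested maps by key and returns nil if any hop is missing, so a
// PeerAuthentication without spec.mtls is reported as non-STRICT, not a panic.
func dig(obj Unstructured, keys ...string) any {
	var cur any = obj
	for _, k := range keys {
		m, ok := cur.(map[string]any)
		if !ok {
			return nil
		}
		if cur, ok = m[k]; !ok {
			return nil
		}
	}
	return cur
}

// CheckStrictMTLS evaluates the rule: every non-excluded namespace has at least
// one PeerAuthentication, and every PeerAuthentication in it sets
// spec.mtls.mode == "STRICT". Exclusions are applied here rather than in the
// expression, mirroring the "besides excluded" qualifier in the issue text.
func CheckStrictMTLS(res Resources, excluded map[string]bool) []Violation {
	var out []Violation
	for ns, groups := range res {
		if excluded[ns] {
			continue
		}
		pas := groups["security.istio.io"]["peerauthentications"]
		if len(pas) == 0 {
			out = append(out, Violation{ns, "no PeerAuthentication in namespace"})
			continue
		}
		for _, pa := range pas {
			name, _ := dig(pa, "metadata", "name").(string)
			mode, _ := dig(pa, "spec", "mtls", "mode").(string)
			if mode != "STRICT" {
				out = append(out, Violation{ns, fmt.Sprintf("PeerAuthentication %q has mtls.mode %q", name, mode)})
			}
		}
	}
	// Map iteration order is random; sort so reports and tests are stable.
	sort.Slice(out, func(i, j int) bool { return out[i].Namespace < out[j].Namespace })
	return out
}

// peerAuth builds a minimal PeerAuthentication; an empty mode omits spec.mtls entirely.
func peerAuth(name, mode string) Unstructured {
	spec := map[string]any{}
	if mode != "" {
		spec["mtls"] = map[string]any{"mode": mode}
	}
	return Unstructured{
		"apiVersion": "security.istio.io/v1beta1",
		"kind":       "PeerAuthentication",
		"metadata":   map[string]any{"name": name},
		"spec":       spec,
	}
}

// SampleResources is constructed input for this example, not a capture from a real cluster.
func SampleResources() Resources {
	return Resources{
		"payments":    {"security.istio.io": {"peerauthentications": {peerAuth("default", "STRICT")}}},
		"legacy":      {"security.istio.io": {"peerauthentications": {peerAuth("default", "PERMISSIVE")}}},
		"scratch":     {}, // no PeerAuthentication at all
		"unset":       {"security.istio.io": {"peerauthentications": {peerAuth("default", "")}}}, // spec.mtls absent
		"kube-system": {}, // excluded in main below
	}
}

func main() {
	excluded := map[string]bool{"kube-system": true}
	for _, v := range CheckStrictMTLS(SampleResources(), excluded) {
		fmt.Printf("%-12s %s\n", v.Namespace, v.Reason)
	}
}
```

With the sample input, `payments` passes, `kube-system` is skipped, and `legacy`, `scratch` and `unset` are reported. A provider abstraction along the lines described in this issue would take the same `Resources` document as input whether the rule is expressed in CEL, Rego or Go, and return the violation list (or a pass/fail plus reasons) as its result.
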
brandtkeller commented 1 year ago

CEL ADR has been merged into main as Proposed in #71

Further investigation is required and following guidelines for provider introduction will be required for further integration.

Closing this as completed.