Open mitodrummer opened 11 months ago
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)
Auto PR: https://github.com/elastic/kibana/pull/163834 with required version additions.
Note: in the PR additionalProperties was updated to false. I believe this was a requirement for the agent side, but we should test if this breaks anything in the configuration UI, and if so, manually override this option in code prior to validating the yaml.
@mitodrummer in cloud security we worked it out differently:
The agent policy contains both schema versions for BC for example
policy:
v1:
fieldX:
v2:
breaking_change_field:
This way, only when introduced a breaking change in the schema we increment the schema version and decide whether to keep supporting previous versions as well.
The idea behind it, is that older agents that are deployed would still be supported after an ELK upgrade.
Unlike using the version
field (https://github.com/elastic/cloud-defend/pull/470), when we will introduce a breaking change in the schema, like version 2.x.y. Older agents won't be able to support such version change.
So maybe it worth to discuss about this implementation before we continue
Absolutely, this might be a nice way forward, we just need to consider the IAC (standalone) mode. Which maybe isn't such a big issue as the agent version + policy versions are baked together in git somewhere. cc @norrietaylor @mmat11
Upgrade scenarios
Scenario A
Scenario B
Example agent config:
security-policy: <-- v0 (old version of yaml unchanged after save)
file:
selectors:
- name: something
operation:
- createExecutable
responses:
- match: [something]
actions: [alert]
security-policy-v1:
file:
selectors:
- name: something
operation:
- createExecutable
responses:
- match: [something]
actions: [alert, block] <-- user added block via UI and saved (note v0 above did not get the update)
Waiting for product prioritization - moved back to backlog
Summary OUTDATED
Note: the following approach is being revised, see the comment in this issue below. @nick-alayil will cut a proper epic for this work based off some discussions we've had with @norrietaylor and @mmat11
================================== The Linux Platform team has a PR (https://github.com/elastic/cloud-defend/pull/470) to add "version" to the json schema shared between the cloud-defend repo and kibana. This schema is used to validate policy yaml both in kibana and in the agent.
The kibana side should be updated to include the value from the "version" specified in policy_schema.json when a user saves their integration package. This way, agent will know what version of the policy the package instance was last saved with, and make a determination about whether it should allow the agent to continue running, or whether to put it in a degraded or failed state. see: https://github.com/elastic/cloud-defend/blob/2f11875ad62c3991d64fc00149c50618168e7f49/docs/policy-versioning.md
Definition of done
after the above PR is merged ensure an "Automatic PR" to sync the schemas is was created and merged to kibana
ensure all newly saved D4C policy yaml's have a "version" field specified using the value found here e.g
include checks/tests to ensure a user doesn't modify this field via the yaml editor (or perhaps we can exclude it from the editor so it cannot be changed)
Out of scope