fleetdm / fleet

Open-source platform for IT, security, and infrastructure teams. (Linux, macOS, Chrome, Windows, cloud, data center)
https://fleetdm.com

Allow get policies via fleetctl #12584

Open dherder opened 1 year ago

dherder commented 1 year ago

Goal

User story
As a GitOps user,
I want to run fleetctl get policies
so that I can easily get policies in YAML format.

Context

Changes

Product

Engineering

ℹ️  Please read this issue carefully and understand it. Pay special attention to UI wireframes, especially "dev notes".

QA

Risk assessment

Manual testing steps

  1. Step 1
  2. Step 2
  3. Step 3

Testing notes

Confirmation

  1. [ ] Engineer (@____): Added comment to user story confirming successful completion of QA.
  2. [ ] QA (@____): Added comment to user story confirming successful completion of QA.

zacharysfisher commented 1 year ago

+1 helpful to initial setup of fleet and to make sure configurations in CI/CD pipeline match those that are in Fleet.

noahtalerman commented 9 months ago

> make sure configurations in CI/CD pipeline match those that are in Fleet.

Hey @dherder and @zacharysfisher, the plan is to address these problems by hooking you up w/ Fleet's best practice GitOps.

This story tracks the ongoing work to get the best practice GitOps workflow working: https://github.com/fleetdm/fleet/issues/13643

lucasmrod commented 5 months ago

Maybe we need this fleetctl get policies command for existing users to migrate to GitOps? E.g. I have 100 policies I have created on the UI, how do I generate the .yml with all the policies to start using the GitOps flow? (Maybe this is documented but I cannot find it.)

spokanemac commented 5 months ago

@noahtalerman I understand that there's a potential workaround with adding API to fleetctl but we should consider adding an option to retrieve policies using fleetctl with a command similar to

fleetctl get policies --yaml --name "💻🐣Workstations (canary)"

getvictor commented 5 months ago

We also have 2 yaml formats now -- spec and gitops

noahtalerman commented 5 months ago

> I have 100 policies I have created on the UI, how do I generate the .yml with all the policies to start using the GitOps flow?

Hey @spokanemac and @lucasmrod did this problem come up when dogfooding Fleet in your calendar? Or dogfooding something else?

lucasmrod commented 5 months ago

> I have 100 policies I have created on the UI, how do I generate the .yml with all the policies to start using the GitOps flow?

(Sorry for the confusion, this is a hypothetical scenario.)

dherder commented 4 months ago

I'm trying to coalesce policies for CIS Benchmarks for a prospect and I cannot do this without the ability to retrieve policies via something like fleetctl get policies. @noahtalerman can you tell me how to do this with gitops as it is blocking a current evaluation with prospect-lysthia?

noahtalerman commented 4 months ago

@dherder, we want to convert CIS policies to GitOps format.

User story is here: https://github.com/fleetdm/fleet/issues/17913

Let's discuss during our call today.

noahtalerman commented 4 months ago

@dherder do you think we can close this one? We decided to convert the policies to GitOps format and use Fleet's best practice GitOps (instead of fleetctl apply)

dherder commented 4 months ago

I'm confused, wouldn't you still need to "get" the policies for initial configuration, even if you were intending to use them in a gitops workflow?

noahtalerman commented 4 months ago

> I'm trying to coalesce policies for CIS Benchmarks for a prospect

> wouldn't you still need to "get" the policies for initial configuration, even if you were intending to use them in a gitops workflow?

@dherder if we're adding CIS policies for a prospect I think the answer is no.

If we convert CIS policies to GitOps format (story here), then we can apply these policies to a team in Fleet w/o needing to "get" the policies.

I walk through what I think the workflow will look like in a Loom here.

spokanemac commented 4 months ago

@noahtalerman Beyond CIS benchmark policies, the ability to call fleetctl to get the policies remains something we could use. I've had several instances where I would want to export policies ahead of a gitops workflow to ensure we have every policy in the gitops repo.

dherder commented 4 months ago

I think I can use the new fleetctl api command to get the policies. But not having parity between fleetctl and the api just seems wrong, almost bug-like.

noahtalerman commented 4 months ago

> where I would want to export policies ahead of a gitops workflow to ensure we have every policy in the gitops repo.

Ah, it's like a migrate to GitOps tool we're after.

noahtalerman commented 3 months ago

Hey @sharon-fdm, I'm doing some organizing on the drafting board. Did this story miss yesterday's estimation? It's still in "Settled."

cc @rachaelshaw

getvictor commented 2 months ago

@noahtalerman @rachaelshaw What YAML format should be returned -- gitops or apply?

noahtalerman commented 2 months ago

> What YAML format should be returned -- gitops or apply?

@getvictor fleetctl apply YAML format.

customer-pingali uses fleetctl apply for GitOps (instead of the new best practice). @ksatter and @Patagonia121 please correct me if I'm wrong.

sharon-fdm commented 2 months ago

Hey team! Please add your planning poker estimate with Zenhub @getvictor @lucasmrod @mostlikelee

RachelElysia commented 2 months ago

I might be able to take this ticket if we're short on BE folks.

noahtalerman commented 2 months ago

Hey @Patagonia121 and @dherder heads up that this didn't make it into the upcoming engineering sprint (4.46) because we didn't have enough engineering capacity.

Check out the 4.46 milestone to see what made it instead.

Please let @zayhanlon or me know if this request is a high priority for the business so that it can be evaluated at the next feature fest accordingly: https://fleetdm.com/handbook/company/product-groups#how-feature-requests-are-evaluated

I'm also happy to discuss at the next product office hours.