Develop a Validation

This document describes some best practices for developing and using a Lula Validation, the primary mechanism for evaluation of system’s compliance against a specified control.

About

Lula Validations are constructed by establishing the collection of measurements about a system, given by the specified Domain, and the evaluation of adherence, performed by the Provider.

The currently supported domains are:

• API
• Kubernetes

The currently supported providers are:

• OPA (Open Policy Agent)
• Kyverno

Creating a Sample Validation

Here, we will step through creating a sample validation using the Kubernetes domain and OPA provider. Generating a validation is in the scope of answering some control or standard. For instance, our control might be something like “system implements test application as target for development purposes”. Our validation should then seek to prove that some “test application” is running in our domain, i.e., Kubernetes.

Pre-Requistes

• Lula installed
• Kubectl
• Helm
• A running Kubernetes cluster
  • Kind
    • kind create cluster -n lula-test
  • K3d
    • k3d cluster create lula-test
• Podinfo deployed in the cluster

  $ helm repo add podinfo https://stefanprodan.github.io/podinfo
  
  $ helm upgrade -i my-release podinfo/podinfo -n podinfo --create-namespace
  

Steps

[!NOTE] Demo files can be found in the lula repository under demo/develop-validation

1. Assume we have some component definition for Podinfo with the associated standard we are trying to prove the system satisfies:

   component-definition:
     uuid: a506014d-cb8a-4db9-ac48-ef72f7209a60
     metadata:
       last-modified: 2024-07-11T13:38:09.633174-04:00
       oscal-version: 1.1.2
       published: 2024-07-11T13:38:09.633174-04:00
       remarks: Lula Generated Component Definition
       title: Component Title
       version: 0.0.1
     components:
     - uuid: 75859c1e-30f5-4fde-9ad4-c79f863b049f
       type: software
       title: podinfo
       description: Sample application
       control-implementations:
       - uuid: a3039927-839c-5745-ac4e-a9993bcd60ed
         source: https://github.com/defenseunicorns/lula
         description: Control Implementation Description
         implemented-requirements:
         - uuid: 257d2b2a-fda7-49c5-9a2b-acdc995bc8e5
           control-id: ID-1
           description: >-
             Podinfo, a sample application, is deployed into the cluster and exposed for testing purposes.
           remarks: >-
             System implements test application as target for development purposes.
   

2. We recognize that we can satisfy this control by proving that podinfo is alive in the cluster. If we know nothing about podinfo, we may first want to identify which Kubernetes constructs are used in it’s configuration:

   $ kubectl get all -n podinfo 
   
   NAME                                     READY   STATUS    RESTARTS   AGE
   pod/my-release-podinfo-fb6d4888f-ptlss   1/1     Running   0          17m
   
   NAME                         TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)             AGE
   service/my-release-podinfo   ClusterIP   10.43.172.65   <none>        9898/TCP,9999/TCP   17m
   
   NAME                                 READY   UP-TO-DATE   AVAILABLE   AGE
   deployment.apps/my-release-podinfo   1/1     1            1           17m
   
   NAME                                           DESIRED   CURRENT   READY   AGE
   replicaset.apps/my-release-podinfo-fb6d4888f   1         1         1       17m
   

3. Now that we know what resources are in the podinfo namespace, we can use our kubernetes knowledge to deduce that proving podinfo is healthy in the cluster could be performed by looking at the status of the podinfo deployment for the replicas value to match readyReplicas:

   $ kubectl get deployment my-release-podinfo -n podinfo -o json | jq '.status'
   
   {
   "availableReplicas": 1,
   "conditions": [
     {
       "lastTransitionTime": "2024-07-11T17:36:53Z",
       "lastUpdateTime": "2024-07-11T17:36:53Z",
       "message": "Deployment has minimum availability.",
       "reason": "MinimumReplicasAvailable",
       "status": "True",
       "type": "Available"
     },
     {
       "lastTransitionTime": "2024-07-11T17:36:53Z",
       "lastUpdateTime": "2024-07-11T17:36:56Z",
       "message": "ReplicaSet \"my-release-podinfo-fb6d4888f\" has successfully progressed.",
       "reason": "NewReplicaSetAvailable",
       "status": "True",
       "type": "Progressing"
     }
   ],
   "observedGeneration": 1,
   "readyReplicas": 1,
   "replicas": 1,
   "updatedReplicas": 1
   }
   

4. With this we should now have enough information to write our Lula Validation! First construct the top-matter metadata:

   Run lula tools uuidgen to get a unique ID for your validation

   $ lula tools uuidgen              
   ad38ef57-99f6-4ac6-862e-e0bc9f55eebe
   

   Add a validation.yaml file with the following

   metadata:
     name: check-podinfo-health
     uuid: ad38ef57-99f6-4ac6-862e-e0bc9f55eebe
   

5. Construct the domain:

   Since we are extracting Kubernetes manifest data as validation “proof”, the domain we use should be kubernetes.

   domain:
     type: kubernetes
     kubernetes-spec:
       resources:
         - name: podinfoDeployment
           resource-rule:
             name: my-release-podinfo
             namespaces: [podinfo]
             group: apps
             version: v1
             resource: deployments
   

   Note a few things about the specification for obtaining these kubernetes resources:

   • resources key is used as an array of resources we are asking for from the cluster
     • name is the keyword that will be used as an input to the policy, stated below in the provider. Note - to play nicely with the policy, it is best to make this a single word, camel-cased if desired.
     • resource-rule is the api specification for the resource being extracted
       • name is the name of our deployment, my-release-podinfo
       • namespaces is the list of namespaces, one can be provided but must be in list format
       • group, version, resource is the compliant values to access the kubernetes API

   See reference for more information about the Lula Validation schema and kubernetes domain.

6. Construct the provider and write the OPA policy:

   Any provider should be compatible with the domain outputs, here we’ve decided to use OPA and rego, so our provider section is as follows:

   provider:
     type: opa
     opa-spec:
       rego: |
         package validate
         import rego.v1
   
         # Default values
         default validate := false
         default msg := "Not evaluated"
   
         # Validation result
         validate if {
           check_podinfo_healthy.result
         }
         msg = check_podinfo_healthy.msg
   
         check_podinfo_healthy = {"result": true, "msg": msg} if {
           input.podinfoDeployment.status.replicas > 0
           input.podinfoDeployment.status.availableReplicas == input.podinfoDeployment.status.replicas
           msg := "Number of replicas > 0 and all replicas are available."
         } else = {"result": false, "msg": msg} {
           msg := "Podinfo not available."
         }
       output:
         validation: validate.validate
         observations:
           - validate.msg
   

   The Rego policy language can be a little funny looking at first glance, check out both the rego docs and the OPA Provider reference for more information about rego.

   With that said, some things are important to highlight about the policy

   • package validate is mandatory at the top (you can use any package name you want, but if a different value is used the output.validation needs to be updated accordingly)
   • import rego.v1 is optional, but recommended as OPA looks to upgrade to v1
   • The “Default values” section is best practice to set these to protect against a result that yields undefined values for these variables
   • The “Validation result” section defines the rego evaluation on the input.podinfoDeployment - checking that both the number of replicas is greater than 0 and the available and requested replicas are equal.

7. Putting it all together we are left with the validation.yaml, let’s run some commands to validate our validation:

   Get the resources to visually inspect that they are what you expect from the domain and in the right struction for the provider’s policy:

   $ lula dev get-resources -f validation.yaml -o resources.json
   

   The result should be a resources.json file that looks roughly as follows:

   {
     "podinfoDeployment": {
       "apiVersion": "apps/v1",
       "kind": "Deployment",
       # ... rest of the json
     }
   }
   

   Now check the validation is resulting in the expected outcome:

   $ lula dev validate -f validation.yaml                        
   •  Observations:
   •  --> validate.msg: Number of replicas > 0 and all replicas are available.
   •  Validation completed with 1 passing and 0 failing results
   

   If we expected this validation to fail, we would have added -e=false

8. Now that we have our baseline validation, and we know it is returning an expected result for our current cluster configuration, we should probably ensure that the policy results are successful when other resource cases exist. There are really two options here:

   1. Manually modify the resources in your cluster and re-run lula dev validate

   2. Manually modify the resources.json and test those

      If we have a test cluster, perhaps changing some things about it is acceptable, but for this case I’m just going to take the path of least resistance and modify the resources.json:

      Copy your resources.json and rename to resources-bad.json. First, find podinfoDeployment.status.replicas and change the value to 0. Run lula dev validate with those resources as the input, along with our expected failure outcome:

      $ lula dev validate -f validation.yaml -r resources-bad.json -e=false                    
      • Observations: 
      •  --> validate.msg: Podinfo not available.                                                              
      •  Validation completed with 0 passing and 1 failing results 
      

      Success! Additional conditions can be tested this way to fully stress-test the validity of the policy.

9. Finally, we can bring this back into the component-definition. This validation should be added as a link to the respective implemented-requirement:

   # ... rest of component definition
       implemented-requirements:
         - uuid: 257d2b2a-fda7-49c5-9a2b-acdc995bc8e5
           control-id: ID-1
           description: >-
           Podinfo, a sample application, is deployed into the cluster and exposed for testing purposes.
           remarks: >-
           System implements test application as target for development purposes.
           links:
             - href: 'file:./validation.yaml
               ref: lula
               text: Check that Podinfo is healthy
   

10. Now that we have our full OSCAL Component Definition model specified, we can take this off to validate and evaluate the system!

Limitations

We are aware that many of these validations are brittle to environment changes, for instance if namespaces change. This is a known limitation and on our roadmap as something to offer a possible templating solution for in the future.

Additionally, since we are adding these validations to OSCAL yaml documents, there is some ugliness with having to compose strings of yaml into yaml. We support “remote” validations, where instead of a reference to a backmatter uuid, instead a link to a file is provided. A limitation of that currently is that it does not support authentication if the remote link is in a protected location.