Merge branch '57-oscal-package-validation' into 'main'

Resolve "OSCAL Package Validation" See merge request !133

Merge branch '57-oscal-package-validation' into 'main'
3dd8a06c · Abimbola Abiola · 7b4418af · 874884e2 · 3dd8a06c · 3dd8a06c
Commit 3dd8a06c authored 9 months ago by Abimbola Abiola
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -3,6 +3,9 @@
 Format: [Keep a Changelog](https://keepachangelog.com/en/1.0.0/)

 ---
+## [3.1.4-bb.9] - 2024-05-24
+### Changed
+- Added healthcheck validation and configuration validation 
 ## [3.1.4-bb.8] - 2024-04-29
 ### Changed
 - Updated CHANGELOG to fix formatting

--- a/README.md
+++ b/README.md
 # kyverno

-![Version: 3.1.4-bb.8](https://img.shields.io/badge/Version-3.1.4--bb.8-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.4](https://img.shields.io/badge/AppVersion-v1.11.4-informational?style=flat-square)
+![Version: 3.1.4-bb.9](https://img.shields.io/badge/Version-3.1.4--bb.9-informational?style=flat-square) ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square) ![AppVersion: v1.11.4](https://img.shields.io/badge/AppVersion-v1.11.4-informational?style=flat-square)

 Kubernetes Native Policy Management


--- a/baseline-assessment-results.txt
+++ b/baseline-assessment-results.txt
+Validation passed for kyverno-pod-status
+Validation passed for kyverno-service-status
+Validation passed for kyverno-policy-check
+Validation passed for kyverno-role-check
--- a/baseline-config-check-results.txt
+++ b/baseline-config-check-results.txt
+Validation passed for kyverno-policy-check
+Validation passed for kyverno-role-check
--- a/baseline-healthcheck-results.txt
+++ b/baseline-healthcheck-results.txt
+Validation passed for kyverno-pod-status
+Validation passed for kyverno-service-status
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 type: application
 name: kyverno
-version: 3.1.4-bb.8
+version: 3.1.4-bb.9
 appVersion: v1.11.4
 icon: https://github.com/kyverno/kyverno/raw/main/img/logo.png
 description: Kubernetes Native Policy Management

--- a/kyverno-config-check.yaml
+++ b/kyverno-config-check.yaml
+apiVersion: compliance.bigbang.dev/v1alpha1
+kind: Validation
+metadata:
+  name: kyverno-config-check
+spec:
+  checks:
+    - name: kyverno-policy-check
+      script: |
+        kubectl get clusterpolicies -o json | jq -r '.items[] | select(.spec.rules | length == 0) | .metadata.name'
+      expectedOutcome: ""
+    - name: kyverno-role-check
+      script: |
+        kubectl get roles -n kyverno -o json | jq -r '.items[] | select(.rules | length == 0) | .metadata.name'
+      expectedOutcome: ""
+
--- a/kyverno-healthcheck.yaml
+++ b/kyverno-healthcheck.yaml
+apiVersion: compliance.bigbang.dev/v1alpha1
+kind: Validation
+metadata:
+  name: kyverno-healthcheck
+spec:
+  checks:
+    - name: kyverno-pod-status
+      script: |
+         kubectl get pods -n kyverno -o json | jq -r '.items[] | select(.status.phase != "Running" and .status.phase != "Succeeded") | .metadata.name'
+      expectedOutcome: ""
+    - name: kyverno-service-status
+      script: |
+        kubectl get svc -n kyverno -o json | jq -r '.items[] | select(.spec.type == "LoadBalancer" and .status.loadBalancer.ingress == null) | .metadata.name'
+      expectedOutcome: ""
+
--- a/kyverno-validations.sh
+++ b/kyverno-validations.sh
+#!/bin/bash
+
+# Function to run a validation check and save the result
+run_validation() {
+  local yaml_file=$1
+  local result_file=$2
+
+  # Check if the file exists
+  if [[ ! -f $yaml_file ]]; then
+    echo "File not found: $yaml_file"
+    exit 1
+  fi
+
+  # Extract checks from the YAML file
+  checks_count=$(yq e '.spec.checks | length' $yaml_file)
+
+  echo "Running validations from $yaml_file..."
+
+  # Clear or create the result file
+  > $result_file
+
+  # Loop through each check and execute the script
+  for i in $(seq 0 $(($checks_count - 1))); do
+    check_name=$(yq e ".spec.checks[$i].name" $yaml_file)
+    script=$(yq e ".spec.checks[$i].script" $yaml_file)
+    
+    echo "Running check: $check_name"
+    result=$(eval "$script")
+    if [[ $result != "" ]]; then
+      echo "Validation failed for $check_name: $result" | tee -a $result_file
+    else
+      echo "Validation passed for $check_name" | tee -a $result_file
+    fi
+  done
+}
+
+# Sleep for a specified duration before running the validations
+sleep_duration=30  # Duration in seconds
+
+# Run healthcheck validations
+echo "Sleeping for $sleep_duration seconds before running healthcheck validations..."
+sleep $sleep_duration
+run_validation kyverno-healthcheck.yaml baseline-healthcheck-results.txt
+
+# Sleep again before running configuration validations
+echo "Sleeping for $sleep_duration seconds before running configuration validations..."
+sleep $sleep_duration
+run_validation kyverno-config-check.yaml baseline-config-check-results.txt
+
+# Combine results
+cat baseline-healthcheck-results.txt baseline-config-check-results.txt > baseline-assessment-results.txt
+
+echo "Validation complete. Results saved in baseline-assessment-results.txt."