UNCLASSIFIED - NO CUI


Resolve "OSCAL Package Validation"

Abimbola Abiola requested to merge 57-oscal-package-validation into main

General MR

Summary

OSCAL Package Validation Results Documentation for Kyverno Package

The checks ensure that Kyverno components are functioning correctly and that configurations meet the required standards. The validation was executed using custom scripts defined in kyverno-healthcheck.yaml and kyverno-config-check.yaml. The results are saved in the baseline-assessment-results.txt file and are used as a threshold for pipeline validation fail/pass criteria.

Validation Script Execution

The validation script kyverno-validations.sh was executed, performing the following steps:

  • Run health check validations using kyverno-healthcheck.yaml.
  • Run configuration validations using kyverno-config-check.yaml.
  • Combine results from both sets of validations into baseline-assessment-results.txt.

Script Output


  • Validation passed for kyverno-pod-status
  • Validation passed for kyverno-service-status
  • Validation passed for kyverno-policy-check
  • Validation passed for kyverno-role-check

Description: Checks if any Kyverno pods are not in the "Running" or "Succeeded" state.

  • Validation 1: kyverno-service-status
  • Result: Validation passed.
  • Output: No pods found in an incorrect state.

Description: Checks if any Kyverno services of type "LoadBalancer" have no ingress.

  • Validation 2: kyverno-service-status
  • Result: Validation passed.
  • Output: No services found with missing ingress.

Configuration Validations

kyverno-config-check.yaml

Description: Checks if any cluster policies have zero rules.

  • Validation 3: kyverno-policy-check
  • Result: Validation passed.
  • Output: No cluster policies found with zero rules.

Description: Checks if any roles in the Kyverno namespace have zero rules.

  • Validation 4: kyverno-role-check
  • Result: Validation passed.
  • Output: No roles found with zero rules.

Combined Results

The results from both health check validations and configuration validations were combined into a single file, baseline-assessment-results.txt.

Threshold for Pipeline Validation Fail/Pass

To use the results as a threshold for pipeline validation fail/pass criteria, follow these steps:

  • Check the results file: Add a step in your CI/CD pipeline to check the contents of baseline-assessment-results.txt.
  • Determine pass/fail criteria:
      • If the file contains any lines indicating "Validation failed", the pipeline should fail.
      • If all lines indicate "Validation passed", the pipeline should pass.

Example Check in CI/CD Script

Add the following step in your CI/CD pipeline script to determine the pass/fail status based on the validation results:

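# Fail closed if the results file is missing or empty (validations never ran).
if [ ! -s baseline-assessment-results.txt ]; then
  echo "Results file missing or empty. Exiting..."
  exit 1
fi
# Fail the pipeline if any validation reported a failure.
if grep -q "Validation failed" baseline-assessment-results.txt; then
  echo "Validation failed. Exiting..."
  exit 1
else
  echo "All validations passed."
fi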

The Kyverno package validations passed successfully with all checks indicating "Validation passed". This ensures that the Kyverno setup is continuously validated against defined criteria, maintaining compliance and operational integrity.

#57

Upgrade Notices

N/A

Edited by Abimbola Abiola
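
A stricter gate for the pass/fail criteria described above, as an added example that is not part of the original merge request or the project's scripts: it fails closed on a missing or empty results file and requires a passing line for each of the four checks listed in the script output. The function name `check_baseline` and the line format `Validation passed for <name>` are assumptions based on that output.

```shell
#!/bin/sh
# Added example: fail-closed gate over baseline-assessment-results.txt.
# Assumption: each result line reads "Validation passed for <name>" or
# "Validation failed for <name>", as in the script output above.

# Check names taken from the script output in the merge request.
EXPECTED_CHECKS="kyverno-pod-status kyverno-service-status kyverno-policy-check kyverno-role-check"

# check_baseline FILE -> returns 0 only if every expected check passed.
check_baseline() {
  results="$1"
  # Missing or empty file: the validations never ran, so fail closed.
  if [ ! -s "$results" ]; then
    echo "FAIL: $results is missing or empty" >&2
    return 1
  fi
  # Any explicit failure fails the gate.
  if grep -q "Validation failed" "$results"; then
    echo "FAIL: at least one validation failed" >&2
    return 1
  fi
  # Every expected check must have its own "passed" line; a truncated
  # file or a silently skipped check must not count as a pass.
  for name in $EXPECTED_CHECKS; do
    if ! grep -Eq "Validation passed for ${name}[[:space:]]*\$" "$results"; then
      echo "FAIL: no passing result recorded for $name" >&2
      return 1
    fi
  done
  echo "All validations passed."
  return 0
}

# Constructed sample input (not real pipeline output).
sample="$(mktemp)"
printf 'Validation passed for %s\n' $EXPECTED_CHECKS > "$sample"
check_baseline "$sample" && echo "gate: pass"
rm -f "$sample"
```

In a pipeline job, call `check_baseline baseline-assessment-results.txt || exit 1` after the validation script has run.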
