
feat: add generate command #42

Merged (4 commits), Jan 23, 2023

Conversation

hennersz
Contributor

Current Behavior

Kyverno policies that are generated for auditing a cluster are deleted after the audit is done

Proposed Behavior

This adds a generate command to output the kyverno policies from OCSAL definitions

@brandtkeller
Member

Thanks @hennersz for the contribution! I'll do some testing but I believe this would be a beneficial capability to have available via the CLI.

For your situational awareness - Lula is undergoing some preparatory steps for transitioning resources to full-time and establishing office-hours and other points of communication for collaboration.

@brandtkeller
Member

The only other issue that I believe would block this being a useful contribution (and wasn't part of the code added/modified here) is that the generated name for the ClusterPolicy is currently not valid for use with Kyverno. If you take the generated ClusterPolicy as it exists now and run `kubectl apply -f <yaml file> --dry-run=server`, you see the error:

The ClusterPolicy "42C2FFDC-5F05-44DF-A67F-EEC8660AEFFD" is invalid: metadata.name: Invalid value: "42C2FFDC-5F05-44DF-A67F-EEC8660AEFFD": a lowercase RFC 1123 subdomain must consist of lower case alphanumeric characters, '-' or '.', and must start and end with an alphanumeric character (e.g. 'example.com', regex used for validation is '[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*')

This is largely due to the name currently being uppercase from the UUID generation. We haven't encountered this yet due to it not mattering for the Kyverno Logic to execute an audit.

I believe if we wrapped implementedRequirement.UUID in a strings.ToLower(implementedRequirement.UUID) then it looks like this will pass validation server-side.

Line to modify on your fork
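The validation the API server applies here is the DNS-1123 subdomain rule quoted in the error above, and the suggested fix is simply to lowercase the UUID before it becomes `metadata.name`. The following is an added example (not code from the Lula repository or from this PR) that reproduces that check locally so a generator can reject a bad name before `kubectl apply`; the function names `IsRFC1123Subdomain` and `PolicyNameFromUUID` are illustrative, and the 253-character limit is the length cap Kubernetes enforces for subdomain names in addition to the regex.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// rfc1123Subdomain is the regex the Kubernetes API server quotes in its
// metadata.name validation error for a Kyverno ClusterPolicy (copied
// verbatim from the error message in this thread, anchored to the whole name).
var rfc1123Subdomain = regexp.MustCompile(
	`^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$`)

// maxSubdomainLen is the DNS-1123 subdomain length limit Kubernetes also enforces.
const maxSubdomainLen = 253

// IsRFC1123Subdomain reports whether name would be accepted as metadata.name
// by the API server (illustrative helper, not a Lula function).
func IsRFC1123Subdomain(name string) bool {
	return len(name) <= maxSubdomainLen && rfc1123Subdomain.MatchString(name)
}

// PolicyNameFromUUID applies the fix suggested in the review: lowercase the
// OSCAL implemented-requirement UUID before using it as the ClusterPolicy name.
// It re-validates the result so that a malformed UUID (empty, underscores,
// non-hex characters) fails at generation time rather than at `kubectl apply`.
func PolicyNameFromUUID(uuid string) (string, error) {
	name := strings.ToLower(strings.TrimSpace(uuid))
	if !IsRFC1123Subdomain(name) {
		return "", fmt.Errorf("%q is not a valid RFC 1123 subdomain after lowercasing", uuid)
	}
	return name, nil
}

func main() {
	// The UUID from the kubectl --dry-run=server error quoted above.
	raw := "42C2FFDC-5F05-44DF-A67F-EEC8660AEFFD"
	fmt.Println(IsRFC1123Subdomain(raw)) // false: uppercase hex digits
	name, err := PolicyNameFromUUID(raw)
	fmt.Println(name, err) // 42c2ffdc-5f05-44df-a67f-eec8660aeffd <nil>
}
```

Lowercasing is enough for a well-formed UUID because it is already hex digits and hyphens that start and end with an alphanumeric; the re-validation step is there so a generator surfaces the problem on its own output instead of relying on a server-side dry run.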

@hennersz
Contributor Author

@brandtkeller I have applied the change you suggested, and installing generated policies into a real cluster now works. Sorry, I probably should have checked end to end that this works before submitting.

@brandtkeller
Member

Review comment:

Changes provide minimum requirement for generation of a Kyverno ClusterPolicy from the OSCAL source.

The generation can handle creation of directories that do not exist and accommodate directories that do exist. The policies tested were able to be applied to a cluster running Kyverno with the required CRDs without any issue.

@brandtkeller
Member

Thank you @hennersz for the contribution. It is highly aligned with the vision of Lula and the role it plays in integrating with a policy enforcement engine.

Lula is gearing up to commit more dedicated resources into the development of the project. We will likely be evaluating current project structure and moving some logic around for clarity purposes. In the event you would like to join us on this adventure - we will ensure the issues tab is populated with where we would like to take the project and good issues for others to grab and implement. If you have questions about the addition of other logic/testing/etc - please feel free to create an issue for discussion.
