chore: compliance in Pepr ADR #1824
Open: wants to merge 8 commits into main
45 changes: 45 additions & 0 deletions adr/0016-compliance-in-pepr.md
@@ -0,0 +1,45 @@
# 14. Compliance in Pepr

Date: 2025-02-13


## Status

Pending


## Context
Member

I get the feeling there is some context missing here with regards to the primary functions that pepr provides and the performance of compliance objectives. They are not innately the same and the need to generate reports for compliance feels like it is missing more background.

What does Pepr do today? What could pepr do to enable compliance?

I think it is more than reporting - Evidence Collection -> Evaluation -> Aggregation -> Storage -> Reporting


Pepr needs to generate reports for compliance purposes, demonstrating adherence to required security and compliance standards through specific bindings. To achieve this, it’s essential to map compliance controls to Pepr’s bindings. During our discovery process, we determined that Pepr’s role in compliance should focus on reporting rather than enforcement. This is because compliance controls are already enforced through the bindings themselves, and Pepr’s primary function is to report on the compliance status of resources.

## Decision

Extend the fluent API with a new keyword function that accepts a strongly typed control, allowing it to be associated with a given binding. This enables users to map compliance controls to Pepr’s bindings, facilitating the generation of compliance reports based on control status.
Member

Is the intent to stick to admission or provide a separate example/implementation?

I believe admission enables compliance - but is not indicative of compliance as a whole.

OnSchedule I think has a lot of room for use here as the general baseline.

Not to say this mechanism couldn't be used on admission - considering the levels of fidelity in doing so is important though.

Member

The answer influences some questions I had below on if module authors need to update their modules or if this is outright a separate implementation.

Contributor Author

Good points. In this case, it is the module author writing the Pepr bindings who is responsible for enforcing the compliance. The job of Pepr Core is to enable reporting on the bindings and functions.



### Consequences ###

- Extend the Capability class with a new function, such as `CompliesWith()`, that accepts a strongly typed control to associate it with a given binding.
- Store compliance data in `PeprStore` (or introduce a new store for this purpose).
- Prevent deletion of compliance data from PeprStore for audit purposes, unless a new store is used.
- Enhance the Pepr CLI to generate compliance reports based on stored compliance data.

##### Pros

- Gives Pepr the ability to generate compliance reports based on the status of compliance controls on demand.
- Straightforward to implement and maintain.
- Should not make a major impact in terms of resource utilization.

##### Cons

_Questions_
- How do Exemptions work here?
- What does the audit trail look like
- We should probably just use a new store where the Store API is not mapped

### Related Repos ###

These repos are related to this ADR in that they house collections of admission policies.

- [Kubernetes Validating Admission Policy Library](https://github.com/vap-library/vap-library)
- [CEL Admission Library](https://github.com/kubescape/cel-admission-library)
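Review bot: The heading `# 14. Compliance in Pepr` at the top of the hunk does not match the file name `adr/0016-compliance-in-pepr.md`; one of the two numbers should change so the ADR index stays consistent. In the Consequences list, "Prevent deletion of compliance data from PeprStore for audit purposes, unless a new store is used" and the later Cons item "We should probably just use a new store where the Store API is not mapped" pull in different directions: the Decision section should state which store holds the evidence, that it is append-only, and which component is allowed to write to it, since an audit trail that module code can overwrite or delete has limited value as compliance evidence. The Cons section currently contains only open questions; the exemption and audit-trail questions are material to the decision and deserve at least a provisional answer before the ADR leaves Pending.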
Contributor

A few missing bits that we discussed are:

- pepr should only provide the mechanism to run the validation, the validation rules can be bundled separately, potentially we'll create a default list of validation, but users can add their own;
- the report generation should be either on-demand, or on schedule.

Contributor Author

Thanks, I attempted to speak to this in the new ## Goals section. I am not entirely sure that I understood the top point. Let me know how I can change it to account for your point if it does not meet it. I am guessing you are talking about a canned set of controls?
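The thread above describes the shape of the feature (a binding tagged with a strongly typed control via a fluent call, evidence collection -> evaluation -> aggregation -> storage -> reporting, exemptions, and an audit trail that cannot be deleted) without showing it in code. The sketch below is an added example for this discussion, not code from the Pepr project: `Control`, `Evidence`, `AppendOnlyEvidenceStore`, `BindingBuilder.compliesWith()` and `buildReport()` are assumed names chosen to mirror the ADR, not Pepr's own `Capability` or `PeprStore` APIs, and the control identifier, framework name and pod objects are constructed sample data.

```typescript
// Added example (not Pepr's code). Sketches the pipeline discussed in the PR:
// evidence collection -> evaluation -> aggregation -> storage -> reporting.
// All type and function names are assumptions, not Pepr APIs.

export interface Control {
  readonly framework: string; // constructed sample value, e.g. "EXAMPLE-FRAMEWORK"
  readonly id: string;        // control identifier within that framework
  readonly title: string;
}

export type Verdict = "pass" | "fail" | "exempt";

export interface Evidence {
  readonly control: Control;
  readonly resource: string;   // "<namespace>/<kind>/<name>"
  readonly verdict: Verdict;
  readonly reason: string;
  readonly observedAt: string; // ISO 8601 timestamp
}

// Append-only: evidence can be added and read, never deleted or rewritten,
// so re-evaluations extend the audit trail instead of replacing it.
export class AppendOnlyEvidenceStore {
  private readonly entries: Evidence[] = [];
  append(e: Evidence): number {
    this.entries.push(Object.freeze({ ...e }));
    return this.entries.length;
  }
  all(): readonly Evidence[] {
    return this.entries.slice(); // copy, so callers cannot mutate the store
  }
}

export interface Binding<T> {
  readonly control: Control;
  readonly check: (obj: T) => { ok: boolean; reason: string };
}

// Fluent builder in the spirit of the ADR's CompliesWith(): the control is
// attached to the binding, so every verdict the check produces carries it.
export class BindingBuilder<T> {
  private control?: Control;
  compliesWith(control: Control): this {
    this.control = control;
    return this;
  }
  validate(check: Binding<T>["check"]): Binding<T> {
    if (!this.control) throw new Error("binding has no control attached");
    return { control: this.control, check };
  }
}

// Evaluation: run the check, honour an exemption, and store the evidence.
export function evaluate<T>(
  store: AppendOnlyEvidenceStore, binding: Binding<T>, resource: string,
  obj: T, exempt: boolean, observedAt: string,
): Evidence {
  const result = binding.check(obj);
  const verdict: Verdict = exempt ? "exempt" : result.ok ? "pass" : "fail";
  const reason = exempt ? "exemption applied" : result.reason;
  const evidence: Evidence = { control: binding.control, resource, verdict, reason, observedAt };
  store.append(evidence);
  return evidence;
}

// Aggregation: one summary per control; `latest` is the most recently stored verdict.
export interface ControlSummary {
  controlId: string; pass: number; fail: number; exempt: number; latest: Verdict;
}

export function buildReport(store: AppendOnlyEvidenceStore): ControlSummary[] {
  const byControl = new Map<string, ControlSummary>();
  for (const e of store.all()) { // insertion order is preserved
    const key = `${e.control.framework}:${e.control.id}`;
    const s = byControl.get(key) ?? { controlId: key, pass: 0, fail: 0, exempt: 0, latest: e.verdict };
    s[e.verdict] += 1;
    s.latest = e.verdict;
    byControl.set(key, s);
  }
  return [...byControl.values()];
}

// Constructed sample resources (not from any real cluster).
interface PodSpec { name: string; namespace: string; runAsNonRoot?: boolean }

export function runDemo(): ControlSummary[] {
  const control: Control = { framework: "EXAMPLE-FRAMEWORK", id: "CTRL-1", title: "Containers must not run as root" };
  const binding = new BindingBuilder<PodSpec>().compliesWith(control).validate((pod) =>
    pod.runAsNonRoot === true
      ? { ok: true, reason: "runAsNonRoot is set" }
      : { ok: false, reason: "runAsNonRoot is not set" });
  const store = new AppendOnlyEvidenceStore();
  const pods: PodSpec[] = [
    { name: "api", namespace: "prod", runAsNonRoot: true },
    { name: "batch", namespace: "prod" },
    { name: "legacy", namespace: "ops" }, // covered by an exemption below
  ];
  for (const pod of pods) {
    evaluate(store, binding, `${pod.namespace}/Pod/${pod.name}`, pod, pod.name === "legacy", "2025-02-13T00:00:00Z");
  }
  // Re-evaluation after the batch pod is fixed: the earlier "fail" stays in the trail.
  evaluate(store, binding, "prod/Pod/batch", { ...pods[1], runAsNonRoot: true }, false, "2025-02-14T00:00:00Z");
  return buildReport(store); // one summary: pass 2, fail 1, exempt 1, latest "pass"
}
```

The on-demand versus scheduled question from the thread only changes who calls `buildReport()`: a CLI command or a scheduled job can both read the same append-only store, and because earlier verdicts are never removed the report can show both the current state (`latest`) and the history behind it.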
