swapped source url, double checked generate command reference fix tsw…

…ift blank spaces
defenseunicorns · Sep 25, 2024 · 742c8e6 · 742c8e6
1 parent 9bdebee
commit 742c8e6
Show file tree

Hide file tree

Showing 35 changed files with 105 additions and 120 deletions.
diff --git a/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml b/compliance/validations/istio/all-namespaces-istio-injected/tests.yaml
@@ -7,4 +7,5 @@ pass:
     validation: validation.yaml
     resources: resources.json
     permutation: '.namespaces |= map(if .metadata.name == "grafana" then del(.metadata.labels["istio-injection"]) else . end)'
-    expected-validation: false
+    expected-validation: false
+
diff --git a/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml b/compliance/validations/istio/all-namespaces-istio-injected/validation.yaml
@@ -52,4 +52,4 @@ provider:
       validation: validate.validate
       observations:
       - validate.msg
-      - validate.msg_exempt_namespaces
+      - validate.msg_exempt_namespaces
diff --git a/compliance/validations/istio/all-pods-istio-injected/tests.yaml b/compliance/validations/istio/all-pods-istio-injected/tests.yaml
@@ -22,4 +22,4 @@ pass:
     validation: validation.yaml
     resources: resources.json
     permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations = {} else . end)'
-    expected-validation: false
+    expected-validation: false
diff --git a/compliance/validations/istio/all-pods-istio-injected/validation.yaml b/compliance/validations/istio/all-pods-istio-injected/validation.yaml
@@ -63,4 +63,4 @@ provider:
       validation: validate.validate
       observations:
         - validate.msg
-        - validate.msg_exempt_namespaces
+        - validate.msg_exempt_namespaces
diff --git a/compliance/validations/istio/authorized-keycloak-access/tests.yaml b/compliance/validations/istio/authorized-keycloak-access/tests.yaml
@@ -6,10 +6,10 @@ pass:
   - test: remove-auth-rules
     validation: validation.yaml
     resources: resources.json
-    permutation: 'del(.authorizationPolicy.spec.rules)'
+    permutation: "del(.authorizationPolicy.spec.rules)"
     expected-validation: false
   - test: add-not-namespaces
     validation: validation.yaml
     resources: resources.json
     permutation: '(.authorizationPolicy.spec.rules[] | .from[] | .source.notNamespaces) |= . + ["test-ns"]'
-    expected-validation: false
+    expected-validation: false
diff --git a/compliance/validations/istio/authorized-keycloak-access/validation.yaml b/compliance/validations/istio/authorized-keycloak-access/validation.yaml
@@ -69,4 +69,4 @@ provider:
     output:
       validation: validate.validate
       observations:
-        - validate.msg
+        - validate.msg
diff --git a/compliance/validations/istio/authorized-traffic-egress/validation.yaml b/compliance/validations/istio/authorized-traffic-egress/validation.yaml
@@ -3,12 +3,12 @@ metadata:
   uuid: 7455f86d-b79c-4226-9ce3-f3fb7d9348c8
 domain:
   type: kubernetes
-  kubernetes-spec: 
+  kubernetes-spec:
     resources: []
 provider:
   type: opa
-  opa-spec: 
+  opa-spec:
     rego: |
       package validate
 
-      default validate := false
+      default validate := false
diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/tests.yaml
@@ -6,7 +6,7 @@ pass:
   - test: no-gateway
     validation: validation.yaml
     resources: resources.json
-    permutation: 'del(.adminGateway)'
+    permutation: "del(.adminGateway)"
     expected-validation: false
   - test: admin-vs-not-using-admin-gw
     validation: validation.yaml
@@ -17,4 +17,4 @@ pass:
     validation: validation.yaml
     resources: resources.json
     permutation: '.virtualServices |= map(if .metadata.name == "keycloak-tenant-public-auth-access-with-optional-client-certificate" then .spec.gateways = ["istio-admin-gateway/admin-gateway"] else . end)'
-    expected-validation: false
+    expected-validation: false
diff --git a/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml b/compliance/validations/istio/check-istio-admin-gateway-and-usage/validation.yaml
@@ -71,4 +71,4 @@ provider:
     output:
       validation: validate.validate
       observations:
-        - validate.msg
+        - validate.msg
diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/tests.yaml
@@ -6,7 +6,7 @@ pass:
   - test: change-accessLogFile-to-different-dir
     validation: validation.yaml
     resources: resources.json
-    permutation: ".istioMeshConfig.accessLogFile = \"/log/test\""
+    permutation: '.istioMeshConfig.accessLogFile = "/log/test"'
     expected-validation: false
   - test: remove-accessLogFile
     validation: validation.yaml

diff --git a/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml b/compliance/validations/istio/check-istio-logging-all-traffic/validation.yaml
@@ -5,22 +5,22 @@ domain:
   type: kubernetes
   kubernetes-spec:
     resources:
-    - name: istioMeshConfig
-      resource-rule:
-        field:
-          jsonpath: .data.mesh
-          type: yaml
-        namespaces:
-        - istio-system
-        resource: configmaps
-        version: v1
-        name: istio
+      - name: istioMeshConfig
+        resource-rule:
+          field:
+            jsonpath: .data.mesh
+            type: yaml
+          namespaces:
+            - istio-system
+          resource: configmaps
+          version: v1
+          name: istio
 provider:
   type: opa
   opa-spec:
     output:
       observations:
-      - validate.msg
+        - validate.msg
       validation: validate.validate
     rego: |
       package validate
@@ -43,4 +43,4 @@ provider:
         msg := "Istio is logging all traffic."
       } else = {"result": false, "msg": msg} if {
         msg := "Istio is not logging all traffic."
-      }
+      }
diff --git a/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml b/compliance/validations/istio/communications-terminated-after-inactivity/validation.yaml
@@ -3,15 +3,15 @@ metadata:
   uuid: 663f5e92-6db4-4042-8b5a-eba3ebe5a622
 domain:
   type: kubernetes
-  kubernetes-spec:  
+  kubernetes-spec:
     resources: []
 provider:
   type: opa
   opa-spec:
     rego: |
       package validate
-      
+
       validate := false
 
       # Check on destination rule, outlier detection?
-      # -> Doesn't appear that UDS is configured to create destination rules.
+      # -> Doesn't appear that UDS is configured to create destination rules.
diff --git a/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml b/compliance/validations/istio/egress-gateway-exists-and-configured/validation.yaml
@@ -3,12 +3,12 @@ metadata:
   uuid: c3b022eb-19a5-4711-8099-da4a90c9dd5d
 domain:
   type: kubernetes
-  kubernetes-spec:  
+  kubernetes-spec:
     resources: []
 provider:
   type: opa
-  opa-spec: 
+  opa-spec:
     rego: |
       package validate
 
-      default validate := false
+      default validate := false
diff --git a/compliance/validations/istio/external-traffic-managed/validation.yaml b/compliance/validations/istio/external-traffic-managed/validation.yaml
@@ -3,7 +3,7 @@ metadata:
   uuid: 19faf69a-de74-4b78-a628-64a9f244ae13
 domain:
   type: kubernetes
-  kubernetes-spec:  
+  kubernetes-spec:
     resources: []
 provider:
   type: opa
@@ -12,7 +12,7 @@ provider:
       package validate
 
       default validate := false
-      
+
       # This policy could check meshConfig.outboundTrafficPolicy.mode (default is ALLOW_ANY)
       # Possibly would need a ServiceEntry(?)
-      # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services)
+      # (https://istio.io/latest/docs/tasks/traffic-management/egress/egress-control/#envoy-passthrough-to-external-services)
diff --git a/compliance/validations/istio/fips-evaluation/validation.yaml b/compliance/validations/istio/fips-evaluation/validation.yaml
@@ -3,12 +3,12 @@ metadata:
   uuid: 73434890-2751-4894-b7b2-7e583b4a8977
 domain:
   type: kubernetes
-  kubernetes-spec:  
+  kubernetes-spec:
     resources: []
 provider:
   type: opa
-  opa-spec: 
+  opa-spec:
     rego: |
       package validate
 
-      default validate := false
+      default validate := false
diff --git a/compliance/validations/istio/gateway-configuration-check/tests.yaml b/compliance/validations/istio/gateway-configuration-check/tests.yaml
@@ -11,5 +11,5 @@ pass:
   - test: add_new_gateway
     validation: validation.yaml
     resources: resources.json
-    permutation: ".gateways += [{\"apiVersion\": \"networking.istio.io/v1beta1\", \"kind\": \"Gateway\", \"metadata\": {\"name\": \"new-gateway\", \"namespace\": \"new-namespace\"}}]"
-    expected-validation: false
+    permutation: '.gateways += [{"apiVersion": "networking.istio.io/v1beta1", "kind": "Gateway", "metadata": {"name": "new-gateway", "namespace": "new-namespace"}}]'
+    expected-validation: false
diff --git a/compliance/validations/istio/gateway-configuration-check/validation.yaml b/compliance/validations/istio/gateway-configuration-check/validation.yaml
@@ -60,4 +60,4 @@ provider:
       observations:
         - validate.msg
         - validate.msg_existing_gateways
-        - validate.msg_allowed_gateways
+        - validate.msg_allowed_gateways
diff --git a/compliance/validations/istio/healthcheck/tests.yaml b/compliance/validations/istio/healthcheck/tests.yaml
@@ -6,10 +6,10 @@ pass:
   - test: hpa_zero_replicas
     validation: validation.yaml
     resources: resources.json
-    permutation: '.istiodhpa.status.currentReplicas = 0'
+    permutation: ".istiodhpa.status.currentReplicas = 0"
     expected-validation: false
   - test: deployment_condition_false
     validation: validation.yaml
     resources: resources.json
-    permutation: '.istioddeployment.status.availableReplicas = 0'
-    expected-validation: false
+    permutation: ".istioddeployment.status.availableReplicas = 0"
+    expected-validation: false
diff --git a/compliance/validations/istio/healthcheck/validation.yaml b/compliance/validations/istio/healthcheck/validation.yaml
@@ -5,22 +5,22 @@ domain:
   type: kubernetes
   kubernetes-spec:
     resources:
-    - name: istioddeployment
-      resource-rule:
-        group: apps
-        name: istiod
-        namespaces:
-        - istio-system
-        resource: deployments
-        version: v1
-    - name: istiodhpa
-      resource-rule:
-        group: autoscaling
-        name: istiod
-        namespaces:
-        - istio-system
-        resource: horizontalpodautoscalers
-        version: v2
+      - name: istioddeployment
+        resource-rule:
+          group: apps
+          name: istiod
+          namespaces:
+            - istio-system
+          resource: deployments
+          version: v1
+      - name: istiodhpa
+        resource-rule:
+          group: autoscaling
+          name: istiod
+          namespaces:
+            - istio-system
+          resource: horizontalpodautoscalers
+          version: v2
 provider:
   type: opa
   opa-spec:
@@ -59,4 +59,4 @@ provider:
         msg := "HPA has sufficient replicas."
       } else = {"result": false, "msg": msg} if {
         msg := "HPA does not have sufficient replicas."
-      }
+      }
diff --git a/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml b/compliance/validations/istio/ingress-traffic-encrypted/tests.yaml
@@ -12,4 +12,4 @@ pass:
     validation: validation.yaml
     resources: resources.json
     permutation: '.gateways |= map(if .metadata.name == "admin-gateway" then .spec.servers[0].tls.httpsRedirect = false else . end)'
-    expected-validation: false
+    expected-validation: false
diff --git a/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml b/compliance/validations/istio/ingress-traffic-encrypted/validation.yaml
@@ -28,7 +28,7 @@ provider:
       }
       msg = check_gateways_allowed.msg
       msg_exempted_gateways = concat(", ", exempt_gateways)
-      
+
       # Collect gateways that do not encrypt ingress traffic
       gateways_disallowed = {sprintf("%s/%s", [gateway.metadata.namespace, gateway.metadata.name]) |
         gateway := input.gateways[_];

diff --git a/compliance/validations/istio/metrics-logging-configured/tests.yaml b/compliance/validations/istio/metrics-logging-configured/tests.yaml
@@ -6,10 +6,10 @@ pass:
   - test: change_enablePrometheusMerge_to_false
     validation: validation.yaml
     resources: resources.json
-    permutation: '.istioConfig.enablePrometheusMerge = false'
+    permutation: ".istioConfig.enablePrometheusMerge = false"
     expected-validation: false
   - test: change_enablePrometheusMerge_to_false
     validation: validation.yaml
     resources: resources.json
-    permutation: 'del(.istioConfig.enablePrometheusMerge)'
-    expected-validation: true
+    permutation: "del(.istioConfig.enablePrometheusMerge)"
+    expected-validation: true
diff --git a/compliance/validations/istio/metrics-logging-configured/validation.yaml b/compliance/validations/istio/metrics-logging-configured/validation.yaml
@@ -5,16 +5,16 @@ domain:
   type: kubernetes
   kubernetes-spec:
     resources:
-    - name: istioConfig
-      resource-rule:
-        resource: configmaps
-        namespaces:
-        - istio-system
-        version: v1
-        name: istio
-        field:
-          jsonpath: .data.mesh
-          type: yaml
+      - name: istioConfig
+        resource-rule:
+          resource: configmaps
+          namespaces:
+            - istio-system
+          version: v1
+          name: istio
+          field:
+            jsonpath: .data.mesh
+            type: yaml
 provider:
   type: opa
   opa-spec:
@@ -41,4 +41,4 @@ provider:
     output:
       validation: validate.validate
       observations:
-      - validate.msg
+        - validate.msg
diff --git a/compliance/validations/istio/prometheus-annotations-validation/tests.yaml b/compliance/validations/istio/prometheus-annotations-validation/tests.yaml
@@ -7,4 +7,4 @@ pass:
     validation: validation.yaml
     resources: resources.json
     permutation: '.pods |= map(if .metadata.namespace == "grafana" then .metadata.annotations["prometheus.io/scrape"] = false else . end)'
-    expected-validation: false
+    expected-validation: false
diff --git a/compliance/validations/istio/prometheus-annotations-validation/validation.yaml b/compliance/validations/istio/prometheus-annotations-validation/validation.yaml
@@ -57,4 +57,4 @@ provider:
       validation: validate.validate
       observations:
         - validate.msg
-        - validate.msg_exempted_namespaces
+        - validate.msg_exempted_namespaces
diff --git a/compliance/validations/istio/rbac-enforcement-check/tests.yaml b/compliance/validations/istio/rbac-enforcement-check/tests.yaml
@@ -7,4 +7,4 @@ pass:
     validation: validation.yaml
     resources: resources.json
     permutation: ".authorizationPolicies = []"
-    expected-validation: false
+    expected-validation: false
diff --git a/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml b/compliance/validations/istio/rbac-for-approved-personnel/validation.yaml
@@ -3,12 +3,12 @@ metadata:
   uuid: 9b361d7b-4e07-40db-8b86-3854ed499a4b
 domain:
   type: kubernetes
-  kubernetes-spec:  
+  kubernetes-spec:
     resources: []
 provider:
   type: opa
-  opa-spec: 
+  opa-spec:
     rego: |
       package validate
 
-      default validate := false
+      default validate := false