diff --git a/example_OPA_orchestration.py b/example_OPA_orchestration.py
index 3f0a981..d1d0feb 100644
--- a/example_OPA_orchestration.py
+++ b/example_OPA_orchestration.py
@@ -1,62 +1,64 @@ from fluentm import Actor, Boundary, Process, DataFlow, TLS, HTTP, Internal, GIT, SSH from fluentm import report -Process("Policy Repo").inBoundary(Boundary("Version Control")) +# Example of a more code-oriented approach, using variables which will play +# nicely with IDEs. It can be a faster way to write these. -Boundary("New Kubernetes Cluster").inBoundary("New AWS Account") +# Setup scenes here: +scenes = {} -scenes = { - "Developer requests a new cluster": [ - DataFlow( - Actor("Developer"), - Process("Cluster Orchestrator").inBoundary(Boundary("Control Cluster")), - TLS(HTTP("Create cluster request")), - ), - DataFlow( - Process("Cluster Orchestrator"), - Process("Cluster Orchestrator"), - Internal("Validates user"), - ), - DataFlow( - Process("Cluster Orchestrator"), - Process("IAM").inBoundary("AWS"), - TLS(HTTP("Create new account")), - response=TLS(HTTP("Account Details")), - ), - DataFlow( - Process("Cluster Orchestrator"), - Process("EKS").inBoundary("AWS"), - TLS(HTTP("Create new cluster")), - response=TLS(HTTP("Cluster Details")), - ), - DataFlow( - Process("Cluster Orchestrator"), - Process("k8s API").inBoundary(Boundary("New Kubernetes Cluster")), - TLS(HTTP("Add default admission controller")), - ), - ], - "Developer creates a pod": [ - DataFlow(Actor("Developer"), Process("k8s API"), TLS(HTTP("Create POD"))), - DataFlow( - Process("k8s API"), - Process("Admission Controller").inBoundary("Cluster Orchestrator"), - TLS(HTTP("Validate pod creation")), - ), - DataFlow( - Process("Admission Controller"), - Process("OPA").inBoundary("Cluster Orchestrator"), - HTTP("Validate pod creation.."), - ), - DataFlow( - Process("OPA"), - Process("Policy Repo"), - SSH(GIT("Get latest policy")), - response=SSH(GIT("Latest policy REGO")), - ), - DataFlow(Process("OPA"), Process("k8s API"), TLS(HTTP("Validation Decision"))), - DataFlow(Process("k8s API"), Actor("Developer"), TLS(HTTP("Approve/Denied"))), - ], -} +newK8sClusterBoundary = Boundary("New 
Kubernetes Cluster").inBoundary("New AWS Account") + +## Developer requests a new cluster +# Participants +developer = Actor("Developer") +clusterOrchestrator = Process("Cluster Orchestrator").inBoundary( + Boundary("Control Cluster") +) +iam = Process("IAM").inBoundary("AWS") +eks = Process("EKS").inBoundary("AWS") +k8sApi = Process("k8s API").inBoundary(Boundary("New Kubernetes Cluster")) +# Flows +scenes["Developer requests a new cluster"] = [ + DataFlow(developer, clusterOrchestrator, TLS(HTTP("Create cluster request"))), + DataFlow(clusterOrchestrator, clusterOrchestrator, Internal("Validates user")), + DataFlow( + clusterOrchestrator, + iam, + TLS(HTTP("Create new account")), + response=TLS(HTTP("Account Details")), + ), + DataFlow( + clusterOrchestrator, + eks, + TLS(HTTP("Create new cluster")), + response=TLS(HTTP("Cluster Details")), + ), + DataFlow( + clusterOrchestrator, k8sApi, TLS(HTTP("Add default admission controller")) + ), +] + +## Developer creates a pod +# New participants (not seen above) +developer = Actor("Developer") +admissionController = Process("Admission Controller").inBoundary("Cluster Orchestrator") +policyRepo = Process("Policy Repo").inBoundary(Boundary("Version Control")) +opa = Process("OPA") +# DataFlows +scenes["Developer creates a pod"] = [ + DataFlow(developer, k8sApi, TLS(HTTP("Create POD"))), + DataFlow(k8sApi, admissionController, TLS(HTTP("Validate pod creation"))), + DataFlow(admissionController, opa, TLS(HTTP("Validate pod creation"))), + DataFlow( + opa, + policyRepo, + SSH(GIT("Get latest policy")), + response=SSH(GIT("Latest policy REGO")), + ), + DataFlow(opa, k8sApi, TLS(HTTP("Validation Decision"))), + DataFlow(k8sApi, developer, TLS(HTTP("Approve/Denied"))), +] if __name__ == "__main__": r = report(scenes, outputDir="examples/OPA_orchestration", dfdLabels=True) diff --git a/examples/OPA_orchestration/AggregatedDfd-dfd b/examples/OPA_orchestration/AggregatedDfd-dfd index b871d9e..95fffeb 100644 
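Review bot: `opa = Process("OPA")` drops the `.inBoundary("Cluster Orchestrator")` that the removed definition carried, so the policy engine now renders outside every trust boundary — the regenerated AggregatedDfd and "Developer creates a pod" dot files in this same commit show OPA moving from the `cluster_Cluster Orchestrator` subgraph to top level. Unless that relocation is deliberate, restore it with `opa = Process("OPA").inBoundary("Cluster Orchestrator")`; if it is deliberate, the new placement of the policy decision point deserves a one-line comment, since it changes the threat model this example documents rather than just its coding style. Likewise the admission controller → OPA flow is now `TLS(HTTP("Validate pod creation"))` where it was plain `HTTP(...)` before, which is a model change, not a refactor, and should be called out as such. Minor: `newK8sClusterBoundary` is assigned but never used (`k8sApi` constructs a fresh `Boundary("New Kubernetes Cluster")` instead of reusing it), and `developer = Actor("Developer")` is re-assigned under the "New participants (not seen above)" comment although it was already defined in the first scene.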
--- a/examples/OPA_orchestration/AggregatedDfd-dfd +++ b/examples/OPA_orchestration/AggregatedDfd-dfd @@ -3,6 +3,7 @@ digraph all { node [fontname=Arial fontsize=11 shape=box style=rounded] edge [fontname=Arial fontsize=11] Developer + OPA subgraph "cluster_Control Cluster" { graph [color=red fontname=Arial fontsize=11 label="Control Cluster" style=dashed] "Cluster Orchestrator" @@ -22,7 +23,6 @@ digraph all { subgraph "cluster_Cluster Orchestrator" { graph [color=red fontname=Arial fontsize=11 label="Cluster Orchestrator" style=dashed] "Admission Controller" - OPA } subgraph "cluster_Version Control" { graph [color=red fontname=Arial fontsize=11 label="Version Control" style=dashed] diff --git a/examples/OPA_orchestration/AggregatedDfd-dfd.png b/examples/OPA_orchestration/AggregatedDfd-dfd.png index 80623d9..87470d6 100644 Binary files a/examples/OPA_orchestration/AggregatedDfd-dfd.png and b/examples/OPA_orchestration/AggregatedDfd-dfd.png differ diff --git a/examples/OPA_orchestration/Developer creates a pod-dfd b/examples/OPA_orchestration/Developer creates a pod-dfd index 3dc9da2..183560d 100644 --- a/examples/OPA_orchestration/Developer creates a pod-dfd +++ b/examples/OPA_orchestration/Developer creates a pod-dfd @@ -3,6 +3,7 @@ digraph "Developer creates a pod" { node [fontname=Arial fontsize=11 shape=box style=rounded] edge [fontname=Arial fontsize=11] Developer + OPA subgraph "cluster_New AWS Account" { graph [color=red fontname=Arial fontsize=11 label="New AWS Account" style=dashed] subgraph "cluster_New Kubernetes Cluster" { @@ -13,7 +14,6 @@ digraph "Developer creates a pod" { subgraph "cluster_Cluster Orchestrator" { graph [color=red fontname=Arial fontsize=11 label="Cluster Orchestrator" style=dashed] "Admission Controller" - OPA } subgraph "cluster_Version Control" { graph [color=red fontname=Arial fontsize=11 label="Version Control" style=dashed] 
@@ -21,7 +21,7 @@ digraph "Developer creates a pod" { } Developer -> "k8s API" [label="(1) Create POD"] "k8s API" -> "Admission Controller" [label="(2) Validate pod creation"] - "Admission Controller" -> OPA [label="(3) Validate pod creation.."] + "Admission Controller" -> OPA [label="(3) Validate pod creation"] OPA -> "Policy Repo" [label="(4) Get latest policy"] "Policy Repo" -> OPA [label="(5) Latest policy REGO"] OPA -> "k8s API" [label="(6) Validation Decision"] diff --git a/examples/OPA_orchestration/Developer creates a pod-dfd.png b/examples/OPA_orchestration/Developer creates a pod-dfd.png index 9609493..ca7732e 100644 Binary files a/examples/OPA_orchestration/Developer creates a pod-dfd.png and b/examples/OPA_orchestration/Developer creates a pod-dfd.png differ diff --git a/examples/OPA_orchestration/flow-Developer creates a pod-3 b/examples/OPA_orchestration/flow-Developer creates a pod-3 index fa586f5..d1edf43 100644 --- a/examples/OPA_orchestration/flow-Developer creates a pod-3 +++ b/examples/OPA_orchestration/flow-Developer creates a pod-3 @@ -1,5 +1,5 @@ digraph { graph [bgcolor=transparent fontsize=11 fontstyle=Arial] node [fontsize=11 fontstyle=Arial shape=plaintext] - struct [label="HTTP|{Validate pod creation..}" shape=record] + struct [label="TLS|HTTP|{Validate pod creation}" shape=record] } diff --git a/examples/OPA_orchestration/flow-Developer creates a pod-3.png b/examples/OPA_orchestration/flow-Developer creates a pod-3.png index 7004461..6db5f22 100644 Binary files a/examples/OPA_orchestration/flow-Developer creates a pod-3.png and b/examples/OPA_orchestration/flow-Developer creates a pod-3.png differ