Add scannerType field, CustomRule CRD, and 'kind' property for rule references

- Introduce scannerType to ComplianceScan and ComplianceSuite for specifying OpenSCAP or CEL.
- Add custom rule CRD (compliance.openshift.io_customrules.yaml) and types.
- Extend TailoredProfile references with a 'kind' field to differentiate between Rule and CustomRule.

Author: Vincent056

bundle/manifests/compliance.openshift.io_compliancescans.yaml

@@ -266,6 +266,10 @@ spec:
                 default: Node
                 description: The type of Compliance scan.
                 type: string
+              scannerType:
+                default: OpenSCAP
+                description: The scanner used to perform the scan.
+                type: string
               showNotApplicable:
                 default: false
                 description: Determines whether to hide or show results that are not

bundle/manifests/compliance.openshift.io_compliancesuites.yaml

@@ -285,6 +285,10 @@ spec:
                       default: Node
                       description: The type of Compliance scan.
                       type: string
+                    scannerType:
+                      default: OpenSCAP
+                      description: The scanner used to perform the scan.
+                      type: string
                     showNotApplicable:
                       default: false
                       description: Determines whether to hide or show results that

bundle/manifests/compliance.openshift.io_rules.yaml

@@ -59,7 +59,10 @@ spec:
             description: The description of the Rule
             type: string
           id:
-            description: The XCCDF ID
+            description: |-
+              The ID of the Rule
+              This can be the XCCDF ID for OpenSCAP rules
+              or the ID of the rule in the source content
             type: string
           instructions:
             description: Instructions for auditing this specific rule

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

@@ -57,6 +57,11 @@ spec:
                   description: RuleReferenceSpec specifies a rule to be selected/deselected,
                     as well as the reason why
                   properties:
+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified
+                      type: string
                     name:
                       description: Name of the rule that's being referenced
                       type: string
@@ -75,6 +80,11 @@ spec:
                   description: RuleReferenceSpec specifies a rule to be selected/deselected,
                     as well as the reason why
                   properties:
+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified
+                      type: string
                     name:
                       description: Name of the rule that's being referenced
                       type: string
@@ -97,6 +107,11 @@ spec:
                   description: RuleReferenceSpec specifies a rule to be selected/deselected,
                     as well as the reason why
                   properties:
+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified
+                      type: string
                     name:
                       description: Name of the rule that's being referenced
                       type: string

config/crd/bases/compliance.openshift.io_compliancescans.yaml

@@ -266,6 +266,10 @@ spec:
                 default: Node
                 description: The type of Compliance scan.
                 type: string
+              scannerType:
+                default: OpenSCAP
+                description: The scanner used to perform the scan.
+                type: string
               showNotApplicable:
                 default: false
                 description: Determines whether to hide or show results that are not

config/crd/bases/compliance.openshift.io_compliancesuites.yaml

@@ -285,6 +285,10 @@ spec:
                       default: Node
                       description: The type of Compliance scan.
                       type: string
+                    scannerType:
+                      default: OpenSCAP
+                      description: The scanner used to perform the scan.
+                      type: string
                     showNotApplicable:
                       default: false
                       description: Determines whether to hide or show results that

config/crd/bases/compliance.openshift.io_customrules.yaml

@@ -0,0 +1,159 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.1
+  name: customrules.compliance.openshift.io
+spec:
+  group: compliance.openshift.io
+  names:
+    kind: CustomRule
+    listKind: CustomRuleList
+    plural: customrules
+    singular: customrule
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: CustomRule is the Schema for the customrules API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              availableFixes:
+                description: The Available fixes
+                items:
+                  description: |-
+                    FixDefinition Specifies a fix or remediation
+                    that applies to a rule
+                  properties:
+                    disruption:
+                      description: |-
+                        An estimate of the potential disruption or operational
+                        degradation that this fix will impose in the target system
+                      type: string
+                    fixObject:
+                      description: an object that should bring the rule into compliance
+                      type: object
+                      x-kubernetes-embedded-resource: true
+                      x-kubernetes-preserve-unknown-fields: true
+                    platform:
+                      description: The platform that the fix applies to
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+                x-kubernetes-list-type: atomic
+              checkType:
+                description: |-
+                  What type of check will this rule execute:
+                  Platform, Node or none (represented by an empty string)
+                type: string
+              description:
+                description: The description of the Rule
+                type: string
+              errorMessage:
+                description: ErrorMessage is displayed when the rule evaluation fails
+                minLength: 1
+                type: string
+              expression:
+                description: Expression is the CEL expression to evaluate
+                minLength: 1
+                type: string
+              id:
+                description: |-
+                  The ID of the Rule
+                  This can be the XCCDF ID for OpenSCAP rules
+                  or the ID of the rule in the source content
+                type: string
+              inputs:
+                description: Inputs defines the Kubernetes resources that need to
+                  be fetched before evaluating the expression
+                items:
+                  nullable: true
+                  properties:
+                    apiGroup:
+                      description: APIGroup is the Kubernetes API group of the resource
+                      type: string
+                    name:
+                      description: Name is the variable name used to reference this
+                        resource in the CEL expression
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: Namespace is the Kubernetes namespace of the resource
+                      type: string
+                    resource:
+                      description: Resource is the Kubernetes resource type
+                      minLength: 1
+                      type: string
+                    type:
+                      enum:
+                      - KubeGroupVersionResource
+                      type: string
+                    version:
+                      description: Version is the Kubernetes API version of the resource
+                      minLength: 1
+                      type: string
+                  required:
+                  - apiGroup
+                  - name
+                  - resource
+                  - type
+                  - version
+                  type: object
+                minItems: 1
+                type: array
+              instructions:
+                description: Instructions for auditing this specific rule
+                type: string
+              rationale:
+                description: The rationale of the Rule
+                type: string
+              scannerType:
+                description: ScannerType specifies what type of check this rule performs
+                enum:
+                - CEL
+                - OpenSCAP
+                type: string
+              severity:
+                description: The severity level
+                type: string
+              title:
+                description: The title of the Rule
+                type: string
+              warning:
+                description: A discretionary warning about the of the Rule
+                type: string
+            required:
+            - errorMessage
+            - expression
+            - id
+            - inputs
+            - scannerType
+            - title
+            type: object
+          status:
+            description: Status is intentionally left empty.
+            type: object
+        type: object
+    served: true
+    storage: true

config/crd/bases/compliance.openshift.io_rules.yaml

@@ -59,7 +59,10 @@ spec:
             description: The description of the Rule
             type: string
           id:
-            description: The XCCDF ID
+            description: |-
+              The ID of the Rule
+              This can be the XCCDF ID for OpenSCAP rules
+              or the ID of the rule in the source content
             type: string
           instructions:
             description: Instructions for auditing this specific rule

config/crd/bases/compliance.openshift.io_tailoredprofiles.yaml

@@ -57,6 +57,11 @@ spec:
                   description: RuleReferenceSpec specifies a rule to be selected/deselected,
                     as well as the reason why
                   properties:
+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified
+                      type: string
                     name:
                       description: Name of the rule that's being referenced
                       type: string
@@ -75,6 +80,11 @@ spec:
                   description: RuleReferenceSpec specifies a rule to be selected/deselected,
                     as well as the reason why
                   properties:
+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified
+                      type: string
                     name:
                       description: Name of the rule that's being referenced
                       type: string
@@ -97,6 +107,11 @@ spec:
                   description: RuleReferenceSpec specifies a rule to be selected/deselected,
                     as well as the reason why
                   properties:
+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified
+                      type: string
                     name:
                       description: Name of the rule that's being referenced
                       type: string

pkg/apis/compliance/v1alpha1/compliancescan_types.go

@@ -50,6 +50,8 @@ const DefaultStorageRotation = 3
 
 var ErrUnkownScanType = errors.New("Unknown scan type")
 
+var ErrUnkownScanerType = errors.New("Unknown scanner type")
+
 // Represents the status of the compliance scan run.
 type ComplianceScanStatusPhase string
 
@@ -234,6 +236,9 @@ type ComplianceScanSpec struct {
 	// The type of Compliance scan.
 	// +kubebuilder:default=Node
 	ScanType ComplianceScanType `json:"scanType,omitempty"`
+	// The scanner used to perform the scan.
+	// +kubebuilder:default=OpenSCAP
+	ScannerType ScannerType `json:"scannerType,omitempty"`
 	// Is the image with the content (Data Stream), that will be used to run
 	// OpenSCAP.
 	ContentImage string `json:"contentImage,omitempty"`
@@ -367,6 +372,19 @@ func (cs *ComplianceScan) GetScanTypeIfValid() (ComplianceScanType, error) {
 	return "", ErrUnkownScanType
 }
 
+// GetScanerTypeIfValid returns scaner type we will be using if the scan has a valid one, else it returns
+// an error
+func (cs *ComplianceScan) GetScanerTypeIfValid() (ScannerType, error) {
+	if strings.ToLower(string(cs.Spec.ScannerType)) == strings.ToLower(string(ScannerTypeOpenSCAP)) {
+		return ScannerTypeOpenSCAP, nil
+	}
+
+	if strings.ToLower(string(cs.Spec.ScannerType)) == strings.ToLower(string(ScannerTypeCEL)) {
+		return ScannerTypeCEL, nil
+	}
+	return "", ErrUnkownScanerType
+}
+
 // GetScanType get's the scan type for a scan
 func (cs *ComplianceScan) GetScanType() ComplianceScanType {
 	scantype, err := cs.GetScanTypeIfValid()
@@ -377,6 +395,16 @@ func (cs *ComplianceScan) GetScanType() ComplianceScanType {
 	return scantype
 }
 
+// GetScannerType will get the scanner type for a scan
+func (cs *ComplianceScan) GetScannerType() ScannerType {
+	scannertype, err := cs.GetScanerTypeIfValid()
+	if err != nil {
+		// This shouldn't happen
+		panic(err)
+	}
+	return scannertype
+}
+
 // Returns whether remediation enforcement is off or not
 func (cs *ComplianceScan) RemediationEnforcementIsOff() bool {
 	return (strings.EqualFold(cs.Spec.RemediationEnforcement, RemediationEnforcementEmpty) ||