Add scannerType field, CustomRule CRD, and 'enabledCustomRule' fields

- Introduce scannerType to ComplianceScan and ComplianceSuite for specifying OpenSCAP or CEL.
- Add custom rule CRD (compliance.openshift.io_customrules.yaml) and types.
- Extend TailoredProfile with addtional EnableCustomRule field.

Author: Vincent056

bundle/manifests/compliance-operator.clusterserviceversion.yaml

@@ -205,6 +205,9 @@ spec:
       kind: ComplianceSuite
       name: compliancesuites.compliance.openshift.io
       version: v1alpha1
+    - kind: CustomRule
+      name: customrules.compliance.openshift.io
+      version: v1alpha1
     - description: ProfileBundle is the Schema for the profilebundles API
       displayName: Profile Bundle
       kind: ProfileBundle

bundle/manifests/compliance.openshift.io_compliancescans.yaml

@@ -266,6 +266,10 @@ spec:
                 default: Node
                 description: The type of Compliance scan.
                 type: string
+              scannerType:
+                default: OpenSCAP
+                description: The scanner used to perform the scan.
+                type: string
               showNotApplicable:
                 default: false
                 description: Determines whether to hide or show results that are not

bundle/manifests/compliance.openshift.io_compliancesuites.yaml

@@ -285,6 +285,10 @@ spec:
                       default: Node
                       description: The type of Compliance scan.
                       type: string
+                    scannerType:
+                      default: OpenSCAP
+                      description: The scanner used to perform the scan.
+                      type: string
                     showNotApplicable:
                       default: false
                       description: Determines whether to hide or show results that

bundle/manifests/compliance.openshift.io_customrules.yaml

@@ -0,0 +1,141 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.1
+  creationTimestamp: null
+  name: customrules.compliance.openshift.io
+spec:
+  group: compliance.openshift.io
+  names:
+    kind: CustomRule
+    listKind: CustomRuleList
+    plural: customrules
+    singular: customrule
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: CustomRule is the Schema for the customrules API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              checkType:
+                description: |-
+                  What type of check will this rule execute:
+                  Platform or none (represented by an empty string)
+                enum:
+                - Platform
+                type: string
+              description:
+                description: The description of the Rule
+                type: string
+              errorMessage:
+                description: ErrorMessage is displayed when the rule evaluation fails
+                minLength: 1
+                type: string
+              expression:
+                description: Expression is the CEL expression to evaluate
+                minLength: 1
+                type: string
+              id:
+                description: The ID of the Rule
+                type: string
+              inputs:
+                description: Inputs defines the Kubernetes resources that need to
+                  be fetched before evaluating the expression
+                items:
+                  nullable: true
+                  properties:
+                    apiGroup:
+                      description: APIGroup is the Kubernetes API group of the resource
+                      type: string
+                    name:
+                      description: Name is the variable name used to reference this
+                        resource in the CEL expression
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: Namespace is the Kubernetes namespace of the resource
+                      type: string
+                    resource:
+                      description: Resource is the Kubernetes resource type
+                      minLength: 1
+                      type: string
+                    type:
+                      enum:
+                      - KubeGroupVersionResource
+                      type: string
+                    version:
+                      description: Version is the Kubernetes API version of the resource
+                      minLength: 1
+                      type: string
+                  required:
+                  - apiGroup
+                  - name
+                  - resource
+                  - type
+                  - version
+                  type: object
+                minItems: 1
+                type: array
+              instructions:
+                description: Instructions for auditing this specific rule
+                type: string
+              rationale:
+                description: The rationale of the Rule
+                type: string
+              scannerType:
+                description: ScannerType denotes the scanning implementation to use
+                  when evaluating rules
+                enum:
+                - CEL
+                type: string
+              severity:
+                description: The severity level
+                type: string
+              title:
+                description: The title of the Rule
+                type: string
+              warning:
+                description: A discretionary warning about the of the Rule
+                type: string
+            required:
+            - checkType
+            - errorMessage
+            - expression
+            - id
+            - inputs
+            - scannerType
+            - title
+            type: object
+          status:
+            description: Status is intentionally left empty.
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: null
+  storedVersions: null

bundle/manifests/compliance.openshift.io_rules.yaml

@@ -59,7 +59,7 @@ spec:
             description: The description of the Rule
             type: string
           id:
-            description: The XCCDF ID
+            description: The ID of the Rule
             type: string
           instructions:
             description: Instructions for auditing this specific rule

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

@@ -69,6 +69,24 @@ spec:
                   type: object
                 nullable: true
                 type: array
+              enableCustomRules:
+                description: Enables the referenced custom rules
+                items:
+                  description: CustomRuleReferenceSpec specifies a customRule to be
+                    selected, as well as the reason why
+                  properties:
+                    name:
+                      description: Name of the customRule that's being referenced
+                      type: string
+                    rationale:
+                      description: Rationale of why this customRule is being selected
+                      type: string
+                  required:
+                  - name
+                  - rationale
+                  type: object
+                nullable: true
+                type: array
               enableRules:
                 description: Enables the referenced rules
                 items:

config/crd/bases/compliance.openshift.io_compliancescans.yaml

@@ -266,6 +266,10 @@ spec:
                 default: Node
                 description: The type of Compliance scan.
                 type: string
+              scannerType:
+                default: OpenSCAP
+                description: The scanner used to perform the scan.
+                type: string
               showNotApplicable:
                 default: false
                 description: Determines whether to hide or show results that are not

config/crd/bases/compliance.openshift.io_compliancesuites.yaml

@@ -285,6 +285,10 @@ spec:
                       default: Node
                       description: The type of Compliance scan.
                       type: string
+                    scannerType:
+                      default: OpenSCAP
+                      description: The scanner used to perform the scan.
+                      type: string
                     showNotApplicable:
                       default: false
                       description: Determines whether to hide or show results that

config/crd/bases/compliance.openshift.io_customrules.yaml

@@ -0,0 +1,135 @@
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.17.1
+  name: customrules.compliance.openshift.io
+spec:
+  group: compliance.openshift.io
+  names:
+    kind: CustomRule
+    listKind: CustomRuleList
+    plural: customrules
+    singular: customrule
+  scope: Namespaced
+  versions:
+  - name: v1alpha1
+    schema:
+      openAPIV3Schema:
+        description: CustomRule is the Schema for the customrules API
+        properties:
+          apiVersion:
+            description: |-
+              APIVersion defines the versioned schema of this representation of an object.
+              Servers should convert recognized schemas to the latest internal value, and
+              may reject unrecognized values.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
+            type: string
+          kind:
+            description: |-
+              Kind is a string value representing the REST resource this object represents.
+              Servers may infer this from the endpoint the client submits requests to.
+              Cannot be updated.
+              In CamelCase.
+              More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
+            type: string
+          metadata:
+            type: object
+          spec:
+            properties:
+              checkType:
+                description: |-
+                  What type of check will this rule execute:
+                  Platform or none (represented by an empty string)
+                enum:
+                - Platform
+                type: string
+              description:
+                description: The description of the Rule
+                type: string
+              errorMessage:
+                description: ErrorMessage is displayed when the rule evaluation fails
+                minLength: 1
+                type: string
+              expression:
+                description: Expression is the CEL expression to evaluate
+                minLength: 1
+                type: string
+              id:
+                description: The ID of the Rule
+                type: string
+              inputs:
+                description: Inputs defines the Kubernetes resources that need to
+                  be fetched before evaluating the expression
+                items:
+                  nullable: true
+                  properties:
+                    apiGroup:
+                      description: APIGroup is the Kubernetes API group of the resource
+                      type: string
+                    name:
+                      description: Name is the variable name used to reference this
+                        resource in the CEL expression
+                      minLength: 1
+                      type: string
+                    namespace:
+                      description: Namespace is the Kubernetes namespace of the resource
+                      type: string
+                    resource:
+                      description: Resource is the Kubernetes resource type
+                      minLength: 1
+                      type: string
+                    type:
+                      enum:
+                      - KubeGroupVersionResource
+                      type: string
+                    version:
+                      description: Version is the Kubernetes API version of the resource
+                      minLength: 1
+                      type: string
+                  required:
+                  - apiGroup
+                  - name
+                  - resource
+                  - type
+                  - version
+                  type: object
+                minItems: 1
+                type: array
+              instructions:
+                description: Instructions for auditing this specific rule
+                type: string
+              rationale:
+                description: The rationale of the Rule
+                type: string
+              scannerType:
+                description: ScannerType denotes the scanning implementation to use
+                  when evaluating rules
+                enum:
+                - CEL
+                type: string
+              severity:
+                description: The severity level
+                type: string
+              title:
+                description: The title of the Rule
+                type: string
+              warning:
+                description: A discretionary warning about the of the Rule
+                type: string
+            required:
+            - checkType
+            - errorMessage
+            - expression
+            - id
+            - inputs
+            - scannerType
+            - title
+            type: object
+          status:
+            description: Status is intentionally left empty.
+            type: object
+        type: object
+    served: true
+    storage: true

config/crd/bases/compliance.openshift.io_rules.yaml

@@ -59,7 +59,7 @@ spec:
             description: The description of the Rule
             type: string
           id:
-            description: The XCCDF ID
+            description: The ID of the Rule
             type: string
           instructions:
             description: Instructions for auditing this specific rule

config/crd/bases/compliance.openshift.io_tailoredprofiles.yaml

@@ -69,6 +69,24 @@ spec:
                   type: object
                 nullable: true
                 type: array
+              enableCustomRules:
+                description: Enables the referenced custom rules
+                items:
+                  description: CustomRuleReferenceSpec specifies a customRule to be
+                    selected, as well as the reason why
+                  properties:
+                    name:
+                      description: Name of the customRule that's being referenced
+                      type: string
+                    rationale:
+                      description: Rationale of why this customRule is being selected
+                      type: string
+                  required:
+                  - name
+                  - rationale
+                  type: object
+                nullable: true
+                type: array
               enableRules:
                 description: Enables the referenced rules
                 items: