CMP-2868: Add scannerType field, CustomRule CRD, and 'kind' property for rule #686

Vincent056 · 2025-02-19T06:20:50Z

Added changes needed to CRDs to enable CEL scanner.

Introduce scannerType to ComplianceScan and ComplianceSuite CRDs for specifying OpenSCAP or CEL.
Add CustomRule CRD and types.
Extend TailoredProfile references with a 'kind' field to differentiate between Rule and CustomRule.

openshift-ci · 2025-02-19T06:20:57Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Vincent056

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [Vincent056]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

github-actions · 2025-02-19T06:28:10Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-0e1b9b6f1bbc3a6778b9958178de5819f7578cdb

Vincent056 · 2025-02-19T16:07:24Z

/retest

rhmdnd

A few suggestions inline. Thanks!

rhmdnd · 2025-02-20T22:13:53Z

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified


Nit: Suggest using passive voice here to be consistent with the rest of the properties.

Type of rule, either "Rule" or "CustomRule". "Rule" is the default if not specified.

rhmdnd · 2025-02-20T22:14:02Z

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified


Similar comment as above.

rhmdnd · 2025-02-20T22:14:10Z

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

+                    kind:
+                      description: |-
+                        Type of the rule reference, either "Rule" or "CustomRule"
+                        We will use "Rule" by default if not specified


Similar comment as above.

rhmdnd · 2025-02-20T22:16:32Z

config/crd/bases/compliance.openshift.io_customrules.yaml

+            type: object
+          spec:
+            properties:
+              availableFixes:


Is this carry over from Rules? Do we want to open this up right away?

rhmdnd · 2025-02-20T22:17:16Z

config/crd/bases/compliance.openshift.io_customrules.yaml

+              checkType:
+                description: |-
+                  What type of check will this rule execute:
+                  Platform, Node or none (represented by an empty string)


This can only be Platform initially, right? Do we want to state that explicitly?

rhmdnd · 2025-02-20T22:17:52Z

config/crd/bases/compliance.openshift.io_customrules.yaml

+                minLength: 1
+                type: string
+              id:
+                description: The XCCDF ID


Does this have to be an XCCDF ID? Or does it just have to be an ID?

I made some changes to the descriptions here, I tried to move the common part together, but it looks like we have rulePayLoad referenced in other part of the code that prevents from doing so, I wonder if we should keep the minimal changes and make the documentation clear

pkg/apis/compliance/v1alpha1/compliancescan_types.go

rhmdnd · 2025-02-20T22:20:34Z

pkg/apis/compliance/v1alpha1/customrule_types.go

+const (
+	ScannerTypeCEL      ScannerType = "CEL"
+	ScannerTypeOpenSCAP ScannerType = "OpenSCAP"
+	ScannerTypeUnknown  ScannerType = "Unknown"


Based on the code above - we'd never use this, right?

no, we will not use that until later in the reconciler loop

Ok - so we will use it, just not now?

that's right

pkg/apis/compliance/v1alpha1/customrule_types.go

openshift-ci-robot · 2025-02-25T10:50:10Z

@Vincent056: This pull request references CMP-2868 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Added changes needed to CRDs to enable CEL scanner.

Introduce scannerType to ComplianceScan and ComplianceSuite CRDs for specifying OpenSCAP or CEL.

Add CustomRule CRD and types.

Extend TailoredProfile references with a 'kind' field to differentiate between Rule and CustomRule.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

github-actions · 2025-02-25T11:04:57Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-f10057fa1740738ef4dab488e72ae3f0bd63986d

github-actions · 2025-02-27T02:22:15Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-866bd41b109c994cdd0a2697db929d83d69352e9

xiaojiey · 2025-02-27T03:50:42Z

Still failed to list customrule crd with the latest version. More permission needed from the apiGroups. Refer to #671 for info.

% oc project openshift-compliance
Already on project "openshift-compliance" on server "https://api.xiyuan-18b.qe.devcluster.openshift.com:6443".
% oc get csv
 NAME                             DISPLAY               VERSION     REPLACES   PHASE
compliance-operator.v1.6.2-dev   Compliance Operator   1.6.2-dev              Succeeded
% oc get customrule                                     
error: the server doesn't have a resource type "customrule"
% oc get crd | grep -i compliancescan
compliancescans.compliance.openshift.io                           2025-02-27T02:10:54Z

github-actions · 2025-02-27T19:47:52Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-4446db38df6d58b67d9d6ef582c2dd8565b889ef

Vincent056 · 2025-02-28T00:04:07Z

2025/02/27 21:48:56 CronJob test-suspend-scan-setting-binding-rerunner is active
    main_test.go:1790: Put "https://api.ci-op-infhdffw-f837a.quay.devcluster.openshift.com:6443/apis/compliance.openshift.io/v1alpha1/namespaces/osdk-e2e-66ae43a3-80d7-4fdd-8ef9-a53f1fdc5faa/scansettings/test-suspend-scan-setting-scansetting": read tcp 10.129.192.153:45824->54.151.38.0:6443: read: connection reset by peer
--- FAIL: TestSuspendScanSetting (55.93s)
=== RUN   TestRemoveProfileScan

api transient issue

Vincent056 · 2025-02-28T00:04:16Z

/retest

xiaojiey · 2025-02-28T14:48:42Z

Verification pass:

creat customrule with correct configration, customrules created correctly.

% oc get customrule
NAME                                                    AGE
custom-rule-configure-network-policies-namespaces-cel   6s
custom-rule-enable-nonroot-feature-gate-cel             7s
custom-rule-etcd-cert-file-cel                          5s
custom-rule-motd-exists-cel                             36s

When creating customrule with wrong scannertype, the customrule will be failed to created.

% oc apply -f customrules_motd_error_scannertype.yaml 
The CustomRule "custom-rule-motd-error-scannertype-cel" is invalid: spec.scannerType: Unsupported value: "OpenSCAP": supported values: "CEL"

xiaojiey · 2025-02-28T14:48:53Z

/label qe-approved

github-actions · 2025-02-28T18:29:27Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-c1f92b2dd19b9538e752ea9d77928804fb5f05ff

rhmdnd · 2025-02-28T19:59:30Z

pkg/apis/compliance/v1alpha1/customrule_types.go

+
+type CELPayload struct {
+
+	// ScannerType specifies what type of check this rule performs


This bit is a little confusing to me since we also have the concept of platform and node checks.

Perhaps something like:

// ScannerType denotes the scanning implementation to use when evaluating rules

rhmdnd · 2025-02-28T20:02:27Z

pkg/apis/compliance/v1alpha1/customrule_types.go

+	// ScannerType specifies what type of check this rule performs
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:Enum=CEL
+	ScannerType ScannerType `json:"scannerType"`


I wonder if ScannerType should be defined outside the CELPayload. What happens if/when we add another implementation along side CEL? Will we need to define ScannerType in its payload, too?

that's a really good point!

rhmdnd · 2025-02-28T20:05:28Z

pkg/apis/compliance/v1alpha1/customrule_types.go

+const (
+	ScannerTypeCEL      ScannerType = "CEL"
+	ScannerTypeOpenSCAP ScannerType = "OpenSCAP"
+	ScannerTypeUnknown  ScannerType = "Unknown"


Ok - so we will use it, just not now?

rhmdnd · 2025-02-28T20:05:58Z

pkg/apis/compliance/v1alpha1/compliancescan_types.go

@@ -367,6 +372,19 @@ func (cs *ComplianceScan) GetScanTypeIfValid() (ComplianceScanType, error) {
 	return "", ErrUnkownScanType
 }

+// GetScanerTypeIfValid returns scanner type we will be using if the scan has a valid one, else it returns
+// an error
+func (cs *ComplianceScan) GetScanerTypeIfValid() (ScannerType, error) {


nit: GetScannerTypeIfValid

rhmdnd · 2025-02-28T20:06:45Z

pkg/apis/compliance/v1alpha1/compliancescan_types.go

@@ -50,6 +50,8 @@ const DefaultStorageRotation = 3

 var ErrUnkownScanType = errors.New("Unknown scan type")

+var ErrUnkownScanerType = errors.New("Unknown scanner type")


Similar comment here as below (e.g., Scanner instead of Scaner)

rhmdnd · 2025-02-28T20:08:32Z

pkg/apis/compliance/v1alpha1/compliancescan_types.go

@@ -367,6 +372,19 @@ func (cs *ComplianceScan) GetScanTypeIfValid() (ComplianceScanType, error) {
 	return "", ErrUnkownScanType
 }

+// GetScanerTypeIfValid returns scanner type we will be using if the scan has a valid one, else it returns
+// an error
+func (cs *ComplianceScan) GetScanerTypeIfValid() (ScannerType, error) {


nit: Could steal a leaf from the kubeclient book and name if GetScannerTypeOrDie) - or we could use OrFail if we remove the panic(err) eventually.

rhmdnd · 2025-02-28T20:13:54Z

config/crd/bases/compliance.openshift.io_tailoredprofiles.yaml

                    name:
                      description: Name of the rule that's being referenced
                      type: string
                    rationale:
                      description: Rationale of why this rule is being selected/deselected
                      type: string
                  required:
+                  - kind


Does this mean it's possible to have a CustomRule named foo and a Rule named foo?

I'm trying to think through a case where someone would want to disable a CustomRule. In that case, wouldn't they just not include it in the tailored profile?

In that case, wouldn't they just not include it in the tailored profile?

no, they would not be included in the tailored profile in that case

rhmdnd · 2025-02-28T20:14:10Z

config/crd/bases/compliance.openshift.io_tailoredprofiles.yaml

                    name:
                      description: Name of the rule that's being referenced
                      type: string
                    rationale:
                      description: Rationale of why this rule is being selected/deselected
                      type: string
                  required:
+                  - kind


This one makes sense to me.

rhmdnd · 2025-02-28T20:14:41Z

config/crd/bases/compliance.openshift.io_tailoredprofiles.yaml

                    name:
                      description: Name of the rule that's being referenced
                      type: string
                    rationale:
                      description: Rationale of why this rule is being selected/deselected
                      type: string
                  required:
+                  - kind


Similar comment here as above. Does it makes sense to support CustomRules from a manual rule perspective in a tailored profile?

I can write a check later in tailoredProfile controller to check for that

pkg/apis/compliance/v1alpha1/customrule_types.go

github-actions · 2025-03-03T16:17:52Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-401c06c0874f1a16ff23c3760bb6c9889942fd07

Vincent056 · 2025-03-03T16:58:41Z

/retest

xiaojiey · 2025-03-04T04:51:52Z

/label qe-approved

% oc get customrules
NAME                                                    AGE
custom-rule-configure-network-policies-namespaces-cel   88m
custom-rule-enable-nonroot-feature-gate-cel             88m
custom-rule-etcd-cert-file-cel                          88m
custom-rule-motd-exists-cel                             12m
% oc apply -f customrules_motd_error_scannerType.yaml 
The CustomRule "custom-rule-motd-error-scannertype-cel" is invalid: spec.scannerType: Unsupported value: "OpenSCAP": supported values: "CEL"
% oc apply -f customrules_motd_scannerType_empty.yaml 
The CustomRule "custom-rule-motd-error-scannertype-cel" is invalid: spec.scannerType: Unsupported value: "": supported values: "CEL"

rhmdnd

Overall this is on the right track, but I feel we should remove the things we're not going to support initially so it's a simpler feature and less testing surface.

rhmdnd · 2025-03-06T21:33:04Z

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

+                    kind:
+                      description: Type of rule, either "Rule" or "CustomRule". "Rule"
+                        is the default if not specified.
+                      type: string


I don't understand why we would support disabling a CustomRule. The use case for CustomRule is that:

User creates a CustomRule for a check that doesn't exist in the default profiles

User creates a TailoredProfile with the CustomRule from step 1 in the enabledRules

Are you able to walk me through the use case for adding a CustomRule to the disabledRules?

rhmdnd · 2025-03-06T21:36:17Z

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

@@ -97,13 +107,18 @@ spec:
                  description: RuleReferenceSpec specifies a rule to be selected/deselected,
                    as well as the reason why
                  properties:
+                    kind:
+                      description: Type of rule, either "Rule" or "CustomRule". "Rule"
+                        is the default if not specified.


Same comment here as the disabledRules above. Do we need to support CustomRules here initially? Or can we add that in later?

rhmdnd · 2025-03-06T21:38:09Z

config/crd/bases/compliance.openshift.io_customrules.yaml

+              availableFixes:
+                description: |-
+                  The Available fixes
+                  This is not supported with CustomRule


I feel if we're not going to support it - we should remove it from the CRD so it's not confusing to users, and not creating additional API surface area for us to test.

We could always add this in later.

github-actions · 2025-03-10T13:38:23Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-482271b1ccf2da0fe6083fca8e6a6cb501ba68f5

rhmdnd · 2025-03-10T16:16:17Z

pkg/apis/compliance/v1alpha1/customrule_types.go

+	// Expression is the CEL expression to evaluate
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	Expression string `json:"expression"`


Evaluation (struct): // CELEvaluation Expression: Inputs: // BashEvaluation Commands: (list of command strings or reference to config map) // AnsibleEvaluation Tasks: (reference to config map or CRDs) // SomeNewThingWeDoNotKnowAboutYetEvaluation

Perhaps we can learn from https://github.com/openshift/cluster-logging-operator/blob/master/api/observability/v1/output_types.go

github-actions · 2025-03-10T17:04:46Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-f7e5add53de9c428332e87aca435978fe777e985

- Introduce scannerType to ComplianceScan and ComplianceSuite for specifying OpenSCAP or CEL. - Add custom rule CRD (compliance.openshift.io_customrules.yaml) and types. - Extend TailoredProfile with addtional EnableCustomRule field.

github-actions · 2025-03-10T20:04:51Z

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:686-e5265d453ffe2aee0123f1bd52441420de7dc22b

openshift-ci · 2025-03-10T23:48:49Z

@Vincent056: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/images	`e5265d4`	link	true	`/test images`
ci/prow/e2e-aws-parallel-arm	`e5265d4`	link	true	`/test e2e-aws-parallel-arm`
ci/prow/e2e-aws-serial	`e5265d4`	link	true	`/test e2e-aws-serial`

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Vincent056 · 2025-03-11T14:33:56Z

/retest

openshift-ci bot requested review from mrogers950 and rhmdnd February 19, 2025 06:20

openshift-ci bot added the approved label Feb 19, 2025

rhmdnd reviewed Feb 20, 2025

View reviewed changes

Vincent056 changed the title ~~Add scannerType field, CustomRule CRD, and 'kind' property for rule~~ CMP-2868: Add scannerType field, CustomRule CRD, and 'kind' property for rule Feb 25, 2025

openshift-ci-robot added the jira/valid-reference label Feb 25, 2025

Vincent056 force-pushed the cel-scanner-crd branch 2 times, most recently from 1fed741 to f10057f Compare February 25, 2025 10:57

Vincent056 mentioned this pull request Feb 25, 2025

CMP-2872: Implement the cel-scanner component #692

Open

Vincent056 requested a review from rhmdnd February 25, 2025 11:21

Vincent056 force-pushed the cel-scanner-crd branch from f10057f to 866bd41 Compare February 27, 2025 02:15

rhmdnd added the CEL CEL features and functionality label Feb 27, 2025

Vincent056 force-pushed the cel-scanner-crd branch 2 times, most recently from ce487a5 to 4446db3 Compare February 27, 2025 19:26

openshift-ci bot added the qe-approved label Feb 28, 2025

Vincent056 force-pushed the cel-scanner-crd branch from 4446db3 to c1f92b2 Compare February 28, 2025 18:22

rhmdnd reviewed Feb 28, 2025

View reviewed changes

rhmdnd added this to the 1.7.0 milestone Feb 28, 2025

rhmdnd reviewed Feb 28, 2025

View reviewed changes

pkg/apis/compliance/v1alpha1/customrule_types.go Show resolved Hide resolved

Vincent056 force-pushed the cel-scanner-crd branch 2 times, most recently from cb3392e to 401c06c Compare March 3, 2025 16:10

rhmdnd requested changes Mar 6, 2025

View reviewed changes

openshift-ci bot assigned rhmdnd Mar 6, 2025

Vincent056 force-pushed the cel-scanner-crd branch from 401c06c to 482271b Compare March 10, 2025 13:31

rhmdnd reviewed Mar 10, 2025

View reviewed changes

Vincent056 force-pushed the cel-scanner-crd branch 2 times, most recently from 51a25a6 to f7e5add Compare March 10, 2025 16:30

Vincent056 force-pushed the cel-scanner-crd branch from f7e5add to 26cdbb5 Compare March 10, 2025 19:57

Vincent056 force-pushed the cel-scanner-crd branch from 26cdbb5 to e5265d4 Compare March 10, 2025 19:57

Vincent056 requested a review from rhmdnd March 11, 2025 14:36

rhmdnd removed this from the 1.7.0 milestone Apr 3, 2025


		type CELPayload struct {

		// ScannerType specifies what type of check this rule performs

		@@ -50,6 +50,8 @@ const DefaultStorageRotation = 3

		var ErrUnkownScanType = errors.New("Unknown scan type")

		var ErrUnkownScanerType = errors.New("Unknown scanner type")

CMP-2868: Add scannerType field, CustomRule CRD, and 'kind' property for rule #686

Are you sure you want to change the base?

CMP-2868: Add scannerType field, CustomRule CRD, and 'kind' property for rule #686

Conversation

Vincent056 commented Feb 19, 2025

openshift-ci bot commented Feb 19, 2025

github-actions bot commented Feb 19, 2025

Vincent056 commented Feb 19, 2025

rhmdnd left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

openshift-ci-robot commented Feb 25, 2025

github-actions bot commented Feb 25, 2025

github-actions bot commented Feb 27, 2025

xiaojiey commented Feb 27, 2025

github-actions bot commented Feb 27, 2025

Vincent056 commented Feb 28, 2025

Vincent056 commented Feb 28, 2025

xiaojiey commented Feb 28, 2025

xiaojiey commented Feb 28, 2025

github-actions bot commented Feb 28, 2025

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Vincent056 Mar 3, 2025 • edited Loading

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

github-actions bot commented Mar 3, 2025

Vincent056 commented Mar 3, 2025

xiaojiey commented Mar 4, 2025 • edited Loading

rhmdnd left a comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

Choose a reason for hiding this comment

github-actions bot commented Mar 10, 2025

Choose a reason for hiding this comment

github-actions bot commented Mar 10, 2025

github-actions bot commented Mar 10, 2025

openshift-ci bot commented Mar 10, 2025

Vincent056 commented Mar 11, 2025

Vincent056 Mar 3, 2025 •

edited

Loading

xiaojiey commented Mar 4, 2025 •

edited

Loading