Merge pull request #45512 from darshan-nagaraj/BZ1964686-ent-4.7

[enterprise-4.7] BZ1964686: Adds Compliance Operator CRDs

Author: lpettyjo

_topic_maps/_topic_map.yml

@@ -685,6 +685,9 @@ Topics:
     File: compliance-operator-troubleshooting
   - Name: Uninstalling the Compliance Operator
     File: compliance-operator-uninstallation
+  - Name: Understanding the Custom Resource Definitions
+    File: compliance-operator-crd
+
 - Name: File Integrity Operator
   Dir: file_integrity_operator
   Topics:

modules/compliance-crd-advanced-compliance-scan.adoc

@@ -0,0 +1,59 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="advance-compliance-scan-object_{context}"]
+= Advanced ComplianceScan Object
+The Compliance Operator includes options for advanced users for debugging or integrating with existing tooling. While it is recommended that you not create a `ComplianceScan` object directly, you can instead manage it using a `ComplianceSuite` object.
+
+.Example Advanced `ComplianceScan` object
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ComplianceScan
+metadata:
+  name: <name of the scan>
+spec:
+  scanType: Node <1>
+  profile: xccdf_org.ssgproject.content_profile_moderate <2>
+  content: ssg-ocp4-ds.xml
+  contentImage: quay.io/complianceascode/ocp4:latest <3>
+  rule: "xccdf_org.ssgproject.content_rule_no_netrc_files" <4>
+  nodeSelector: <5>
+    node-role.kubernetes.io/worker: ""
+status:
+  phase: DONE <6>
+  result: NON-COMPLIANT <7>
+----
+
+<1> Specify either `Node` or `Platform`. Node profiles scan the cluster nodes and platform profiles scan the Kubernetes platform.
+<2> Specify the XCCDF identifier of the profile that you want to run.
+<3> Specify the container image that encapsulates the profile files.
+<4> It is optional. Specify the scan to run a single rule. This rule has to be identified with the XCCDF ID, and has to belong to the specified profile.
++
+[NOTE]
+====
+If you skip the `rule` parameter, then scan runs for all the available rules of the specified profile.
+====
+<5> If you are on the {product-title} and wants to generate a remediation, then nodeSelector label has to match the `MachineConfigPool` label.
++
+[NOTE]
+====
+If you do not specify `nodeSelector` parameter or match the `MachineConfig` label, scan will still run, but it will not create remediation.
+====
+<6> Indicates the current phase of the scan.
+<7> Indicates the verdict of the scan.
+
+[IMPORTANT]
+====
+If you delete a `ComplianceSuite` object, then all the associated scans get deleted.
+====
+
+When the scan is complete, it generates the result as Custom Resources of the `ComplianceCheckResult` object. However, the raw results are available in ARF format. These results are stored in a Persistent Volume (PV), which has a Persistent Volume Claim (PVC) associated with the name of the scan.
+You can programmatically fetch the `ComplianceScans` events. To generate events for the suite, run the following command:
+
+[source,terminal]
+----
+oc get events --field-selector involvedObject.kind=ComplianceScan,involvedObject.name=<name of the suite>
+----

modules/compliance-crd-compliance-check-result.adoc

@@ -0,0 +1,50 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="compliance-check-result_{context}"]
+= ComplianceCheckResult object
+When you run a scan with a specific profile, several rules in the profiles are verified. For each of these rules, a `ComplianceCheckResult` object is created, which provides the state of the cluster for a specific rule.
+
+.Example `ComplianceCheckResult` object
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ComplianceCheckResult
+metadata:
+  labels:
+    compliance.openshift.io/check-severity: medium
+    compliance.openshift.io/check-status: FAIL
+    compliance.openshift.io/suite: example-compliancesuite
+    compliance.openshift.io/scan-name: workers-scan
+  name: workers-scan-no-direct-root-logins
+  namespace: openshift-compliance
+  ownerReferences:
+  - apiVersion: compliance.openshift.io/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: ComplianceScan
+    name: workers-scan
+description: <description of scan check>
+instructions: <manual instructions for the scan>
+id: xccdf_org.ssgproject.content_rule_no_direct_root_logins
+severity: medium <1>
+status: FAIL <2>
+----
+
+<1> Describes the severity of the scan check.
+<2> Describes the result of the check. The possible values are:
+* PASS: check was successful.
+* FAIL: check was unsuccessful.
+* INFO: check was successful and found something not severe enough to be considered an error.
+* MANUAL: check cannot automatically assess the status and manual check is required.
+* INCONSISTENT: different nodes report different results.
+* ERROR: check run successfully, but could not complete.
+* NOTAPPLICABLE: check did not run as it is not applicable.
+
+To get all the check results from a suite, run the following command:
+[source,terminal]
+----
+oc get compliancecheckresults -l compliance.openshift.io/suite=<suit name>
+----

modules/compliance-crd-compliance-remediation.adoc

@@ -0,0 +1,69 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="compliance-remediation-object_{context}"]
+= ComplianceRemediation object
+For a specific check you can have a datastream specified fix. However, if a Kubernetes fix is available, then the Compliance Operator creates a `ComplianceRemediation` object.
+
+.Example `ComplianceRemediation` object
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ComplianceRemediation
+metadata:
+  labels:
+    compliance.openshift.io/suite: example-compliancesuite
+    compliance.openshift.io/scan-name: workers-scan
+    machineconfiguration.openshift.io/role: worker
+  name: workers-scan-disable-users-coredumps
+  namespace: openshift-compliance
+  ownerReferences:
+  - apiVersion: compliance.openshift.io/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: ComplianceCheckResult
+    name: workers-scan-disable-users-coredumps
+    uid: <UID>
+spec:
+  apply: false <1>
+  object:
+    current: <2>
+       apiVersion: machineconfiguration.openshift.io/v1
+       kind: MachineConfig
+       spec:
+         config:
+           ignition:
+             version: 2.2.0
+           storage:
+             files:
+             - contents:
+                 source: data:,%2A%20%20%20%20%20hard%20%20%20core%20%20%20%200
+               filesystem: root
+               mode: 420
+               path: /etc/security/limits.d/75-disable_users_coredumps.conf
+    outdated: {} <3>
+----
+
+<1> `true` indicates the remediation was applied. `false` indicates the remediation was not applied.
+<2> Includes the definition of the remediation.
+<3> Indicates remediation that was previously parsed from an earlier version of the content. The Compliance Operator still retains the outdated objects to give the administrator a chance to review the new remediations before applying them.
+
+To get all the remediations from a suite, run the following command:
+[source,terminal]
+----
+oc get complianceremediations -l compliance.openshift.io/suite=<suite name>
+----
+
+To list all failing checks that can be remediated automatically, run the following command:
+[source,terminal]
+----
+oc get compliancecheckresults -l 'compliance.openshift.io/check-status in (FAIL),compliance.openshift.io/automated-remediation'
+----
+
+To list all failing checks that can be remediated manually, run the following command:
+[source,terminal]
+----
+oc get compliancecheckresults -l 'compliance.openshift.io/check-status in (FAIL),!compliance.openshift.io/automated-remediation'
+----

modules/compliance-crd-compliance-suite.adoc

@@ -0,0 +1,55 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="compliance-suite-object_{context}"]
+= ComplianceSuite object
+The `ComplianceSuite` object helps you keep track of the state of the scans. It contains the raw settings to create scans and the overall result.
+
+For `Node` type scans, you should map the scan to the `MachineConfigPool`, since it contains the remediations for any issues. If you specify a label, ensure it directly applies to a pool.
+
+.Example `ComplianceSuite` object
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ComplianceSuite
+metadata:
+  name: <name of the scan>
+spec:
+  autoApplyRemediations: false <1>
+  schedule: "0 1 * * *" <2>
+  scans: <3>
+    - name: workers-scan
+      scanType: Node
+      profile: xccdf_org.ssgproject.content_profile_moderate
+      content: ssg-rhcos4-ds.xml
+      contentImage: quay.io/complianceascode/ocp4:latest
+      rule: "xccdf_org.ssgproject.content_rule_no_netrc_files"
+      nodeSelector:
+        node-role.kubernetes.io/worker: ""
+status:
+  Phase: DONE <4>
+  Result: NON-COMPLIANT <5>
+  scanStatuses:
+  - name: workers-scan
+    phase: DONE
+    result: NON-COMPLIANT
+----
+<1> Set to `true` to enable auto remediations. Set to `false` to disable auto remediations.
+<2> Specify how often the scan should be run in cron format.
+<3> Specify a list of scan specifications to run in the cluster.
+<4> Indicates the progress of the scans.
+<5> Indicates the overall verdict of the suite.
+
+The suite in the background creates the `ComplianceScan` object based on the `scans` parameter.
+You can programmatically fetch the `ComplianceSuites` events. To get the events for the suite, run the following command:
+[source,terminal]
+----
+$ oc get events --field-selector involvedObject.kind=ComplianceSuite,involvedObject.name=<name of the suite>
+----
+
+[IMPORTANT]
+====
+You might create errors when you manually define the `ComplianceSuite`, since it contains the XCCDF attributes.
+====

modules/compliance-crd-profile-bundle.adoc

@@ -0,0 +1,35 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="profile-bundle-object_{context}"]
+= ProfileBundle object
+When you install the Compliance Operator, it includes ready-to-run `ProfileBundle` object. The Compliance Operator parses the `ProfileBundle` object and creates a `Profile` object for each profile in the bundle. It also parses `Rule` and `Variable` objects, which are used by the `Profile` object.
+
+
+.Example `ProfileBundle` object
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ProfileBundle
+  name: <profile bundle name>
+  namespace: openshift-compliance
+spec:
+  contentFile: ssg-ocp4-ds.xml <1>
+  contentImage: quay.io/complianceascode/ocp4:latest <2>
+status:
+  dataStreamStatus: VALID <3>
+----
+<1> Specify a path from the root directory (/) where the profile file is located.
+<2> Specify the container image that encapsulates the profile files.
+<3> Indicates whether the Compliance Operator was able to parse the content files.
+
+[NOTE]
+====
+When the `contentFile` fails, an `errorMessage` attribute appears, which provides details of the error that occurred.
+====
+
+.Troubleshooting
+
+When you roll back to a known content image from an invalid image, the `ProfileBundle` object stops responding and displays `PENDING` state. As a workaround, you can move to a different image than the previous one. Alternatively, you can delete and re-create the `ProfileBundle` object to return to the working state.

modules/compliance-crd-profile.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="profile-object_{context}"]
+= Profile object
+
+The `Profile` object defines the rules and variables that can be evaluated for a certain compliance standard. It contains parsed out details about an OpenSCAP profile, such as its XCCDF identifier and profile checks for a `Node` or `Platform` type. You can either directly use the `Profile` object or further customize it using a `TailorProfile` object.
+
+[NOTE]
+====
+You cannot create or modify the `Profile` object manually because it is derived from a single `ProfileBundle` object. Typically, a single `ProfileBundle` object can include several `Profile` objects.
+====
+
+.Example `Profile` object
+[source,yaml]
+----
+apiVersion: compliance.openshift.io/v1alpha1
+description: <description of the profile>
+id: xccdf_org.ssgproject.content_profile_moderate <1>
+kind: Profile
+metadata:
+  annotations:
+    compliance.openshift.io/product: <product name>
+    compliance.openshift.io/product-type: Node <2>
+  creationTimestamp: "YYYY-MM-DDTMM:HH:SSZ"
+  generation: 1
+  labels:
+    compliance.openshift.io/profile-bundle: <profile bundle name>
+  name: rhcos4-moderate
+  namespace: openshift-compliance
+  ownerReferences:
+  - apiVersion: compliance.openshift.io/v1alpha1
+    blockOwnerDeletion: true
+    controller: true
+    kind: ProfileBundle
+    name: <profile bundle name>
+    uid: <uid string>
+  resourceVersion: "<version number>"
+  selfLink: /apis/compliance.openshift.io/v1alpha1/namespaces/openshift-compliance/profiles/rhcos4-moderate
+  uid: <uid string>
+rules: <3>
+- rhcos4-account-disable-post-pw-expiration
+- rhcos4-accounts-no-uid-except-zero
+- rhcos4-audit-rules-dac-modification-chmod
+- rhcos4-audit-rules-dac-modification-chown
+title: <title of the profile>
+----
+<1> Specify the XCCDF name of the profile. Use this identifier when you define a `ComplianceScan` object as the value of the profile attribute of the scan.
+<2> Specify either a `Node` or `Platform`. Node profiles scan the cluster nodes and platform profiles scan the Kubernetes platform.
+<3> Specify the list of rules for the profile. Each rule corresponds to a single check.

modules/compliance-crd-rule.adoc

@@ -0,0 +1,42 @@
+// Module included in the following assemblies:
+//
+// * security/compliance_operator/compliance-operator-crd.adoc
+
+:_content-type: CONCEPT
+[id="rule-object_{context}"]
+= Rule object
+The `Rule` object, which forms the profiles, are also exposed as objects. Use the `Rule` object to define your compliance check requirements and specify how it could be fixed.
+
+.Example `Rule` object
+[source,yaml]
+----
+    apiVersion: compliance.openshift.io/v1alpha1
+    checkType: Platform <1>
+    description: <description of the rule>
+    id: xccdf_org.ssgproject.content_rule_configure_network_policies_namespaces <2>
+    instructions: <manual instructions for the scan>
+    kind: Rule
+    metadata:
+      annotations:
+        compliance.openshift.io/rule: configure-network-policies-namespaces
+        control.compliance.openshift.io/CIS-OCP: 5.3.2
+        control.compliance.openshift.io/NERC-CIP: CIP-003-3 R4;CIP-003-3 R4.2;CIP-003-3
+          R5;CIP-003-3 R6;CIP-004-3 R2.2.4;CIP-004-3 R3;CIP-007-3 R2;CIP-007-3 R2.1;CIP-007-3
+          R2.2;CIP-007-3 R2.3;CIP-007-3 R5.1;CIP-007-3 R6.1
+        control.compliance.openshift.io/NIST-800-53: AC-4;AC-4(21);CA-3(5);CM-6;CM-6(1);CM-7;CM-7(1);SC-7;SC-7(3);SC-7(5);SC-7(8);SC-7(12);SC-7(13);SC-7(18)
+      labels:
+        compliance.openshift.io/profile-bundle: ocp4
+      name: ocp4-configure-network-policies-namespaces
+      namespace: openshift-compliance
+    rationale: <description of why this rule is checked>
+    severity: high <3>
+    title: <summary of the rule>
+----
+<1> Specify the type of check this rule executes. `Node` profiles scan the cluster nodes and `Platform` profiles scan the Kubernetes platform. An empty value indicates there is no automated check.
+<2> Specify the XCCDF name of the rule, which is parsed directly from the datastream.
+<3> Specify the severity of the rule when it fails.
+
+[NOTE]
+====
+The `Rule` object gets an appropriate label for an easy identification of the associated `ProfileBundle` object. The `ProfileBundle` also gets specified in the `OwnerReferences` of this object.
+====