Managing the Compliance Operator

This section describes the lifecycle of security content, including how to use an updated version of compliance content and how to create a custom ProfileBundle object.

Updating security content

Security content is shipped as container images that the ProfileBundle objects refer to. To accurately track updates to ProfileBundles and the custom resources parsed from the bundles such as rules or profiles, identify the container image with the compliance content using a digest instead of a tag:

Example ProfileBundle

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ProfileBundle
    metadata:
      name: rhcos4
    spec:
      contentImage: quay.io/user/ocp4-openscap-content@sha256:a1749f5150b19a9560a5732fe48a89f07bffc79c0832aa8c49ee5504590ae687 (1)
      contentFile: ssg-rhcos4-ds.xml

(1) Security container image, referenced by digest.

Each ProfileBundle is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, the deployment is updated to reflect the change and parse the content again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles.

Using image streams

ProfileBundle objects also accept ImageStream references. If the contentImage reference points to a valid ImageStreamTag, the Compliance Operator keeps the content up to date automatically.

Example image stream

    $ oc get is -n openshift-compliance

Example output

    NAME               IMAGE REPOSITORY                                                                    TAGS     UPDATED
    openscap-ocp4-ds   image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds   latest   32 seconds ago

Procedure

1. Ensure that the lookup policy is set to local:

       $ oc patch is openscap-ocp4-ds \
           -p '{"spec":{"lookupPolicy":{"local":true}}}' \
           --type=merge \
           -n openshift-compliance
       imagestream.image.openshift.io/openscap-ocp4-ds patched

2. Use the name of the ImageStreamTag for the ProfileBundle by retrieving the istag name:

       $ oc get istag -n openshift-compliance

   Example output

       NAME                      IMAGE REFERENCE                                                                                                                              UPDATED
       openscap-ocp4-ds:latest   image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds@sha256:46d7ca9b7055fe56ade818ec3e62882cfcc2d27b9bf0d1cbae9f4b6df2710c96   3 minutes ago

3. Create the ProfileBundle:

       $ cat << EOF | oc create -f -
       apiVersion: compliance.openshift.io/v1alpha1
       kind: ProfileBundle
       metadata:
         name: mybundle
       spec:
         contentImage: openscap-ocp4-ds:latest
         contentFile: ssg-rhcos4-ds.xml
       EOF

This ProfileBundle tracks the image stream tag: any change applied to it, such as updating the tag to point to a different image hash, is immediately reflected in the ProfileBundle and the content is parsed again.
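The two ways of referencing content above, a digest-pinned registry image and an ImageStreamTag name, and the lookup-policy patch from the procedure, as a small POSIX shell script. This is an added example, not part of the Compliance Operator documentation or code base; the helper names (is_digest_pinned, render_profilebundle, lookup_policy_patch, check_bundle_image) and the "registry references contain a slash" heuristic are this example's own assumptions. It runs offline; on a real cluster the rendered manifest would be piped into `oc create -f -`.

```shell
#!/bin/sh
# Added example, not part of the Compliance Operator documentation or code base.
# Helper names (is_digest_pinned, render_profilebundle, lookup_policy_patch,
# check_bundle_image) are this example's own. Runs offline; on a cluster you
# would pipe the rendered manifest into `oc create -f -`.

# Return 0 when an image reference is pinned by a full sha256 digest
# (the form the docs recommend so the parsed profiles stay stable).
is_digest_pinned() {
    printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# JSON merge patch that lets the namespace resolve the ImageStream by its
# short name (the lookupPolicy.local step of the procedure above).
lookup_policy_patch() {
    printf '%s\n' '{"spec":{"lookupPolicy":{"local":true}}}'
}

# Render a ProfileBundle manifest: $1 name, $2 contentImage, $3 contentFile.
render_profilebundle() {
    cat <<EOF
apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: $1
spec:
  contentImage: $2
  contentFile: $3
EOF
}

# Classify a contentImage value before creating the bundle:
#   - digest-pinned registry reference: stable, accepted (return 0)
#   - bare ImageStreamTag name (no '/'): the Operator tracks it, accepted (0)
#   - registry reference with a floating tag: warn and return 1
# Treating "contains a slash" as "registry reference" is an assumption of
# this example, not something the Operator itself does.
check_bundle_image() {
    img="$1"
    if is_digest_pinned "$img"; then
        echo "digest-pinned: $img"
        return 0
    fi
    case "$img" in
        */*) echo "WARNING: floating tag; profile content may change silently: $img" >&2
             return 1 ;;
        *)   echo "ImageStreamTag (tracked by the Operator): $img"
             return 0 ;;
    esac
}

# Demonstration with constructed values (the digest is 64 zeros, not a real image).
DEMO_DIGEST=$(printf '%064d' 0)
check_bundle_image "quay.io/user/ocp4-openscap-content@sha256:$DEMO_DIGEST" || true
check_bundle_image "quay.io/user/ocp4-openscap-content:latest" || true
check_bundle_image "openscap-ocp4-ds:latest" || true
echo "patch: $(lookup_policy_patch)"
render_profilebundle mybundle openscap-ocp4-ds:latest ssg-rhcos4-ds.xml
```

The floating-tag warning is the practical point: a ProfileBundle whose contentImage is a mutable tag on an external registry can change its rule set without any change to the ProfileBundle object, whereas a digest or a locally tracked ImageStreamTag gives a visible, auditable point of change.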

ProfileBundle CR example

The bundle object needs two pieces of information: the URL of the container image that contains the compliance content (contentImage) and the path of the file inside that image that holds the compliance content (contentFile). The contentFile parameter is relative to the root of the image's file system. The built-in rhcos4 ProfileBundle object is defined as in the example below:

    apiVersion: compliance.openshift.io/v1alpha1
    kind: ProfileBundle
    metadata:
      name: rhcos4
    spec:
      contentImage: quay.io/complianceascode/ocp4:latest (1)
      contentFile: ssg-rhcos4-ds.xml (2)

(1) Content image location.
(2) Location of the file containing the compliance content.

The base image used for the content images must include coreutils.

Additional resources