Managing the Compliance Operator

This section describes the lifecycle of security content, including how to use an updated version of compliance content and how to create a custom ProfileBundle object.

ProfileBundle CR example

The ProfileBundle object requires two pieces of information: the URL of a container image that contains the compliance content (contentImage) and the path of the file inside that image that holds the content (contentFile). The contentFile parameter is relative to the root of the image's file system. You can define the built-in rhcos4 ProfileBundle object as shown in the following example:

  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    creationTimestamp: "2022-10-19T12:06:30Z"
    finalizers:
    - profilebundle.finalizers.compliance.openshift.io
    generation: 1
    name: rhcos4
    namespace: openshift-compliance
    resourceVersion: "46741"
    uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
  spec:
    contentFile: ssg-rhcos4-ds.xml (1)
    contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... (2)
  status:
    conditions:
    - lastTransitionTime: "2022-10-19T12:07:51Z"
      message: Profile bundle successfully parsed
      reason: Valid
      status: "True"
      type: Ready
    dataStreamStatus: VALID

(1) Location of the file containing the compliance content, relative to the root of the content image.
(2) Content image location, pinned by digest.

The base image used for the content images must include coreutils.

Updating security content

Security content is shipped as container images that the ProfileBundle objects refer to. To accurately track updates to ProfileBundles and to the custom resources parsed from the bundles, such as rules or profiles, identify the container image that holds the compliance content by its digest instead of by a tag:

  $ oc -n openshift-compliance get profilebundles rhcos4 -oyaml

Example output

  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    creationTimestamp: "2022-10-19T12:06:30Z"
    finalizers:
    - profilebundle.finalizers.compliance.openshift.io
    generation: 1
    name: rhcos4
    namespace: openshift-compliance
    resourceVersion: "46741"
    uid: 22350850-af4a-4f5c-9a42-5e7b68b82d7d
  spec:
    contentFile: ssg-rhcos4-ds.xml
    contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:900e... (1)
  status:
    conditions:
    - lastTransitionTime: "2022-10-19T12:07:51Z"
      message: Profile bundle successfully parsed
      reason: Valid
      status: "True"
      type: Ready
    dataStreamStatus: VALID

(1) Security content image, referenced by digest rather than by tag.

Each ProfileBundle is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, it updates the deployment to reflect the change and parses the content again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles, because a tag can be moved to different content while a digest always identifies the same image.
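The following script is an added example, not part of the OpenShift documentation or the Compliance Operator itself. It audits the contentImage of a ProfileBundle, as returned by the oc command above, and reports whether it is pinned by a full sha256 digest or still addressed by a mutable tag. The sample YAML and its digest value are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the OpenShift docs or the Compliance Operator):
# check that a ProfileBundle's contentImage is pinned by digest
# (...@sha256:<64 hex chars>) rather than by a mutable tag, which is what
# makes the parsed profiles stable and lets the Operator detect updates.

# Constructed sample, shaped like the output of
# `oc -n openshift-compliance get profilebundle rhcos4 -oyaml`
# (abbreviated; the digest value below is made up).
SAMPLE_BUNDLE='apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: rhcos4
  namespace: openshift-compliance
spec:
  contentFile: ssg-rhcos4-ds.xml
  contentImage: registry.redhat.io/compliance/openshift-compliance-content-rhel8@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
status:
  dataStreamStatus: VALID'

# Print the contentImage value from ProfileBundle YAML read on stdin.
content_image_of() {
  sed -n 's/^[[:space:]]*contentImage:[[:space:]]*//p' | head -n 1
}

# Succeed only if the image reference ends in a complete sha256 digest.
is_digest_pinned() {
  printf '%s\n' "$1" | grep -Eq '@sha256:[0-9a-f]{64}$'
}

# Audit one bundle given its YAML text as $1, for example
# "$(oc -n openshift-compliance get profilebundle rhcos4 -oyaml)".
# Returns 0 when digest-pinned, 1 when tag-addressed or missing.
audit_bundle() {
  image=$(printf '%s\n' "$1" | content_image_of)
  if [ -z "$image" ]; then
    echo "no contentImage found in ProfileBundle" >&2
    return 1
  fi
  if is_digest_pinned "$image"; then
    echo "OK: $image is pinned by digest"
    return 0
  fi
  echo "WARN: $image is not pinned by digest; content updates cannot be tracked reliably" >&2
  return 1
}

# Run the audit against the constructed sample.
audit_bundle "$SAMPLE_BUNDLE"
```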

Additional resources