Managing the Compliance Operator
This section describes the lifecycle of security content, including how to use an updated version of compliance content and how to create a custom ProfileBundle object.
Updating security content
Security content is shipped as container images that the ProfileBundle objects refer to. To accurately track updates to ProfileBundle objects and to the custom resources parsed from the bundles, such as rules or profiles, identify the container image holding the compliance content by its digest instead of by a tag:
Example ProfileBundle
apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: rhcos4
spec:
  contentImage: quay.io/user/ocp4-openscap-content@sha256:a1749f5150b19a9560a5732fe48a89f07bffc79c0832aa8c49ee5504590ae687 (1)
  contentFile: ssg-rhcos4-ds.xml
(1) Security content container image, referenced by digest.
Each ProfileBundle is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, the deployment is updated to reflect the change and the content is parsed again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles: a tag can be moved to a different image without any change to the ProfileBundle object, whereas a digest identifies exactly one image.
Using image streams
When the contentImage reference points to a valid ImageStreamTag, the Compliance Operator ensures that the content stays up to date automatically.
Example image stream
$ oc get is -n openshift-compliance
Example output
NAME              IMAGE REPOSITORY                                                                      TAGS     UPDATED
openscap-ocp4-ds  image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds  latest   32 seconds ago
Procedure
1. Ensure that the lookup policy of the image stream is set to local:
$ oc patch is openscap-ocp4-ds \
    -p '{"spec":{"lookupPolicy":{"local":true}}}' \
    --type=merge \
    -n openshift-compliance
Example output
imagestream.image.openshift.io/openscap-ocp4-ds patched
2. Use the name of the ImageStreamTag for the ProfileBundle by retrieving the istag name:
$ oc get istag -n openshift-compliance
Example output
NAME                     IMAGE REFERENCE                                                                                                                                      UPDATED
openscap-ocp4-ds:latest  image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds@sha256:46d7ca9b7055fe56ade818ec3e62882cfcc2d27b9bf0d1cbae9f4b6df2710c96  3 minutes ago
3. Create the ProfileBundle:
$ cat << EOF | oc create -f -
apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: mybundle
spec:
  contentImage: openscap-ocp4-ds:latest
  contentFile: ssg-rhcos4-ds.xml
EOF
This ProfileBundle tracks the image stream. Any change applied to it, such as updating the tag to point to a different image digest, is immediately reflected in the ProfileBundle.
ProfileBundle CR example
The bundle object needs two pieces of information: the container image that holds the compliance content (contentImage) and the file inside that image that contains the content (contentFile). The contentFile parameter is a path relative to the root of the image file system. The built-in rhcos4 ProfileBundle object is defined as in the example below:
apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: rhcos4
spec:
  contentImage: quay.io/complianceascode/ocp4:latest (1)
  contentFile: ssg-rhcos4-ds.xml (2)
(1) Content image location.
(2) Location of the file containing the compliance content.
The base image used for the content images must include
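The three ways a contentImage can be written on this page (a digest-pinned registry reference, an ImageStreamTag in the namespace, and a plain registry tag) have different update semantics, and only the first two give a predictable content set. The following POSIX shell helpers, added here as an illustration and not part of the OpenShift documentation or the Compliance Operator project, classify ProfileBundle references accordingly and flag bundles that still use a mutable registry tag. The rule that a reference without a slash is an ImageStreamTag is an assumption made for this example; the sample bundle list is constructed from the references shown above.

```shell
#!/bin/sh
# Added example, not from the OpenShift documentation or the Compliance Operator.
# Audits ProfileBundle contentImage references: digest-pinned (stable),
# ImageStreamTag (tracked by the operator), or a mutable registry tag.

# Print the 64-hex-character sha256 digest of a reference; return 1 if it has none.
image_digest() {
    ref=$1
    case "$ref" in
        *@sha256:*)
            digest=${ref##*@sha256:}
            if printf '%s' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
                printf '%s' "$digest"
                return 0
            fi
            ;;
    esac
    return 1
}

# Classify a contentImage reference and print one of: digest | istag | tag.
classify_ref() {
    ref=$1
    if image_digest "$ref" >/dev/null; then
        echo digest
    elif [ "${ref#*/}" = "$ref" ]; then
        # Assumption for this example: a bare "name:tag" with no registry or
        # namespace path is an ImageStreamTag in the openshift-compliance namespace.
        echo istag
    else
        echo tag
    fi
}

# Read "NAME IMAGE" lines from stdin, one per ProfileBundle, as produced by:
#   oc get profilebundle -n openshift-compliance --no-headers \
#     -o custom-columns=NAME:.metadata.name,IMAGE:.spec.contentImage
# Report each bundle and return 1 if any bundle uses a mutable registry tag.
audit_bundles() {
    rc=0
    while read -r name image; do
        [ -n "$name" ] || continue
        kind=$(classify_ref "$image")
        case "$kind" in
            digest) echo "$name: pinned by digest $(image_digest "$image")" ;;
            istag)  echo "$name: ImageStreamTag $image (operator follows the stream)" ;;
            tag)    echo "$name: MUTABLE tag $image - pin to a digest or use an image stream"
                    rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample input, reusing the references shown on this page.
SAMPLE_BUNDLES='rhcos4 quay.io/user/ocp4-openscap-content@sha256:a1749f5150b19a9560a5732fe48a89f07bffc79c0832aa8c49ee5504590ae687
mybundle openscap-ocp4-ds:latest
ocp4 quay.io/complianceascode/ocp4:latest'

printf '%s\n' "$SAMPLE_BUNDLES" | audit_bundles || echo "at least one ProfileBundle is not pinned"
```

On a live cluster, replace the sample with the output of the oc command quoted in the comment; a non-zero exit from audit_bundles is a convenient gate in a CI job that checks compliance content before a scan is scheduled.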
Additional resources
- The Compliance Operator is supported in a restricted network environment. For more information, see Using Operator Lifecycle Manager on restricted networks.