diff --git a/bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml b/bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml index 2fcd4649b..3ba7d6697 100644 --- a/bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml +++ b/bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml @@ -41,6 +41,9 @@ spec: description: description: A human-readable check description, what and why it does type: string + errorMessage: + description: The ErrorMessage of the rule evaluation + type: string id: description: A unique identifier of a check type: string diff --git a/bundle/manifests/compliance.openshift.io_compliancescans.yaml b/bundle/manifests/compliance.openshift.io_compliancescans.yaml index 28f38feec..bca1fa115 100644 --- a/bundle/manifests/compliance.openshift.io_compliancescans.yaml +++ b/bundle/manifests/compliance.openshift.io_compliancescans.yaml @@ -266,6 +266,12 @@ spec: default: Node description: The type of Compliance scan. type: string + scanner: + default: OpenSCAP + description: |- + Scanner is the type of scanner that should be used to evaluate this rule + Defaults to OpenSCAP + type: string showNotApplicable: default: false description: Determines whether to hide or show results that are not diff --git a/bundle/manifests/compliance.openshift.io_compliancesuites.yaml b/bundle/manifests/compliance.openshift.io_compliancesuites.yaml index 745c3209a..6a129680b 100644 --- a/bundle/manifests/compliance.openshift.io_compliancesuites.yaml +++ b/bundle/manifests/compliance.openshift.io_compliancesuites.yaml @@ -285,6 +285,12 @@ spec: default: Node description: The type of Compliance scan. type: string + scanner: + default: OpenSCAP + description: |- + Scanner is the type of scanner that should be used to evaluate this rule + Defaults to OpenSCAP + type: string showNotApplicable: default: false description: Determines whether to hide or show results that 
diff --git a/bundle/manifests/compliance.openshift.io_rules.yaml b/bundle/manifests/compliance.openshift.io_rules.yaml index dbc2c9c57..5af854d34 100644 --- a/bundle/manifests/compliance.openshift.io_rules.yaml +++ b/bundle/manifests/compliance.openshift.io_rules.yaml @@ -58,9 +58,63 @@ spec: description: description: The description of the Rule type: string + evaluations: + description: |- + Evaluations is the list of CEL expressions that will be used + to evaluate the rule + items: + properties: + errorMessage: + description: Error message to be displayed if the evaluation fails + type: string + expression: + description: The CEL expression to be evaluated + type: string + required: + - expression + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic id: description: The XCCDF ID type: string + inputs: + description: Inputs represent the input parameters for the CEL expression + items: + description: InputPayload defines the structure for the inputs used + in the CEL expression + properties: + kubeResource: + description: The kubernetes resource that will be used as input + nullable: true + properties: + apiGroup: + description: The API group of the resource + type: string + apiVersion: + description: The version of the resource + type: string + namespace: + description: The namespace of the resource + type: string + resource: + description: The resource type + type: string + required: + - apiGroup + - apiVersion + - resource + type: object + name: + description: The name of the input parameter + type: string + required: + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic instructions: description: Instructions for auditing this specific rule type: string 
@@ -77,6 +131,12 @@ spec: rationale: description: The rationale of the Rule type: string + scanner: + default: OpenSCAP + description: |- + Scanner is the type of scanner that should be used to evaluate this rule + Defaults to OpenSCAP + type: string severity: description: The severity level type: string diff --git a/config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml b/config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml index f1ee87615..79ca0a57f 100644 --- a/config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml +++ b/config/crd/bases/compliance.openshift.io_compliancecheckresults.yaml @@ -41,6 +41,9 @@ spec: description: description: A human-readable check description, what and why it does type: string + errorMessage: + description: The ErrorMessage of the rule evaluation + type: string id: description: A unique identifier of a check type: string diff --git a/config/crd/bases/compliance.openshift.io_compliancescans.yaml b/config/crd/bases/compliance.openshift.io_compliancescans.yaml index 2885701e4..631c15173 100644 --- a/config/crd/bases/compliance.openshift.io_compliancescans.yaml +++ b/config/crd/bases/compliance.openshift.io_compliancescans.yaml @@ -266,6 +266,12 @@ spec: default: Node description: The type of Compliance scan. type: string + scanner: + default: OpenSCAP + description: |- + Scanner is the type of scanner that should be used to evaluate this rule + Defaults to OpenSCAP + type: string showNotApplicable: default: false description: Determines whether to hide or show results that are not diff --git a/config/crd/bases/compliance.openshift.io_compliancesuites.yaml b/config/crd/bases/compliance.openshift.io_compliancesuites.yaml index 329014edf..4fbd58f9a 100644 --- a/config/crd/bases/compliance.openshift.io_compliancesuites.yaml +++ b/config/crd/bases/compliance.openshift.io_compliancesuites.yaml 
@@ -285,6 +285,12 @@ spec: default: Node description: The type of Compliance scan. type: string + scanner: + default: OpenSCAP + description: |- + Scanner is the type of scanner that should be used to evaluate this rule + Defaults to OpenSCAP + type: string showNotApplicable: default: false description: Determines whether to hide or show results that diff --git a/config/crd/bases/compliance.openshift.io_rules.yaml b/config/crd/bases/compliance.openshift.io_rules.yaml index 99eba783c..e91aa318e 100644 --- a/config/crd/bases/compliance.openshift.io_rules.yaml +++ b/config/crd/bases/compliance.openshift.io_rules.yaml 
@@ -58,9 +58,63 @@ spec: description: description: The description of the Rule type: string + evaluations: + description: |- + Evaluations is the list of CEL expressions that will be used + to evaluate the rule + items: + properties: + errorMessage: + description: Error message to be displayed if the evaluation fails + type: string + expression: + description: The CEL expression to be evaluated + type: string + required: + - expression + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic id: description: The XCCDF ID type: string + inputs: + description: Inputs represent the input parameters for the CEL expression + items: + description: InputPayload defines the structure for the inputs used + in the CEL expression + properties: + kubeResource: + description: The kubernetes resource that will be used as input + nullable: true + properties: + apiGroup: + description: The API group of the resource + type: string + apiVersion: + description: The version of the resource + type: string + namespace: + description: The namespace of the resource + type: string + resource: + description: The resource type + type: string + required: + - apiGroup + - apiVersion + - resource + type: object + name: + description: The name of the input parameter + type: string + required: + - name + type: object + nullable: true + type: array + x-kubernetes-list-type: atomic instructions: description: Instructions for auditing this specific rule type: string @@ -77,6 +131,12 @@ spec: rationale: description: The rationale of the Rule type: string + scanner: + default: OpenSCAP + description: |- + Scanner is the type of scanner that should be used to evaluate this rule + Defaults to OpenSCAP + type: string severity: description: The severity level type: string diff --git a/pkg/apis/compliance/v1alpha1/compliancecheckresult_types.go b/pkg/apis/compliance/v1alpha1/compliancecheckresult_types.go index fa6773630..aada51080 100644 
--- a/pkg/apis/compliance/v1alpha1/compliancecheckresult_types.go +++ b/pkg/apis/compliance/v1alpha1/compliancecheckresult_types.go @@ -98,6 +98,8 @@ type ComplianceCheckResult struct { Warnings []string `json:"warnings,omitempty"` // It stores a list of values used by the check ValuesUsed []string `json:"valuesUsed,omitempty"` + // The ErrorMessage of the rule evaluation + ErrorMessage string `json:"errorMessage,omitempty"` } // +kubebuilder:object:root=true diff --git a/pkg/apis/compliance/v1alpha1/compliancescan_types.go b/pkg/apis/compliance/v1alpha1/compliancescan_types.go index 17b3e437a..3d652c2eb 100644 --- a/pkg/apis/compliance/v1alpha1/compliancescan_types.go +++ b/pkg/apis/compliance/v1alpha1/compliancescan_types.go @@ -89,6 +89,9 @@ const CmScanResultAnnotation = "compliance.openshift.io/scan-result" // CmScanResultErrMsg holds the processed scanner error message const CmScanResultErrMsg = "compliance.openshift.io/scan-error-msg" +// CELFeatureEnableAnnotation is used to enable the CEL feature +const CELFeatureEnableAnnotation = "compliance.openshift.io/cel-feature-enable" + const ( // ResultNot available represents the compliance scan not having finished yet ResultNotAvailable ComplianceScanStatusResult = "NOT-AVAILABLE" @@ -244,6 +247,10 @@ type ComplianceScanSpec struct { // rule. Note that when leaving this empty, the scan will check for all the // rules for a specific profile. Rule string `json:"rule,omitempty"` + // Scanner is the type of scanner that should be used to evaluate this rule + // Defaults to OpenSCAP + // +kubebuilder:default=OpenSCAP + Scanner ScannerType `json:"scanner,omitempty"` // Is the path to the file that contains the content (the data stream). // Note that the path needs to be relative to the `/` (root) directory, as // it is in the ContentImage diff --git a/pkg/apis/compliance/v1alpha1/profile_types.go b/pkg/apis/compliance/v1alpha1/profile_types.go index 11c3a110b..9aaa6a092 100644 
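Review bot: `ErrorMessage` on ComplianceCheckResult is unbounded free text that is written into every check result, and it presumably originates from the rule author's `Evaluation.ErrorMessage` (the evaluator is not in this diff), so it should carry a size bound before it is persisted; `// +kubebuilder:validation:MaxLength=1024` (or whatever the project uses elsewhere) above the field. The comment only restates the field name; something like `// ErrorMessage is the message reported when the rule's evaluation failed (set by the CEL scanner; empty otherwise) — confirm with the evaluator` would tell a reader where the text comes from and that it is author-supplied, not operator-generated. The ComplianceCheckResult struct starts before this hunk.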
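Review bot: The comment on `CELFeatureEnableAnnotation` says neither which object carries the annotation nor which value enables the feature, and since annotations are not separately RBAC-controlled, anyone with update rights on that object can flip the gate; that is worth stating in the constant's comment rather than leaving it to the controller code. Suggested wording: `// CELFeatureEnableAnnotation, when set on a <object> to the value the controller checks, enables CEL-based rule evaluation (experimental). Note that any principal who can update the object can enable it.` with the object and value filled in from the controller, which is not in this diff.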
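Review bot: `Scanner` on ComplianceScanSpec is an open string at the API level — nothing in the hunk restricts it to the `ScannerType` values, so the API server will accept any scanner name and the controller is left to handle it; add `// +kubebuilder:validation:Enum=OpenSCAP;CEL` above the field and regenerate the CRDs. The copied comment also says "evaluate this rule" although this is the scan spec; `// Scanner selects the engine used to run this scan (OpenSCAP or CEL). Defaults to OpenSCAP.` reads correctly here. ComplianceScanSpec starts and ends outside this hunk.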
--- a/pkg/apis/compliance/v1alpha1/profile_types.go +++ b/pkg/apis/compliance/v1alpha1/profile_types.go @@ -15,6 +15,13 @@ const ProductAnnotation = "compliance.openshift.io/product" // ProfileGuidLabel specifies the unique identifier of the Profile const ProfileGuidLabel = "compliance.openshift.io/profile-guid" +// ScannerAnnotation specifies the type of scanner to use for this Profile +const ScannerAnnotation = "compliance.openshift.io/scanner" + +// UserProfileAnnotation define if tailored profile contains User Created rules +// that are not part of the original profile +const UserProfileAnnotation = "compliance.openshift.io/user-profile" + // ProfileRule defines the name of a specific rule in the profile type ProfileRule string diff --git a/pkg/apis/compliance/v1alpha1/rule_types.go b/pkg/apis/compliance/v1alpha1/rule_types.go index 533296e74..6897be4ea 100644 --- a/pkg/apis/compliance/v1alpha1/rule_types.go +++ b/pkg/apis/compliance/v1alpha1/rule_types.go @@ -27,6 +27,28 @@ const ( CheckTypeNone = "" ) +// ScannerType is an enum type for the scanner type +type ScannerType string + +// InputType is an enum type for the input type +type InputType string + +const ( + // ScannerTypeOpenSCAP is the default scanner type + ScannerTypeOpenSCAP ScannerType = "OpenSCAP" + // ScannerTypeCelScanner is the scanner type for the CEL scanner + ScannerTypeCelScanner ScannerType = "CEL" + // ScannerTypeUnknown is the scanner type for an unknown scanner + ScannerTypeUnknown ScannerType = "Unknown" +) + +type Evaluation struct { + // The CEL expression to be evaluated + Expression string `json:"expression"` + // Error message to be displayed if the evaluation fails + ErrorMessage string `json:"errorMessage,omitempty"` +} + type RulePayload struct { // The XCCDF ID ID string `json:"id"` 
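Review bot: The comment on `UserProfileAnnotation` has a grammar slip ("define" for "defines") and, like `ScannerAnnotation` above it, does not say what value is expected or who sets it, which matters because the name suggests it marks rules that were not shipped in the original content and so should not enjoy the same trust. Suggested: `// ScannerAnnotation names the scanner (see ScannerType) to use for this Profile.` and `// UserProfileAnnotation marks a TailoredProfile that contains user-created rules not present in the original profile.`, with the accepted values added once the controller that reads them is known (it is not in this diff).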
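Review bot: `Expression` on the new `Evaluation` type is `required` only in the sense that the key must be present — an empty string passes API validation — so it should carry `// +kubebuilder:validation:MinLength=1`, and the exported type itself has no doc comment; `// Evaluation is one CEL expression a rule runs, with the message reported when it fails.` would do. `InputType` is declared as an enum type in this hunk but no values for it appear here; if none exist elsewhere in the package it should be dropped until it has a use. `ScannerTypeUnknown` is presumably a controller-internal sentinel rather than a value a user may set, so the `Enum` validation on the `Scanner` fields should list only `OpenSCAP` and `CEL`. Since the expression comes from whoever authors the Rule, the evaluator (not in this diff) needs a CEL cost limit and a timeout per expression; worth noting on the type.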
@@ -50,6 +72,45 @@ type RulePayload struct { // +optional // +listType=atomic AvailableFixes []FixDefinition `json:"availableFixes,omitempty"` + // Scanner is the type of scanner that should be used to evaluate this rule + // Defaults to OpenSCAP + // +kubebuilder:default=OpenSCAP + Scanner ScannerType `json:"scanner,omitempty"` + // Evaluations is the list of CEL expressions that will be used + // to evaluate the rule + // +nullable + // +optional + // +listType=atomic + Evaluatiosn []Evaluation `json:"evaluations,omitempty"` + // Inputs represent the input parameters for the CEL expression + // +nullable + // +optional + // +listType=atomic + Inputs []InputPayload `json:"inputs,omitempty"` +} + +// KubernetesResource represents a kubernetes resource that can be used as an input +// for the CEL expression +type KubernetesResource struct { + // The API group of the resource + APIGroup string `json:"apiGroup"` + // The version of the resource + ApiVersion string `json:"apiVersion"` + // The resource type + Resource string `json:"resource"` + // The namespace of the resource + // +optional + Namespace string `json:"namespace,omitempty"` +} + +// InputPayload defines the structure for the inputs used in the CEL expression +type InputPayload struct { + // The name of the input parameter + Name string `json:"name"` + // The kubernetes resource that will be used as input + // +nullable + // +optional + KubeResource KubernetesResource `json:"kubeResource,omitempty"` } // +kubebuilder:object:root=true
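Review bot: `KubernetesResource` lets whoever authors a Rule name any apiGroup/apiVersion/resource/namespace to be fetched as a CEL input, and `Evaluation.ErrorMessage` together with the new check-result `ErrorMessage` gives that author a channel to surface whatever the evaluator read; the evaluator is not in this diff, but the type should state that the only bound on what gets read is the scanner service account's RBAC, and ideally constrain the fields (an allowlist of resource kinds, or at least a `// +kubebuilder:validation:Pattern` on `apiGroup`/`resource`). Smaller defects in the same hunk: the exported field `Evaluatiosn` is misspelled (the JSON tag is right, so only the Go name needs fixing before other packages consume it), `Scanner` has a default but no `Enum` validation, `ApiVersion` should be `APIVersion` to match `APIGroup` in the same struct, and `KubeResource` is a value type so `omitempty` and `+nullable` have no effect on it — make it `*KubernetesResource`. The RulePayload struct starts before this hunk.
```go
	// Scanner is the type of scanner that should be used to evaluate this rule
	// Defaults to OpenSCAP
	// +kubebuilder:default=OpenSCAP
	// +kubebuilder:validation:Enum=OpenSCAP;CEL
	Scanner ScannerType `json:"scanner,omitempty"`
	// … unchanged: Evaluations doc comment and markers …
	Evaluations []Evaluation `json:"evaluations,omitempty"`
	// … unchanged: Inputs …

// KubernetesResource names a Kubernetes resource the scanner fetches as a CEL input.
// NOTE(review): the Rule author chooses apiGroup/resource/namespace here, so the
// scanner service account's RBAC is the only bound on what is read — confirm in the evaluator.
type KubernetesResource struct {
	// The API group of the resource
	APIGroup string `json:"apiGroup"`
	// The version of the resource
	APIVersion string `json:"apiVersion"`
	// … unchanged: Resource, Namespace …
}

// InputPayload defines the structure for the inputs used in the CEL expression
type InputPayload struct {
	// … unchanged: Name …
	// The kubernetes resource that will be used as input
	// +nullable
	// +optional
	KubeResource *KubernetesResource `json:"kubeResource,omitempty"`
}
```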