Conversation
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: Vincent056 The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
|
🤖 To deploy this PR, run the following command: |
|
Wondering about calling these |
|
🤖 To deploy this PR, run the following command: |
that's a good point! we’re starting with That said, once CEL becomes the default and we’re fully away from SCAP, we will add new field |
|
🤖 To deploy this PR, run the following command: |
|
🤖 To deploy this PR, run the following command: |
|
|
||
| ## Summary | ||
|
|
||
| This enhancement proposes introducing a **new CRD** called `CustomRule` to provide **CEL** (Common Expression Language) scanning capabilities in the Compliance Operator. By creating a stand-alone CRD, instead of modifying the existing `ComplianceScan` resource, we preserve backward compatibility for the OpenSCAP-based workflows. |
There was a problem hiding this comment.
This also means we have the ability to experiment with the CEL scanning implementation in CustomRule before we bake it into the Rule.
rhmdnd
left a comment
rhmdnd
left a comment
There was a problem hiding this comment.
Thanks for all the detail. It definitely helped me understand more of the approach!
|
|
||
| ### Background | ||
|
|
||
| The Compliance Operator currently relies on `oscap`. Developing compliance checks is a complex process requiring: |
There was a problem hiding this comment.
Nit: We could supplement the following with a short summary for readers who aren't intimately familiar with the internals of the Compliance Operator, oscap, or SCAP.
relies on
oscap
The oscap binary is used to perform vulnerability scanning and compliance checks on systems. It is a command-line tool that uses the OpenSCAP framework to scan systems for vulnerabilities, non-compliance, and policy violations.
|
|
||
| ### Why CEL? | ||
|
|
||
| - CEL is already popular and widely used throughout the Kubernetes community, thus **reducing the learning curve**. |
There was a problem hiding this comment.
Yes - specifically reducing the learning curve for cluster administrators and/or security teams looking to write their own compliance content.
There was a problem hiding this comment.
We could also supplement this with a link to CEL K8s docs - for folks to learn more:
|
|
||
| - CEL is already popular and widely used throughout the Kubernetes community, thus **reducing the learning curve**. | ||
| - It integrates with typical cluster-admin workflows; writing or editing a CEL rule is more straightforward than SCAP/OVAL content. | ||
| - We already have a proof-of-concept (POC) that integrates CEL scanning with the Compliance Operator. |
There was a problem hiding this comment.
Link to the PoC here would be good if people are curious how we approach that work.
|
|
||
| 1. **Backward Compatibility** | ||
| - Users relying on existing SCAP-based scans (`ComplianceScan`) see no difference. | ||
| - We do **not** add new fields to `ComplianceScan`; instead, we introduce a new CRD for CEL-based scanning. |
There was a problem hiding this comment.
This means users opt-into the new functionality by creating a TailoredProfile, which contains CustomRule objects, and then linking the TailoredProfile to a ScanSetting with a ScanSettingBinding, re-using much of the flow users are familiar with today 👍🏻
|
|
||
| 2. **Simplified Architecture** | ||
| - A single container (the “cel-scanner”) handles *resource fetching*, *rule evaluation*, and *result creation*. | ||
| - **No** need to coordinate multiple pods or containers for scanning/log-collection tasks. |
There was a problem hiding this comment.
Yessss 👏🏻
Specifically the code we have to shuffle results around with config maps between components.
| The aggregator sees the `ConfigMap` (by label) and creates corresponding `ComplianceCheckResult` objects. | ||
| - Option 2 (Direct creation of `ComplianceCheckResult` CRs from the scanner): The scanner can create them in-cluster immediately. | ||
|
|
||
| Depending on the desired flow, we can either **continue the aggregator approach** or have the “cel-scanner” do it directly. |
There was a problem hiding this comment.
What do you feel is the better approach here?
There was a problem hiding this comment.
I think we can go with option2 agree with what you have above
|
|
||
| ### 6. TailoredProfile Controller | ||
|
|
||
| - Ensures that if a `TailoredProfile` references a `CustomRule` (with `scannerType: cel`), the resulting annotation `scanner-type: cel` is set. |
There was a problem hiding this comment.
How are we going to put guard rails around using CustomRule with SCAP content? That should break, right?
| - A new CRD Extends existing `ComplianceRule` logic with CEL-specific fields. | ||
|
|
||
| - **`TailoredProfile` CRD**: | ||
| - Add Type filed in Spec.enableRules |
|
|
||
| ### Implementation Details / Notes / Constraints | ||
|
|
||
| - **RBAC**: The “cel-scanner” Pod needs read permissions (`get/list/watch`) for every resource type mentioned in the `inputs`. |
There was a problem hiding this comment.
The API resource collector is going to use the existing service account, right?
If so - is the expectations that cluster admins update that role to include the permissions for the custom rules they've written?
Will the compliance operator overwrite those permissions on update?
There was a problem hiding this comment.
Or does this mean users can only write CustomRule resources for permissions that are already supported by the API resource collector?
There was a problem hiding this comment.
we can let user to choose what service account to use, if they don't we will use a default one.
|
|
||
| Putting it all together: | ||
|
|
||
| 1. **User** defines a `CustomRule` with `scannerType:"cel"`. |
There was a problem hiding this comment.
Similar to the above question.
If I write a CustomRule to evaluate a resource that isn't include in the API resources aggregator permissions, do I need a subsequent step here to make sure it can fetch those resources?
Otherwise, if I understand correctly, it's entirely possible that a user would get all the way through the flow, up to the scan, only to have it fail on a 403?
There was a problem hiding this comment.
I think that's a good point, yeah, we can make it that we check for the permission before a scan is happened.
|
Can we add a section discussion the relationship/difference between a CustomRule and a ValidatingAdmissionPolicy? Specifically, how each is expected to be used, and how we might let a CustomRule possibly 'lift' a CEL expression from a ValidatingAdmissionPolicy? This could be useful as customers might have their own collection of VAPs that they want to re-use.f |
I think makes sense, I was reviewing some of existing VAPs, I think we will have the ability to wield what VAPs has to Compliance Operator and reuse those existing VAPs to CO. Since VAP is always being evaluated, the time when we fetch the VAP is the current state of things |
3 participants
Adding the CEL enhancement document.