
This section describes the lifecycle of security content, including how to use an updated version of compliance content and how to create a custom ProfileBundle object.

Updating security content

Security content is shipped as container images that the ProfileBundle objects refer to. A tag is mutable and can be moved to a different image at any time, whereas a digest is content-addressed and identifies exactly one image manifest. To accurately track updates to ProfileBundles and the custom resources parsed from the bundles, such as rules or profiles, identify the container image that carries the compliance content by its digest instead of by a tag:

Example ProfileBundle pinned by digest
  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    name: rhcos4
  spec:
    contentImage: quay.io/user/ocp4-openscap-content@sha256:a1749f5150b19a9560a5732fe48a89f07bffc79c0832aa8c49ee5504590ae687 (1)
    contentFile: ssg-rhcos4-ds.xml
1 Security content container image, referenced by digest rather than by tag.

Each ProfileBundle is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, the deployment is updated to reflect the change and the content is parsed again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles. The trade-off is that pinned content never changes on its own: to pick up new or corrected rules, you must update the digest in the ProfileBundle yourself.

Using image streams

ProfileBundle objects also accept ImageStream references. If the contentImage reference points to a valid ImageStreamTag, the Compliance Operator ensures that the content stays up to date automatically by following the image stream.

Example image stream
$ oc get is -n openshift-compliance
Example output
NAME               IMAGE REPOSITORY                                                                          TAGS     UPDATED
openscap-ocp4-ds   image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds   latest   32 seconds ago
Procedure
  1. Ensure that the lookup policy of the image stream is set to local, so that the short `name:tag` form resolves within the openshift-compliance namespace:

    $ oc patch is openscap-ocp4-ds \
        -n openshift-compliance \
        -p '{"spec":{"lookupPolicy":{"local":true}}}' \
        --type=merge
    Example output
    imagestream.image.openshift.io/openscap-ocp4-ds patched
  2. Retrieve the name of the ImageStreamTag to use as the contentImage of the ProfileBundle:

    $ oc get istag -n openshift-compliance
    Example output
    NAME                      IMAGE REFERENCE                                                                                                                                 UPDATED
    openscap-ocp4-ds:latest   image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds@sha256:46d7ca9b7055fe56ade818ec3e62882cfcc2d27b9bf0d1cbae9f4b6df2710c96   3 minutes ago
  3. Create the ProfileBundle that references the ImageStreamTag:

    $ cat << EOF | oc create -f -
    apiVersion: compliance.openshift.io/v1alpha1
    kind: ProfileBundle
    metadata:
      name: mybundle
    spec:
      contentImage: openscap-ocp4-ds:latest
      contentFile: ssg-rhcos4-ds.xml
    EOF

This ProfileBundle tracks the image stream: any change applied to it, such as retagging `latest` to point at a different digest, is reflected in the ProfileBundle immediately. Because the reference is followed rather than pinned, anyone who can update that image stream can change the rules and profiles the cluster is scanned against, so restrict write access to it accordingly.
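Both approaches above come down to what `spec.contentImage` holds: a registry reference pinned by digest, or an ImageStreamTag resolved locally in the operator namespace, but never a mutable registry tag. The following shell check, written as an added example for this page (it is not part of the OpenShift documentation or of the Compliance Operator), classifies a contentImage reference so that a CI or GitOps gate can reject tag-based bundles before they reach the cluster, and rewrites a tagged reference into its pinned form once the digest is known. It assumes the openshift-compliance namespace used in the commands above and, for `resolve_digest` only, that skopeo is installed; the function names are the example's own.

```shell
#!/bin/sh
# Added example; not from the OpenShift documentation or the Compliance Operator.
# Classifies a ProfileBundle .spec.contentImage reference and pins tags to digests.
# Assumptions (not stated on the page): the operator namespace is
# openshift-compliance, and skopeo is available for resolve_digest.

# classify_content_image REF
#   Prints one of: digest, istag, tag, malformed.
#   Returns 0 for digest or istag (stable references), 1 otherwise.
classify_content_image() {
    ref=$1
    case "$ref" in
        *@sha256:*)
            # Registry reference pinned by digest; the digest must be 64 hex chars.
            digest=${ref##*@sha256:}
            if printf '%s\n' "$digest" | grep -Eq '^[0-9a-f]{64}$'; then
                echo digest
                return 0
            fi
            echo malformed
            return 1
            ;;
        */*)
            # A registry or namespace path without a digest: a mutable tag.
            echo tag
            return 1
            ;;
        *:*)
            # name:tag with no path: resolved as an ImageStreamTag in the
            # operator namespace when the image stream has lookupPolicy.local=true.
            echo istag
            return 0
            ;;
        *)
            # A bare name means name:latest, still a mutable tag.
            echo tag
            return 1
            ;;
    esac
}

# pin_reference REPO[:TAG|@sha256:OLD] DIGEST
#   Prints the digest-pinned form "repo@sha256:<digest>". DIGEST may carry
#   a "sha256:" prefix (as printed by skopeo or the istag listing) or not.
pin_reference() {
    repo=${1%%@*}            # drop any existing digest
    name=${repo##*/}         # last path component, e.g. "ocp4:latest"
    case "$name" in
        *:*) repo=${repo%:*} ;;   # strip the tag, but not a registry port
    esac
    digest=${2#sha256:}
    printf '%s@sha256:%s\n' "$repo" "$digest"
}

# resolve_digest REF
#   Asks the registry for the manifest digest of a tagged reference.
#   Requires skopeo and network access; not exercised by the demo below.
resolve_digest() {
    skopeo inspect --format '{{.Digest}}' "docker://$1"
}

# audit_bundles
#   Lists every ProfileBundle in the cluster with its reference class.
#   Requires oc and a logged-in session; not exercised by the demo below.
audit_bundles() {
    oc get profilebundle -n openshift-compliance \
        -o jsonpath='{range .items[*]}{.metadata.name}{" "}{.spec.contentImage}{"\n"}{end}' |
    while read -r name image; do
        kind=$(classify_content_image "$image" || true)
        printf '%-20s %-9s %s\n' "$name" "$kind" "$image"
    done
}

# Demo on the three references shown on this page (offline, no cluster needed).
for ref in \
    'quay.io/complianceascode/ocp4:latest' \
    'quay.io/user/ocp4-openscap-content@sha256:a1749f5150b19a9560a5732fe48a89f07bffc79c0832aa8c49ee5504590ae687' \
    'openscap-ocp4-ds:latest'
do
    printf '%-9s %s\n' "$(classify_content_image "$ref" || true)" "$ref"
done
```

In a pipeline, run `classify_content_image` over each bundle manifest and fail the job when it returns non-zero; when it reports `tag`, resolve the digest with `resolve_digest` and rewrite the manifest with `pin_reference` so that the committed bundle is the pinned one. An ImageStreamTag passes the check because the operator follows it deliberately, but the image stream itself then becomes the thing whose write access you must control.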

ProfileBundle CR example

The bundle object needs two pieces of information: the container image that contains the compliance content (contentImage) and the path of the file inside that image that holds the content (contentFile). The contentFile parameter is relative to the root of the image file system. The built-in rhcos4 ProfileBundle object is defined as in the example below:

  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    name: rhcos4
  spec:
    contentImage: quay.io/complianceascode/ocp4:latest (1)
    contentFile: ssg-rhcos4-ds.xml (2)
1 Content image location.
2 Location of the file containing the compliance content.

The base image used for the content images must include coreutils.

Additional resources