CMP-4040, CMP-4041: Add support for CEL based rules and profiles by yuumasato · Pull Request #14597 · ComplianceAsCode/content

yuumasato · 2026-03-24T23:25:49Z

Description:

Adds support for CEL based rules along with documentation and some tests
The CEL rules are supported by Compliance Operator, so they are limited to ocp4 product.

Rationale:

As we integrate and expand CEL content support for OpenShift with Compliance Operator, we would like to have these rules maintained and developed side by side with other similar security contents.

Review Hints:

Build OCP4 content and check the 'ocp4-cel-content.yaml' in the bulid directory.

xiaojiey · 2026-03-25T12:19:59Z

I verified PR #14597 and PR ComplianceAsCode/compliance-operator#1103 together. Generally it is good. The only problem is there is no COPY --from=builder /content/build/ocp4-cel-content.yaml . in the BuildConfig, I have to create a BuildConfig manually.
I failed to set up a kubevirt cluster today. Will continue verify the rules tomorrow.

1. ### Step 1: Build the Content Locally
# Build OCP4 product
./build_product ocp4
# Verify CEL content exists
ls -lh build/ocp4-cel-content.yaml
2. ###Step 2: build content image:
##2.1. Updated the BuildConfig (this is the code change):
$ oc apply -f - <<'EOF'
  apiVersion: build.openshift.io/v1
  kind: BuildConfig
  metadata:
    name: openscap-ocp4-ds
    namespace: openshift-compliance
  spec:
    output:
      to:
        kind: ImageStreamTag
        name: openscap-ocp4-ds:latest
    runPolicy: Serial
    source:
      dockerfile: |
        FROM registry.fedoraproject.org/fedora-minimal:38 as builder

        WORKDIR /content

        COPY . .

        RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils

        RUN ./build_product --debug ocp4 rhcos4

        FROM registry.access.redhat.com/ubi8/ubi-minimal
        WORKDIR /
        COPY --from=builder /content/build/ssg-ocp4-ds.xml .
        COPY --from=builder /content/build/ssg-rhcos4-ds.xml .
        COPY --from=builder /content/build/ocp4-cel-content.yaml .
      type: Dockerfile
    strategy:
      dockerStrategy:
        noCache: true
      type: Docker
    triggers:
    - type: ImageChange
  EOF

 ##2.2 Triggered a new build:

$ oc start-build openscap-ocp4-ds -n openshift-compliance --from-dir=.

3. ###Verified the image contains CEL content:

$ oc run -it --rm verify-cel \
    --image=image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest \
    --restart=Never \
    -n openshift-compliance \
    -- ls -la /

4. ###Created ProfileBundle with CEL content:
$ oc apply -f - <<'EOF'
  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    name: ocp4-with-cel
    namespace: openshift-compliance
  spec:
    contentImage: image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest
    contentFile: ssg-ocp4-ds.xml
    celContentFile: ocp4-cel-content.yaml
  EOF
5 ### Check the result:
$ oc get pb
NAME              CONTENTIMAGE                                                                                    CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest                                                      ssg-ocp4-ds.xml                             VALID
ocp4-with-cel     image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest   ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest                                                      ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                                                                         ssg-ocp4-ds.xml                             VALID
upstream-rhcos4   openscap-ocp4-ds:latest                                                                         ssg-rhcos4-ds.xml                           VALID
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'e'
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries
ocp4-with-cel-kubevirt-no-permitted-host-devices
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled
ocp4-with-cel-kubevirt-persistent-reservation-disabled
$ oc get rules | grep kubevirt
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries                                        7m7s
ocp4-with-cel-kubevirt-no-permitted-host-devices                                             7m7s
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory                                    7m7s
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled                                       7m7s
ocp4-with-cel-kubevirt-persistent-reservation-disabled                                       7m7s

yuumasato · 2026-03-25T21:41:01Z

Thanks for the review @xiaojiey.

Hopefully I have addessed the BuildConfig issue in the last commit.
Regarding the kubevirt rules, there is no need to thoroughly test them now. They won't be shipped downstream yet.

xiaojiey · 2026-03-26T04:22:38Z

@yuumasato Sorry, I forgot to highlight, there is one more need to be updated. The --datastream-only in ocp-resources/ds-build-remote.yaml need to be removed. Otherwise, the cel content file won't be included.
The good news is once the cel file included, the pb will be created correctly with the right CELCONTENTFILE, no need to patch any more.
################# with --datastream-only parameter

$ ./build_product ocp4
$ ./utils/build_ds_container.py -c -p
2026-03-26 10:29:01,458:INFO: Building content for ocp4, rhcos4
...
2026-03-26 10:32:23,395:INFO: Build status: Running
2026-03-26 10:32:27,162:INFO: Build status: Failed
$ oc get pod
NAME                                              READY   STATUS    RESTARTS        AGE
compliance-operator-54dd495bbb-wpn2b              1/1     Running   2 (8m50s ago)   8m54s
ocp4-openshift-compliance-pp-57d9c88555-5ccpv     1/1     Running   0               8m37s
openscap-ocp4-ds-1-build                          0/1     Error     0               7m54s
rhcos4-openshift-compliance-pp-5d6fb55f67-lchn6   1/1     Running   0               8m37s
$ oc logs pod/openscap-ocp4-ds-1-build --all-containers 
[2/2] STEP 5/7: COPY --from=builder /content/build/ocp4-cel-content.yaml .
error: build error: building at STEP "COPY --from=builder /content/build/ocp4-cel-content.yaml .": checking on sources under "/var/lib/containers/storage/overlay/c6192ee843a64e2ea122abce26db828840cf621dec559a2eecd0a71bd40d0f13/merged": copier: stat: "/content/build/ocp4-cel-content.yaml": no such file or directory

################# without --datastream-only parameter

$ git diff
diff --git a/ocp-resources/ds-build-remote.yaml b/ocp-resources/ds-build-remote.yaml
index 68764deb8e..5f6ee69916 100644
--- a/ocp-resources/ds-build-remote.yaml
+++ b/ocp-resources/ds-build-remote.yaml
@@ -25,7 +25,7 @@ spec:
 
       RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils
 
-      RUN ./build_product --datastream-only --debug ocp4 rhcos4
+      RUN ./build_product --debug ocp4 rhcos4
 
       FROM registry.access.redhat.com/ubi8/ubi-minimal
       WORKDIR /
$ ./utils/build_ds_container.py -c -p
2026-03-26 11:39:54,642:INFO: Building content for ocp4, rhcos4
...
2026-03-26 11:43:10,806:INFO: Build status: Running
2026-03-26 11:43:15,440:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2026-03-26 11:43:19,447:INFO: Created profile bundles for ocp4, rhcos4
$ oc get pod
NAME                                                      READY   STATUS      RESTARTS      AGE
compliance-operator-54dd495bbb-wpn2b                      1/1     Running     2 (76m ago)   76m
ocp4-openshift-compliance-pp-57d9c88555-5ccpv             1/1     Running     0             76m
openscap-ocp4-ds-3-build                                  0/1     Completed   0             4m56s
rhcos4-openshift-compliance-pp-5d6fb55f67-lchn6           1/1     Running     0             76m
upstream-ocp4-openshift-compliance-pp-7f856fd4-2m8q2      1/1     Running     0             100s
upstream-rhcos4-openshift-compliance-pp-f7d968bc6-prwvg   1/1     Running     0             98s
$ oc get pb 
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                             VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                           PENDING
$ oc get profiles -n openshift-compliance -o json | \
  jq -r '.items[] | select(.metadata.annotations["compliance.openshift.io/scanner-type"] == "CEL") | .metadata.name'
upstream-ocp4-cis-vm-extension
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
upstream-ocp4-kubevirt-enforce-trusted-tls-registries
upstream-ocp4-kubevirt-no-permitted-host-devices
upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory
upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled
upstream-ocp4-kubevirt-persistent-reservation-disabled
$ oc get profile upstream-ocp4-cis-vm-extension -o=jsonpath={.rules} | jq -r
[
  "upstream-ocp4-kubevirt-enforce-trusted-tls-registries",
  "upstream-ocp4-kubevirt-no-permitted-host-devices",
  "upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory",
  "upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled",
  "upstream-ocp4-kubevirt-persistent-reservation-disabled"
]

applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/rule.yml

Vincent056

I think the PR looks good, just some questions on formatting and templating.

ssg/build_yaml.py

yuumasato · 2026-03-27T12:12:30Z

@xiaojiey Thanks, instead of removing '--datastream-only' I have added a new parameter '--cel-content=ocp4'.
This way we don't unnecessarily build targets we don't need in our images.

xiaojiey · 2026-03-30T13:18:01Z

@yuumasato Thanks for the update. Now with/without CEL profiles, the profiles can be created successfully.

$ ./build_product ocp4
$ ./utils/build_ds_container.py -c -p
2026-03-30 21:07:10,260:INFO: Building content for ocp4, rhcos4
...
2026-03-30 21:10:28,765:INFO: Build status: Running
2026-03-30 21:10:32,503:INFO: Build status: Running
2026-03-30 21:10:37,081:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2026-03-30 21:10:41,313:INFO: Created profile bundles for ocp4, rhcos4
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                             VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                           VALID
$ oc get profiles -n openshift-compliance -o json | \
  jq -r '.items[] | select(.metadata.annotations["compliance.openshift.io/scanner-type"] == "CEL") | .metadata.name'
upstream-ocp4-cis-vm-extension
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
upstream-ocp4-kubevirt-enforce-trusted-tls-registries
upstream-ocp4-kubevirt-no-permitted-host-devices
upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory
upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled
upstream-ocp4-kubevirt-persistent-reservation-disabled
$ oc get profile upstream-ocp4-cis-vm-extension -o=jsonpath={.rules} | jq -r
[
  "upstream-ocp4-kubevirt-enforce-trusted-tls-registries",
  "upstream-ocp4-kubevirt-no-permitted-host-devices",
  "upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory",
  "upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled",
  "upstream-ocp4-kubevirt-persistent-reservation-disabled"
]

xiaojiey · 2026-03-30T13:18:32Z

/retest

Mab879

Please update shared/schemas as well.
Use underscoes to separate words, as this project follows the Python style.
- scannerType -> scanner_type
- checkType -> checkType
- etc
The style guide needs to be updated as well for the new fields

Mab879 · 2026-03-31T21:28:37Z

build_product

 	printf '\t%s\n' "-t, --thin, --no-thin: Build thin data streams for each rule. Do not build any of the guides, tables, etc (off by default)"
 	printf '\t%s\n' "-r, --rule-id: Rule ID: Build a thin data stream with the specified rule. Do not build any of the guides, tables, etc (off by default)"
 	printf '\t%s\n' "-d, --datastream-only, --no-datastream-only: Build the data stream only. Do not build any of the guides, tables, etc (off by default)"
+	printf '\t%s\n' "--datastream, --no-datastream: Build the data stream. Do not build any of the guides, tables, etc (off by default)"


--no-datastream that name is confusing to me.

Lol, it just following the pattern of the script.

@Mab879 Thanks for review, hopefully I have addressed your comments in the new commits I added.
I kept the historical --no-datastream-only to be deprecated / removed when convenient, 😂

We expect this profile to exclusively leverage the CEL rules.

Add a new build-script along with a new output type that builds the CEL rules into the yaml that can be loaded by Compliance Operator.

Copies the CEL content file to the content images.

Adds --cel-content parameter that takes a comma separated list of products to build cel-content for. Add the new parameter with OCP4 product where it makes sense.

With addition of '--cel-content' as an option to build CEL content. And with it being additional to data stream builds, having '--datastream-only' parameter feels weird. This add '--datastream' so that we can move away from '--datastream-only' and be more consistent.

Keep only the --datastream option, which builds the CMake target that generates the data stream files, in addition to any other target defined during script invocation.

Keeps the fields pertainint to CEL scanning engine separate from the rule.yml, which can remain agnostic. This facilitates the implementation of templates later on. 'scanner_type' is completely removed from rules, and inferred by presence of 'cel' directory or presence of 'expression' and 'input' keys.

yuumasato · 2026-04-01T21:34:16Z

@Mab879 I have moved the CEL specific keys to its own file.

xiaojiey · 2026-04-02T02:35:35Z

/retest

openshift-ci · 2026-04-02T05:45:14Z

@yuumasato: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-node-compliance	`2772f94`	link	true	`/test e2e-aws-openshift-node-compliance`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

yuumasato requested review from Anna-Koudelkova, Vincent056 and xiaojiey March 24, 2026 23:25

yuumasato requested review from Mab879, ggbecker, jan-cerny, marcusburghardt, matusmarhefka and vojtapolasek as code owners March 24, 2026 23:25

jan-cerny added the OpenShift OpenShift product related. label Mar 25, 2026

Vincent056 mentioned this pull request Mar 25, 2026

Add Python CEL content bundler and integrate into Konflux build #14589

Closed

3 tasks

yuumasato force-pushed the add-cel-rules branch from e7d189f to af527ae Compare March 25, 2026 21:27

yuumasato force-pushed the add-cel-rules branch from af527ae to 188024f Compare March 25, 2026 21:41

yuumasato added this to the 0.1.81 milestone Mar 25, 2026

yuumasato force-pushed the add-cel-rules branch from 188024f to 25fe7a6 Compare March 25, 2026 23:43

Vincent056 reviewed Mar 26, 2026

View reviewed changes

applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/rule.yml Outdated Show resolved Hide resolved

Vincent056 reviewed Mar 26, 2026

View reviewed changes

ssg/build_yaml.py Outdated Show resolved Hide resolved

yuumasato changed the title ~~Add support for CEL based rules and profiles~~ CMP-4040, CMP-4041: Add support for CEL based rules and profiles Mar 30, 2026

Mab879 requested changes Mar 31, 2026

View reviewed changes

yuumasato added 4 commits April 1, 2026 14:50

Add CEL CustomRules from CO

49a8108

Add a profile for CIS OCP VM Extension v1.0.0

3405a0f

We expect this profile to exclusively leverage the CEL rules.

Add support for building CEL content

e08420a

Add a new build-script along with a new output type that builds the CEL rules into the yaml that can be loaded by Compliance Operator.

Add tests for the CEL build-script

6d47a17

yuumasato added 5 commits April 1, 2026 14:50

Document CEL Rules and its usage

c83fd14

Include and ship the CEL content file

0dc64b8

Copies the CEL content file to the content images.

Include CEL content in PBs created by build_ds_container.py

2678610

Implement parameter to build cel-content

9ce929e

Adds --cel-content parameter that takes a comma separated list of products to build cel-content for. Add the new parameter with OCP4 product where it makes sense.

yuumasato force-pushed the add-cel-rules branch from 5d0549e to 7058b4f Compare April 1, 2026 12:50

yuumasato added 4 commits April 1, 2026 15:10

Adjust CEL Rules keys to snake case

90afdcd

Document CEL rules in json schema

12fde16

Improve docs and style guides with CEL rules info

ba8e930

Remove nonsensical --no-datastream option

ae5afb0

Keep only the --datastream option, which builds the CMake target that generates the data stream files, in addition to any other target defined during script invocation.

yuumasato force-pushed the add-cel-rules branch from 7058b4f to ae5afb0 Compare April 1, 2026 13:10

yuumasato force-pushed the add-cel-rules branch from 9fde596 to 2772f94 Compare April 1, 2026 21:32

Conversation

yuumasato commented Mar 24, 2026

Description:

Rationale:

Review Hints:

Uh oh!

xiaojiey commented Mar 25, 2026

Uh oh!

yuumasato commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

xiaojiey commented Mar 26, 2026

Uh oh!

Uh oh!

Vincent056 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yuumasato commented Mar 27, 2026

Uh oh!

xiaojiey commented Mar 30, 2026

Uh oh!

xiaojiey commented Mar 30, 2026

Uh oh!

Mab879 left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Mab879 Mar 31, 2026

Choose a reason for hiding this comment

Uh oh!

yuumasato Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

yuumasato Apr 1, 2026

Choose a reason for hiding this comment

Uh oh!

yuumasato commented Apr 1, 2026

Uh oh!

xiaojiey commented Apr 2, 2026

Uh oh!

openshift-ci bot commented Apr 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

5 participants

yuumasato commented Mar 25, 2026 •

edited

Loading

Mab879 left a comment •

edited

Loading