Feature
Resolution: Unresolved
Blocker
Product / Portfolio Work
0% To Do, 100% In Progress, 0% Done
CUSTOMER NEED
As a security-conscious customer, I want to use CEL (Common Expression Language) to define compliance checks so that I can easily enforce security policies in my cluster.
As an engineer in ISC, I want to be able to use CEL to define new profiles for the kube layer of OpenShift, for several reasons:
1. It is a much easier language in which to define expressions for cloud-native environments.
2. The simplicity and readability of CEL rules make them simpler to autogenerate with an LLM, considerably reducing the effort invested in generating new profiles.
Background:
In the Compliance Operator, both RHCOS and OCP4 profiles define security and compliance checks, but they target different components of an OpenShift deployment:
- RHCOS profiles (`rhcos`) target the underlying OS of the OpenShift worker and control plane nodes.
- OCP4 profiles target the Kubernetes resources and platform settings of OpenShift.
RHCOS profiles are inherited from RHEL and are written in SCAP. This will remain the case.
OCP4 profiles are currently written in SCAP as well, and we want to transition them to CEL:
Phase 1: Offer a way for customers to write a custom profile using CEL.
Phase 2: Brand new profiles that we are planning to support (e.g. the OCP Virt profile) will be written in CEL.
Phase 3: Transition existing profiles from SCAP to CEL. This will be done gradually, as each existing profile needs to be updated to a later version.
The goal of this ticket is to address Phase 1.
Relates to: OCPBUGS-9252 Create an automated check for pods (not part of a replicated controller) that are running with the default SA (Closed)
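As an added illustration of the kind of custom check Phase 1 would let a customer express in CEL (this is not Compliance Operator code, and it assumes the rule engine binds a variable named `pods` to a cluster-wide Kubernetes PodList), here is the check described in the related issue, pods outside a replicated controller running with the default ServiceAccount, written so that it evaluates to `true` only when the cluster is compliant:

```cel
// Added example, not from the Compliance Operator. Assumes `pods` is bound to a
// Kubernetes PodList (the result of listing pods across all namespaces).
// Result: true when no standalone pod runs with the default ServiceAccount.
pods.items.all(p,
  // A pod is "replicated" when some ownerReference is marked as its controller
  // (ReplicaSet, StatefulSet, DaemonSet, Job, ...). Such pods are out of scope.
  (has(p.metadata.ownerReferences) &&
   p.metadata.ownerReferences.exists(o, has(o.controller) && o.controller)) ||
  // Otherwise the pod must explicitly use a non-default ServiceAccount.
  // An unset serviceAccountName is defaulted to "default" by Kubernetes,
  // so a missing field counts as a finding, not as compliant.
  (has(p.spec.serviceAccountName) && p.spec.serviceAccountName != "default")
)
```

Negating the expression, or replacing `all` with `filter`, yields the list of offending pods for the check's report output instead of a pass/fail result.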