Project: Cloud Infrastructure Security & Compliance
Issue: CMP-4011

Document Custom OpenShift Compliance Scans using Compliance Operator CEL


      Story Objective

      The Compliance Operator supports CustomRules where users can define their own checks and run them against the platform (OpenShift/Kubernetes resources). This capability is in Tech Preview with Compliance Operator 1.8.0 and becomes GA with Compliance Operator 1.9.0. 

      Why is this important?

      This gives users the flexibility to write their own custom security checks against their own infrastructure, going beyond the compliance content made available by Red Hat's ISC team.

      Scenarios

      1. As a security officer responsible for the compliance posture of an OpenShift cluster, I want to specify rules that must run on all or some nodes in an OpenShift cluster and have the Compliance Operator present those results like it does with OpenSCAP today, so that I can assess the infrastructure compliance of my cluster.

      Acceptance Criteria

      • Users can create CustomRules that check file permissions on nodes
      • Users can create CustomRules that check file contents on nodes
      • Users can create CustomRules that check directory permissions and contents

      Dependencies (internal and external)

      1. This work will have a dependency on the compliance-sdk, which needs to expose specific node-related checks (checking processes, files, etc.).

      Previous Work (Optional):

      1. CO 1.8.0 release notes.
      2. CO 1.8.0 table updates.
      3. KCS document on CustomRule use.

      Open questions:

      1. The most important resource: KCS source google doc: https://docs.google.com/document/d/1Cg87JUtfi1kHHKG-9hM6zClOmtEmy7aGCVX1-o_ovKQ/edit?tab=t.0#heading=h.t92g8plmuoq4
      2. Is a table of custom parameters needed? https://issues.redhat.com/browse/CMP-3765
      3. Link to kubernetes documentation about CEL.
      4. Link to google doc about automating with CustomRule: https://docs.google.com/document/d/16X2guvgELSjLuZ8RarO5OK4GJbk1aHYTj8v7103ZusA/edit?tab=t.0#heading=h.432rl11ov39s
      5. Developer blog about automating with CustomRule: https://developers.redhat.com/articles/2025/12/02/automate-unique-compliance-checks-openshift-and-customrule#

      Done Checklist

      • Jira - Create Story for logging work and tying it to parent epic
      • PR - Creation of PR that connects doc work to Jira
      • Developer Review - Late draft for review by developers
      • vale scans - use vale to find typos or style violations in source docs
      • QE Review - Preview and PR reviewed by ISC QE member
      • DOC - Downstream documentation merged: <link to meaningful PR>

              rhn-support-jbrigman James Brigman
              lbragsta@redhat.com Lance Bragstad