Managing the Compliance Operator
Security content is shipped as container images that the ProfileBundle objects refer to. To accurately track updates to ProfileBundles and the custom resources parsed from the bundles, such as rules or profiles, identify the container image with the compliance content using a digest instead of a tag:
Example output
Each ProfileBundle is backed by a deployment. When the Compliance Operator detects that the container image digest has changed, the deployment is updated to reflect the change and parse the content again. Using the digest instead of a tag ensures that you use a stable and predictable set of profiles.
The contentImage reference can also point to a valid ImageStreamTag, in which case the Compliance Operator ensures that the content stays up to date automatically.
Example image stream
$ oc get is -n openshift-compliance
Example output
Procedure
- Ensure that the lookup policy is set to local:
    $ oc patch is openscap-ocp4-ds \
        -p '{"spec":{"lookupPolicy":{"local":true}}}' \
        --type=merge \
        -n openshift-compliance
  Example output
    imagestream.image.openshift.io/openscap-ocp4-ds patched
- Retrieve the name of the ImageStreamTag to use as the contentImage:
    $ oc get istag -n openshift-compliance
  Example output
    NAME                      IMAGE REFERENCE                                                                                                                                             UPDATED
    openscap-ocp4-ds:latest   image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds@sha256:46d7ca9b7055fe56ade818ec3e62882cfcc2d27b9bf0d1cbae9f4b6df2710c96   3 minutes ago
- Create the ProfileBundle:
  This ProfileBundle tracks the image: any change applied to it, such as updating the tag to point to a different hash, is immediately reflected in the ProfileBundle.
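As an added example (not part of the OpenShift documentation or the Compliance Operator code), the following Python script shows the distinction the two passages above draw: a contentImage pinned by digest, an ImageStreamTag reference with no registry host, and a plain mutable tag on a remote registry. It audits the JSON that `oc get profilebundle -A -o json` prints and builds a ProfileBundle manifest that refuses a mutable tag unless the caller opts in. The classification heuristic, the function names and the sample bundle list are this example's own assumptions; the digest reused in the sample is the one shown in the image stream tag output above.

```python
import json
import re

# A digest-pinned reference: <repository>@sha256:<64 hex digits>.
DIGEST_RE = re.compile(r"^[^@\s]+@sha256:[0-9a-f]{64}$")


def has_registry_host(ref: str) -> bool:
    """Return True when the reference names a registry host explicitly.

    Follows the rule container runtimes use: the first path component is a
    host only if the reference contains a '/', and that component contains a
    '.' or ':' or is 'localhost'. A bare 'name:tag' therefore has no host.
    """
    if "/" not in ref:
        return False
    first = ref.split("/", 1)[0]
    return "." in first or ":" in first or first == "localhost"


def classify_content_image(ref: str) -> str:
    """Classify a ProfileBundle spec.contentImage value (heuristic; an assumption of this example).

    'digest'      - pinned by sha256 digest; the content the operator parses cannot change silently
    'imagestream' - no registry host, so it is resolved through an ImageStreamTag in the
                    operator namespace (needs lookupPolicy.local on the image stream)
    'mutable-tag' - remote image addressed by tag (or no tag, i.e. implicit latest);
                    the tag can be moved to another image without the bundle object changing
    """
    if DIGEST_RE.match(ref):
        return "digest"
    if not has_registry_host(ref):
        return "imagestream"
    return "mutable-tag"


def audit_profile_bundles(bundle_list_json: str) -> dict:
    """Map bundle name -> classification for a Kubernetes List of ProfileBundle
    objects, the shape that 'oc get profilebundle -o json' prints."""
    doc = json.loads(bundle_list_json)
    return {
        item["metadata"]["name"]: classify_content_image(item["spec"]["contentImage"])
        for item in doc.get("items", [])
    }


def profile_bundle_manifest(name, content_image, content_file, allow_mutable_tag=False) -> dict:
    """Build a ProfileBundle manifest as a dict (json.dumps gives 'oc create -f -' input).
    Refuses a mutable tag unless the caller opts in, so the stable-content rule
    is enforced when the bundle is authored rather than discovered later."""
    if classify_content_image(content_image) == "mutable-tag" and not allow_mutable_tag:
        raise ValueError(
            f"{content_image!r} is a mutable tag reference; pin a digest or use an ImageStreamTag"
        )
    return {
        "apiVersion": "compliance.openshift.io/v1alpha1",
        "kind": "ProfileBundle",
        "metadata": {"name": name},
        "spec": {"contentImage": content_image, "contentFile": content_file},
    }


# Constructed sample: what 'oc get profilebundle -A -o json' might return for
# three bundles. The digest is the one from the image stream tag output above.
PAGE_DIGEST = "sha256:46d7ca9b7055fe56ade818ec3e62882cfcc2d27b9bf0d1cbae9f4b6df2710c96"
SAMPLE_BUNDLES = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "rhcos4"},
         "spec": {"contentImage": "quay.io/complianceascode/ocp4:latest",
                  "contentFile": "ssg-rhcos4-ds.xml"}},
        {"metadata": {"name": "rhcos4-pinned"},
         "spec": {"contentImage": "quay.io/complianceascode/ocp4@" + PAGE_DIGEST,
                  "contentFile": "ssg-rhcos4-ds.xml"}},
        {"metadata": {"name": "rhcos4-istag"},
         "spec": {"contentImage": "openscap-ocp4-ds:latest",
                  "contentFile": "ssg-rhcos4-ds.xml"}},
    ],
})

if __name__ == "__main__":
    for name, kind in audit_profile_bundles(SAMPLE_BUNDLES).items():
        print(f"{name:14} {kind}")
    print(json.dumps(profile_bundle_manifest("rhcos4-istag", "openscap-ocp4-ds:latest",
                                             "ssg-rhcos4-ds.xml"), indent=2))
```

Running the script prints the classification of each sample bundle and the JSON manifest for the image-stream-backed bundle, which `oc create -f -` accepts as-is. The `imagestream` case only resolves when the image stream's lookup policy is local, as set in the procedure above; without it a bare name is not found by the deployment that parses the content.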
The bundle object needs two pieces of information: the URL of a container image that contains the compliance content, and the file within that image that contains the compliance content. The contentFile parameter is relative to the root of the image's file system. The built-in rhcos4 ProfileBundle object can be defined as in the example below:
apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: rhcos4
spec:
  contentImage: quay.io/complianceascode/ocp4:latest (1)
  contentFile: ssg-rhcos4-ds.xml (2)
(1) Location of the container image with the compliance content.
(2) Path of the file containing the compliance content, relative to the root of the image's file system.
- The Compliance Operator is supported in a restricted network environment. For more information, see Using Operator Lifecycle Manager on restricted networks.