Merge branch 'master' into OCPBUGS-3009

CHANGELOG.md

@@ -15,6 +15,8 @@ Versioning](https://semver.org/spec/v2.0.0.html).
   more ergonomic to pause scans during maintenance periods. See the
   [enhancement](https://github.com/ComplianceAsCode/compliance-operator/pull/375)
   for more details.
+- Implemented support for an optional `version` attribute on `Profile` custom
+  resources.
 
 ### Fixes
 

bundle/manifests/compliance-operator.clusterserviceversion.yaml

@@ -1296,7 +1296,11 @@ spec:
                     memory: 20Mi
                 securityContext:
                   allowPrivilegeEscalation: false
+                  capabilities:
+                    drop:
+                    - ALL
                   readOnlyRootFilesystem: true
+                  runAsNonRoot: true
                 volumeMounts:
                 - mountPath: /var/run/secrets/serving-cert
                   name: serving-cert

bundle/manifests/compliance.openshift.io_compliancecheckresults.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: compliancecheckresults.compliance.openshift.io
 spec:

bundle/manifests/compliance.openshift.io_complianceremediations.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: complianceremediations.compliance.openshift.io
 spec:

bundle/manifests/compliance.openshift.io_compliancescans.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: compliancescans.compliance.openshift.io
 spec:

bundle/manifests/compliance.openshift.io_compliancesuites.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: compliancesuites.compliance.openshift.io
 spec:
@@ -323,6 +323,11 @@ spec:
                   scheduled scans will start running only after the initial results
                   are ready.
                 type: string
+              suspend:
+                default: false
+                description: Defines if a schedule should be suspended and is a boolean
+                  value, defaulting to False.
+                type: boolean
             required:
             - scans
             type: object

bundle/manifests/compliance.openshift.io_profilebundles.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: profilebundles.compliance.openshift.io
 spec:

bundle/manifests/compliance.openshift.io_profiles.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: profiles.compliance.openshift.io
 spec:
@@ -17,7 +17,14 @@ spec:
     singular: profile
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .version
+      name: Version
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: Profile is the Schema for the profiles API
@@ -55,13 +62,16 @@ spec:
             nullable: true
             type: array
             x-kubernetes-list-type: atomic
+          version:
+            type: string
         required:
         - description
         - id
         - title
         type: object
     served: true
     storage: true
+    subresources: {}
 status:
   acceptedNames:
     kind: ""

bundle/manifests/compliance.openshift.io_rules.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: rules.compliance.openshift.io
 spec:

bundle/manifests/compliance.openshift.io_scansettingbindings.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: scansettingbindings.compliance.openshift.io
 spec:
@@ -16,7 +16,11 @@ spec:
     singular: scansettingbinding
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .status.phase
+      name: Status
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: ScanSettingBinding is the Schema for the scansettingbindings
@@ -124,6 +128,8 @@ spec:
                 - name
                 type: object
                 x-kubernetes-map-type: atomic
+              phase:
+                type: string
             type: object
         type: object
     served: true

bundle/manifests/compliance.openshift.io_scansettings.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: scansettings.compliance.openshift.io
 spec:
@@ -247,6 +247,11 @@ spec:
               be strict and error out. `false` means that we don't need to be strict
               and we can proceed.
             type: boolean
+          suspend:
+            default: false
+            description: Defines if a schedule should be suspended and is a boolean
+              value, defaulting to False.
+            type: boolean
           timeout:
             default: 30m
             description: Timeout is the maximum amount of time the scan can run. If

bundle/manifests/compliance.openshift.io_tailoredprofiles.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: tailoredprofiles.compliance.openshift.io
 spec:

bundle/manifests/compliance.openshift.io_variables.yaml

@@ -2,7 +2,7 @@ apiVersion: apiextensions.k8s.io/v1
 kind: CustomResourceDefinition
 metadata:
   annotations:
-    controller-gen.kubebuilder.io/version: v0.11.3
+    controller-gen.kubebuilder.io/version: v0.13.0
   creationTimestamp: null
   name: variables.compliance.openshift.io
 spec:

config/crd/bases/compliance.openshift.io_profiles.yaml

@@ -17,7 +17,14 @@ spec:
     singular: profile
   scope: Namespaced
   versions:
-  - name: v1alpha1
+  - additionalPrinterColumns:
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - jsonPath: .version
+      name: Version
+      type: string
+    name: v1alpha1
     schema:
       openAPIV3Schema:
         description: Profile is the Schema for the profiles API
@@ -55,10 +62,13 @@ spec:
             nullable: true
             type: array
             x-kubernetes-list-type: atomic
+          version:
+            type: string
         required:
         - description
         - id
         - title
         type: object
     served: true
     storage: true
+    subresources: {}

config/manager/deployment.yaml

@@ -27,6 +27,9 @@ spec:
           securityContext:
             readOnlyRootFilesystem: true
             allowPrivilegeEscalation: false
+            runAsNonRoot: true
+            capabilities:
+              drop: ["ALL"]
           resources:
             requests:
               memory: "20Mi"

doc/tutorials/workshop/content/exercises/03-creating-your-first-scan.md

@@ -299,7 +299,7 @@ scansettingbinding.compliance.openshift.io/periodic-e8 created
 
 > **NOTE**
 > 
-> Using the [`oc-compliance`](https://github.com/JAORMX/oc-compliance) plugin 
+> Using the [`oc-compliance`](https://github.com/openshift/oc-compliance) plugin 
 > it's also possible to create `ScanSettingBindings` using the subcommand
 > `oc compliance bind`. For this example, the invocation would have been:
 > 
@@ -480,7 +480,7 @@ Once you’re done with the extraction.
 
 > **NOTE**
 > 
-> Using the [`oc-compliance`](https://github.com/JAORMX/oc-compliance) plugin 
+> Using the [`oc-compliance`](https://github.com/openshift/oc-compliance) plugin 
 > it's also possible to extract the compliance results using the subcommand
 > `oc compliance fetch-raw`. For this example, the invocation would have been:
 > 

doc/tutorials/workshop/content/exercises/06-troubleshooting.md

@@ -91,7 +91,7 @@ rhcos4-no-kptr-restrict-worker   RUNNING   NOT-AVAILABLE
 
 > **NOTE**
 > 
-> Using the [`oc-compliance`](https://github.com/JAORMX/oc-compliance) plugin 
+> Using the [`oc-compliance`](https://github.com/openshift/oc-compliance) plugin 
 > it's also possible to re-run the scans using the subcommand
 > `oc compliance rerun-now`. For this example, the invocation would have been:
 > 

go.mod

@@ -25,8 +25,8 @@ require (
 	github.com/dsnet/compress v0.0.1
 	github.com/evanphx/json-patch v5.6.0+incompatible // indirect
 	github.com/fsnotify/fsnotify v1.6.0 // indirect
-	github.com/go-logr/logr v1.2.4
-	github.com/go-logr/zapr v1.2.4
+	github.com/go-logr/logr v1.3.0
+	github.com/go-logr/zapr v1.3.0
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
 	github.com/golang/protobuf v1.5.3 // indirect
@@ -42,8 +42,8 @@ require (
 	github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
 	github.com/modern-go/reflect2 v1.0.2 // indirect
 	github.com/nxadm/tail v1.4.8 // indirect
-	github.com/openshift/api v0.0.0-20231101062116-3680e212cc27
-	github.com/openshift/library-go v0.0.0-20231031152817-813f7140d659
+	github.com/openshift/api v0.0.0-20231102215821-c90b4c82852e
+	github.com/openshift/library-go v0.0.0-20231102154438-cfcf2b4fbc87
 	github.com/openshift/machine-config-operator v0.0.1-0.20230815171034-c2bb862bc08a
 	github.com/pborman/uuid v1.2.1
 	github.com/pkg/errors v0.9.1
@@ -86,7 +86,7 @@ require (
 	sigs.k8s.io/controller-tools v0.13.0
 	sigs.k8s.io/json v0.0.0-20221116044647-bc3834ca7abd // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.3.0 // indirect
-	sigs.k8s.io/yaml v1.3.0
+	sigs.k8s.io/yaml v1.4.0
 )
 
 require (
@@ -136,6 +136,6 @@ require (
 )
 
 replace (
-	github.com/openshift/api => github.com/openshift/api v0.0.0-20231101062116-3680e212cc27
+	github.com/openshift/api => github.com/openshift/api v0.0.0-20231102215821-c90b4c82852e
 	github.com/openshift/client-go => github.com/openshift/client-go v0.0.0-20231024221206-506d798bc61c
 )

go.sum

@@ -77,8 +77,12 @@ github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32/go.mod h1:GIjDIg/heH
 github.com/go-logr/logr v1.2.0/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
 github.com/go-logr/logr v1.2.4 h1:g01GSCwiDw2xSZfjJ2/T9M+S6pFdcNtFYsp+Y43HYDQ=
 github.com/go-logr/logr v1.2.4/go.mod h1:jdQByPbusPIv2/zmleS9BjJVeZ6kBagPoEUsqbVz/1A=
+github.com/go-logr/logr v1.3.0 h1:2y3SDp0ZXuc6/cjLSZ+Q3ir+QB9T/iG5yYRXqsagWSY=
+github.com/go-logr/logr v1.3.0/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/zapr v1.2.4 h1:QHVo+6stLbfJmYGkQ7uGHUCu5hnAFAj6mDe6Ea0SeOo=
 github.com/go-logr/zapr v1.2.4/go.mod h1:FyHWQIzQORZ0QVE1BtVHv3cKtNLuXsbNLtpuhNapBOA=
+github.com/go-logr/zapr v1.3.0 h1:XGdV8XW8zdwFiwOA2Dryh1gj2KRQyOOoNmBy4EplIcQ=
+github.com/go-logr/zapr v1.3.0/go.mod h1:YKepepNBd1u/oyhd/yQmtjVXmm9uML4IXUgMOwR8/Gg=
 github.com/go-openapi/jsonpointer v0.19.6/go.mod h1:osyAmYz/mB/C3I+WsTTSgw1ONzaLJoLCyoi6/zppojs=
 github.com/go-openapi/jsonpointer v0.20.0 h1:ESKJdU9ASRfaPNOPRx12IUyA1vn3R9GiE3KYD14BXdQ=
 github.com/go-openapi/jsonpointer v0.20.0/go.mod h1:6PGzBjjIIumbLYysB73Klnms1mwnU4G3YHOECG3CedA=
@@ -208,6 +212,8 @@ github.com/openshift/api v0.0.0-20231013202211-096c446e7f60 h1:vaGyewNUE95Zo+GdK
 github.com/openshift/api v0.0.0-20231013202211-096c446e7f60/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
 github.com/openshift/api v0.0.0-20231101062116-3680e212cc27 h1:Xnx7S0ZV11mn/kYW6eGok52FEnkZWG4iNXV4TKR7S/I=
 github.com/openshift/api v0.0.0-20231101062116-3680e212cc27/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
+github.com/openshift/api v0.0.0-20231102215821-c90b4c82852e h1:vV6rs7WEgJ4jkkXWReu+Y4VEnHWi1gjicZO1n4ysbdc=
+github.com/openshift/api v0.0.0-20231102215821-c90b4c82852e/go.mod h1:qNtV0315F+f8ld52TLtPvrfivZpdimOzTi3kn9IVbtU=
 github.com/openshift/client-go v0.0.0-20230926161409-848405da69e1 h1:W1N/3nVciqmjPjn2xldHjb0AwwCQzlGxLvX5BCgE8H4=
 github.com/openshift/client-go v0.0.0-20230926161409-848405da69e1/go.mod h1:ihUJrhBcYAGYQrJu/gP2OMgfVds5f5z5kbeLNBqjHLo=
 github.com/openshift/client-go v0.0.0-20231005121823-e81400b97c46 h1:J7UsTNgyM1krYnfsmijowYqt5I4mDM1qxNAy4eEa0xc=
@@ -220,6 +226,8 @@ github.com/openshift/library-go v0.0.0-20231010152045-c91dd9756953 h1:YE/jLh4Q1v
 github.com/openshift/library-go v0.0.0-20231010152045-c91dd9756953/go.mod h1:hl8bxWuFMM72N4YH7FKLGWtYhDz/A0xwvaa8Yr5fxYU=
 github.com/openshift/library-go v0.0.0-20231031152817-813f7140d659 h1:tdhZbyhi4LKi7fFvbH6oae+OOg4oCjQefN3Uszwc2fE=
 github.com/openshift/library-go v0.0.0-20231031152817-813f7140d659/go.mod h1:8UzmrBMCn7+GzouL8DVYkL9COBQTB1Ggd13/mHJQCUg=
+github.com/openshift/library-go v0.0.0-20231102154438-cfcf2b4fbc87 h1:GcaI98ric0Q3WbZsTh8cIE39pgw12v3s3xuiIFO5zQ0=
+github.com/openshift/library-go v0.0.0-20231102154438-cfcf2b4fbc87/go.mod h1:8UzmrBMCn7+GzouL8DVYkL9COBQTB1Ggd13/mHJQCUg=
 github.com/openshift/machine-config-operator v0.0.1-0.20230815171034-c2bb862bc08a h1:3KR43D0bbEi3IYSS6b7abKWbj93RJyuxoHImmYaiWZU=
 github.com/openshift/machine-config-operator v0.0.1-0.20230815171034-c2bb862bc08a/go.mod h1:kP51fbL8QBSY/mAkFicoF73x0QSraPrX4BjWIdzFPio=
 github.com/pborman/uuid v1.2.1 h1:+ZZIw58t/ozdjRaXh/3awHfmWRbzYxJoAdNJxe/3pvw=
@@ -496,3 +504,5 @@ sigs.k8s.io/structured-merge-diff/v4 v4.3.0 h1:UZbZAZfX0wV2zr7YZorDz6GXROfDFj6Lv
 sigs.k8s.io/structured-merge-diff/v4 v4.3.0/go.mod h1:N8hJocpFajUSSeSJ9bOZ77VzejKZaXsTtZo4/u7Io08=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
+sigs.k8s.io/yaml v1.4.0 h1:Mk1wCc2gy/F0THH0TAp1QYyJNzRm2KCLy3o5ASXVI5E=
+sigs.k8s.io/yaml v1.4.0/go.mod h1:Ejl7/uTz7PSA4eKMyQCUTnhZYNmLIl+5c2lQPGR2BPY=

pkg/apis/compliance/v1alpha1/profile_types.go

@@ -35,12 +35,16 @@ type ProfilePayload struct {
 	// +optional
 	// +listType=atomic
 	Values []ProfileValue `json:"values,omitempty"`
+	// +optional
+	Version string `json:"version"`
 }
 
 // +kubebuilder:object:root=true
 
 // Profile is the Schema for the profiles API
 // +kubebuilder:resource:path=profiles,scope=Namespaced,shortName=profs;prof
+// +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"
+// +kubebuilder:printcolumn:name="Version",type="string",JSONPath=`.version`
 type Profile struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`

pkg/apis/compliance/v1alpha1/rule_types.go

@@ -18,6 +18,9 @@ const RuleHideTagAnnotationKey = "compliance.openshift.io/hide-tag"
 // RuleVariableAnnotationKey store list of xccdf variables used to render the rule
 const RuleVariableAnnotationKey = "compliance.openshift.io/rule-variable"
 
+// RuleProfileAnnotationKey is the annotation used to store which profiles are using a particular rule
+const RuleProfileAnnotationKey = "compliance.openshift.io/profiles"
+
 const (
 	CheckTypePlatform = "Platform"
 	CheckTypeNode     = "Node"

pkg/controller/profilebundle/profilebundle_controller.go

@@ -439,6 +439,7 @@ func (r *ReconcileProfileBundle) newWorkloadForBundle(pb *compliancev1alpha1.Pro
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: &falseP,
 								ReadOnlyRootFilesystem:   &trueP,
+								RunAsNonRoot:             &trueP,
 								Capabilities: &corev1.Capabilities{
 									Drop: []corev1.Capability{"ALL"},
 								},
@@ -466,6 +467,7 @@ func (r *ReconcileProfileBundle) newWorkloadForBundle(pb *compliancev1alpha1.Pro
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: &falseP,
 								ReadOnlyRootFilesystem:   &trueP,
+								RunAsNonRoot:             &trueP,
 								Capabilities: &corev1.Capabilities{
 									Drop: []corev1.Capability{"ALL"},
 								},
@@ -502,6 +504,10 @@ func (r *ReconcileProfileBundle) newWorkloadForBundle(pb *compliancev1alpha1.Pro
 							SecurityContext: &corev1.SecurityContext{
 								AllowPrivilegeEscalation: &falseP,
 								ReadOnlyRootFilesystem:   &trueP,
+								RunAsNonRoot:             &trueP,
+								Capabilities: &corev1.Capabilities{
+									Drop: []corev1.Capability{"ALL"},
+								},
 							},
 							Command: []string{
 								"/bin/sh", "-c",