CMP-4040, CMP-4041: Add support for CEL based rules and profiles by yuumasato · Pull Request #14597 · ComplianceAsCode/content

yuumasato · 2026-03-24T23:25:49Z

Description:

Adds support for CEL based rules along with documentation and some tests
The CEL rules are supported by Compliance Operator, so they are limited to ocp4 product.

Rationale:

As we integrate and expand CEL content support for OpenShift with Compliance Operator, we would like to have these rules maintained and developed side by side with other similar security contents.

Review Hints:

Build OCP4 content and check the 'ocp4-cel-content.yaml' in the bulid directory.

xiaojiey · 2026-03-25T12:19:59Z

I verified PR #14597 and PR ComplianceAsCode/compliance-operator#1103 together. Generally it is good. The only problem is there is no COPY --from=builder /content/build/ocp4-cel-content.yaml . in the BuildConfig, I have to create a BuildConfig manually.
I failed to set up a kubevirt cluster today. Will continue verify the rules tomorrow.

1. ### Step 1: Build the Content Locally
# Build OCP4 product
./build_product ocp4
# Verify CEL content exists
ls -lh build/ocp4-cel-content.yaml
2. ###Step 2: build content image:
##2.1. Updated the BuildConfig (this is the code change):
$ oc apply -f - <<'EOF'
  apiVersion: build.openshift.io/v1
  kind: BuildConfig
  metadata:
    name: openscap-ocp4-ds
    namespace: openshift-compliance
  spec:
    output:
      to:
        kind: ImageStreamTag
        name: openscap-ocp4-ds:latest
    runPolicy: Serial
    source:
      dockerfile: |
        FROM registry.fedoraproject.org/fedora-minimal:38 as builder

        WORKDIR /content

        COPY . .

        RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils

        RUN ./build_product --debug ocp4 rhcos4

        FROM registry.access.redhat.com/ubi8/ubi-minimal
        WORKDIR /
        COPY --from=builder /content/build/ssg-ocp4-ds.xml .
        COPY --from=builder /content/build/ssg-rhcos4-ds.xml .
        COPY --from=builder /content/build/ocp4-cel-content.yaml .
      type: Dockerfile
    strategy:
      dockerStrategy:
        noCache: true
      type: Docker
    triggers:
    - type: ImageChange
  EOF

 ##2.2 Triggered a new build:

$ oc start-build openscap-ocp4-ds -n openshift-compliance --from-dir=.

3. ###Verified the image contains CEL content:

$ oc run -it --rm verify-cel \
    --image=image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest \
    --restart=Never \
    -n openshift-compliance \
    -- ls -la /

4. ###Created ProfileBundle with CEL content:
$ oc apply -f - <<'EOF'
  apiVersion: compliance.openshift.io/v1alpha1
  kind: ProfileBundle
  metadata:
    name: ocp4-with-cel
    namespace: openshift-compliance
  spec:
    contentImage: image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest
    contentFile: ssg-ocp4-ds.xml
    celContentFile: ocp4-cel-content.yaml
  EOF
5 ### Check the result:
$ oc get pb
NAME              CONTENTIMAGE                                                                                    CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest                                                      ssg-ocp4-ds.xml                             VALID
ocp4-with-cel     image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest   ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest                                                      ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                                                                         ssg-ocp4-ds.xml                             VALID
upstream-rhcos4   openscap-ocp4-ds:latest                                                                         ssg-rhcos4-ds.xml                           VALID
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'e'
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries
ocp4-with-cel-kubevirt-no-permitted-host-devices
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled
ocp4-with-cel-kubevirt-persistent-reservation-disabled
$ oc get rules | grep kubevirt
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries                                        7m7s
ocp4-with-cel-kubevirt-no-permitted-host-devices                                             7m7s
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory                                    7m7s
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled                                       7m7s
ocp4-with-cel-kubevirt-persistent-reservation-disabled                                       7m7s

yuumasato · 2026-03-25T21:41:01Z

Thanks for the review @xiaojiey.

Hopefully I have addessed the BuildConfig issue in the last commit.
Regarding the kubevirt rules, there is no need to thoroughly test them now. They won't be shipped downstream yet.

xiaojiey · 2026-03-26T04:22:38Z

@yuumasato Sorry, I forgot to highlight, there is one more need to be updated. The --datastream-only in ocp-resources/ds-build-remote.yaml need to be removed. Otherwise, the cel content file won't be included.
The good news is once the cel file included, the pb will be created correctly with the right CELCONTENTFILE, no need to patch any more.
################# with --datastream-only parameter

$ ./build_product ocp4
$ ./utils/build_ds_container.py -c -p
2026-03-26 10:29:01,458:INFO: Building content for ocp4, rhcos4
...
2026-03-26 10:32:23,395:INFO: Build status: Running
2026-03-26 10:32:27,162:INFO: Build status: Failed
$ oc get pod
NAME                                              READY   STATUS    RESTARTS        AGE
compliance-operator-54dd495bbb-wpn2b              1/1     Running   2 (8m50s ago)   8m54s
ocp4-openshift-compliance-pp-57d9c88555-5ccpv     1/1     Running   0               8m37s
openscap-ocp4-ds-1-build                          0/1     Error     0               7m54s
rhcos4-openshift-compliance-pp-5d6fb55f67-lchn6   1/1     Running   0               8m37s
$ oc logs pod/openscap-ocp4-ds-1-build --all-containers 
[2/2] STEP 5/7: COPY --from=builder /content/build/ocp4-cel-content.yaml .
error: build error: building at STEP "COPY --from=builder /content/build/ocp4-cel-content.yaml .": checking on sources under "/var/lib/containers/storage/overlay/c6192ee843a64e2ea122abce26db828840cf621dec559a2eecd0a71bd40d0f13/merged": copier: stat: "/content/build/ocp4-cel-content.yaml": no such file or directory

################# without --datastream-only parameter

$ git diff
diff --git a/ocp-resources/ds-build-remote.yaml b/ocp-resources/ds-build-remote.yaml
index 68764deb8e..5f6ee69916 100644
--- a/ocp-resources/ds-build-remote.yaml
+++ b/ocp-resources/ds-build-remote.yaml
@@ -25,7 +25,7 @@ spec:
 
       RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils
 
-      RUN ./build_product --datastream-only --debug ocp4 rhcos4
+      RUN ./build_product --debug ocp4 rhcos4
 
       FROM registry.access.redhat.com/ubi8/ubi-minimal
       WORKDIR /
$ ./utils/build_ds_container.py -c -p
2026-03-26 11:39:54,642:INFO: Building content for ocp4, rhcos4
...
2026-03-26 11:43:10,806:INFO: Build status: Running
2026-03-26 11:43:15,440:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2026-03-26 11:43:19,447:INFO: Created profile bundles for ocp4, rhcos4
$ oc get pod
NAME                                                      READY   STATUS      RESTARTS      AGE
compliance-operator-54dd495bbb-wpn2b                      1/1     Running     2 (76m ago)   76m
ocp4-openshift-compliance-pp-57d9c88555-5ccpv             1/1     Running     0             76m
openscap-ocp4-ds-3-build                                  0/1     Completed   0             4m56s
rhcos4-openshift-compliance-pp-5d6fb55f67-lchn6           1/1     Running     0             76m
upstream-ocp4-openshift-compliance-pp-7f856fd4-2m8q2      1/1     Running     0             100s
upstream-rhcos4-openshift-compliance-pp-f7d968bc6-prwvg   1/1     Running     0             98s
$ oc get pb 
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                             VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                           PENDING
$ oc get profiles -n openshift-compliance -o json | \
  jq -r '.items[] | select(.metadata.annotations["compliance.openshift.io/scanner-type"] == "CEL") | .metadata.name'
upstream-ocp4-cis-vm-extension
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
upstream-ocp4-kubevirt-enforce-trusted-tls-registries
upstream-ocp4-kubevirt-no-permitted-host-devices
upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory
upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled
upstream-ocp4-kubevirt-persistent-reservation-disabled
$ oc get profile upstream-ocp4-cis-vm-extension -o=jsonpath={.rules} | jq -r
[
  "upstream-ocp4-kubevirt-enforce-trusted-tls-registries",
  "upstream-ocp4-kubevirt-no-permitted-host-devices",
  "upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory",
  "upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled",
  "upstream-ocp4-kubevirt-persistent-reservation-disabled"
]

Vincent056

I think the PR looks good, just some questions on formatting and templating.

yuumasato · 2026-03-27T12:12:30Z

@xiaojiey Thanks, instead of removing '--datastream-only' I have added a new parameter '--cel-content=ocp4'.
This way we don't unnecessarily build targets we don't need in our images.

xiaojiey · 2026-03-30T13:18:01Z

@yuumasato Thanks for the update. Now with/without CEL profiles, the profiles can be created successfully.

$ ./build_product ocp4
$ ./utils/build_ds_container.py -c -p
2026-03-30 21:07:10,260:INFO: Building content for ocp4, rhcos4
...
2026-03-30 21:10:28,765:INFO: Build status: Running
2026-03-30 21:10:32,503:INFO: Build status: Running
2026-03-30 21:10:37,081:INFO: Your image is available at image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds
2026-03-30 21:10:41,313:INFO: Created profile bundles for ocp4, rhcos4
$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                             VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                           VALID
$ oc get profiles -n openshift-compliance -o json | \
  jq -r '.items[] | select(.metadata.annotations["compliance.openshift.io/scanner-type"] == "CEL") | .metadata.name'
upstream-ocp4-cis-vm-extension
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
upstream-ocp4-kubevirt-enforce-trusted-tls-registries
upstream-ocp4-kubevirt-no-permitted-host-devices
upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory
upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled
upstream-ocp4-kubevirt-persistent-reservation-disabled
$ oc get profile upstream-ocp4-cis-vm-extension -o=jsonpath={.rules} | jq -r
[
  "upstream-ocp4-kubevirt-enforce-trusted-tls-registries",
  "upstream-ocp4-kubevirt-no-permitted-host-devices",
  "upstream-ocp4-kubevirt-no-vms-overcommitting-guest-memory",
  "upstream-ocp4-kubevirt-nonroot-feature-gate-is-enabled",
  "upstream-ocp4-kubevirt-persistent-reservation-disabled"
]

xiaojiey · 2026-03-30T13:18:32Z

/retest

Mab879

Please update shared/schemas as well.
Use underscoes to separate words, as this project follows the Python style.
- scannerType -> scanner_type
- checkType -> checkType
- etc
The style guide needs to be updated as well for the new fields

yuumasato · 2026-04-01T21:34:16Z

@Mab879 I have moved the CEL specific keys to its own file.

Add a new build-script along with a new output type that builds the CEL rules into the yaml that can be loaded by Compliance Operator.

Copies the CEL content file to the content images.

Adds --cel-content parameter that takes a comma separated list of products to build cel-content for. Add the new parameter with OCP4 product where it makes sense.

With addition of '--cel-content' as an option to build CEL content. And with it being additional to data stream builds, having '--datastream-only' parameter feels weird. This add '--datastream' so that we can move away from '--datastream-only' and be more consistent.

Keep only the --datastream option, which builds the CMake target that generates the data stream files, in addition to any other target defined during script invocation.

Keeps the fields pertainint to CEL scanning engine separate from the rule.yml, which can remain agnostic. This facilitates the implementation of templates later on. 'scanner_type' is completely removed from rules, and inferred by presence of 'cel' directory or presence of 'expression' and 'input' keys.

Prefer the --datastream option that accommodates the use of --cel-content argument.

The failure_reason field is specific to the CEL checking engine.

openshift-ci · 2026-04-21T11:24:44Z

@yuumasato: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-openshift-platform-compliance	`c9f98a0`	link	true	`/test e2e-aws-openshift-platform-compliance`

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

jan-cerny

Looks good to me. I'm able to build OCP 4 CEL file successfully.

Mab879 · 2026-04-21T19:14:45Z

@Vincent056 or @rhmdnd can you double check this before we merge?

rhmdnd

/lgtm

yuumasato requested review from Anna-Koudelkova, Vincent056 and xiaojiey March 24, 2026 23:25

yuumasato requested review from Mab879, ggbecker, jan-cerny, marcusburghardt, matusmarhefka and vojtapolasek as code owners March 24, 2026 23:25

jan-cerny added the OpenShift OpenShift product related. label Mar 25, 2026

Vincent056 mentioned this pull request Mar 25, 2026

Add Python CEL content bundler and integrate into Konflux build #14589

Closed

3 tasks

yuumasato force-pushed the add-cel-rules branch from e7d189f to af527ae Compare March 25, 2026 21:27

yuumasato force-pushed the add-cel-rules branch from af527ae to 188024f Compare March 25, 2026 21:41

yuumasato added this to the 0.1.81 milestone Mar 25, 2026

yuumasato force-pushed the add-cel-rules branch from 188024f to 25fe7a6 Compare March 25, 2026 23:43

Vincent056 reviewed Mar 26, 2026

View reviewed changes

Comment thread applications/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled/rule.yml Outdated

Vincent056 reviewed Mar 26, 2026

View reviewed changes

Comment thread ssg/build_yaml.py Outdated

yuumasato changed the title ~~Add support for CEL based rules and profiles~~ CMP-4040, CMP-4041: Add support for CEL based rules and profiles Mar 30, 2026

Mab879 requested changes Mar 31, 2026

View reviewed changes

Comment thread build_product Outdated

yuumasato force-pushed the add-cel-rules branch 3 times, most recently from 9fde596 to 2772f94 Compare April 1, 2026 21:32

yuumasato added 13 commits April 13, 2026 14:20

Add support for building CEL content

1b24d30

Add a new build-script along with a new output type that builds the CEL rules into the yaml that can be loaded by Compliance Operator.

Add tests for the CEL build-script

f5ae297

Document CEL Rules and its usage

3223dd7

Include and ship the CEL content file

d3e1455

Copies the CEL content file to the content images.

Include CEL content in PBs created by build_ds_container.py

a6fa372

Implement parameter to build cel-content

3d28f8e

Adds --cel-content parameter that takes a comma separated list of products to build cel-content for. Add the new parameter with OCP4 product where it makes sense.

Adjust CEL Rules keys to snake case

f2fda3a

Document CEL rules in json schema

68a64e2

Improve docs and style guides with CEL rules info

56c18e2

Remove nonsensical --no-datastream option

58619f0

Keep only the --datastream option, which builds the CMake target that generates the data stream files, in addition to any other target defined during script invocation.

build_product: Set --datastream-only as deprecated

751a5cc

Prefer the --datastream option that accommodates the use of --cel-content argument.

yuumasato force-pushed the add-cel-rules branch from edf602f to 751a5cc Compare April 13, 2026 12:22

yuumasato requested review from Mab879 and jan-cerny April 13, 2026 12:24

jan-cerny reviewed Apr 16, 2026

View reviewed changes

Comment thread docs/manual/developer/02_building_complianceascode.md Outdated

Comment thread docs/manual/developer/03_creating_content.md Outdated

Comment thread .claude/CLAUDE.md Outdated

Comment thread products/ocp4/profiles/cis-vm-extension.profile Outdated

yuumasato added 4 commits April 21, 2026 12:40

Move 'failure_reason' from rule to CEL file

39147cb

The failure_reason field is specific to the CEL checking engine.

Small clarification on how CEL rules are picked up

4744db9

Fix profile description typo

34ffc88

Update references to CEL documentation

c9f98a0

yuumasato requested a review from jan-cerny April 21, 2026 10:51

jan-cerny approved these changes Apr 21, 2026

View reviewed changes

Mab879 requested changes Apr 21, 2026

View reviewed changes

Comment thread applications/openshift-virtualization/kubevirt-no-permitted-host-devices/cel/shared.yml

Mab879 approved these changes Apr 21, 2026

View reviewed changes

rhmdnd approved these changes Apr 21, 2026

View reviewed changes

rhmdnd merged commit 85004fc into ComplianceAsCode:master Apr 21, 2026
61 of 65 checks passed

yuumasato deleted the add-cel-rules branch April 22, 2026 08:00

Conversation

yuumasato commented Mar 24, 2026

Description:

Rationale:

Review Hints:

Uh oh!

xiaojiey commented Mar 25, 2026

Uh oh!

yuumasato commented Mar 25, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

xiaojiey commented Mar 26, 2026

Uh oh!

Uh oh!

Vincent056 left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yuumasato commented Mar 27, 2026

Uh oh!

xiaojiey commented Mar 30, 2026

Uh oh!

xiaojiey commented Mar 30, 2026

Uh oh!

Mab879 left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

yuumasato commented Apr 1, 2026

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

openshift-ci Bot commented Apr 21, 2026

Uh oh!

jan-cerny left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Mab879 commented Apr 21, 2026

Uh oh!

rhmdnd left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

6 participants

yuumasato commented Mar 25, 2026 •

edited

Loading

Mab879 left a comment •

edited

Loading