Enable all XCCDF groups when TP extends a profile#1199

Open
yuumasato wants to merge 1 commit intoComplianceAsCode:masterfrom
yuumasato:enable-all-xccdf-groups-when-TP-extends

Conversation

@yuumasato
Member

@yuumasato yuumasato commented Apr 30, 2026

Keep track of all XCCDF Groups in the ProfileBundle and always enable them when a TailoredProfile extends a Profile.

This ensures that any rule that is enabled has its parent Group enabled as well, ensuring that OpenSCAP can get to the rule that was enabled.

If a TailoredProfile enables a rule that is not part of an XCCDF group enabled by the extended profile, the rule won't be enabled at all by OpenSCAP. This is because data stream traversal will stop at the disabled group.

Issue discovered when testing ComplianceAsCode/content#14665

  • Add tests for a TP with extends and rules out of the extended profile's enabled groups.

Keep track of all XCCDF Groups in the ProfileBundle and always enable
them when a TailoredProfile extends a Profile.

This ensures that any rule that is enabled has its parent Group enabled
as well, ensuring that OpenSCAP can get to the rule that was enabled.
@openshift-ci

openshift-ci Bot commented Apr 30, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@yuumasato
Member Author

The ProfileBundle ends up looking like this:

apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  annotations:
    compliance.openshift.io/xccdf-groups: xccdf_org.ssgproject.content_group_openshift,xccdf_org.ssgproject.content_group_integrity,xccdf_org.ssgproject.content_group_crypto,xccdf_org.ssgproject.content_group_accounts,xccdf_org.ssgproject.content_group_api-server,xccdf_org.ssgproject.content_group_authentication,xccdf_org.ssgproject.content_group_confinement,xccdf_org.ssgproject.content_group_controller,xccdf_org.ssgproject.content_group_etcd,xccdf_org.ssgproject.content_group_general,xccdf_org.ssgproject.content_group_high-availability,xccdf_org.ssgproject.content_group_kubelet,xccdf_org.ssgproject.content_group_logging,xccdf_org.ssgproject.content_group_master,xccdf_org.ssgproject.content_group_networking,xccdf_org.ssgproject.content_group_openshift-api-server,xccdf_org.ssgproject.content_group_rbac,xccdf_org.ssgproject.content_group_registry,xccdf_org.ssgproject.content_group_risk-assessment,xccdf_org.ssgproject.content_group_scc,xccdf_org.ssgproject.content_group_scheduler,xccdf_org.ssgproject.content_group_secrets,xccdf_org.ssgproject.content_group_worker
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"compliance.openshift.io/v1alpha1","kind":"ProfileBundle","metadata":{"annotations":{},"name":"upstream-ocp4","namespace":"openshift-compliance"},"spec":{"contentFile":"ssg-ocp4-ds.xml","contentImage":"openscap-ocp4-ds:latest"}}
  creationTimestamp: "2026-04-30T23:40:49Z"
  finalizers:
  - profilebundle.finalizers.compliance.openshift.io
  generation: 1
  name: upstream-ocp4
  namespace: openshift-compliance
  resourceVersion: "104608"
  uid: a502564d-d947-4187-a72a-d030d8223c12
spec:
  contentFile: ssg-ocp4-ds.xml
  contentImage: openscap-ocp4-ds:latest
status:
  conditions:
  - lastTransitionTime: "2026-04-30T23:41:04Z"
    message: Profile bundle successfully parsed
    reason: Valid
    status: "True"
    type: Ready
  dataStreamStatus: VALID
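The failure mode the PR description explains and the annotation the ProfileBundle above now carries, as an added Go example that is not part of the compliance-operator code base: it parses the compliance.openshift.io/xccdf-groups annotation, assembles the select list a tailoring would contain (inherited selections, then every group from the annotation, then the rules the TailoredProfile enables), and walks a constructed benchmark the way OpenSCAP does, not descending into an unselected group. The benchmark tree, the base profile's selections and the rule IDs (xccdf_org.ssgproject.content_rule_accounts_example, xccdf_org.ssgproject.content_rule_etcd_example) are constructed for illustration; the group IDs are taken from the annotation shown above. In the constructed content, rules are unselected by default and are enabled only by explicit selects.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	// Annotation key the PR adds to the ProfileBundle to record every XCCDF Group.
	GroupsAnnotation = "compliance.openshift.io/xccdf-groups"
	// Hypothetical rule IDs, constructed for this example only.
	accountsRule = "xccdf_org.ssgproject.content_rule_accounts_example"
	etcdRule     = "xccdf_org.ssgproject.content_rule_etcd_example"
)

// GroupsFromAnnotation parses the comma-separated annotation value into a
// deduplicated list of group IDs; a missing or empty annotation yields nil.
func GroupsFromAnnotation(ann map[string]string) []string {
	seen := make(map[string]bool)
	var ids []string
	for _, id := range strings.Split(ann[GroupsAnnotation], ",") {
		if id = strings.TrimSpace(id); id != "" && !seen[id] {
			seen[id] = true
			ids = append(ids, id)
		}
	}
	return ids
}

// Item is a minimal XCCDF item: a Group (Children != nil) or a Rule (leaf).
// Selected is the item's own default; profile <select> elements override it.
type Item struct {
	ID       string
	Selected bool
	Children []*Item
}

// Selection is one <select idref="..." selected="..."/>; later entries win.
type Selection struct {
	IDRef    string
	Selected bool
}

// ProfileSelects assembles a TailoredProfile's effective select list: what it
// inherits from the extended profile, then (the fix) every group recorded in
// the ProfileBundle annotation, then the rules the TP itself enables.
func ProfileSelects(extended []Selection, groups, enableRules []string) []Selection {
	out := append([]Selection{}, extended...)
	for _, g := range groups {
		out = append(out, Selection{IDRef: g, Selected: true})
	}
	for _, r := range enableRules {
		out = append(out, Selection{IDRef: r, Selected: true})
	}
	return out
}

// EvaluatedRules walks the benchmark as OpenSCAP does: an unselected group is
// not descended into, so a selected rule beneath it is never evaluated.
func EvaluatedRules(root *Item, selects []Selection) []string {
	eff := make(map[string]bool)
	for _, s := range selects {
		eff[s.IDRef] = s.Selected
	}
	var out []string
	var walk func(it *Item)
	walk = func(it *Item) {
		if sel, ok := eff[it.ID]; (ok && !sel) || (!ok && !it.Selected) {
			return // unselected: nothing beneath this item is reachable
		}
		if it.Children == nil {
			out = append(out, it.ID)
			return
		}
		for _, c := range it.Children {
			walk(c)
		}
	}
	walk(root)
	return out
}

// DemoBenchmark is constructed content: group_accounts and group_etcd are
// unselected by default, and rules are enabled only by explicit selects.
func DemoBenchmark() *Item {
	return &Item{ID: "xccdf_org.ssgproject.content_benchmark_example", Selected: true, Children: []*Item{
		{ID: "xccdf_org.ssgproject.content_group_openshift", Selected: true, Children: []*Item{
			{ID: "xccdf_org.ssgproject.content_group_accounts", Children: []*Item{{ID: accountsRule}}},
			{ID: "xccdf_org.ssgproject.content_group_etcd", Children: []*Item{{ID: etcdRule}}},
		}},
	}}
}

func main() {
	ann := map[string]string{GroupsAnnotation: "xccdf_org.ssgproject.content_group_openshift,xccdf_org.ssgproject.content_group_accounts,xccdf_org.ssgproject.content_group_etcd"}
	// The extended profile selects only group_etcd and its rule; the TP enables a rule under group_accounts.
	base := []Selection{{IDRef: "xccdf_org.ssgproject.content_group_etcd", Selected: true}, {IDRef: etcdRule, Selected: true}}
	tpEnables := []string{accountsRule}
	before := EvaluatedRules(DemoBenchmark(), ProfileSelects(base, nil, tpEnables))
	after := EvaluatedRules(DemoBenchmark(), ProfileSelects(base, GroupsFromAnnotation(ann), tpEnables))
	fmt.Println("without group selects:", before) // accounts rule silently skipped
	fmt.Println("with group selects:   ", after)  // both rules evaluated
}
```

The practitioner's check after extending a profile this way is that every rule the TailoredProfile enables actually shows up in the scan's results; a rule that is absent from the results, rather than passing or failing, is what a never-traversed group looks like from the outside.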

@github-actions

github-actions Bot commented May 1, 2026

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1199-564c3e0416ca3abcc61729bde6ec3f429a20d6a7

@openshift-ci

openshift-ci Bot commented May 1, 2026

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/e2e-rosa 564c3e0 link true /test e2e-rosa
ci/prow/e2e-aws-serial 564c3e0 link true /test e2e-aws-serial
ci/prow/e2e-aws-parallel 564c3e0 link true /test e2e-aws-parallel
ci/prow/e2e-aws-parallel-arm 564c3e0 link true /test e2e-aws-parallel-arm

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.


@sebrandon1 sebrandon1 left a comment

Just some comments.

Comment thread pkg/xccdf/tailoring.go
func TailoredProfileToXML(tp *cmpv1alpha1.TailoredProfile, p *cmpv1alpha1.Profile, pb *cmpv1alpha1.ProfileBundle, rules map[string]*cmpv1alpha1.Rule, variables []*cmpv1alpha1.Variable) (string, error) {
// Extract group IDs from ProfileBundle annotation if this TP extends a profile
var groupIDs []string
if p != nil {
Should this also check if pb is nil?

pb.SetAnnotations(annotations)

// Update the ProfileBundle with the new annotation
if err := pcfg.Client.Update(context.TODO(), pb); err != nil {
Should this be Patch to avoid updating the entire object?
