
Add support for CEL based rules and profiles#14597

Open
yuumasato wants to merge 7 commits into ComplianceAsCode:master from yuumasato:add-cel-rules

Conversation

@yuumasato
Member

Description:

  • Adds support for CEL based rules along with documentation and some tests
  • The CEL rules are supported by Compliance Operator, so they are limited to ocp4 product.

Rationale:

  • As we integrate and expand CEL content support for OpenShift with Compliance Operator, we would like to have these rules maintained and developed side by side with other similar security content.

Review Hints:

  • Build OCP4 content and check the 'ocp4-cel-content.yaml' in the build directory.

@xiaojiey
Collaborator

I verified PR #14597 and PR ComplianceAsCode/compliance-operator#1103 together. Generally it is good. The only problem is there is no `COPY --from=builder /content/build/ocp4-cel-content.yaml .` in the BuildConfig; I had to create a BuildConfig manually.
I failed to set up a kubevirt cluster today. Will continue verifying the rules tomorrow.

### Step 1: Build the content locally

```shell
# Build OCP4 product
./build_product ocp4
# Verify CEL content exists
ls -lh build/ocp4-cel-content.yaml
```

### Step 2: Build the content image

#### 2.1. Updated the BuildConfig (this is the code change):

```shell
$ oc apply -f - <<'EOF'
apiVersion: build.openshift.io/v1
kind: BuildConfig
metadata:
  name: openscap-ocp4-ds
  namespace: openshift-compliance
spec:
  output:
    to:
      kind: ImageStreamTag
      name: openscap-ocp4-ds:latest
  runPolicy: Serial
  source:
    dockerfile: |
      FROM registry.fedoraproject.org/fedora-minimal:38 as builder

      WORKDIR /content

      COPY . .

      RUN microdnf -y install cmake make git /usr/bin/python3 python3-pyyaml python3-jinja2 openscap-utils

      RUN ./build_product --debug ocp4 rhcos4

      FROM registry.access.redhat.com/ubi8/ubi-minimal
      WORKDIR /
      COPY --from=builder /content/build/ssg-ocp4-ds.xml .
      COPY --from=builder /content/build/ssg-rhcos4-ds.xml .
      COPY --from=builder /content/build/ocp4-cel-content.yaml .
    type: Dockerfile
  strategy:
    dockerStrategy:
      noCache: true
    type: Docker
  triggers:
  - type: ImageChange
EOF
```

#### 2.2. Triggered a new build:

```shell
$ oc start-build openscap-ocp4-ds -n openshift-compliance --from-dir=.
```

### Step 3: Verified the image contains CEL content

```shell
$ oc run -it --rm verify-cel \
    --image=image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest \
    --restart=Never \
    -n openshift-compliance \
    -- ls -la /
```

### Step 4: Created a ProfileBundle with CEL content

```shell
$ oc apply -f - <<'EOF'
apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  name: ocp4-with-cel
  namespace: openshift-compliance
spec:
  contentImage: image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest
  contentFile: ssg-ocp4-ds.xml
  celContentFile: ocp4-cel-content.yaml
EOF
```

### Step 5: Check the result

```shell
$ oc get pb
NAME              CONTENTIMAGE                                                                                    CONTENTFILE         CELCONTENTFILE          STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest                                                      ssg-ocp4-ds.xml                             VALID
ocp4-with-cel     image-registry.openshift-image-registry.svc:5000/openshift-compliance/openscap-ocp4-ds:latest   ssg-ocp4-ds.xml     ocp4-cel-content.yaml   VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest                                                      ssg-rhcos4-ds.xml                           VALID
upstream-ocp4     openscap-ocp4-ds:latest                                                                         ssg-ocp4-ds.xml                             VALID
upstream-rhcos4   openscap-ocp4-ds:latest                                                                         ssg-rhcos4-ds.xml                           VALID
$ oc get rules -n openshift-compliance -o json | jq -r '.items[] | select(.scannerType == "CEL") | .metadata.name'
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries
ocp4-with-cel-kubevirt-no-permitted-host-devices
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled
ocp4-with-cel-kubevirt-persistent-reservation-disabled
$ oc get rules | grep kubevirt
ocp4-with-cel-kubevirt-enforce-trusted-tls-registries                                        7m7s
ocp4-with-cel-kubevirt-no-permitted-host-devices                                             7m7s
ocp4-with-cel-kubevirt-no-vms-overcommitting-guest-memory                                    7m7s
ocp4-with-cel-kubevirt-nonroot-feature-gate-is-enabled                                       7m7s
ocp4-with-cel-kubevirt-persistent-reservation-disabled                                       7m7s
```
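
The verification above lists CEL rules with a jq filter; the commit message in this PR also states that the new profile should leverage CEL rules exclusively. The following is an added offline check, not code from the PR or from Compliance Operator, that runs over saved `oc get rules -o json` and `oc get profile -o json` output: it reproduces the jq selection on the top-level `scannerType` field seen in the comment and reports any rule a profile references that is not a CEL rule or is absent from the Rule list. The JSON samples are constructed, and the assumption that a Profile object lists its rule names in a top-level `rules` field is marked in the code.

```python
import json

# Constructed, abridged stand-in for `oc get rules -n openshift-compliance -o json`.
# The two kubevirt names and the top-level scannerType field come from the PR
# comment; the "example-platform-rule" entry is made up to exercise the check.
RULES_JSON = json.dumps({"items": [
    {"metadata": {"name": "ocp4-with-cel-kubevirt-no-permitted-host-devices"},
     "scannerType": "CEL"},
    {"metadata": {"name": "ocp4-with-cel-kubevirt-persistent-reservation-disabled"},
     "scannerType": "CEL"},
    {"metadata": {"name": "ocp4-with-cel-example-platform-rule"},
     "scannerType": "Platform"},
]})

# Constructed Profile object. Assumption: a Compliance Operator Profile lists
# the names of its rules in a top-level `rules` field.
PROFILE_JSON = json.dumps({
    "metadata": {"name": "ocp4-with-cel-example-profile"},
    "rules": [
        "ocp4-with-cel-kubevirt-no-permitted-host-devices",
        "ocp4-with-cel-kubevirt-persistent-reservation-disabled",
        "ocp4-with-cel-example-platform-rule",
    ],
})


def rules_by_scanner(rules_json: str) -> dict:
    """Map rule name -> scannerType; rules lacking the field are 'unknown'."""
    doc = json.loads(rules_json)
    return {r["metadata"]["name"]: r.get("scannerType", "unknown")
            for r in doc.get("items", [])}


def cel_rule_names(rules_json: str) -> list:
    """Same selection as the jq filter in the comment: rules with scannerType CEL."""
    return sorted(n for n, t in rules_by_scanner(rules_json).items() if t == "CEL")


def non_cel_rules_in_profile(rules_json: str, profile_json: str) -> list:
    """(name, scannerType) for profile rules that are not CEL rules; a rule the
    profile names but the Rule list does not contain is reported as 'missing'."""
    scanners = rules_by_scanner(rules_json)
    profile = json.loads(profile_json)
    return [(name, scanners.get(name, "missing"))
            for name in profile.get("rules", [])
            if scanners.get(name) != "CEL"]
```

An empty result from `non_cel_rules_in_profile` on a real dump means every rule the profile names is present and CEL-backed.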

jan-cerny added the OpenShift (OpenShift product related) label on Mar 25, 2026
@openshift-ci

openshift-ci bot commented Mar 25, 2026

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
|---|---|---|---|---|
| ci/prow/e2e-aws-openshift-node-compliance | e7d189f | link | true | /test e2e-aws-openshift-node-compliance |
| ci/prow/e2e-aws-openshift-platform-compliance | e7d189f | link | true | /test e2e-aws-openshift-platform-compliance |
| ci/prow/4.16-images | e7d189f | link | true | /test 4.16-images |
| ci/prow/images | e7d189f | link | true | /test images |
| ci/prow/4.20-images | e7d189f | link | true | /test 4.20-images |
| ci/prow/4.21-images | e7d189f | link | true | /test 4.21-images |
| ci/prow/4.19-images | e7d189f | link | true | /test 4.19-images |
| ci/prow/4.17-images | e7d189f | link | true | /test 4.17-images |
| ci/prow/4.18-images | e7d189f | link | true | /test 4.18-images |
| ci/prow/4.14-images | e7d189f | link | true | /test 4.14-images |
| ci/prow/4.12-images | e7d189f | link | true | /test 4.12-images |

We expect this profile to exclusively leverage the CEL rules.
Add a new build-script along with a new output type that builds the CEL
rules into the yaml that can be loaded by Compliance Operator.
Copies the CEL content file to the content images.
@yuumasato
Member Author

yuumasato commented Mar 25, 2026

Thanks for the review @xiaojiey.

Hopefully I have addressed the BuildConfig issue in 188024f.
Regarding the kubevirt rules, there is no need to thoroughly test them now. They won't be shipped downstream yet.

yuumasato added this to the 0.1.81 milestone on Mar 25, 2026