CMP-3765: Bootstrap samples for OpenShift Virt profile (#813)

Let's use the config samples to show how users can write CustomRule
resources to harden an OpenShift virtualization cluster. These updates
are isolated to an openshift-virtualization directory with a
kustomization file so that they're easy to reuse and apply in existing
clusters (e.g., oc apply -k config/samples/custom-rules/openshift-virtualization/).

This idea can be expanded on to show how other contributors and teams
can ship their own content for the Compliance Operator, and bundle it
such that it can be reused by others.

One potential future workflow would be reuse this idea by putting
necessary rules in a directory, build the rules and rbac changes into a
scratch image, upload the image to registry, and reuse the profile
bundle feature to parse the rules and load them into the compliance
operator.

Author: rhmdnd

config/samples/custom-rules/openshift-virtualization/README.md

@@ -0,0 +1,30 @@
+# OpenShift Virtualization Hardening with `CustomRule`
+
+The Compliance Operator (version 1.8.0 and newer) includes a `CustomRule`
+Custom Resource Definition (CRD). This feature allows you to write your own
+compliance checks.
+
+This collection of samples demonstrates how to use `CustomRule` to harden an
+OpenShift Virtualization cluster.
+
+## Running a Scan
+
+The following command applies all the `CustomRule` resources in this directory,
+bundles them into a `TailoredProfile`, and immediately starts a compliance
+scan:
+
+```bash
+$ oc apply -k config/samples/custom-rules/openshift-virtualization
+```
+
+This scan will produce `ComplianceCheckResult` resources, one for each rule.
+You can monitor the progress of the scan and view the results using this
+command:
+
+```bash
+$ oc get suites,scans,compliancecheckresults
+```
+
+The `kustomization.yaml` file in this directory contains the full workflow
+using the rules, profiles, bindings, and permissions for the Compliance
+Operator to execute these checks.

config/samples/custom-rules/openshift-virtualization/kubevirt-no-permitted-host-devices.yaml

@@ -0,0 +1,42 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: CustomRule
+metadata:
+  name: kubevirt-no-permitted-host-devices
+  namespace: openshift-compliance
+spec:
+  title: "KubeVirt Must Not Permit Host Devices"
+  id: kubevirt_no_permitted_host_devices
+  description: |-
+    Host devices should not be permitted to virtualization workloads unless
+    absolutely necessary for workload execution. Allowing host devices provides
+    direct access to host hardware, which can introduce security risks including
+    unauthorized access to sensitive hardware resources, potential for privilege
+    escalation, and bypass of virtualization security boundaries.
+
+    By default, no host devices should be trusted or permitted for use by
+    virtualization workloads.
+  failureReason: |-
+    The '.spec.permittedHostDevices' field is set in the 'kubevirt-hyperconverged'
+    resource, allowing host devices to be used by virtualization workloads.
+  severity: Medium
+  checkType: Platform
+  scannerType: CEL
+  inputs:
+    - name: hcoList
+      kubernetesInputSpec:
+        apiVersion: hco.kubevirt.io/v1beta1
+        resource: hyperconvergeds
+  expression: |
+    hcoList.items.filter(h,
+        h.metadata.name == 'kubevirt-hyperconverged' &&
+        h.metadata.namespace == 'openshift-cnv'
+    ).size() == 1 &&
+    hcoList.items.filter(h,
+        h.metadata.name == 'kubevirt-hyperconverged' &&
+        h.metadata.namespace == 'openshift-cnv'
+    ).all(h,
+        !has(h.spec.permittedHostDevices) ||
+        h.spec.permittedHostDevices == null ||
+        (has(h.spec.permittedHostDevices.pciHostDevices) && size(h.spec.permittedHostDevices.pciHostDevices) == 0) &&
+        (has(h.spec.permittedHostDevices.mediatedDevices) && size(h.spec.permittedHostDevices.mediatedDevices) == 0)
+    )

config/samples/custom-rules/openshift-virtualization/kubevirt-nonroot-feature-gate-is-enabled.yaml

@@ -0,0 +1,37 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: CustomRule
+metadata:
+  name: kubevirt-nonroot-feature-gate-is-enabled
+  namespace: openshift-compliance
+spec:
+  title: "KubeVirt nonRoot Feature Gate Must Be Enabled"
+  id: kubevirt_nonroot_feature_gate_is_enabled
+  description: |-
+    Unauthorized access to a root account without restrictions implemented by
+    the nonRoot feature introduces the risk of unintended or unauthorized
+    access to privilege elevation and the ability to perform administrative
+    tasks.
+  failureReason: |-
+    The '.spec.featureGates.nonRoot' field is missing or not set to 'true' in
+    the 'kubevirt-hyperconverged' resource.
+  severity: Medium
+  checkType: Platform
+  scannerType: CEL
+  inputs:
+    - name: hcoList
+      kubernetesInputSpec:
+        apiVersion: hco.kubevirt.io/v1beta1
+        resource: hyperconvergeds
+  expression: |
+    hcoList.items.filter(h,
+        h.metadata.name == 'kubevirt-hyperconverged' &&
+        h.metadata.namespace == 'openshift-cnv'
+    ).size() == 1 &&
+    hcoList.items.filter(h,
+        h.metadata.name == 'kubevirt-hyperconverged' &&
+        h.metadata.namespace == 'openshift-cnv'
+    ).all(h,
+        has(h.spec.featureGates) &&
+        has(h.spec.featureGates.nonRoot) &&
+        h.spec.featureGates.nonRoot == true
+    )

config/samples/custom-rules/openshift-virtualization/kubevirt-persistent-reservation-disabled.yaml

@@ -0,0 +1,39 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: CustomRule
+metadata:
+  name: kubevirt-persistent-reservation-disabled
+  namespace: openshift-compliance
+spec:
+  title: "KubeVirt Persistent Reservation Feature Gate Must Be Disabled"
+  id: kubevirt_persistent_reservation_disabled
+  description: |-
+    The persistent reservation feature gate in KubeVirt allows virtual machines
+    to use SCSI persistent reservations, which provide exclusive access to shared
+    storage. This feature should be disabled unless explicitly required for
+    workload operation, as it can introduce security risks by allowing VMs to
+    claim exclusive access to storage resources, potentially impacting availability
+    and enabling resource manipulation outside normal access controls.
+  failureReason: |-
+    The '.spec.featureGates.persistentReservation' field is missing, not set,
+    or not set to 'false' in the 'kubevirt-hyperconverged' resource.
+  severity: Medium
+  checkType: Platform
+  scannerType: CEL
+  inputs:
+    - name: hcoList
+      kubernetesInputSpec:
+        apiVersion: hco.kubevirt.io/v1beta1
+        resource: hyperconvergeds
+  expression: |
+    hcoList.items.filter(h,
+        h.metadata.name == 'kubevirt-hyperconverged' &&
+        h.metadata.namespace == 'openshift-cnv'
+    ).size() == 1 &&
+    hcoList.items.filter(h,
+        h.metadata.name == 'kubevirt-hyperconverged' &&
+        h.metadata.namespace == 'openshift-cnv'
+    ).all(h,
+        has(h.spec.featureGates) &&
+        has(h.spec.featureGates.persistentReservation) &&
+        h.spec.featureGates.persistentReservation == false
+    )

config/samples/custom-rules/openshift-virtualization/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+  - ocp-virt-permissions.yaml
+  - ocp-virt-rbac-binding.yaml
+  - kubevirt-nonroot-feature-gate-is-enabled.yaml
+  - kubevirt-no-permitted-host-devices.yaml
+  - kubevirt-persistent-reservation-disabled.yaml
+  - tailored-profile.yaml
+  - scan-setting-binding.yaml

config/samples/custom-rules/openshift-virtualization/ocp-virt-permissions.yaml

@@ -0,0 +1,13 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: ocp-virt-api-resource-collector
+rules:
+  - apiGroups:
+      - hco.kubevirt.io
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch

config/samples/custom-rules/openshift-virtualization/ocp-virt-rbac-binding.yaml

@@ -0,0 +1,13 @@
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: ocp-virt-api-resource-collector
+subjects:
+  - kind: ServiceAccount
+    name: api-resource-collector
+    namespace: openshift-compliance
+roleRef:
+  kind: ClusterRole
+  name: ocp-virt-api-resource-collector
+  apiGroup: rbac.authorization.k8s.io

config/samples/custom-rules/openshift-virtualization/scan-setting-binding.yaml

@@ -0,0 +1,13 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: ScanSettingBinding
+metadata:
+  name: openshift-virt-binding
+  namespace: openshift-compliance
+profiles:
+  - apiGroup: compliance.openshift.io/v1alpha1
+    kind: TailoredProfile
+    name: openshift-virt-platform-checks
+settingsRef:
+  apiGroup: compliance.openshift.io/v1alpha1
+  kind: ScanSetting
+  name: default

config/samples/custom-rules/openshift-virtualization/tailored-profile.yaml

@@ -0,0 +1,31 @@
+apiVersion: compliance.openshift.io/v1alpha1
+kind: TailoredProfile
+metadata:
+  name: openshift-virt-platform-checks
+  namespace: openshift-compliance
+spec:
+  description: Custom security checks for OpenShift Virtualization
+  enableRules:
+    - kind: CustomRule
+      name: kubevirt-nonroot-feature-gate-is-enabled
+      rationale: |-
+        Unauthorized access to a root account without restrictions implemented
+        by the nonRoot feature introduces the risk of unintended or
+        unauthorized access to privilege elevation and the ability to perform
+        administrative tasks.
+    - kind: CustomRule
+      name: kubevirt-no-permitted-host-devices
+      rationale: |-
+        Host devices should not be permitted to virtualization workloads unless
+        absolutely necessary. Allowing host devices provides direct access to
+        host hardware, which can introduce security risks including
+        unauthorized access to sensitive hardware resources and potential
+        privilege escalation.
+    - kind: CustomRule
+      name: kubevirt-persistent-reservation-disabled
+      rationale: |-
+        The persistent reservation feature gate should be disabled unless
+        explicitly required. This feature allows VMs to claim exclusive access
+        to storage resources, potentially impacting availability and enabling
+        resource manipulation outside normal access controls.
+  title: Platform checks for OpenShift Virtualization