CMP-3765: Add customRule enforce-trusted-tls-registries

[Anna-Koudelkova]

Sketch of a rule for enforcing using only registries using TLS.

This is more of a fun and play than actual help, feel free to close this immediately - thanks a lot for including me in the meeting!

[openshift-ci]

Hi @Anna-Koudelkova. Thanks for your PR.

I'm waiting for a github.com member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[openshift-ci-robot]

@Anna-Koudelkova: This pull request references CMP-3765 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.21.0" version, but no target version was set.

Details

In response to this:

Sketch of a rule for enforcing using only registries using TLS.

This is more of a fun and play than actual help, feel free to close this immediately - thanks a lot for including me in the meeting!

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[rhmdnd]

Since we're dealing with a singular resource we can use hco.

[rhmdnd]

Then we should be able to simplify this to:

expression: |-
    !has(hco.spec.storageImport) ||
    hco.spec.storageImport.insecureRegistries.size() == 0

[rhmdnd]

Nice work 🎉

I was able to get this working on a live cluster with just a few changes:

diff --git a/config/samples/custom-rules/openshift-virtualization/kubevirt-enforce-trusted-tls-registries.yaml b/config/samples/custom-rules/openshift-virtualization/kubevirt-enforce-trusted-tls-registries.yaml
index 550bbbcc4..6c9eed345 100644
--- a/config/samples/custom-rules/openshift-virtualization/kubevirt-enforce-trusted-tls-registries.yaml
+++ b/config/samples/custom-rules/openshift-virtualization/kubevirt-enforce-trusted-tls-registries.yaml
@@ -1,11 +1,11 @@
 apiVersion: compliance.openshift.io/v1alpha1
 kind: CustomRule
 metadata:
-  name: kubevirt-enforce-trusted-tls
+  name: kubevirt-enforce-trusted-tls-registries
   namespace: openshift-compliance
 spec:
   title: "Only trusted registries using TLS can be used"
-  id: kubevirt_enforce_trusted_tls
+  id: kubevirt_enforce_trusted_tls_registries
   description: |-
     By only pulling container images from trusted registries, organizations 
     can reduce the risk of introducing unknown vulnerabilities or malicious 
@@ -18,18 +18,12 @@ spec:
   checkType: Platform
   scannerType: CEL
   inputs:
-    - name: hcoList
+    - name: hco
       kubernetesInputSpec:
         apiVersion: hco.kubevirt.io/v1beta1
         resource: hyperconvergeds
+        resourceName: kubevirt-hyperconverged
+        resourceNamespace: openshift-cnv
   expression: |
-    hcoList.items.filter(h,
-        h.metadata.name == 'kubevirt-hyperconverged' &&
-        h.metadata.namespace == 'openshift-cnv'
-    ).size() == 1 &&
-    hcoList.items.filter(h,
-        h.metadata.name == 'kubevirt-hyperconverged' &&
-        h.metadata.namespace == 'openshift-cnv'
-    ).all(h,
-        h.spec.storageImport.insecureRegistries == null
-    )
+    !has(hco.spec.storageImport) ||
+    hco.spec.storageImport.insecureRegistries.size() == 0

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:845-28c78c95786de1435629cc932b58c4be62a74043

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Anna-Koudelkova

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Anna-Koudelkova]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:845-53d515b86d0f507e6239a4147ec54a323932aee8

[Anna-Koudelkova]

Thanks for the reviews and explanations! I have forgotten this exists for a while - but now it should be rebased and modified based on your suggestions.

[openshift-ci]

@Anna-Koudelkova: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-serial	53d515b	link	true	/test e2e-aws-serial

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.