CMP-4283: Enable all XCCDF groups when TP extends a profile

[yuumasato]

Keep track of all XCCDF Groups in the ProfileBundle and always enable them when a TailoredProfile extends a Profile.

This ensures that any rule that is enabled has its parent Group enabled as well, ensuring that OpenSCAP can get to the rule that was enbled.

If a TailoredProfile enables a rule that is not part of an XCCDF group enabled by the extended profile, the rule won't be enabled at all by OpenSCAP. This is because data stream traversal will stop at the disabled group.

Issue discovered when testing ComplianceAsCode/content#14665

• Add tests for a TP with extends and rules out of the extended profile's enabled groups.

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [yuumasato]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[yuumasato]

The ProfileBundle ends up looking like this:

apiVersion: compliance.openshift.io/v1alpha1
kind: ProfileBundle
metadata:
  annotations:
    compliance.openshift.io/xccdf-groups: xccdf_org.ssgproject.content_group_openshift,xccdf_org.ssgproject.content_group_integrity,xccdf_org.ssgproject.content_group_crypto,xccdf_org.ssgproject.content_group_accounts,xccdf_org.ssgproject.content_group_api-server,xccdf_org.ssgproject.content_group_authentication,xccdf_org.ssgproject.content_group_confinement,xccdf_org.ssgproject.content_group_controller,xccdf_org.ssgproject.content_group_etcd,xccdf_org.ssgproject.content_group_general,xccdf_org.ssgproject.content_group_high-availability,xccdf_org.ssgproject.content_group_kubelet,xccdf_org.ssgproject.content_group_logging,xccdf_org.ssgproject.content_group_master,xccdf_org.ssgproject.content_group_networking,xccdf_org.ssgproject.content_group_openshift-api-server,xccdf_org.ssgproject.content_group_rbac,xccdf_org.ssgproject.content_group_registry,xccdf_org.ssgproject.content_group_risk-assessment,xccdf_org.ssgproject.content_group_scc,xccdf_org.ssgproject.content_group_scheduler,xccdf_org.ssgproject.content_group_secrets,xccdf_org.ssgproject.content_group_worker
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"compliance.openshift.io/v1alpha1","kind":"ProfileBundle","metadata":{"annotations":{},"name":"upstream-ocp4","namespace":"openshift-compliance"},"spec":{"contentFile":"ssg-ocp4-ds.xml","contentImage":"openscap-ocp4-ds:latest"}}
  creationTimestamp: "2026-04-30T23:40:49Z"
  finalizers:
  - profilebundle.finalizers.compliance.openshift.io
  generation: 1
  name: upstream-ocp4
  namespace: openshift-compliance
  resourceVersion: "104608"
  uid: a502564d-d947-4187-a72a-d030d8223c12
spec:
  contentFile: ssg-ocp4-ds.xml
  contentImage: openscap-ocp4-ds:latest
status:
  conditions:
  - lastTransitionTime: "2026-04-30T23:41:04Z"
    message: Profile bundle successfully parsed
    reason: Valid
    status: "True"
    type: Ready
  dataStreamStatus: VALID

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1199-564c3e0416ca3abcc61729bde6ec3f429a20d6a7

[sebrandon1]

Just some comments.

[sebrandon1]

Should this be Patch to avoid updating the entire object?

[openshift-ci-robot]

@yuumasato: This pull request references CMP-4283 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Keep track of all XCCDF Groups in the ProfileBundle and always enable them when a TailoredProfile extends a Profile.

This ensures that any rule that is enabled has its parent Group enabled as well, ensuring that OpenSCAP can get to the rule that was enbled.

If a TailoredProfile enables a rule that is not part of an XCCDF group enabled by the extended profile, the rule won't be enabled at all by OpenSCAP. This is because data stream traversal will stop at the disabled group.

Issue discovered when testing ComplianceAsCode/content#14665

• Add tests for a TP with extends and rules out of the extended profile's enabled groups.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[Vincent056]

Should we surface this error in case the user needs to use those rules, and fail the bundle as an error state? or if we do not want to fail entire profilebundle we could in TailoredProfileToXML, if the annotation is missing AND the TP extends a profile, enable groups based on a query of the live datastream or a sentinel "enable all groups" wildcard.

[yuumasato]

We could have have the ProfileBundle in error state.

Another alternative is to have the tailoring controller extract the groups at creation time, rather than Profile Bundle creation.
That would avoid us having the annotation in PB.

[yuumasato]

I think I prefer the current approach, with an annotation in the ProfileBundle.

[Vincent056]

I think the PR looks good, do you think you could add a unit test to test the parser and also e2e tests for a TP with extends and rules out of the extended profile's enabled groups?

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1199-9f3feacef992691f8a4f601123ddcebb7282613e

[Anna-Koudelkova]

Verification failed with the compliance operator deployed using the image from the PR on OCP 4.22:

Verification steps:

1. Deploy compliance operator from the PR

$ make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1199-9f3feacef992691f8a4f601123ddcebb7282613e

$ oc get csv
NAME                             DISPLAY               VERSION     RELEASE   REPLACES   PHASE
compliance-operator.v1.8.0-dev   Compliance Operator   1.8.0-dev                        Succeeded

2. Checkout the PR CMP-4248 added compliance checks content#14665 and build its content to a profile bundle:

$ oc get pb
NAME              CONTENTIMAGE                                 CONTENTFILE         CELCONTENTFILE   STATUS
ocp4              ghcr.io/complianceascode/k8scontent:latest   ssg-ocp4-ds.xml                      VALID
rhcos4            ghcr.io/complianceascode/k8scontent:latest   ssg-rhcos4-ds.xml                    VALID
upstream-ocp4     openscap-ocp4-ds:latest                      ssg-ocp4-ds.xml                      VALID
upstream-rhcos4   openscap-ocp4-ds:latest                      ssg-rhcos4-ds.xml                    VALID

3. Create a Tailored profile using this yaml file:

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  annotations:
    compliance.openshift.io/product-type: Node
  name: test-profile-extension-rules
  namespace: openshift-compliance
spec:
  extends: upstream-rhcos4-moderate
  description: Testing custom package removal and configuration rules
  title: Test Custom Rules
  enableRules:
    - name: upstream-rhcos4-chronyd-specify-remote-server
      rationale: "Test chronyd remote server configuration"
    - name: upstream-rhcos4-kerberos-disable-no-keytab
      rationale: "Test rule only in default.profile"
      
$ oc get tp
NAME                           STATE
test-profile-extension-rules   READY

4. Create a ssb with said tp and wait for the suite to reach the DONE phase

$ oc compliance bind -N test tailoredprofile/test-profile-extension-rules
Creating ScanSettingBinding test

$ oc get suite -w
NAME   PHASE     RESULT
test   RUNNING   NOT-AVAILABLE
test   RUNNING   NOT-AVAILABLE
test   RUNNING   NOT-AVAILABLE
test   AGGREGATING   NOT-AVAILABLE
test   DONE          NON-COMPLIANT

5. Check the ccrs. Upstream rhcos4-moderate as well as both rules should have ccrs created.

$ oc get ccr | head -10
NAME                                                                                                             STATUS   SEVERITY
test-profile-extension-rules-master-accounts-no-uid-except-zero                                                  PASS     high
test-profile-extension-rules-master-audit-rules-dac-modification-chmod                                           FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-chown                                           FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-fchmod                                          FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-fchmodat                                        FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-fchown                                          FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-fchownat                                        FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-fremovexattr                                    FAIL     medium
test-profile-extension-rules-master-audit-rules-dac-modification-fsetxattr                                       FAIL     medium

$ oc get ccr | grep chronyd-specify-remote-server
test-profile-extension-rules-master-chronyd-specify-remote-server                                                PASS     medium
test-profile-extension-rules-worker-chronyd-specify-remote-server                                                PASS     medium

$ oc get ccr | grep kerberos-disable-no-keytab

--> There is no ccr for rule upstream-rhcos4-kerberos-disable-no-keytab. The rule object itself exists on the cluster:

$ oc get rules |grep upstream-rhcos4-kerberos-disable-no-keytab
upstream-rhcos4-kerberos-disable-no-keytab                                                   90m

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1199-31da5ee27679fefb692d2e44b7e8bb620ae30efe

[Anna-Koudelkova]

Pre-merge verification PASS on OCP 4.22 + CO installed from this PR. ✔️

Premerge verification steps:

1. Install CO from this image ghcr.io/complianceascode/compliance-operator-catalog:1199-31da5ee27679fefb692d2e44b7e8bb620ae30efe
2. Create a tailored profile:

apiVersion: compliance.openshift.io/v1alpha1
kind: TailoredProfile
metadata:
  annotations:
    compliance.openshift.io/product-type: Node
  name: test-profile-extension-rules
  namespace: openshift-compliance
spec:
  extends: rhcos4-moderate
  description: Testing custom package removal and configuration rules
  title: Test Custom Rules
  enableRules:
    - name: rhcos4-chronyd-specify-remote-server
      rationale: "Test chronyd remote server configuration"
    - name: rhcos4-ssh-client-rekey-limit
      rationale: "Test rule only in default.profile"

3. Create ssb with the tailored profile and default scansetting
4. Wait for the suite to reach DONE phase and check the ccr has been generated for both rules

$ oc get ccr | grep ssh-client-rekey-limit
test-profile-extension-rules-master-ssh-client-rekey-limit                                                       FAIL     medium
test-profile-extension-rules-worker-ssh-client-rekey-limit                                                       FAIL     medium

$ oc get ccr | grep chronyd-specify-remote-server 
test-profile-extension-rules-master-chronyd-specify-remote-server                                                PASS     medium
test-profile-extension-rules-worker-chronyd-specify-remote-server                                                PASS     medium

Bonus step: Both profilebundles have metadata annotations:

$ oc get pb ocp4 -ojsonpath='{.metadata.annotations}'
{"compliance.openshift.io/xccdf-groups":"xccdf_org.ssgproject.content_group_openshift,xccdf_org.ssgproject.content_group_integrity,xccdf_org.ssgproject.content_group_crypto,xccdf_org.ssgproject.content_group_accounts,xccdf_org.ssgproject.content_group_api-server,xccdf_org.ssgproject.content_group_authentication,xccdf_org.ssgproject.content_group_confinement,xccdf_org.ssgproject.content_group_controller,xccdf_org.ssgproject.content_group_etcd,xccdf_org.ssgproject.content_group_general,xccdf_org.ssgproject.content_group_high-availability,xccdf_org.ssgproject.content_group_kubelet,xccdf_org.ssgproject.content_group_logging,xccdf_org.ssgproject.content_group_master,xccdf_org.ssgproject.content_group_networking,xccdf_org.ssgproject.content_group_openshift-api-server,xccdf_org.ssgproject.content_group_rbac,xccdf_org.ssgproject.content_group_registry,xccdf_org.ssgproject.content_group_risk-assessment,xccdf_org.ssgproject.content_group_scc,xccdf_org.ssgproject.content_group_scheduler,xccdf_org.ssgproject.content_group_secrets,xccdf_org.ssgproject.content_group_worker"}

$ oc get pb rhcos4 -ojsonpath='{.metadata.annotations}'
{"compliance.openshift.io/xccdf-groups":"xccdf_org.ssgproject.content_group_system,xccdf_org.ssgproject.content_group_software,xccdf_org.ssgproject.content_group_integrity,xccdf_org.ssgproject.content_group_software-integrity,xccdf_org.ssgproject.content_group_rpm_verification,xccdf_org.ssgproject.content_group_aide,xccdf_org.ssgproject.content_group_fips,xccdf_org.ssgproject.content_group_crypto,xccdf_org.ssgproject.content_group_certified-vendor,xccdf_org.ssgproject.content_group_endpoint_security_software,xccdf_org.ssgproject.content_group_mcafee_security_software,xccdf_org.ssgproject.content_group_mcafee_hbss_software,xccdf_org.ssgproject.content_group_disk_partitioning,...
[shortened}

[yuumasato]

@Vincent056 unit and e2e tests were added.

[yuumasato]

Also rebased to pick up on #1215

[github-actions]

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1199-e3757b954fdcb56d35eac046684455e4e86c6af9

[openshift-ci]

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-aws-parallel-arm	31da5ee	link	true	/test e2e-aws-parallel-arm
ci/prow/e2e-aws-serial-arm	31da5ee	link	true	/test e2e-aws-serial-arm
ci/prow/e2e-aws-serial	31da5ee	link	true	/test e2e-aws-serial
ci/prow/e2e-aws-parallel	31da5ee	link	true	/test e2e-aws-parallel
ci/prow/e2e-rosa	e3757b9	link	true	/test e2e-rosa

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.