
CMP-4119: Add support for CIS v1.7.0 and CIS v1.9.0 references#1104

Open
yuumasato wants to merge 1 commit into ComplianceAsCode:master from yuumasato:parse-cis-versioned-references

Conversation

@yuumasato
Member

Adds support for versioned CIS references.

@openshift-ci-robot
Collaborator

@yuumasato: This pull request references CMP-4119 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.22.0" version, but no target version was set.


In response to this:

Adds support for versioned CIS references.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci

openshift-ci bot commented Mar 11, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: yuumasato

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@github-actions

🤖 To deploy this PR, run the following command:

make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1104-701fc5b0a057528a4a9be0cf489b5e8c582314d1

@openshift-ci

openshift-ci bot commented Mar 11, 2026

@yuumasato: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/e2e-rosa | 701fc5b | link | true | /test e2e-rosa |
| ci/prow/e2e-aws-parallel | 701fc5b | link | true | /test e2e-aws-parallel |

Full PR test history. Your PR dashboard.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@Anna-Koudelkova
Collaborator

Anna-Koudelkova commented Mar 12, 2026

Pre-merge verification passed on 4.21 cluster using CO deployed from this PR and content build from ComplianceAsCode/content#14548.

Verification steps:

1. Install released CO and verify the rules do not have the CIS-OCP controls:

```console
$ oc get rule ocp4-api-server-tls-security-profile-custom-min-tls-version -o json | jq '.metadata.annotations'
{
  "compliance.openshift.io/image-digest": "pb-ocp4bh9v8",
  "compliance.openshift.io/profiles": "ocp4-moderate-rev-4,ocp4-cis-1-7,ocp4-pci-dss-4-0,ocp4-pci-dss-3-2,ocp4-moderate,ocp4-cis,ocp4-pci-dss,ocp4-nerc-cip,ocp4-high-rev-4,ocp4-high",
  "compliance.openshift.io/rule": "api-server-tls-security-profile-custom-min-tls-version",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/PCI-DSS-4-0": "2.2.1;2.2",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),2.2.1,2.2",
  "policies.open-cluster-management.io/standards": "NIST-800-53,PCI-DSS-4-0"
}

$ oc get rule ocp4-api-server-tls-security-profile-not-old -o json | jq '.metadata.annotations'
{
  "compliance.openshift.io/image-digest": "pb-ocp4bh9v8",
  "compliance.openshift.io/profiles": "ocp4-nerc-cip,ocp4-cis-1-7,ocp4-high-rev-4,ocp4-moderate,ocp4-pci-dss-4-0,ocp4-bsi,ocp4-high,ocp4-pci-dss-3-2,ocp4-moderate-rev-4,ocp4-bsi-2022,ocp4-cis,ocp4-pci-dss",
  "compliance.openshift.io/rule": "api-server-tls-security-profile-not-old",
  "control.compliance.openshift.io/BSI": "APP.4.4.A17",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/PCI-DSS-4-0": "2.2.1;2.2",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),APP.4.4.A17,2.2.1,2.2",
  "policies.open-cluster-management.io/standards": "NIST-800-53,BSI,PCI-DSS-4-0"
}
```
2. Uninstall the CO and deploy CO from this PR using `make catalog-deploy CATALOG_IMG=ghcr.io/complianceascode/compliance-operator-catalog:1104-701fc5b0a057528a4a9be0cf489b5e8c582314d1`

3. Build content from this PR

4. Verify the rules have the CIS-OCP control label present:

```console
$ oc get rule upstream-ocp4-api-server-tls-security-profile-custom-min-tls-version -o json | jq '.metadata.annotations'
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4k6vcq",
  "compliance.openshift.io/profiles": "upstream-ocp4-moderate,upstream-ocp4-pci-dss-4-0,upstream-ocp4-cis-1-7,upstream-ocp4-high,upstream-ocp4-cis-1-9,upstream-ocp4-cis,upstream-ocp4-moderate-rev-4,upstream-ocp4-pci-dss-3-2,upstream-ocp4-high-rev-4,upstream-ocp4-pci-dss,upstream-ocp4-nerc-cip",
  "compliance.openshift.io/rule": "api-server-tls-security-profile-custom-min-tls-version",
  "control.compliance.openshift.io/CIS-OCP-1-7-0": "1.2.32;1.2;1",
  "control.compliance.openshift.io/CIS-OCP-1-9-0": "1.2.30;1.2;1",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/PCI-DSS-4-0": "2.2.1;2.2",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),1.2.32,1.2,1,1.2.30,2.2.1,2.2",
  "policies.open-cluster-management.io/standards": "NIST-800-53,CIS-OCP-1-7-0,CIS-OCP-1-9-0,PCI-DSS-4-0"
}

$ oc get rule upstream-ocp4-api-server-tls-security-profile-not-old -o json | jq '.metadata.annotations'
{
  "compliance.openshift.io/image-digest": "pb-upstream-ocp4k6vcq",
  "compliance.openshift.io/profiles": "upstream-ocp4-pci-dss,upstream-ocp4-cis-1-7,upstream-ocp4-high,upstream-ocp4-cis-1-9,upstream-ocp4-nerc-cip,upstream-ocp4-cis,upstream-ocp4-moderate-rev-4,upstream-ocp4-pci-dss-3-2,upstream-ocp4-pci-dss-4-0,upstream-ocp4-bsi-2022,upstream-ocp4-moderate,upstream-ocp4-high-rev-4,upstream-ocp4-bsi",
  "compliance.openshift.io/rule": "api-server-tls-security-profile-not-old",
  "control.compliance.openshift.io/BSI": "APP.4.4.A17",
  "control.compliance.openshift.io/CIS-OCP-1-7-0": "1.2.32;1.2;1",
  "control.compliance.openshift.io/CIS-OCP-1-9-0": "1.2.30;1.2;1",
  "control.compliance.openshift.io/NIST-800-53": "SC-8;SC-8(1)",
  "control.compliance.openshift.io/PCI-DSS-4-0": "2.2.1;2.2",
  "policies.open-cluster-management.io/controls": "SC-8,SC-8(1),APP.4.4.A17,1.2.32,1.2,1,1.2.30,2.2.1,2.2",
  "policies.open-cluster-management.io/standards": "NIST-800-53,BSI,CIS-OCP-1-7-0,CIS-OCP-1-9-0,PCI-DSS-4-0"
}
```

I am not really sure yet how to verify it on ACS, but the reference seems to be present.
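As an added check that is not part of the PR or of the operator's code: the control annotations from the post-PR `oc get rule ... | jq` output above, cross-checked programmatically so that the CIS-OCP-1-7-0 and CIS-OCP-1-9-0 references are confirmed present and consistent with the aggregated policies.open-cluster-management.io annotations, rather than read off by eye. The function names are this example's own; the sample dictionary is an abridged copy of the page's output.

```python
"""Added example (not Compliance Operator code): verify that a Rule's
control.compliance.openshift.io/<standard> annotations and its aggregated
policies.open-cluster-management.io/{controls,standards} annotations agree."""
CONTROL_PREFIX = "control.compliance.openshift.io/"
OCM_CONTROLS = "policies.open-cluster-management.io/controls"
OCM_STANDARDS = "policies.open-cluster-management.io/standards"

# Control-related annotations copied from the post-PR output above for
# upstream-ocp4-api-server-tls-security-profile-not-old (other keys omitted).
SAMPLE_AFTER = {
    CONTROL_PREFIX + "BSI": "APP.4.4.A17",
    CONTROL_PREFIX + "CIS-OCP-1-7-0": "1.2.32;1.2;1",
    CONTROL_PREFIX + "CIS-OCP-1-9-0": "1.2.30;1.2;1",
    CONTROL_PREFIX + "NIST-800-53": "SC-8;SC-8(1)",
    CONTROL_PREFIX + "PCI-DSS-4-0": "2.2.1;2.2",
    OCM_CONTROLS: "SC-8,SC-8(1),APP.4.4.A17,1.2.32,1.2,1,1.2.30,2.2.1,2.2",
    OCM_STANDARDS: "NIST-800-53,BSI,CIS-OCP-1-7-0,CIS-OCP-1-9-0,PCI-DSS-4-0",
}


def control_map(annotations):
    """{standard: [control, ...]} from the per-standard ';'-separated annotations."""
    return {k[len(CONTROL_PREFIX):]: v.split(";")
            for k, v in annotations.items() if k.startswith(CONTROL_PREFIX)}


def dedup(items):
    """Order-preserving de-duplication: '1.2' and '1' are cited by both CIS
    versions but appear once in the aggregated OCM controls list."""
    seen = set()
    return [x for x in items if not (x in seen or seen.add(x))]


def verify_rule(annotations, expected_standards):
    """Return a list of problems (empty = pass): every expected standard has a
    control annotation, the OCM standards list names exactly the annotated
    standards, and the OCM controls list is the de-duplicated union of them."""
    problems = []
    controls = control_map(annotations)
    for std in expected_standards:
        if std not in controls:
            problems.append(f"missing annotation {CONTROL_PREFIX}{std}")
    standards = annotations.get(OCM_STANDARDS, "").split(",")
    if sorted(standards) != sorted(controls):
        problems.append(f"{OCM_STANDARDS}={standards} does not match {sorted(controls)}")
    expected = dedup(c for std in standards for c in controls.get(std, []))
    actual = annotations.get(OCM_CONTROLS, "").split(",")
    if actual != expected:
        problems.append(f"{OCM_CONTROLS}={actual}, expected {expected}")
    return problems
```

Run it as `verify_rule(json.load(sys.stdin), ["CIS-OCP-1-7-0", "CIS-OCP-1-9-0"])` on the piped `jq '.metadata.annotations'` output; the pre-PR rules from step 1 fail with two "missing annotation" entries, the step 4 rules pass.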
