From ec25703c0ad0e75f236c24f45d28886e5450da5b Mon Sep 17 00:00:00 2001
From: Lance Bragstad
Date: Mon, 18 Aug 2025 11:21:08 -0500
Subject: [PATCH] CMP-3536: Add profile stability for OCP4 CIS profiles
We've reimplemented a variant of this testing in the ocp4e2e suite, but using the profile stability testing here saves us some resources and relies on some common tooling that already exists for other products. Let's reuse it for OCP/RHCOS profile stability.
---
 .../profile_stability/ocp4/cis-node.profile | 105 ++++++++++++++++++
 tests/data/profile_stability/ocp4/cis.profile | 101 +++++++++++++++++
 2 files changed, 206 insertions(+)
 create mode 100644 tests/data/profile_stability/ocp4/cis-node.profile
 create mode 100644 tests/data/profile_stability/ocp4/cis.profile
diff --git a/tests/data/profile_stability/ocp4/cis-node.profile b/tests/data/profile_stability/ocp4/cis-node.profile
new file mode 100644
index 00000000000..82405ac50c6
--- /dev/null
+++ b/tests/data/profile_stability/ocp4/cis-node.profile
@@ -0,0 +1,105 @@
+etcd_unique_ca
+file_groupowner_cni_conf
+file_groupowner_controller_manager_kubeconfig
+file_groupowner_etcd_data_dir
+file_groupowner_etcd_data_files
+file_groupowner_etcd_member
+file_groupowner_etcd_pki_cert_files
+file_groupowner_ip_allocations
+file_groupowner_kube_apiserver
+file_groupowner_kube_controller_manager
+file_groupowner_kube_scheduler
+file_groupowner_kubelet_conf
+file_groupowner_master_admin_kubeconfigs
+file_groupowner_multus_conf
+file_groupowner_openshift_pki_cert_files
+file_groupowner_openshift_pki_key_files
+file_groupowner_openshift_sdn_cniserver_config
+file_groupowner_ovn_cni_server_sock
+file_groupowner_ovn_db_files
+file_groupowner_ovs_conf_db_hugetlbfs
+file_groupowner_ovs_conf_db_lock
+file_groupowner_ovs_conf_db_lock_hugetlbfs
+file_groupowner_ovs_conf_db_lock_openvswitch
+file_groupowner_ovs_conf_db_openvswitch
+file_groupowner_ovs_pid
+file_groupowner_ovs_sys_id_conf
+file_groupowner_ovs_sys_id_conf_hugetlbfs
+file_groupowner_ovs_sys_id_conf_openvswitch
+file_groupowner_ovs_vswitchd_pid
+file_groupowner_ovsdb_server_pid
+file_groupowner_scheduler_kubeconfig
+file_groupowner_worker_ca
+file_groupowner_worker_kubeconfig
+file_groupowner_worker_service
+file_owner_cni_conf
+file_owner_controller_manager_kubeconfig
+file_owner_etcd_data_dir
+file_owner_etcd_data_files
+file_owner_etcd_member
+file_owner_etcd_pki_cert_files
+file_owner_ip_allocations
+file_owner_kube_apiserver
+file_owner_kube_controller_manager
+file_owner_kube_scheduler
+file_owner_kubelet
+file_owner_kubelet_conf
+file_owner_master_admin_kubeconfigs
+file_owner_multus_conf
+file_owner_openshift_pki_cert_files
+file_owner_openshift_pki_key_files
+file_owner_openshift_sdn_cniserver_config
+file_owner_ovn_cni_server_sock
+file_owner_ovn_db_files
+file_owner_ovs_conf_db
+file_owner_ovs_conf_db_lock
+file_owner_ovs_pid
+file_owner_ovs_sys_id_conf
+file_owner_ovs_vswitchd_pid
+file_owner_ovsdb_server_pid
+file_owner_scheduler_kubeconfig
+file_owner_worker_ca
+file_owner_worker_kubeconfig
+file_owner_worker_service
+file_permissions_cni_conf
+file_permissions_controller_manager_kubeconfig
+file_permissions_etcd_data_dir
+file_permissions_etcd_data_files
+file_permissions_etcd_member
+file_permissions_etcd_pki_cert_files
+file_permissions_ip_allocations
+file_permissions_kube_apiserver
+file_permissions_kube_controller_manager
+file_permissions_kubelet_conf
+file_permissions_master_admin_kubeconfigs
+file_permissions_multus_conf
+file_permissions_openshift_pki_cert_files
+file_permissions_openshift_pki_key_files
+file_permissions_ovn_cni_server_sock
+file_permissions_ovn_db_files
+file_permissions_ovs_conf_db
+file_permissions_ovs_conf_db_lock
+file_permissions_ovs_pid
+file_permissions_ovs_sys_id_conf
+file_permissions_ovs_vswitchd_pid
+file_permissions_ovsdb_server_pid
+file_permissions_scheduler
+file_permissions_scheduler_kubeconfig
+file_permissions_worker_ca
+file_permissions_worker_kubeconfig
+file_permissions_worker_service
+file_perms_openshift_sdn_cniserver_config
+kubelet_anonymous_auth
+kubelet_authorization_mode
+kubelet_configure_client_ca
+kubelet_configure_event_creation
+kubelet_configure_tls_cipher_suites
+kubelet_enable_cert_rotation
+kubelet_enable_client_cert_rotation
+kubelet_enable_iptables_util_chains
+kubelet_enable_server_cert_rotation
+kubelet_enable_streaming_connections
+kubelet_eviction_thresholds_set_hard_imagefs_available
+kubelet_eviction_thresholds_set_hard_memory_available
+kubelet_eviction_thresholds_set_hard_nodefs_available
+kubelet_eviction_thresholds_set_hard_nodefs_inodesfree
\ No newline at end of file
diff --git a/tests/data/profile_stability/ocp4/cis.profile b/tests/data/profile_stability/ocp4/cis.profile
new file mode 100644
index 00000000000..bd0b79ad4f3
--- /dev/null
+++ b/tests/data/profile_stability/ocp4/cis.profile
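Review bot: Both new data files are committed without a terminating newline, as the `\ No newline at end of file` marker after `+kubelet_eviction_thresholds_set_hard_nodefs_inodesfree` shows here and again after `+secrets_no_environment_variables` in cis.profile. Line-oriented tools (`wc -l`, `diff`, a shell `while read` loop) handle an unterminated final line inconsistently, so the last rule can be miscounted or silently dropped depending on how the stability check splits lines, and every later edit to the file will carry a spurious change on that last line. Ending each file with a newline avoids both problems. The commit description also mentions RHCOS profile stability, but only ocp4 data is added here; if rhcos4 profiles are meant to be covered, that appears to be left for a follow-up.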
@@ -0,0 +1,101 @@
+accounts_restrict_service_account_tokens
+accounts_unique_service_account
+api_server_admission_control_plugin_alwaysadmit
+api_server_admission_control_plugin_alwayspullimages
+api_server_admission_control_plugin_namespacelifecycle
+api_server_admission_control_plugin_noderestriction
+api_server_admission_control_plugin_scc
+api_server_admission_control_plugin_service_account
+api_server_anonymous_auth
+api_server_api_priority_gate_enabled
+api_server_audit_log_maxbackup
+api_server_audit_log_maxsize
+api_server_audit_log_path
+api_server_auth_mode_no_aa
+api_server_auth_mode_rbac
+api_server_basic_auth
+api_server_bind_address
+api_server_client_ca
+api_server_encryption_provider_cipher
+api_server_etcd_ca
+api_server_etcd_cert
+api_server_etcd_key
+api_server_https_for_kubelet_conn
+api_server_insecure_bind_address
+api_server_insecure_port
+api_server_kubelet_certificate_authority
+api_server_kubelet_client_cert
+api_server_kubelet_client_cert_pre_4_9
+api_server_kubelet_client_key
+api_server_kubelet_client_key_pre_4_9
+api_server_oauth_https_serving_cert
+api_server_openshift_https_serving_cert
+api_server_profiling_protected_by_rbac
+api_server_request_timeout
+api_server_service_account_lookup
+api_server_service_account_public_key
+api_server_tls_cert
+api_server_tls_cipher_suites
+api_server_tls_private_key
+api_server_tls_security_profile_custom_min_tls_version
+api_server_tls_security_profile_not_old
+api_server_token_auth
+audit_log_forwarding_enabled
+audit_log_forwarding_webhook
+audit_logging_enabled
+audit_profile_set
+configure_network_policies
+configure_network_policies_hypershift_hosted
+configure_network_policies_namespaces
+controller_insecure_port_disabled
+controller_secure_port
+controller_service_account_ca
+controller_service_account_private_key
+controller_use_service_account
+etcd_auto_tls
+etcd_cert_file
+etcd_client_cert_auth
+etcd_key_file
+etcd_peer_auto_tls
+etcd_peer_cert_file
+etcd_peer_client_cert_auth
+etcd_peer_key_file
+file_groupowner_proxy_kubeconfig
+file_owner_proxy_kubeconfig
+file_permissions_proxy_kubeconfig
+general_apply_scc
+general_default_namespace_use
+general_default_seccomp_profile
+general_namespaces_in_use
+idp_is_configured
+kubeadmin_removed
+kubelet_configure_tls_cert
+kubelet_configure_tls_cipher_suites_ingresscontroller
+kubelet_configure_tls_key
+kubelet_disable_readonly_port
+ocp_allowed_registries
+ocp_allowed_registries_for_import
+ocp_api_server_audit_log_maxbackup
+ocp_api_server_audit_log_maxsize
+ocp_insecure_allowed_registries_for_import
+ocp_insecure_registries
+openshift_api_server_audit_log_path
+rbac_debug_role_protects_pprof
+rbac_least_privilege
+rbac_limit_cluster_admin
+rbac_limit_secrets_access
+rbac_pod_creation_access
+rbac_wildcard_use
+scc_drop_container_capabilities
+scc_limit_container_allowed_capabilities
+scc_limit_ipc_namespace
+scc_limit_net_raw_capability
+scc_limit_network_namespace
+scc_limit_privilege_escalation
+scc_limit_privileged_containers
+scc_limit_process_id_namespace
+scc_limit_root_containers
+scheduler_profiling_protected_by_rbac
+scheduler_service_protected_by_rbac
+secrets_consider_external_storage
+secrets_no_environment_variables
\ No newline at end of file