From fce3f6c4cea9d14c5b087f2a408aff59d8d43296 Mon Sep 17 00:00:00 2001 From: nicholasSUSE Date: Sun, 2 Mar 2025 13:07:51 -0300 Subject: [PATCH 1/9] cleaning release.yaml --- release.yaml | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/release.yaml b/release.yaml index be03dcbc43..8b13789179 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +1 @@ -rancher-alerting-drivers: - - 105.0.1 + From 01162eaf281926fb45b554f9826b0425f8ef7c78 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:07:58 -0300 Subject: [PATCH 2/9] fp: rancher-cis-benchmark-105.3.0+up7.3.0 --- .../rancher-cis-benchmark-105.3.0+up7.3.0.tgz | Bin 0 -> 6197 bytes .../105.3.0+up7.3.0/.helmignore | 1 + .../105.3.0+up7.3.0/Chart.yaml | 22 ++ .../105.3.0+up7.3.0/README.md | 9 + .../105.3.0+up7.3.0/app-readme.md | 34 +++ .../105.3.0+up7.3.0/templates/_helpers.tpl | 27 +++ .../templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.8.yaml | 9 + .../templates/benchmark-cis-1.9.yaml | 8 + .../templates/benchmark-eks-1.2.0.yaml | 8 + .../templates/benchmark-gke-1.2.0.yaml | 9 + .../templates/benchmark-gke-1.6.0.yaml | 8 + .../benchmark-k3s-cis-1.8-hardened.yaml | 9 + .../benchmark-k3s-cis-1.8-permissive.yaml | 9 + .../templates/benchmark-k3s-cis-1.9.yaml | 8 + .../benchmark-rke-cis-1.8-hardened.yaml | 8 + .../benchmark-rke-cis-1.8-permissive.yaml | 8 + .../benchmark-rke2-cis-1.8-hardened.yaml | 9 + .../benchmark-rke2-cis-1.8-permissive.yaml | 9 + .../templates/benchmark-rke2-cis-1.9.yaml | 8 + .../105.3.0+up7.3.0/templates/cis-roles.yaml | 49 ++++ .../105.3.0+up7.3.0/templates/configmap.yaml | 18 ++ .../105.3.0+up7.3.0/templates/deployment.yaml | 61 +++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 +++ .../105.3.0+up7.3.0/templates/rbac.yaml | 211 ++++++++++++++++++ .../templates/scanprofile-cis-1.8.yaml | 9 + .../templates/scanprofile-cis-1.9.yaml | 9 + .../scanprofile-k3s-cis-1.8-hardened.yml | 9 + .../scanprofile-k3s-cis-1.8-permissive.yml | 9 + .../templates/scanprofile-k3s-cis-1.9.yaml | 9 + .../scanprofile-rke-1.8-hardened.yaml | 9 + .../scanprofile-rke-1.8-permissive.yaml | 9 + .../scanprofile-rke2-cis-1.8-hardened.yml | 9 + .../scanprofile-rke2-cis-1.8-permissive.yml | 9 + .../templates/scanprofile-rke2-cis-1.9.yaml | 9 + .../templates/scanprofileaks.yml | 9 + .../templates/scanprofileeks.yml | 9 + 
.../templates/scanprofilegke-1.6.0.yml | 9 + .../templates/scanprofilegke.yml | 9 + .../templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../105.3.0+up7.3.0/values.yaml | 53 +++++ index.yaml | 26 +++ release.yaml | 3 +- 46 files changed, 846 insertions(+), 1 deletion(-) create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-105.3.0+up7.3.0.tgz create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/.helmignore create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/README.md create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/app-readme.md create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-eks-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.6.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml create mode 100644 
charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml create mode 100644 
charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke-1.6.0.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/105.3.0+up7.3.0/values.yaml 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.3.0+up7.3.0.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.3.0+up7.3.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..1cd13ff09e39f9bc1ee336c44c27a3205688f3a2 GIT binary patch literal 6197 zcmV-57|Q1#iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDJbK5rZcYl5KSL`VFOp?~5UTvqEZ*Rs;{oJ^hx3SZ^>Et>t zOs*uHDS!n)tA3LF@81DHQhbwX$r7F1aVHZ?B)Gr=``KN9&_WRA%~3cWmChA1Z@wVn zy7zKUgmQ1mBKT$p)bIEEN8_>i+wb>_e+P%h!*2%T%6lYI+@VY=5(E>dR2Rn+{tpYH zym=)D4~3#rihlZdWig-1Fd(-MBMY3s%d-pkF{z-k{B?AN&J7AlIh(-Kzy1INclg5X zJAL>c7`UUM{`j==QC)=$iH8%=g76RpQCv9kRw`UnKEmY$0?ML4EANIV7F0Z5dKH^Q`Fbi)9ra}?)6WwD4l9$$o{)6Esxj z+WR@?#tD#-s{kd4h%w4$Mp;tsAkm8iRkvU|5jX<^T3G}`g=R#o3?1re?o%4zq}L-- zqLRIU&$#SWHrtgqv(7c%F1hgKq~oL&b?)lQbdU!9LoM2OQD{YcY~)+2w*NOIh*0jz z0o2(4;ds<9+W*7j*8Vp_Pv9q?d}R05Si;MbGaube3t3!)VI z21L5RPv`|iAlwi^Ek+fGD}+$P%LmF7hg%*AP`C&KqENb>4qcEL8t+48f^q#7Kw!uv zRb1Sr@aknPfhnZOOq&sRODM#Cg441xp=#DiP&iGZtZ`X5JP$9TL z-${z5AM)&u-C?IAQ1VE4C@1joa|hrF{1YLP5eb4@5a{v60+|ntE8Sl*M2}8y!H-8K zeHsY!b%6lM4T92xLG)mFoJo)JNE+7OoKp|YK&rW}28C-!js%heWuDLuK!P_X%(H)m zGS*ZZOJp}xaJE3EBrK_#LqN50H@wrP9Dt0xxvu^-WmKD27tW@7Y{BQSBrGRM=CO!b zX_aZ*lm`J{QZ_T(1Ily};{Q96=Kexgz|cb}iMTy5@(WyWBRzr_iQpEl1TlRxRVd); zs;i&6F;nfDC+0JN7e?9?_ZRW^1uo364u&sY(^$kmB9!-iqVwblyx~4VK&~*b@CmsO zL`pg{ov2Hk<8%UZr9wIB^;W*fggxAoJv~OwETTU4828bU7@((}U$67zNk?D0Fju%R z3Zz-SqEZ2$g1!lgP(50TgW`dP2EsEf2Nfvc?`eHtf~2G8ow$^V`ryNFolX`tKl3Xs zJHJ68sE_ZnWv3*NS`$hP$aG2>RkyZ%vw&ZbAPy*1fEGqJyo&A3InJn5x+A+?b2s+N zZ;UTB*K|jDDp-%fxIo?t^xfl5hXg3>5ZYM5Uo~Cg4GPoJB@xW3-U5}No_xoJn!tq6CT>u3E-}loQyNWk(=kpc!`#Z`z%^=not+hHJ8dGzN&Kw7 zfYT{@Y69Ii{35PjUru8?=$`%&k)XSNtTWA!vFEdG$UD!~tUSxK!MyV6)&%hhdb>T#pOn()IYF zcQfc*Q|3?L9rs_`5}gGq;uA%57*<{)3AyjYyyE-ulHA9S>FluNU0nG5xua(l6BEhB zF|i2%%>v{r6NTFgkY8Hst;|nh3K??$wG9AInICc;N^1@dgeD&JsEp&o)XMzl7@0c! 
zuNHa9wR8qU4?fOqMR77_kGAXKG+CW854_B-5Wqijvk|H#YZ{FDj zZ($1P=@wwD#K3*A5BwjM@IM;#Tl_acyTyO3BkS>R z)^*mxe|V(fuU+|{YYY6@+J{}zruhGUFaCd2!hgT@|BcW-@c;eR_&;vlf5UWt{G*BO zhFi=4>hXV6#Q%8QuKzYdyTyO1BkL^ywljb)iSCd8*){G9|3}9q{Eyo8zeZ@c_)m3Y zJ^p9cSdag^rT{P6DZmbCQ~Vz_b6%!%-k zp?^P9P>26fzp(#*I6533xA<>@c8mWi9a(P*u19xH1=`iX2539{o8LP~NpJ48C!ikx z#r6O3;OMZ$e-pGn{I7JRwE$l(ZG-b42Sx5i~j~_U--Y{9Y7uE+m`?h z(*5x-u5nNC|8QK~|2H~n=l{*nZt-8GBkK);s96d)Y7N2OX*>MyHvS)ui|_x(!^779 zH$wZv|9#^B)&e{>ZG`{fb^*ZV^Z(KDpxyt|2<;sIWgWQ_{=;_u|ERPj{x=E$>hWKE z|2H1B@qaV4NBrM20B9}1W71am-*5r2e*Lfb{%<%Kx9k6n(BANW#{yt2=-U;*#;6Ye z`nur3gOWkj;D0zM#sB@m@u0KDjQy^oU-a}DEO2HSb4AVqQH;~WpCY} zxRMk2(Deioh1~<_Mxh^n@-aaBDJ069cMrNVRQl`EeuZv8rRx5+R?cFEyn?Lop-aM0 z8V0NDCS``cSBcNKaN6$8S`_Eosp@XdrgXL-VYXk=yHCG;TKX~gPSoXw;_@rhmj5z6 zSkM2lZCFd&Q?36`RAGPqzkhsGjQ{(?Hvexk6x(Ps%CAXSOwC$0*l~s;r`nuulEx$9 zyGlWsnPt3-c|wRHO_LNS&K00;L+pT_NKD|9V~o`Q4BX+s?b~+{af>ob5YE6I_D#XR z{!m-;h2=f0WS&fLhW(0%%Qd9)p`>&N0I%f)x_B*}FE#x~mkM@cHxP z&Z3IU;PdCF`Ifwkg5VtwsCPSov*{bI-U*bL3I`^iQl?`wvLy+YAf>b`Y*NllYvLSL znVg+gtt=tCDc5ju`tq0av-iJVUc5Ycb9wgq(-%{`Sq=AAfoK>pogtQdKd4D(|?@mvAMIwG20}KY)x}d-<h!1ka7>b}Ws+o?oV8u} z1b;+aVP#dXez|ymdVcxljTSI9Z+RwNv*2hh)Nf4qGE_LXkv+1oc4cQ>+FV>W%}Cs6!n$r+TI94CBB zE|uoXNjb%TC5s@fY?Zb96EMnrWC{ku6{kX0=Z`>{7exNL$KuY$=?f+?c?zI7`ShwtnvS|t9-m@MOC$Z* zFg zd2i17b$0?Gmnu0w?7)7D!kHjGmWw;~Wt(Hc+?{~AC?n59^wB?nE1YtHj=5}J)=|z< zyOE#OKYTLY258#`XaY5;RI(QEMo*P$S2&D1S&G*+x?9aw<9SYeHpu!#jY2s)^X#r) z(I`J!D3YBdczm%S8bBYqaRr$-$k5H}n|;k}#L^#~Q2+n&UtJO@zR(3Oa{Bw8UnBch zH$KtibNmv}M7?5W-qSg(dr<3df9rGru84Qdr_)z-LDd8Xt&99`qdNa@UhqHg9Jm_) ze>^Vk{~H_+2kri!MrcQyIkIc!Bn;jBF&%dwHCgq92^g53He`>htbF~DyonULP4O<0 z!hQ$G8o+cBUt9UyGL8e?Z_P<2$&MF$q0FZ0$&mZz7!)V9>&e&EK8pB)IdmmoHueFs zSp5uDT+r;Yh#A@qO7=^)lECx#`Fl9FFnE>Cf6%_RrjUdze*R&Dx6izvSJGi z1L~QM(gB^|L4e|ZD!eQ!CwwK^xn4c9`e~Jsvy#59=d16S&0i(H`i@U7 zZgzDo9+O--sffa96eJfjJNoW!Or*H`&Dl0j6p^sb(^ulLgvL5Hm4_vjxrTx-P|Y!tX5{jWt!I0n&-&3?#K(4BRY6;9 ztULPiIZkzZl3u(+$__x;G1tb2GP?RVddgtKKAxXjS92&W4{d_Q-H%&25@>8JcRWT( 
z`!^bvrbpvTgijVX8@h(=MsPj6HpkV&2CymIKK9JK8LC_V$?Wgl`UI%j_rIn5uY;q* z_We&IwE6Ep-Pk+j6bS}LeD(@P1^EF;YG*FaHpsPfL-Sp*7s+-xCnyuQ8-Gg5@ zZI1uVPk`DA|LyO;8=>9f|NBPq|9y-92hk?@ug(C!gZxjUa{i~IqZa>7&@ScRP+#>M>4p&{@bXO|9Q}!|J)4i82`h^S^%uhJpb6e`{mQt_}^dwuzvloIR76Xw)x+h zp}ph3u?4_&x#u6dhrevv68{@50M@Vn732Tm;jsPvS0l71{5Q1#m`gbS*nRmm(gye^ z*YZAZ`^!{^|KV{l{x^SG{5L?m#D6A1>7HS)YZ|!y7V!_J4e*cq!vCmWT>l>oMlJpu zpu{100T@L<{i|Fi2jCH1COpdSAv|9{x-|7(VJiT_gW@;zIDR3Td{ur+Ol z|K|Mvuzmm62<-{~jUd1E{|~2H{BM={O4wJx=Y3Qxxq_uluHP!0YEqr*{Y|8Kut|8Inz z#A!fh3Z4bX;90==brjx_jj4At=t4J>(V+`n{qOm6=!5h5bLWZ4rT&*GkC+dWAHb)c z%G{8slAGOPw9(7N8C{#-a*HR^6Kc0-5eGTjGdMRV29}=}gv}7#mn0-tG@y#2bWh%$ z#r98TO42FJiTpd>CiOj2{6Y!JX5c=L%l)51lX69L5S8JF%wPM>w(2jJ2k;mClS(D^ zxWznkEqaE3q(zKqxt0k0BccL*=$&T6)IPS;d9S^5X8H#9kSYlxV$3+}vy0XG3?v6EfjLPTI0FK!*;9IsCt*I! zkZG3M`7gqN>KPTp$1H=I69pb&aE0LWB?~z5(RVwYCvawC0h{^1^ZW0=ceJZYqlrp& z2Db-}Jukpc*31ME99Ec_ngsKP=VOmbb5xCg5{8aI;xBL)HsEgj4~C<|lK($GY=8gV z2(7`t)X+~t?G*GmcpLchsSV&`U`IN{hYy<7vzN&9r70J1rav)Ma1k?jzOotew`X&u zLOJR6mdmB<(WDZWi&<}_k}EUPd+v5R|Bnk;*vY|^i-oZV+TP6h5)_9>qG{L^iHZas zfWRpVeTPQ^KKR_r)Ei@9K^U2#aP>_$zUF#-(VO$7qqsARsE@Ko{2Ohod?%79l8b3F zL;GE~Fw=jrb&|G8JP7zw_mj4KoFP+k(&;$xA#06Rt(#FbkFHEZ;zsqd1)qZhB`ZBA z%+~`JkcfG6J8?qzp!?9GyplcnBO*!f_f}<}gW^1}Mp;Bm0s$FOg?jMyNGsH{LC#Da zCabi*bE`Z0??{9%BY+lSRKj=ka!1OS;;}H^$!kQ7`6_amzwAgk#eP&ZSi|pYn25|anBE2(g93farBHDKBY9vLF|-tmy;UM-hs00odxyQ}xxS(jLXj?(YXiW1YkSYpLoJUqm(F>lu7cw$x-f42q!!Jdf(zn;8) zr4bwC*6X+cd)ilF@vhT(^2DfI#zU;MPe!3Oq@B(uxG<^;pRxsgDwUvDk?HYIRv!}M z*$m~HliJZwolj0o>4y@nzq3cGuJlvqlNkdekhc8QqJD_?*KZOt^prsCEeK^jZ#wJ6 z9G*X*!*2%e@c6sJ)r|yr@n8X7JXC=hA2K z^Z*fJ4i6Eas(m>DX6qeex~cI2BBVSXB1Fujzr7GgI}qY%CqjJxT~3I{UT$rvrIuRy TV(5PZ009600x`By0PFw&Z4#%f literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/.helmignore b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/.helmignore new file mode 100644 index 0000000000..95ef7c6bd1 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/.helmignore @@ -0,0 +1 @@ +*.orig 
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/Chart.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/Chart.yaml new file mode 100644 index 0000000000..c643938319 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark +apiVersion: v1 +appVersion: v7.3.0 +description: The cis-operator enables running CIS benchmark security scans on a kubernetes + cluster +icon: file://assets/logos/rancher-cis-benchmark.svg +keywords: +- security +name: rancher-cis-benchmark +version: 105.3.0+up7.3.0 diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/README.md b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/README.md new file mode 100644 index 0000000000..50beab58ba --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/README.md @@ -0,0 +1,9 @@ +# Rancher CIS Benchmark Chart + +The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. + +# Installation + +``` +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +``` diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/app-readme.md b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/app-readme.md new file mode 100644 index 0000000000..8fc741ce58 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/app-readme.md 
@@ -0,0 +1,34 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. 
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. + +## CIS Kubernetes Benchmark support + +| Source | Kubernetes distribution | scan profile | Kubernetes versions | +|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| +| CIS | any | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9) | v1.27+ | +| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26 | +| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | +| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | +| CIS | rke2 | [rke2-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.9) | rke2-v1.27+ | +| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26 | +| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26 | +| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.9) | k3s-v1.27+ | +| CIS | k3s | 
[k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 | +| CIS | eks | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks | +| CIS | aks | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks | +| CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 | +| CIS | gke | [gke-1.6.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.6.0) | gke-1.29+ | diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/_helpers.tpl b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/_helpers.tpl new file mode 100644 index 0000000000..b7bb000422 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/alertingrule.yaml new file mode 100644 index 0000000000..1787c88a07 --- /dev/null 
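Review bot: `system_default_registry` and `linux-node-selector` carry no header comment, while the other two defines in this file do; a one-liner such as `{{/* Image prefix: the global system default registry with a trailing slash, or empty when none is configured */}}` above `system_default_registry` would document the `"%s/"` formatting that the image references in deployment.yaml depend on. The `default "cis-operator-system"` fallback in `cis.namespace` is presumably only reached when the chart is rendered without a release namespace; a short comment stating that intent would save the next reader from having to work it out.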
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-aks-1.0.yaml new file mode 100644 index 0000000000..1ac866253f --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.8.yaml new file mode 100644 index 0000000000..e1bbc72dd3 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.8.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.8 +spec: + clusterProvider: "" + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.9.yaml new file mode 100644 index 0000000000..480aad292a --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.9 +spec: + clusterProvider: "" + minKubernetesVersion: "1.27.0" 
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-eks-1.2.0.yaml new file mode 100644 index 0000000000..c1bdd9ed5e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-eks-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.2.0 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.2.0.yaml new file mode 100644 index 0000000000..426f7ec6a8 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.2.0.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.2.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.28.x" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.6.0.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.6.0.yaml new file mode 100644 index 0000000000..0538240e53 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-gke-1.6.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.6.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.29.0" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..db52b9baeb --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..0afe653586 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.9.yaml new file mode 100644 index 0000000000..7b6ef228c8 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-k3s-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.9 +spec: + clusterProvider: k3s + minKubernetesVersion: "1.27.0" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..d3d357c023 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" 
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..208eb777cd --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..1bbb5404f4 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..3947056649 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.9.yaml new file mode 100644 index 0000000000..57ce01b449 --- /dev/null 
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/benchmark-rke2-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.9 +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.27.0" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/cis-roles.yaml new file mode 100644 index 0000000000..23c93dc659 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/cis-roles.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-admin +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["create", "update", "delete", "patch","get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-view +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/configmap.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/configmap.yaml new file mode 100644 index 0000000000..ab91549809 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/configmap.yaml 
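Review bot: The `cis-admin` ClusterRole grants `verbs: ['*']` on core `configmaps` with no `resourceNames` restriction, which, being a ClusterRole, covers every ConfigMap in every namespace once bound cluster-wide, and `cis-view` likewise reads all ConfigMaps cluster-wide; ConfigMaps in other namespaces routinely hold configuration the CIS UI has no need to see or alter. Only the `default-clusterscanprofiles` ConfigMap created by configmap.yaml in this same patch appears to be needed (inferred from the templates visible here), so replacing `'*'` with an explicit list such as `verbs: ["get", "list", "watch", "update", "patch"]` and, for get/update/patch, adding `resourceNames: ["default-clusterscanprofiles"]` would bring the rule closer to least privilege; since `resourceNames` does not narrow `list`/`watch`, a namespaced Role bound in the cis-operator namespace may be the cleaner option if listing is required. The wildcard also departs from the explicit verb lists used by every other rule in the file, and `"patch","get"` is missing the space after the comma that the rest of the lists use.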
@@ -0,0 +1,18 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-clusterscanprofiles + namespace: {{ template "cis.namespace" . }} +data: + # Default ClusterScanProfiles per cluster provider type + rke: |- + <1.21.0: rke-profile-permissive-1.20 + >=1.21.0: rke-profile-permissive-1.8 + rke2: |- + <1.21.0: rke2-cis-1.20-profile-permissive + >=1.21.0: rke2-cis-1.9-profile + eks: "eks-profile" + gke: "gke-profile-1.6.0" + aks: "aks-profile" + k3s: "k3s-cis-1.9-profile" + default: "cis-1.9-profile" diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/deployment.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/deployment.yaml new file mode 100644 index 0000000000..8c9f72f5de --- /dev/null +++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/deployment.yaml 
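Review bot: The `<1.21.0` entries under `data.rke` and `data.rke2` resolve to `rke-profile-permissive-1.20` and `rke2-cis-1.20-profile`, but no template in this patch creates those ClusterScanProfiles (the diffstat lists only 1.8 and 1.9 scanprofile files) and every benchmark shipped here sets `minKubernetesVersion` to 1.26.0 or higher, so those branches appear both unreachable and dangling. Dropping them, or pointing them at a profile the chart actually ships, avoids a default that names a non-existent resource. The `>=1.21.0` rke default is spelled `rke-profile-permissive-1.8` while the others follow the `<distro>-cis-<version>-profile` pattern; verify it matches the `metadata.name` in templates/scanprofile-rke-1.8-permissive.yaml, which is outside this chunk.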
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: '{{ .Values.global.cattle.clusterName }}'
+ - name: CIS_OPERATOR_DEBUG
+ value: '{{ .Values.image.cisoperator.debug }}'
+ {{- if .Values.securityScanJob.overrideTolerations }}
+ - name: SECURITY_SCAN_JOB_TOLERATIONS
+ value: '{{ .Values.securityScanJob.tolerations | toJson }}'
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" .
| nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/patch_default_serviceaccount.yaml
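Review bot: Three env entries in the `cis-operator` container render their value unquoted — `value: {{ .Values.image.securityScan.tag }}`, `value: {{ .Values.image.sonobuoy.tag }}` and `value: {{ .Values.alerts.severity }}` — while the neighbouring `CIS_ALERTS_METRICS_PORT`, `CLUSTER_NAME`, `CIS_OPERATOR_DEBUG` and `CIS_ALERTS_ENABLED` entries are quoted; an override that looks like a number (a tag such as `1.10`) is then parsed as a float and rejected by the API server because an env `value` must be a string, and an empty override silently renders as `null`. Quote them like the others: `value: '{{ .Values.image.securityScan.tag }}'`, `value: '{{ .Values.image.sonobuoy.tag }}'`, `value: '{{ .Values.alerts.severity }}'`. The container also sets no `securityContext` (`runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities, `readOnlyRootFilesystem`), which is a cheap default for an operator that ships its own hardening profiles, provided the image tolerates it. The same unquoted pattern appears in `patch_default_serviceaccount.yaml` (`imagePullPolicy: {{ .Values.global.imagePullPolicy }}`).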
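Review bot: `default-allow-all` selects every pod in `{{ template "cis.namespace" . }}` via `podSelector: {}` and permits all traffic in both directions (`- {}` under `ingress` and `egress`, both listed in `policyTypes`), and it is rendered unconditionally, so it silently overrides any namespace-wide default-deny a cluster operator has applied. Consider gating the document behind a values flag (for example a `networkPolicy.enabled`-style key — name is a suggestion — defaulting to the current behaviour) so hardened clusters can opt out, and add a comment above `kind: NetworkPolicy` stating what the operator and scan jobs need unrestricted traffic for, since nothing in the chart records that. If it must stay unconditional, a comment such as `# Permits all ingress/egress for pods in the chart namespace; review before installing on clusters that enforce default-deny` at least documents the trade-off.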
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+
+ backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/rbac.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/rbac.yaml
new file mode 100644
index 0000000000..cba20d18c0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/rbac.yaml
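Review bot: `args: ["-n", {{ template "cis.namespace" . }}]` drops the templated namespace unquoted into a flow sequence, so a rendered name that looks like a number or starts with a YAML indicator parses as something other than a string; `args: ["-n", "{{ template "cis.namespace" . }}"]` is the safe form, and `imagePullPolicy: {{ .Values.global.imagePullPolicy }}` two lines above deserves the same quoting. The hook itself is a sound hardening step (it turns off token automount on the namespace's `default` ServiceAccount), but the Job's pod spec carries no `securityContext` or `resources` for the kubectl container, and with `hook-delete-policy: hook-succeeded, before-hook-creation` a failed run remains until the next hook fires. A one-line comment above `kind: Job`, e.g. `# Runs as cis-operator-serviceaccount; needs 'patch' on serviceaccounts, granted by cis-operator-clusterrole in rbac.yaml`, would tie the hook to the RBAC that makes it work.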
@@ -0,0 +1,211 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrole
+rules:
+- apiGroups:
+ - "cis.cattle.io"
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - "pods"
+ - "services"
+ - "configmaps"
+ - "nodes"
+ - "serviceaccounts"
+ verbs:
+ - "get"
+ - "list"
+ - "create"
+ - "update"
+ - "watch"
+ - "patch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ - "roles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "list"
+ - "create"
+ - "patch"
+ - "update"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-scan-ns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "namespaces"
+ - "nodes"
+ - "pods"
+ - "serviceaccounts"
+ - "services"
+ - "replicationcontrollers"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ - "roles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ - "cronjobs"
+ verbs:
+ - "list"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ - "deployments"
+ - "replicasets"
+ - "statefulsets"
+ verbs:
+ - "list"
+- apiGroups:
+ - "autoscaling"
+ resources:
+ - "horizontalpodautoscalers"
+ verbs:
+ - "list"
+- apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - "networkpolicies"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cis-operator-role
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ namespace: {{ template "cis.namespace" .
}}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "services"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "patch"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "delete"
+- apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ - "pods"
+ - "secrets"
+ verbs:
+ - "*"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ verbs:
+ - "*"
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheusrules
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cis-scan-ns
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
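Review bot: `cis-operator-role` grants `verbs: ["*"]` on `secrets`, `configmaps` and `pods` in the chart namespace, and `cis-operator-clusterrole` grants `create`/`update`/`patch` on `serviceaccounts` and `nodes` cluster-wide, yet nothing in the file records which of those the operator actually exercises, so a reviewer cannot tell whether the wildcard on `secrets` or `patch` on every ServiceAccount is required or merely convenient. A one-line comment per rule (for example `# patch on serviceaccounts: used by the patch-sa post-install hook, which runs as cis-operator-serviceaccount`) would make a least-privilege review possible without reading the operator source. The final `cis-operator-rolebinding` binds both `cis-serviceaccount` and `cis-operator-serviceaccount` to that same Role, which hands the scan ServiceAccount the `secrets` wildcard too — worth confirming that is intended. Separately, `app.kubernetes.io/instance: release-name` is a hard-coded literal on every resource here; the conventional value is `{{ .Release.Name }}`, and the literal becomes misleading as soon as the chart is installed under a different release name.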
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.8.yaml
new file mode 100644
index 0000000000..40be06c946
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.8.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.8-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.8
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.9.yaml
new file mode 100644
index 0000000000..9f0c9f58af
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.9-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.9
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..03f6695689
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.8-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..39932a4e5b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.8-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.9.yaml
new file mode 100644
index 0000000000..3d9ea843b0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-k3s-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.9-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.9
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-hardened.yaml
new file mode 100644
index 0000000000..54aa08691e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.8
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-permissive.yaml
new file mode 100644
index 0000000000..f7d4fdd229
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke-1.8-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.8
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..d0a1180f56
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.8-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..0aa72407c0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.8-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.9.yaml
new file mode 100644
index 0000000000..047d5e86ed
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofile-rke2-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.9-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.9
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileaks.yml
new file mode 100644
index 0000000000..ac9f47a8fb
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: aks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: aks-1.0
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileeks.yml
new file mode 100644
index 0000000000..7cf7936cbf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: eks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: eks-1.2.0
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke-1.6.0.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke-1.6.0.yml
new file mode 100644
index 0000000000..1fc299fc57
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke-1.6.0.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile-1.6.0
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.6.0
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke.yml
new file mode 100644
index 0000000000..42fa4f23a2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.2.0
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec48ec6224
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..562295791b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/105.3.0+up7.3.0/values.yaml b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/values.yaml
new file mode 100644
index 0000000000..df782588f0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.3.0+up7.3.0/values.yaml
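Review bot: Every line of the new template starts with `#`, which reads as though the CRD pre-flight check were commented out, but Helm evaluates the `{{- ... -}}` actions regardless of the surrounding `#`, and the trim markers collapse the rendered output to a run of `#` characters that YAML then treats as a comment; the `required` call therefore still aborts the install when one of the four `cis.cattle.io/v1` kinds is missing from `.Capabilities.APIVersions`. A Helm comment at the top, `{{/* The leading '#' keep the rendered output a valid YAML comment; the actions below still run and fail the install when the CRD chart is absent. */}}`, would stop a future reader from deleting the file or "un-commenting" it. The outer `if` also keys the whole check on `lookup` returning at least one ClusterRole, and `lookup` returns nothing under `helm template` or dry-run, so the guard silently disappears in offline rendering; that is presumably intentional but deserves a word in the same comment.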
@@ -0,0 +1,53 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ cisoperator:
+ repository: rancher/cis-operator
+ tag: v1.3.6
+ securityScan:
+ repository: rancher/security-scan
+ tag: v0.5.4
+ sonobuoy:
+ repository: rancher/mirrored-sonobuoy-sonobuoy
+ tag: v0.57.2
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+ overrideTolerations: false
+ tolerations: []
+
+affinity: {}
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ clusterName: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.30.7
+
+alerts:
+ enabled: false
+ severity: warning
+ metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 82d2173bba..bf3d6085a6 100755
--- a/index.yaml
+++ b/index.yaml
@@ -12219,6 +12219,32 @@ entries:
 - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz
 version: 1.0.200
 rancher-cis-benchmark:
+ - annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+ apiVersion: v1
+ appVersion: v7.3.0
+ created: "2025-03-02T13:07:54.967853071-03:00"
+ description: The cis-operator enables running CIS benchmark security scans on
+ a kubernetes cluster
+ digest: f7bd9db3a565abd3359d583a026f8b29a0399c9e87035776c4fe6e48dd21c5f1
+ icon: file://assets/logos/rancher-cis-benchmark.svg
+ keywords:
+ - security
+ name: rancher-cis-benchmark
+ urls:
+ - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.3.0+up7.3.0.tgz
+ version: 105.3.0+up7.3.0
 - annotations:
 catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
 catalog.cattle.io/certified: rancher
diff --git a/release.yaml b/release.yaml
index 8b13789179..4815b8371f 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1 +1,2 @@
-
+rancher-cis-benchmark:
+ - 105.3.0+up7.3.0
From c88e3421c298e47feebfd262ad6297dc4103d107 Mon Sep 17 00:00:00 2001
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:05 -0300 Subject: [PATCH 3/9] fp: rancher-cis-benchmark-105.2.0+up7.2.0 --- .../rancher-cis-benchmark-105.2.0+up7.2.0.tgz | Bin 0 -> 6164 bytes .../105.2.0+up7.2.0/Chart.yaml | 22 ++ .../105.2.0+up7.2.0/README.md | 9 + .../105.2.0+up7.2.0/app-readme.md | 34 +++ .../105.2.0+up7.2.0/templates/_helpers.tpl | 27 +++ .../templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.8.yaml | 9 + .../templates/benchmark-cis-1.9.yaml | 8 + .../templates/benchmark-eks-1.2.0.yaml | 8 + .../templates/benchmark-gke-1.2.0.yaml | 9 + .../templates/benchmark-gke-1.6.0.yaml | 8 + .../benchmark-k3s-cis-1.8-hardened.yaml | 9 + .../benchmark-k3s-cis-1.8-permissive.yaml | 9 + .../templates/benchmark-k3s-cis-1.9.yaml | 8 + .../benchmark-rke-cis-1.8-hardened.yaml | 8 + .../benchmark-rke-cis-1.8-permissive.yaml | 8 + .../benchmark-rke2-cis-1.8-hardened.yaml | 9 + .../benchmark-rke2-cis-1.8-permissive.yaml | 9 + .../templates/benchmark-rke2-cis-1.9.yaml | 8 + .../105.2.0+up7.2.0/templates/cis-roles.yaml | 49 ++++ .../105.2.0+up7.2.0/templates/configmap.yaml | 18 ++ .../105.2.0+up7.2.0/templates/deployment.yaml | 61 +++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 +++ .../105.2.0+up7.2.0/templates/rbac.yaml | 211 ++++++++++++++++++ .../templates/scanprofile-cis-1.8.yaml | 9 + .../templates/scanprofile-cis-1.9.yaml | 9 + .../scanprofile-k3s-cis-1.8-hardened.yml | 9 + .../scanprofile-k3s-cis-1.8-permissive.yml | 9 + .../templates/scanprofile-k3s-cis-1.9.yaml | 9 + .../scanprofile-rke-1.8-hardened.yaml | 9 + .../scanprofile-rke-1.8-permissive.yaml | 9 + .../scanprofile-rke2-cis-1.8-hardened.yml | 9 + .../scanprofile-rke2-cis-1.8-permissive.yml | 9 + .../templates/scanprofile-rke2-cis-1.9.yaml | 9 + .../templates/scanprofileaks.yml | 9 + .../templates/scanprofileeks.yml | 9 + .../templates/scanprofilegke-1.6.0.yml | 9 + 
.../templates/scanprofilegke.yml | 9 + .../templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../105.2.0+up7.2.0/values.yaml | 53 +++++ index.yaml | 26 +++ release.yaml | 1 + 45 files changed, 844 insertions(+) create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-105.2.0+up7.2.0.tgz create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/README.md create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/app-readme.md create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-eks-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.6.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml create mode 
100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.9.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileaks.yml create mode 100644 
charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke-1.6.0.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/105.2.0+up7.2.0/values.yaml 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.2.0+up7.2.0.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.2.0+up7.2.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..5ada7ebdd12aa1be7aa6a5293079e4a38ce2297a GIT binary patch literal 6164 zcmV+v80+UBiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDJbK5rZcYl5KSL`VFOp?~5UTvqEZ*Rs;{oJ^hx3S&3>Et>t zOs*uHD1Ze(tA67A@81DHQhbwT$r7F1aVHZ?B)Gr=``KN9&_WRAO;I==mCiLXZ#pMp z)_FZ8LbUO)`qv6o}?RLAxzrCaG(Ko%}@o;e1JL>j^-*kJ2gZ}Y1(A`Dl z>nM_nh;O=&uB#~AS3-m_u85+X$x#cyBZ>rk;(A1>0A0#EBvRa=OezutBdAmt#}ob! zbE3RyB?k|MqGO7F`gmnApUN;Gw+-UML(Y(?RqRPf|BBcQKsxKuf*$McB%Z_e(+F@dfh`U=66wO z#eF*bSKI#^5=1C>$|Nd~$E!zLXqh4eG>!4@w6OKs~D6nG=V=k(-*KIw6%PEyW zB@p=a=mkU|+z>%6Miqx^givG22g($OTOJ8eI1dA&P`a%a zos$U~??YvRas3rQV8|s^T->IR>SQf}DWu3mn-O>59=0F_;)O@pY9>i3N85-Dm#%y0 z4m20e_;ti@S96$CA-F)_Ns6W)^6ZY?eyb%=@<@0nNAT%$3*Z_26Csij34&V?=<)d+ znGcLB-Cr_9kB)D_k4Gkb8VK`sfdI)3g3^OQ^k8_LNssbK8rI&FQxDBRs;RC9g=IoyWH(fBHb;$WM$ROnK6V)Q(UBOSr=4G? 
z_3T+oU%D_?xG)N&S-zoC0Uv|D35rlXT8e|>frbXc3oQo~DBs&F zN>ERJ;6jbyRrl3XdgOYk+W)84xpOteAVeWu6>c30tegK0`on_%KR)g?^S@f?)2Gh2 zaLQyP5YlOpcJUIeg_dNFpdoX+n4&=Vw)6RO>(eJkdnd{e+Is$yKG_E6vvzR0fO~Fd z8t%K4?_KKC+7%No`>=jgJ45|BSCK7r6?3=}u>n~=MaSU&!$z*w0439sO2d;r77EJL z7~20=cG_Dpz(8X9rCpYyAW`Sr)<5m+FtK^Cpg{n{_tWk%2HiLlGo3V6ULLe`k!uY2 zBEFn4!`k>SxR?c;_!2xG1-d9mZ;E~tpotsQluOKVY?VgS+;of+$}qPwIWR+Qud}ma zZKqA-IEtUu7jQgAPmQ4cj$g#}>&t0u2kp~8A`-M$k9DRQGWLA74SDCeoRw!eJvFAj zCR%6zjU%OOBBB7doe!?D|J~tnFK_?*-Q%NfWB==*g59)nlN$$37WIykTd?eA5Co6-(m)^9{)#0{12P`KlRXV@t^9*Y72nP4B$(mhvR=T!+qiZ=(vpkX8o@g z+AaQ59a)Y4$qd)y|Gp`}t7ZzYL)sMoM>YBX=KXIyv=96rJp%vz?;HPLCp{ehvw=+3 z0G%ljJ~H$lW(wBff6(n0@IN>l3>*B{LA%9&m5!`71+&4uQ-NkRum;)=|K|4&Qqr3T z?Fm?q|Kj@puy@#R@Lvb*5C2OYX)M5(OWWXo({})C*{O>mY?+=Ub z|A+lSuUwr>J95nHNJ+w#sKQI7jEWlIJR`}m=0dW2LU-A84zc*;s|7)SW;s2fmz_p-n zRsd_Gb@2pu?cS_KalW0Z?&fSvCvy^J`z5{m{M+ZHAA|2iU2Z5Y zzCvyJFVln7{GZx}HMBjg_5X<~?9cyqkB^G+f44tq*8ggu*hZUCeoMk)YSyyBjx!WF z)#h}QG#&}xWeUp7EaOAW6G9Yenxr^!t^jo#Vhi*{Vgz@NF;f52bNfBFYu`b{Ey^rG zI6b%DH3k3r!`hOsEbo3L^JIe4?^Zlqt|6TdC8b*cIFlo2<4h*kv?ZQsVcL^So6JsX zeT$g#Bwv0u&=)g1F0wb{Q5xAiTe+M0@n463AH#s(&XGML9rzmj4~M1vAKl@wdH+`n zW$~`#k7eBUQ#$f1!nRBXolRg5ajHxkZagSO&#n{xBn^!DWTev+5)suPH&7|CQ zmnk;k^XJjMMHQLA=g-gcE%^`y!3Q2t?{)-d<9A$r5GXMf4op6!Ovh$qOA;(WN@-Wv zq@0=7#5t-mIXkUdSwePGuHoYJ^)KgVm%mO26;{0`w=*4XM)O-E{i)ybRF^UI5? 
zx2KoqXRj}=KD+AE$b3?rm|*Hc2D9rn#r@PJVoI`qM)=CP~*a zNit2&+BV$59}!nrS=F0gE-p{cuil-!tr+fXcjPl#X0q+B?3MQ)PR~y+-=AOobo%2j z6~p-aUK8Qtb(A*}gQ;Gt ziY+aT^i#)Vb<(={pP^cCF}n(lU%w(jz!&=eO=bgY-~S($_Wul;{D1XOaX~j8Z^|a6 zh1_@cmW}Z4Ss5@oqW|AAt!K#nT()}v$|eG3ygF>IVDW<0&&%5|Swudw&zR4r_Ty9c z^_NKN@NZsvq#E&`cwM8t)oeAM=fr1&tX|Y8 zl(RF>_UaXl@}q?!*-3)O=X0U~^syaRka>d)?YzF(*UUyN{m}{a|DXQVCXwQEUEm_8 zzn6T5>|gEpM3c|)OF$F#iivqo=dkv{T7Uans|9dPycr*l-_SW#Bj`0Q^1qGN`G50* z|B>gwt?~cI!{YwG-f{1^+5b}u?PxPccFmlGp_@OZ~WQquOE^( zkwUjA-bGT_@8DPim@eXLE1z4&aiIOJImsm1@nSEO*;G9la^D<-;-q#x`MTUk5nnKe zuH?(cK0p?$pP-5hnq3w#L%TuAeu?)e*)MiaM%*C#x!n4d16(DR?$2w=e99)NJj0()h zvuasZY=L1wJ=0M-pc6a@P&`b97iHyyuS7dnt7ld}tuk^}(%02|^&PYMtHf8|@d?g3 zlV}ISUP|B1F0aL7k}D?_Q8<%5v>N$H{rtf{25 z)KpznT+GY~DOS`Fk6KRA9trk)HY=uX$M~C?@&C}Jw2dr77TZ}gWL-)Iz)O&<^fMdT z@U_*%J8&N;P08oxY?~*FNLc0REAd!D<2p8#hb5J{hJw#gO)-*YUcL0fFBTl(`kj&*yIUc5)j7C_lCuZ<67bp3Dil);95JU_Rt=1^K5+60TcAGdNO zP}^AUc#M+vZ!|1*kH(h>pDb=RbPd~$;A(hnj;qHFU|qO<>X~^xv~K+;v%h!i6QI_< z|1ITz?Hvu9_dm7J=D+`pcV@3X{VB82x%76ZyldRe*LWS#Kv6b=wh|Gx)0aD`Zf09* zwrW3h4}RUWIsP|40ctD!H^2X`g?5ks?`y^X_YM9ZMVsKiIs^O;@;?pA`JWC44gTw( zUE)8N{W;c|GzrvxjX`DN`KRvNuYtD3e>MTsqw_xvi}|02gQMpBhgxXg_|N?`vMvjd zsr0G)_e-bk@W0s{U@iW8rTkBWX8vCf?FavL%>lCc=AXJJzfRf&|H7Q^wQ2VEhs6Iy z|34V^n%{rdLc7F&HlISGBXKr`eHwwvr1MYRuU`voga6I4zi%`DA9kDk@Ac5W@L$TO zQkMm2V*ib3L;P1|fPeh?Z-Y|)=U#LEb3L?U{P&+~0kAsr{8RVtmrq;ce}e_U_3MAd z`Ty{+$^TXl?H&KMEdZ{{J^$1_{AJUY_}^#&aQ*sUG5+r#cAMXS)k1s1e_acJxrFmi z-Ire@ZGe9=lMi{@U#4~V?;jWA|6Z^0|Mk!=@t;Xhx@XwyntE=xLHwg>1N`H@@IUC5 z&VTOp8~oQoyTm`%hJQ5p?>83U(X;{nC$l&u^`=%}J^oAn|FGHrR}bwH|E1jJd$t0p zLN-=lYuXI|_4)s9^Zu_E+7te3L4M=^A5UxXzg5P^Jgvk3;jp;=*BdnFKi5Nr^Ij@{ zTU$i>!%uox|C`*R{n>pRo+3d{UdE>$;JXTvp5atM8S&y8N3KMpGDz4*_b*vy*9Kn86Dct*8g60Esmu+DD!JJ%MjM?>oYA)VEw^|wJ)w4c7IBcXJ%e*|Vqp1sLD&SreN94g zO#`YZO84Z$S#1AgrX(H1l*qs1ZBpM0#V?egYy$4fxZM9KG$~g^2T>V*$o!SxY^(lq zbpU_CKdDqwk6X+$*P<8rM_R;)mTQT?KO!p7hxU2$>Gk+`d=~l<@TNqlINfhjRNqrmD(y|zsNGueGGCq=YF{K(+yC>^lb_z6x^sUg 
zb*zj3hW*0&Pj7g1)a?JNg`UB=)c|;Xb^)p7gx4Blt=6SRXC{0Ddq|B05iw@KdUmm# zpFwiK3Ye2rfiobmjGoeS{0Q@5f=sj2;Gc&9)e#lM$E<>y5(OS%aE;*e1q(Rw(RW*| zXK-e1fzABg`u+FcTT=|?sWquoXK*{<*nHtOSTg}4IIIwvngr8^=TnbLeN>Hq5{8aI z;?HpxHsF5z_xgjwLjM2W;qkEf{bwz-0{>D&KXJ7w=yUKk@aJRez++%X+Qq|1&FaN# zWct#W3pmrC7%I4k8N6KD4EfuOsZyaFbvld1!u4oUiOa>LvsB5Y8R@)qTdn`c1-z?18p7Q@#MjA(ChsHb$Z%fd?RPj6&bxk${gr_cHay7?=}ACMaBe(~YmW9-nun zeBmhWOd{%|>=6G(8!O+5B#Pu>n#|08*DcKSUu>PEZ4wUxzR>-oEgxsdlpM8M4t&g7 zqh;$RR86C6(~!7PoovCE;6TYrPYLt&fCVIC-qZ$82p@GHT9j9^Cx1jF>HW^K>`PFb z2i7Qyh)EzIBdSmjz8-0XIvV86)M2v9>N~f(qyJvA{Vtr0wOUvQF{X^l>4DXutN@93 z(3O=O#7h6*z=dJ!z=^2bdKQ-%^2Q)F5-l%SJIjD*yIW!3wd zNc5A7_GurIwM;lkny1IzI2#{`5mpyZ+GC_aWt*Fxa;sY$Gg{H;xM;EMHhgAdI*IJz z3YP&`)e<#_2XU4}5r zITf6g#a_|P>El%$oey>rMv7}##I|n<8z2%E7zFySe%P#}6viqfg3M8&knylRrhk`B zFZHnQn3Dj7(oH;1``t;5|8rRg|45i7c!mI#)NnRZk`xR^p-qG*y(#)pfCol}q@Hfs zBMmLGvQT&9+`MPTK)`}9rTfo1nB*zN4X`nwH>l^3hD)L11V-|}Fk)ym0-1~i+K&9V z6z*-BhSfAN>57sIFlJEO|J2mp^xZ!@$U4hJt`3Qx*7puOFLQlGC4?efEYk*n`PTNH zqla1^X)c}fNMYFpZBc(tp*qjZ&DfJU_TEb~|4z!;elml^BNcafGAt*)Pc7TTeWMW@P7;*db9wq9xK36@oH88F{@VJ zJNQ`r1IK$~#6%_&mRf1z_Z6L+u6x)Ci8mt?G}2YGUn#6lBc(g*5w8vMT_f}S+*c3Q14Nk( zW^$bDOn?l}O--64K?(|(EkPi0RR6Ti=>$V=l}rgk%IXE literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/Chart.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/Chart.yaml new file mode 100644 index 0000000000..8469487497 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/Chart.yaml 
@@ -0,0 +1,22 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v7.2.0
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+ cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 105.2.0+up7.2.0
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/README.md b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/README.md
new file mode 100644
index 0000000000..50beab58ba
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/app-readme.md b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/app-readme.md
new file mode 100644
index 0000000000..8fc741ce58
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/app-readme.md
@@ -0,0 +1,34 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. 
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. + +## CIS Kubernetes Benchmark support + +| Source | Kubernetes distribution | scan profile | Kubernetes versions | +|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| +| CIS | any | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9) | v1.27+ | +| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26 | +| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | +| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | +| CIS | rke2 | [rke2-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.9) | rke2-v1.27+ | +| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26 | +| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26 | +| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.9) | k3s-v1.27+ | +| CIS | k3s | 
[k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 | +| CIS | eks | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks | +| CIS | aks | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks | +| CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 | +| CIS | gke | [gke-1.6.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.6.0) | gke-1.29+ | diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/_helpers.tpl b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/_helpers.tpl new file mode 100644 index 0000000000..b7bb000422 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/alertingrule.yaml new file mode 100644 index 0000000000..1787c88a07 --- /dev/null 
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-aks-1.0.yaml new file mode 100644 index 0000000000..1ac866253f --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.8.yaml new file mode 100644 index 0000000000..e1bbc72dd3 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.8.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.8 +spec: + clusterProvider: "" + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.9.yaml new file mode 100644 index 0000000000..480aad292a --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.9 +spec: + clusterProvider: "" + minKubernetesVersion: "1.27.0" 
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-eks-1.2.0.yaml new file mode 100644 index 0000000000..c1bdd9ed5e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-eks-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.2.0 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.2.0.yaml new file mode 100644 index 0000000000..426f7ec6a8 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.2.0.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.2.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.28.x" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.6.0.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.6.0.yaml new file mode 100644 index 0000000000..0538240e53 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-gke-1.6.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.6.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.29.0" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..db52b9baeb --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..0afe653586 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.9.yaml new file mode 100644 index 0000000000..7b6ef228c8 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-k3s-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.9 +spec: + clusterProvider: k3s + minKubernetesVersion: "1.27.0" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..d3d357c023 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" 
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..208eb777cd --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..1bbb5404f4 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..3947056649 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.9.yaml new file mode 100644 index 0000000000..57ce01b449 --- /dev/null 
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/benchmark-rke2-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.9
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.27.0"
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/cis-roles.yaml
new file mode 100644
index 0000000000..23c93dc659
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-admin
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-view
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/configmap.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/configmap.yaml
new file mode 100644
index 0000000000..ab91549809
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/configmap.yaml
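Review bot: The `cis-admin` ClusterRole's last rule grants `'*'` on core `configmaps` in every namespace, which is far wider than anything this chart shows a need for — the only ConfigMap the chart installs (`default-clusterscanprofiles`) lives in the operator namespace. Where and how `cis-admin` gets bound is not visible in this patch, so if it is intended as a cluster-wide aggregated role, consider narrowing that rule to explicit verbs and a `resourceNames` list, as the `catalog.cattle.io/apps` rule already does. A style nit in the same file: `verbs: ["create", "update", "delete", "patch","get", "watch", "list"]` is missing the space after `"patch",`, and the rules alternate between block sequences and flow lists — one form throughout would read better.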
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-clusterscanprofiles
+ namespace: {{ template "cis.namespace" . }}
+data:
+ # Default ClusterScanProfiles per cluster provider type
+ rke: |-
+ <1.21.0: rke-profile-permissive-1.20
+ >=1.21.0: rke-profile-permissive-1.8
+ rke2: |-
+ <1.21.0: rke2-cis-1.20-profile-permissive
+ >=1.21.0: rke2-cis-1.9-profile
+ eks: "eks-profile"
+ gke: "gke-profile-1.6.0"
+ aks: "aks-profile"
+ k3s: "k3s-cis-1.9-profile"
+ default: "cis-1.9-profile"
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/deployment.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/deployment.yaml
new file mode 100644
index 0000000000..8c9f72f5de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/deployment.yaml
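Review bot: The `rke` and `rke2` entries still map Kubernetes `<1.21.0` to `rke-profile-permissive-1.20` and `rke2-cis-1.20-profile-permissive`, but no ClusterScanProfile with either name is installed by this patch (the scanprofile templates added here are the 1.8 and 1.9 ones), and Chart.yaml constrains `kube-version` to `>= 1.28.0-0`, so that branch is both unreachable and dangling. Either drop the two `<1.21.0:` lines, or, if the operator expects both keys to be present, point them at a profile the chart actually ships; a dangling name would presumably only surface when a scan is launched. The comment `# Default ClusterScanProfiles per cluster provider type` could also say that each value must be the `metadata.name` of a ClusterScanProfile from this chart, so the next bump keeps the two files in sync.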
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: '{{ .Values.global.cattle.clusterName }}'
+ - name: CIS_OPERATOR_DEBUG
+ value: '{{ .Values.image.cisoperator.debug }}'
+ {{- if .Values.securityScanJob.overrideTolerations }}
+ - name: SECURITY_SCAN_JOB_TOLERATIONS
+ value: '{{ .Values.securityScanJob.tolerations | toJson }}'
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" .
| nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/patch_default_serviceaccount.yaml
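Review bot: The `cis-operator` container in deployment.yaml carries no `securityContext` at all — no `runAsNonRoot`, `allowPrivilegeEscalation: false` or `capabilities.drop`, and no pod-level `seccompProfile` — so the workload that enforces CIS hardening would itself be rejected by the restricted Pod Security Standard; the `sa` container in patch_default_serviceaccount.yaml has the same gap. Whether the operator can run with `readOnlyRootFilesystem: true` is not visible here and needs checking against the image before enabling it. Separately, the env values for `SECURITY_SCAN_IMAGE_TAG`, `SONOBUOY_IMAGE_TAG` and `CIS_ALERTS_SEVERITY` are rendered unquoted while their neighbours (`CIS_ALERTS_METRICS_PORT`, `CLUSTER_NAME`) are quoted; a numeric-looking tag or severity would render as a YAML number and fail API validation, because env values must be strings. The deployment's spec continues into the next physical line of the patch; the excerpt below shows only the added and changed lines.

```yaml
      containers:
        - name: cis-operator
          # … unchanged: image, imagePullPolicy, ports …
          securityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            # readOnlyRootFilesystem: true  # enable once confirmed the operator writes nothing to its root fs
            capabilities:
              drop: ["ALL"]
          env:
            # … unchanged: SECURITY_SCAN_IMAGE …
            - name: SECURITY_SCAN_IMAGE_TAG
              value: {{ .Values.image.securityScan.tag | quote }}
            # … unchanged: SONOBUOY_IMAGE …
            - name: SONOBUOY_IMAGE_TAG
              value: {{ .Values.image.sonobuoy.tag | quote }}
            # … unchanged: CIS_ALERTS_METRICS_PORT …
            - name: CIS_ALERTS_SEVERITY
              value: {{ .Values.alerts.severity | quote }}
            # … unchanged: remaining env entries, resources, scheduling …
```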
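Review bot: `default-allow-all` in network_policy_allow_all.yaml selects every pod in the operator namespace (`podSelector: {}`) and opens all ingress and egress, and the template has no values switch, so an administrator cannot opt out of it. Presumably it exists so scan pods keep working in clusters that apply a per-namespace default-deny policy, but as written it also exposes the operator's `cismetrics` port to every other namespace. Gating the object behind a values boolean (`<network-policy toggle — name to be chosen>`) and adding a `{{/* ... */}}` comment that states why a blanket allow is required would make the trade-off explicit and reviewable; if only egress is what the scans need, the ingress rule could be tightened to the monitoring namespace instead of `- {}`.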
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+
+ backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/rbac.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/rbac.yaml
new file mode 100644
index 0000000000..cba20d18c0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/rbac.yaml
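Review bot: `args: ["-n", {{ template "cis.namespace" . }}]` splices the rendered namespace into a flow sequence unquoted, so any namespace value containing a YAML-special character (or a leading `{`/`[`) breaks the rendered manifest rather than being passed to kubectl; the sibling templates already use `include`, so `args: ["-n", {{ include "cis.namespace" . | quote }}]` keeps it a string in every case. The hook's intent — turning off `automountServiceAccountToken` on the namespace's `default` ServiceAccount — is a good hardening step but is not stated anywhere; a template comment such as `{{/* Post-install hook: stop the namespace's default ServiceAccount from auto-mounting its token into pods */}}` at the top of the file would help the next maintainer. `hook-succeeded, before-hook-creation` leaves a failed job in place until the next install, which is presumably deliberate for debugging but worth saying in the same comment.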
@@ -0,0 +1,211 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrole
+rules:
+- apiGroups:
+ - "cis.cattle.io"
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - "pods"
+ - "services"
+ - "configmaps"
+ - "nodes"
+ - "serviceaccounts"
+ verbs:
+ - "get"
+ - "list"
+ - "create"
+ - "update"
+ - "watch"
+ - "patch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ - "roles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "list"
+ - "create"
+ - "patch"
+ - "update"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-scan-ns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "namespaces"
+ - "nodes"
+ - "pods"
+ - "serviceaccounts"
+ - "services"
+ - "replicationcontrollers"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ - "roles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ - "cronjobs"
+ verbs:
+ - "list"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ - "deployments"
+ - "replicasets"
+ - "statefulsets"
+ verbs:
+ - "list"
+- apiGroups:
+ - "autoscaling"
+ resources:
+ - "horizontalpodautoscalers"
+ verbs:
+ - "list"
+- apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - "networkpolicies"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cis-operator-role
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ namespace: {{ template "cis.namespace" .
}}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "services"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "patch"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "delete"
+- apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ - "pods"
+ - "secrets"
+ verbs:
+ - "*"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ verbs:
+ - "*"
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheusrules
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cis-scan-ns
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
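Review bot: `cis-operator-rolebinding` binds both `cis-serviceaccount` and `cis-operator-serviceaccount` to `cis-operator-role`, and that Role carries `"*"` on `secrets`, `configmaps` and `pods` in the operator namespace. The only other binding `cis-serviceaccount` receives here is the read-only `cis-scan-ns` ClusterRole, which suggests it is the identity the scan workloads run under; if so, the scan pods inherit full read/write on every Secret in the namespace with no visible need for it, and a compromised scan pod becomes a path to the operator's credentials. Keep `cis-operator-serviceaccount` as the sole subject of `cis-operator-role` and give `cis-serviceaccount` its own Role listing only the verbs the scan job actually uses; the rule `- "secrets"` under `verbs: - "*"` is also worth splitting so that `secrets` gets explicit verbs rather than a wildcard. A smaller point: `app.kubernetes.io/instance: release-name` is hard-coded on every object in this file and in serviceaccount.yaml, where `{{ .Release.Name }}` is the conventional value.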
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.8.yaml new file mode 100644 index 0000000000..40be06c946 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.8.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.8-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.8 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.9.yaml new file mode 100644 index 0000000000..9f0c9f58af --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-cis-1.9.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.9-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.9 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml new file mode 100644 index 0000000000..03f6695689 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.8-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml new file mode 100644 index 0000000000..39932a4e5b --- /dev/null 
+++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.8-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.9.yaml new file mode 100644 index 0000000000..3d9ea843b0 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-k3s-cis-1.9.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.9-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.9 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-hardened.yaml new file mode 100644 index 0000000000..54aa08691e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.8 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-permissive.yaml new file mode 100644 index 0000000000..f7d4fdd229 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke-1.8-permissive.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.8 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml new file mode 100644 index 0000000000..d0a1180f56 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.8-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml new file mode 100644 index 0000000000..0aa72407c0 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.8-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.9.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.9.yaml new file mode 100644 index 0000000000..047d5e86ed --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofile-rke2-cis-1.9.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.9-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.9 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileaks.yml new file mode 100644 index 0000000000..ac9f47a8fb --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileaks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: aks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: aks-1.0 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileeks.yml new file mode 100644 index 0000000000..7cf7936cbf --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofileeks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: eks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: eks-1.2.0 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke-1.6.0.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke-1.6.0.yml new file mode 100644 index 0000000000..1fc299fc57 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke-1.6.0.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile-1.6.0 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.6.0 
diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke.yml new file mode 100644 index 0000000000..42fa4f23a2 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/scanprofilegke.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.2.0 diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/serviceaccount.yaml new file mode 100644 index 0000000000..ec48ec6224 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + name: cis-operator-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-serviceaccount diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..562295791b --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/templates/validate-install-crd.yaml 
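Review bot: The `cis-serviceaccount` ServiceAccount in serviceaccount.yaml carries a literal `app.kubernetes.io/instance: release-name` label, which looks like the default release name leaked from a `helm template` run rather than the templated value, so anything selecting on that label will not match the actual release. I would change that line to `app.kubernetes.io/instance: {{ .Release.Name }}` and give `cis-operator-serviceaccount` the same `app.kubernetes.io/name` and `app.kubernetes.io/instance` labels so both accounts are selectable the same way. Neither ServiceAccount sets `automountServiceAccountToken`; the workloads that use `cis-serviceaccount` are not in this chunk, so whether the token mount is needed cannot be judged here, but stating it explicitly per account would make the intent reviewable.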
@@ -0,0 +1,17 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/105.2.0+up7.2.0/values.yaml b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/values.yaml new file mode 100644 index 0000000000..145668793e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.2.0+up7.2.0/values.yaml 
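Review bot: The CRD-presence check in validate-install-crd.yaml is entirely gated on `gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0`, so it only fires when `lookup` can reach a live API server; under `helm template` or `--dry-run=client` the lookup comes back empty and an install against a cluster without the `cis.cattle.io/v1` CRDs is never rejected here. That is presumably intentional, since `lookup` is unavailable offline, but nothing in the file says so, and the leading `#` on every line hides from a reader that Helm still evaluates the `{{ }}` actions before YAML parsing. I would add a two-line header comment stating that the `#` prefixes keep the file valid YAML for linters while Helm still executes the template actions, and that the `lookup` guard means the check is skipped in client-side rendering. The file also ends without a trailing newline (`\ No newline at end of file`).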
@@ -0,0 +1,53 @@ +# Default values for rancher-cis-benchmark. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + cisoperator: + repository: rancher/cis-operator + tag: v1.3.5 + securityScan: + repository: rancher/security-scan + tag: v0.5.3 + sonobuoy: + repository: rancher/mirrored-sonobuoy-sonobuoy + tag: v0.57.2 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +securityScanJob: + overrideTolerations: false + tolerations: [] + +affinity: {} + +global: + cattle: + systemDefaultRegistry: "" + clusterName: "" + kubectl: + repository: rancher/kubectl + tag: v1.30.7 + +alerts: + enabled: false + severity: warning + metricsPort: 8080 diff --git a/index.yaml b/index.yaml index bf3d6085a6..c870d43d29 100755 --- a/index.yaml +++ b/index.yaml 
@@ -12245,6 +12245,32 @@ entries: urls: - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.3.0+up7.3.0.tgz version: 105.3.0+up7.3.0 + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v7.2.0 + created: "2025-03-02T13:08:01.933758243-03:00" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: a67a68bb82c6a95afbe70fd72322bec75bc23783725cb19e21c9495d4b0e4177 + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.2.0+up7.2.0.tgz + version: 105.2.0+up7.2.0 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index 4815b8371f..470fa9bbcb 100644 --- a/release.yaml +++ b/release.yaml @@ -1,2 +1,3 @@ rancher-cis-benchmark: - 105.3.0+up7.3.0 + - 105.2.0+up7.2.0 From 122c650ddf472038eab8fa8a2ce88067da8ef627 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:12 -0300 Subject: [PATCH 4/9] fp: rancher-cis-benchmark-105.1.0+up7.1.1 --- .../rancher-cis-benchmark-105.1.0+up7.1.1.tgz | Bin 0 -> 5918 bytes .../105.1.0+up7.1.1/Chart.yaml | 22 ++ .../105.1.0+up7.1.1/README.md | 9 + .../105.1.0+up7.1.1/app-readme.md | 31 +++ .../105.1.0+up7.1.1/templates/_helpers.tpl | 27 +++ .../templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.8.yaml | 8 + .../templates/benchmark-eks-1.2.0.yaml | 8 + .../templates/benchmark-gke-1.2.0.yaml | 9 + .../templates/benchmark-gke-1.6.0.yaml | 8 + .../benchmark-k3s-cis-1.8-hardened.yaml | 8 + .../benchmark-k3s-cis-1.8-permissive.yaml | 8 + .../benchmark-rke-cis-1.8-hardened.yaml | 8 + .../benchmark-rke-cis-1.8-permissive.yaml | 8 + .../benchmark-rke2-cis-1.8-hardened.yaml | 8 + .../benchmark-rke2-cis-1.8-permissive.yaml | 8 + .../105.1.0+up7.1.1/templates/cis-roles.yaml | 49 ++++ .../105.1.0+up7.1.1/templates/configmap.yaml | 18 ++ .../105.1.0+up7.1.1/templates/deployment.yaml | 61 +++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 +++ .../105.1.0+up7.1.1/templates/rbac.yaml | 209 ++++++++++++++++++ .../templates/scanprofile-cis-1.8.yaml | 9 + .../scanprofile-k3s-cis-1.8-hardened.yml | 9 + .../scanprofile-k3s-cis-1.8-permissive.yml | 9 + .../scanprofile-rke-1.8-hardened.yaml | 9 + .../scanprofile-rke-1.8-permissive.yaml | 9 + .../scanprofile-rke2-cis-1.8-hardened.yml | 9 + .../scanprofile-rke2-cis-1.8-permissive.yml | 9 + .../templates/scanprofileaks.yml | 9 + .../templates/scanprofileeks.yml | 9 + .../templates/scanprofilegke-1.6.0.yml | 9 + .../templates/scanprofilegke.yml | 9 + .../templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../105.1.0+up7.1.1/values.yaml | 53 +++++ index.yaml | 26 +++ release.yaml | 1 + 39 files changed, 783 insertions(+) create mode 100644 
assets/rancher-cis-benchmark/rancher-cis-benchmark-105.1.0+up7.1.1.tgz create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/README.md create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/app-readme.md create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-eks-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.6.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/deployment.yaml create mode 100644 
charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke-1.6.0.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/105.1.0+up7.1.1/values.yaml 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.1.0+up7.1.1.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.1.0+up7.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..dadbf8f4e39b4304702e6e25976c82eca5a273a2 GIT binary patch literal 5918 zcmV+(7vbn1iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PKDHa@#o4@BDl86kYP3N<5!QU2SJoJ6q++_-uJLx3WFEHIh zbY4%1Q0^U>1>bFfy4`N~XgD-~yWMW_Z||sk^j&Xw+&}6bANG#=-*tP3gTe4S=x(F% zRTN1@#CP2%msPCXH$sFlu85+X$x#cyBZ>rk;(A1>0A0#EBvRa=OezutBd8oMjwk#d zW<+_@N)8?hMaLBV^zq7UK9ylW?i@yDID*$_7w}_JKxO`$=o+0{6q0f_f){`N0eWu# zmD_c?@E7R0gTB6eQTeDYLWab{5$KBW5Cu_OIPy*^oK-%;3CY_NjH|*41Fn4$xgs0Tz0eoX2_X>TzNZb-QeAv3tx^}PFiT|p=M1xtk*qsdv5oC zqR>`%clfW?|Fx6ExO`$^_&3CxF0^ORBiIOCiP9%s^{Jd%dBH|5kr(~)Ybi$USq zo+E+eK$$1B0g&KL3G?hfTZu6c02s5MJtfP=ONuo|Xs3NjlnZ#kq{v z2OocHwX&%BnP2O=^IH^x`gobmJ0^kDBca5AjK`Ewb!X+91pJx=u|uf>v@o*nRjhB$ zaYCii4cTs+yRlV%XY8j*(+%aRU^xck40$ckb&p#u5}>eMXnh5LA-cp{6h_iH5zG#~ z87e_N`GE^Hf>+&F-5pxwda2s}r`ox5HN_xAAzc-2>k6EFL)epDMneVr@FX1a9P&iAc<+Sy^E^I%Sc0Eq9W&0`e0F(zg@X|%jNXz481 z81Q+VoKeGC`Omqy2{`d3csvSpR*>El{U|`=H>fF>nB~|i^`^P$7$cNnZtLX04QhRz zofT_6Z9K3?HLDVvBWz)k0aEA)SNc-+hD|90dcyh5%Y#czd0Qtsv;Wh#COKY8l`YB8yL+-z|4&W*CL#|zE&B1}t_=6sm zv45Cqng1LmvkL!KnbkEf4}Je^?Uth{ihx(qB{?n6xFY-qoSvWi&gnD zzT+{HA~g1IKG+3sVKV6H7G;Y`Xt4THgdc9{)N=&wceQ_#c$;f85yr zT4=lYkH^Sz{F`;1rSR_`HSn*Q9*=)Cy1l=F2e2CdM@9S(oA>|q(01{kj*;aW02>eB zYof>Fe{zG*h5w`D68`&*{jY_#i~n?tEXV)k23O->&*uMF;v>9r|7aA%)@WV)AJt_4 zoA*EU&~xDb=n44m|GBaMb<*SUe>0HD8h|q;!bgVw<5a;){11!k|AWKfpuv9~v|apH zjgjT5;AZgPRG?W6sDU=azuE6BCB1#rJHgfXFRuR$dq=$n|8>yw;eRnk8V&IE(&OT4f7JN@_0V?lUo}RSqhG9;3N+|{e%cKG&u;(w!+wMRI_UZE{}}t%lYqGhc&c0t+fBiP0HH}C&yp;$+oUVcl$VrZta!j4ZUJJsrR zonw3n-$e+T%q-(W%o9Qs=`razaFzgd7h((a>|q4=j!{y7>AC%$+qG+uu|%0Eh|_cX zU6b*zKdj98%JS}4GEXKr{cgp>g0i|LhJAoA*Dp zP*&e-|8wED|CILp61P2bf_fdb4{@j@>ux^ki1xM*d?y0Nd@{Au6y#VwnkhgcrnyFO zOFcaCJRULiuGDBwoPpR3iTs=?LK%vTGhW%?mTcfOc#&)KrD0NZ>wo^79`!d5yP1${ 
z?jpnzeEBkZFsmXH`10jNUXl+{5PaYP_3lP+Hh#y|2Z0jP%7HmgpJ~`k-I4?LkW$(d zHYig@nm9&5CT5czR+f<6mP@!eef`V%+2yZS7q3s=U7fu>`P*rxs5pMf6IwAFJ}cjh zj}hhS^5k!o;yh4@?SL}(_wU~S_{;lWpQDa(c)L~g%SrIqswKRaRO|KG#ns81)AP%V ztGB0@=Vz}ku0Fg!zbtcpv1**Wc!>AK=|4_&-#jRB%r*%lwnE&~cPBr-IsNG|9Fw3M znIK6fW?38V;rECutSsuyFBg}m=U4Ae-d1#XwmI?@DlzJ+Lxl#)$rZ!>~>v_jA!s0VtaYl=0gElY+$rJ3cS(!sI2wnSI7wpW4e^ zxAoUZtMG4LdZjL6e$w(-9kA;CZ?{)G|2^zA_^*eG_`lZuy}{JH|^W>7eiv;Yd< zj{s;-F_^h>+L>~G(;h*{rAodZabSN%;Y1K0%h?_KvemI*ZjZnu%E8aAn6%I3;EXC^@?Tu!u@jNGv4ZVC( zqma+eJlo4xG|G<_vScR-9-qyK2GGZLTtH?A0kreu&2BR=)zX(vsQ>@`uQrJkpXm%2 zx$%3+Z;<_~9Y?hO62AmCUay##_p}acAFQ;uzqMKb*TlQw>dBD%CJeTd>h`Kj;f9#UkTG}9s=PVksrXvH|1xS|KleP5r z%3|W3){m@B$+qV7nJ0=!SZ2{H@mNCRDmIlt@ylF8!DpzZ7)jG}dB)b7J<(46Xtm(3 z%~h3i7AxqMzCOpXmM3Y&2Wr^@C>!IIexQu5|Baq9*szc1=g`$0O3Og&U~&8XR<{1N z_2riPD3O1yZmGLBzDD?DakHjr*sKSa!)tw9J*@-l!tJhS;Jc+&>pz+O-5Y-aVCDPY z;`&d&cQkC?|I|Y3pZ|?_<}Z)_pKL0xdOK7;HQ?q;ypCv~C>udri3r>2%bj#=W+gRS z^>^KZ-!`p-|LO>!PmljG7?k#Z93M67zqQad@n3ZSB@F`dyvm?5@aV4F_FJG$@t+L< z^3?brgJJRf-*9l;od2tZo*VzU!)|qHfJ~vgZr`t+*1^9p(cRaL{`naDU&Q}l*l*5% z)k53EfA&0WGDhOlw9kqB%AljWZr5*xHo^aT(LXow|A*Zs{%1Y(T=*}Yr>{!`G`4>& zS`+_O5kQ|D|93Dbe*b6KYrg+g4{aI$~Y z?+kYvY(JUSz&}10{s-OS`d_ct#Q&~`wuyhN4gZVpjPJVrzI9py|CtW}Z+rhw$^IWU z@BizeZQ{Qau=1I;z~XDeyKcpAm)667efGcCtpC?S&xHS4kl)zuHyu!G8@@i1%H&=e~&a$47cyy;r}ef3`2fE)MJF>$vMaeu!4#|CR*QCkm4g zK8`0Iz3(TX75MKB4vXLa>-UeF@Bh?7dvO?`iGr5_GI$wqeiMZcoXqar_S(?Sob+l# zTmReNhb}l@zO?pCEX6;KdBl7e{Qy4oROW_6mE3F>y^T)B&uH8DHXA&dexYo07O|7F zIfHZa#hCK*g0KmK`cjj-Uj8*>MuwPjJ=?#yLn*ATO&>o!I5dg2xE+EyM@LFT6)wJ?kZG10{If8i+M|N_Gh3jh zM1e;bTqF2=&H_$+^xal#56-MEu#x{-pFVwRO);3I+N5$ggWCbe#tXF0nsE@pVFl0B z1eh~Ccik)XQ8oTa7&-!pKf`V4fQRwl>vfNc_&+=zHu$fFmf&A%=qIK&1$_?Q2L60( z4R{RfNSk>0s9C*yjZ7zvxqvf$#ZbXT%wT_^GvseCr%Hu#)alIUbJwFuAubn_#pj1R z3pLW&cU!Ih#|6x+b1>#&X7qv9H&Z?b#UYYt1REn!k-!5GI7XrG@JPT%pL>~dV+_m) zBNG&^zUjtkuE%GcDW5xvJClg|C_BWz)ym3uB8ehNOoJTQ-&(><`^DNxT9J4V@VRa$ zt@$`ZrsSyAa^PcD8!e=pP&JLNjUcg5oovQ^aG<26r-b>s!vYd9Z)zPUgpaxnEy^p| 
zliwqfw0>uicOMkzfmO;PViE|*h$_^buX|dd_69jKWta$4`p%th=)aeAzY8a0JuIw& z7*j^&^uUgxYy}eQpbIM*h^6+yfeXXdffG{zQ2o62CtrTb_~xJXEe9XRl%a(A6qz0x zO3=w9MnY=9vcvnDNc59L`?L?qS|*$%;^}@j#>NL?Dyy?6@|fD7vf`#+InxryjFt!; zXD!NZ-DftYlgI{VHGtEpNi7awKBeANv(?E9t9YBtIbytMt4!FPiJVKv)QdY-agaAO z1j=m5DFYX(hB$#S&eJbgRMh~yNGd*C#Ky6~{FyB$MBf&i$ZgtfHbb8hg~6Tf^GJ7t z;_>ia^p|eZg$uKoQ^85O+Dn=_eY~on^UhAfNO28|SobYp14P0cgFye)51W;gLSKbM zkQpizGVZpgwC_UnQVZ*bISEiGE#i6F?oOioU&w;{N5VAN8w9ANhO?<9Nx@(SwDIty zH$^`R@W2cqsi#}^lO`5fS*W{l%&s$|AYe|I((PvrO!AcC2G|(TThwz%!=+Gg0wZ}~ z7%{XX0-1~i+J^kNsNCB$Jd+VIX^N5wFltci|5Vl9_T4`^$U2JvPY#Kn*7puO`?_t}g-l}ga-$h7#q9S@1}tcP;qqc@Cf?K(a~M+wBvj8N9`#*hy&elNORCoV9 ze5^ho^q`NGRLZz@wmR{8f9JOA9(F?F-H-{I>Q%GfkA>XdemM?QJH~k~3a5Iq0#!mHd_^s8Un*Dw(R8i>7#NK+t zS23>~@~f+WH%qIK?oE7xzD#*+sxhl2%q#rmRfxA&KcNCKho>m~D*191m@LHd%> zR3YWDc^||qx|>(wXbV+1+CmlnoJYd0SFIXqsG)`$dMf>I00030|DC)^901S&09_g+ A8vp= 1.28.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark +apiVersion: v1 +appVersion: v7.1.1 +description: The cis-operator enables running CIS benchmark security scans on a kubernetes + cluster +icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg +keywords: +- security +name: rancher-cis-benchmark +version: 105.1.0+up7.1.1 diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/README.md b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/README.md new file mode 100644 index 0000000000..50beab58ba --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/README.md 
@@ -0,0 +1,9 @@ +# Rancher CIS Benchmark Chart + +The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. + +# Installation + +``` +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +``` diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/app-readme.md b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/app-readme.md new file mode 100644 index 0000000000..a34a8bd5ca --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/app-readme.md 
@@ -0,0 +1,31 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. 
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. + +## CIS Kubernetes Benchmark support + +| Source | Kubernetes distribution | scan profile | Kubernetes versions | +|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| +| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26+ | +| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | +| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ | +| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26+ | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ | +| CIS | eks | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks | +| CIS | aks | 
[aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks | +| CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 | +| CIS | gke | [gke-1.6.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.6.0) | gke-1.29+ | diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/_helpers.tpl new file mode 100644 index 0000000000..b7bb000422 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/alertingrule.yaml new file mode 100644 index 0000000000..1787c88a07 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} 
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-aks-1.0.yaml new file mode 100644 index 0000000000..1ac866253f --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-cis-1.8.yaml new file mode 100644 index 0000000000..ae19007b2e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-cis-1.8.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.8 +spec: + clusterProvider: "" + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-eks-1.2.0.yaml new file mode 100644 index 0000000000..c1bdd9ed5e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-eks-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.2.0 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.2.0.yaml new file mode 100644 index 0000000000..426f7ec6a8 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.2.0.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.2.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.28.x" 
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.6.0.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.6.0.yaml new file mode 100644 index 0000000000..0538240e53 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-gke-1.6.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.6.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.29.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..07b4300d20 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..c30fa7f725 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-k3s-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..d3d357c023 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-hardened.yaml 
@@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..208eb777cd --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..0237206a73 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..b5f9e4b50f --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/benchmark-rke2-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" 
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/cis-roles.yaml new file mode 100644 index 0000000000..23c93dc659 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/cis-roles.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-admin +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["create", "update", "delete", "patch","get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-view +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/configmap.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/configmap.yaml new file mode 100644 index 0000000000..2988b18397 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/configmap.yaml 
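Review bot: The `cis-admin` ClusterRole in cis-roles.yaml grants `verbs: ['*']` on core `configmaps` with no namespace or `resourceNames` scoping, so any subject bound to it through a ClusterRoleBinding can read, modify or delete every ConfigMap in the cluster, including those in `kube-system` that feed cluster components; `cis-view` likewise exposes every ConfigMap cluster-wide for reading. The cis.cattle.io rules are correctly limited to the operator's CRDs, and the only ConfigMap this chart itself shows is `default-clusterscanprofiles` in `{{ template "cis.namespace" . }}`, so the ConfigMap grant belongs in a namespaced Role in that namespace; if the bindings created outside this chart are already RoleBindings, the existing rule should at least replace `'*'` with an explicit verb list so the grant is reviewable. The bindings for these roles are not part of this chart, so the change needs to be checked against how Rancher binds `cis-admin` and `cis-view`.

```yaml
# … unchanged: cis-admin and cis-view ClusterRoles, with the core configmaps rule removed from each …
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cis-admin-configmaps
  namespace: {{ template "cis.namespace" . }}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["create", "update", "delete", "patch", "get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: cis-view-configmaps
  namespace: {{ template "cis.namespace" . }}
rules:
  - apiGroups: [""]
    resources: ["configmaps"]
    verbs: ["get", "watch", "list"]
```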
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-clusterscanprofiles
+ namespace: {{ template "cis.namespace" . }}
+data:
+ # Default ClusterScanProfiles per cluster provider type
+ rke: |-
+ <1.21.0: rke-profile-permissive-1.20
+ >=1.21.0: rke-profile-permissive-1.8
+ rke2: |-
+ <1.21.0: rke2-cis-1.20-profile-permissive
+ >=1.21.0: rke2-cis-1.8-profile-permissive
+ eks: "eks-profile"
+ gke: "gke-profile-1.6.0"
+ aks: "aks-profile"
+ k3s: "k3s-cis-1.8-profile-permissive"
+ default: "cis-1.8-profile"
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/deployment.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/deployment.yaml
new file mode 100644
index 0000000000..8c9f72f5de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/deployment.yaml
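Review bot: The `rke: |-` and `rke2: |-` block scalars map Kubernetes `<1.21.0` to `rke-profile-permissive-1.20` and `rke2-cis-1.20-profile-permissive`, but no ClusterScanProfile with either name is shipped in this chart version (the profile templates in this commit define only the `-1.8` variants), and the chart's `catalog.cattle.io/kube-version` annotation starts at 1.28 while the benchmarks set `minKubernetesVersion: "1.26.0"`. On any supported cluster the `<1.21.0` branch is unreachable, and if it were reached the operator would be pointed at a profile that does not exist; either drop the stale branch or keep only `>=1.21.0: rke-profile-permissive-1.8` (and its rke2 counterpart). If this is a verbatim forward-port of an already-published chart the fix belongs upstream, but a comment above `rke: |-` noting that the `<1.21.0` targets are not installed by this chart would save the next reader the lookup.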
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: '{{ .Values.global.cattle.clusterName }}'
+ - name: CIS_OPERATOR_DEBUG
+ value: '{{ .Values.image.cisoperator.debug }}'
+ {{- if .Values.securityScanJob.overrideTolerations }}
+ - name: SECURITY_SCAN_JOB_TOLERATIONS
+ value: '{{ .Values.securityScanJob.tolerations | toJson }}'
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/patch_default_serviceaccount.yaml
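Review bot: The `SECURITY_SCAN_IMAGE_TAG`, `SONOBUOY_IMAGE_TAG` and `CIS_ALERTS_SEVERITY` env entries render their values unquoted (`value: {{ .Values.image.securityScan.tag }}`), while `CIS_ALERTS_METRICS_PORT` and `CLUSTER_NAME` in the same list are single-quoted and `CIS_ALERTS_ENABLED` goes through `| quote`. An env `value` must be a string, so a tag or severity that YAML types as a number or boolean (`1.10`, `off`) renders as a non-string and the API server rejects the Deployment; `value: {{ .Values.image.securityScan.tag | quote }}` (and the same for the other two) closes that and makes the quoting consistent. Separately, neither the pod spec nor the container sets a `securityContext`; for an operator that is itself a security tool, `allowPrivilegeEscalation: false`, `runAsNonRoot: true` and a dropped capability set are worth adding if the image supports running that way.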
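Review bot: `default-allow-all` selects every pod in the namespace (`podSelector: {}`) and permits all ingress and egress unconditionally, with no values toggle and no comment explaining why a permissive policy is installed. In clusters that rely on a default-deny posture this silently re-opens the operator namespace, so a reader needs the intent stated; presumably it exists so scan Jobs can reach the nodes and API server when project network isolation is on, which is worth confirming. At minimum add a comment such as `# Allows all traffic within the operator namespace so scan jobs can run under project network isolation; remove if your cluster does not enforce default-deny`, and consider gating the manifest behind a values flag (a constructed name such as `networkPolicy.allowAll`) so operators who manage policy elsewhere can turn it off.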
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+
+ backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/rbac.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/rbac.yaml
new file mode 100644
index 0000000000..5fe075e34f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/rbac.yaml
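Review bot: `args: ["-n", {{ template "cis.namespace" . }}]` drops the rendered namespace into a flow sequence unquoted, unlike the `image:` line just above it, so an empty expansion turns the element into `null` and the hook Job fails at render time instead of with a readable error; `args: ["-n", {{ include "cis.namespace" . | quote }}]` matches the rest of the template (note `template` cannot be piped, `include` can). `imagePullPolicy: {{ .Values.global.imagePullPolicy }}` references a key the chart's own `values.yaml` in this commit does not define under `global` (only `cattle` and `kubectl` are there), so it renders empty unless Rancher injects the value at install time; adding `imagePullPolicy: IfNotPresent` as a default under `global` in `values.yaml` makes `helm template` output deterministic. The `command` itself only patches `automountServiceAccountToken` on the namespace's `default` ServiceAccount, so the hook is a hardening step and is fine to keep; the breadth of the identity it runs under is raised on the `rbac.yaml` hunk.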
@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrole
+rules:
+- apiGroups:
+ - "cis.cattle.io"
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - "pods"
+ - "services"
+ - "configmaps"
+ - "nodes"
+ - "serviceaccounts"
+ verbs:
+ - "get"
+ - "list"
+ - "create"
+ - "update"
+ - "watch"
+ - "patch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "list"
+ - "create"
+ - "patch"
+ - "update"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-scan-ns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "namespaces"
+ - "nodes"
+ - "pods"
+ - "serviceaccounts"
+ - "services"
+ - "replicationcontrollers"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ - "cronjobs"
+ verbs:
+ - "list"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ - "deployments"
+ - "replicasets"
+ - "statefulsets"
+ verbs:
+ - "list"
+- apiGroups:
+ - "autoscaling"
+ resources:
+ - "horizontalpodautoscalers"
+ verbs:
+ - "list"
+- apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - "networkpolicies"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cis-operator-role
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "services"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "patch"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "delete"
+- apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ - "pods"
+ - "secrets"
+ verbs:
+ - "*"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ verbs:
+ - "*"
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheusrules
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cis-scan-ns
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
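Review bot: `cis-operator-rolebinding` binds both `cis-serviceaccount` and `cis-operator-serviceaccount` to `cis-operator-role`, and that Role grants `verbs: ["*"]` on `secrets`, `configmaps` and `pods` in the namespace, so the scan-side account inherits full Secret read and write even though its own ClusterRole `cis-scan-ns` is purely `get`/`list`/`watch`. If `cis-serviceaccount` is what the scan Jobs run under (not shown in this commit), split the binding so that account receives only what the scans read, and enumerate the verbs the operator actually uses on `secrets` rather than `*`. `cis-operator-clusterrole` likewise grants cluster-wide `create`/`update`/`patch` on `serviceaccounts` and `configmaps`; the only consumer visible in this commit is the `patch-sa` hook, which patches one `default` ServiceAccount in the chart namespace, so unless the operator itself creates ServiceAccounts in other namespaces that rule belongs in the namespaced Role. Finally, `app.kubernetes.io/instance: release-name` is a hard-coded literal here and in `serviceaccount.yaml`; unless it is deliberate because the catalog pins the release name via `catalog.cattle.io/release-name`, `{{ .Release.Name }}` is what the label convention expects.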
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-cis-1.8.yaml
new file mode 100644
index 0000000000..40be06c946
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-cis-1.8.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.8-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.8
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..03f6695689
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.8-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..39932a4e5b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-k3s-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.8-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-hardened.yaml
new file mode 100644
index 0000000000..54aa08691e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.8
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-permissive.yaml
new file mode 100644
index 0000000000..f7d4fdd229
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke-1.8-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.8
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..d0a1180f56
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.8-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..0aa72407c0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofile-rke2-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.8-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileaks.yml
new file mode 100644
index 0000000000..ac9f47a8fb
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: aks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: aks-1.0
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileeks.yml
new file mode 100644
index 0000000000..7cf7936cbf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: eks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: eks-1.2.0
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke-1.6.0.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke-1.6.0.yml
new file mode 100644
index 0000000000..1fc299fc57
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke-1.6.0.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile-1.6.0
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.6.0
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke.yml
new file mode 100644
index 0000000000..42fa4f23a2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.2.0
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec48ec6224
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..562295791b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/templates/validate-install-crd.yaml
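Review bot: The two ServiceAccounts in `serviceaccount.yaml` are labelled inconsistently: `cis-serviceaccount` carries `app.kubernetes.io/name` and `app.kubernetes.io/instance` while `cis-operator-serviceaccount` has no labels at all, so label selectors or policy tooling keyed on those labels will see only one of them. Neither account sets `automountServiceAccountToken`; the operator account plainly needs an API token, but stating `automountServiceAccountToken: true` with a one-line comment documents the intent next to the `patch-sa` hook that disables automount on the namespace's `default` account, and makes an accidental flip visible in review.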
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/105.1.0+up7.1.1/values.yaml b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/values.yaml
new file mode 100644
index 0000000000..13c84572b1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.1.0+up7.1.1/values.yaml
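Review bot: The file has no comment explaining the pattern, and a reader will take seventeen `#`-prefixed lines as disabled code: the `#` only keeps the rendered output a YAML comment, while Helm still evaluates every `{{- ... -}}` action and the `required` call aborts the install when one of the four `cis.cattle.io/v1` kinds is absent from `.Capabilities.APIVersions`. A header such as `# The leading '#' keeps the rendered output a YAML comment; Helm still evaluates the actions below, so 'required' fails the install when the CIS CRDs are missing.` would remove the ambiguity. It is also worth stating that the outer `lookup` gate returns an empty result when there is no cluster connection (`helm template`, `--dry-run`), so the CRD check is skipped there and only enforced on a live install or upgrade. The file is also committed without a trailing newline (`\ No newline at end of file`).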
@@ -0,0 +1,53 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ cisoperator:
+ repository: rancher/cis-operator
+ tag: v1.3.4
+ securityScan:
+ repository: rancher/security-scan
+ tag: v0.5.2
+ sonobuoy:
+ repository: rancher/mirrored-sonobuoy-sonobuoy
+ tag: v0.57.2
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+ overrideTolerations: false
+ tolerations: []
+
+affinity: {}
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ clusterName: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.30.7
+
+alerts:
+ enabled: false
+ severity: warning
+ metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index c870d43d29..0397b3d819 100755
--- a/index.yaml
+++ b/index.yaml
@@ -12271,6 +12271,32 @@ entries:
 urls:
 - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.2.0+up7.2.0.tgz
 version: 105.2.0+up7.2.0
+ - annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+ apiVersion: v1
+ appVersion: v7.1.1
+ created: "2025-03-02T13:08:08.939806282-03:00"
+ description: The cis-operator enables running CIS benchmark security scans on
+ a kubernetes cluster
+ digest: fa1589febd004a733b2de6400d8c6c7a01a7062859cd40a83685cc94f4de36eb
+ icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+ keywords:
+ - security
+ name: rancher-cis-benchmark
+ urls:
+ - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.1.0+up7.1.1.tgz
+ version: 105.1.0+up7.1.1
 - annotations:
 catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
 catalog.cattle.io/certified: rancher
diff --git a/release.yaml b/release.yaml
index 470fa9bbcb..eff167d6ed 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,3 +1,4 @@
 rancher-cis-benchmark:
 - 105.3.0+up7.3.0
 - 105.2.0+up7.2.0
+ - 105.1.0+up7.1.1
From 710a4a1fd22619d62a462243432afd7f3f1f8eb2 Mon Sep 17 00:00:00 2001
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:19 -0300 Subject: [PATCH 5/9] fp: rancher-cis-benchmark-105.0.1+up7.0.1 --- .../rancher-cis-benchmark-105.0.1+up7.0.1.tgz | Bin 0 -> 5887 bytes .../105.0.1+up7.0.1/Chart.yaml | 22 ++ .../105.0.1+up7.0.1/README.md | 9 + .../105.0.1+up7.0.1/app-readme.md | 31 +++ .../105.0.1+up7.0.1/templates/_helpers.tpl | 27 +++ .../templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.8.yaml | 8 + .../templates/benchmark-eks-1.2.0.yaml | 8 + .../templates/benchmark-gke-1.2.0.yaml | 9 + .../templates/benchmark-gke-1.6.0.yaml | 8 + .../benchmark-k3s-cis-1.8-hardened.yaml | 8 + .../benchmark-k3s-cis-1.8-permissive.yaml | 8 + .../benchmark-rke-cis-1.8-hardened.yaml | 8 + .../benchmark-rke-cis-1.8-permissive.yaml | 8 + .../benchmark-rke2-cis-1.8-hardened.yaml | 8 + .../benchmark-rke2-cis-1.8-permissive.yaml | 8 + .../105.0.1+up7.0.1/templates/cis-roles.yaml | 49 ++++ .../105.0.1+up7.0.1/templates/configmap.yaml | 18 ++ .../105.0.1+up7.0.1/templates/deployment.yaml | 61 +++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 +++ .../105.0.1+up7.0.1/templates/rbac.yaml | 209 ++++++++++++++++++ .../templates/scanprofile-cis-1.8.yaml | 9 + .../scanprofile-k3s-cis-1.8-hardened.yml | 9 + .../scanprofile-k3s-cis-1.8-permissive.yml | 9 + .../scanprofile-rke-1.8-hardened.yaml | 9 + .../scanprofile-rke-1.8-permissive.yaml | 9 + .../scanprofile-rke2-cis-1.8-hardened.yml | 9 + .../scanprofile-rke2-cis-1.8-permissive.yml | 9 + .../templates/scanprofileaks.yml | 9 + .../templates/scanprofileeks.yml | 9 + .../templates/scanprofilegke-1.6.0.yml | 9 + .../templates/scanprofilegke.yml | 9 + .../templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../105.0.1+up7.0.1/values.yaml | 53 +++++ index.yaml | 26 +++ release.yaml | 1 + 39 files changed, 783 insertions(+) create mode 100644 
assets/rancher-cis-benchmark/rancher-cis-benchmark-105.0.1+up7.0.1.tgz create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/README.md create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/app-readme.md create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-eks-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.6.0.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/deployment.yaml create mode 100644 
charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-cis-1.8.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-hardened.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-permissive.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke-1.6.0.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/105.0.1+up7.0.1/values.yaml 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.0.1+up7.0.1.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-105.0.1+up7.0.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c07afc9393b99eb18453e4ba80230813c76451b5 GIT binary patch literal 5887 zcmVDc zVQyr3R8em|NM&qo0PKDHa@#o4@BDl86kYP3N<5!Q-F(TacDBls@!9fhZe@FRYbrbC zKx9k8iUK$QXpK*tcmE0iN%1DjvSljSWmhVuK(Nuc{JI+;&=iDuQxuLzr87e2P3J_+ zI-;56dhCa)5j~b`Ba7hxpf$s;}Bk-U&4<`0hRe@(FmOz6q0f_gcpDP0eWu# zmD_c?@E7R0gTB6eQTeDYLWab{A?S+m5Cu_OIPz91oL4@=?1oRf}ujwBeo7L>S^v%r9wIE zbUdx|q#H|YhQ5@jWGCPgE<0KPGvrJ`uDqGFW_Y{c!k5FAlNQ>#uUXR$>vfNGHUB3H zZFP5t|7!hzLxKq9whX`;{og+vbc_1`=(yMD|2k+7e!?+{0tL3uVa!GK=yh9ra5be8 zs00GPp1ytKjJcQ-rO<~l4NzzJ3B7;_gc~BL#i-&iLI^dMe4tEmxaE-mh4U~V3Z>g> z(K(r*u|8BL7}q}m1cqEv#l>w3sZLfCm`sXHv>I^-u2z=`5HCH#Rx?R*Ia)_#xOCkk z%Y`#Oiumnn4s$957w9`l*7PFJ?!@i4S^_1HgoknnpTD#K_TZlgk&H+X+=4)l&*#W| zU|i|;k|BC@d<%ZuGwIVnn6EPgNNy06?hK+k!{bbPlt7+p9Y z>%Ik_!-B9}O)`%~%+^*J;l?}&_=2*D;T}+?vk?E^ku>+`x&VeAN=d}+fvLa1IXAUO z@FEf1!blL)He-bXUM!pXg&Q-~rg>bEf=>5@0bKqkAxBfG9FV#)vc9p67UfTVuw-%XkldCt61M$;Dk!0 z8?xOtcVnyk&e%_rrW?vr!Dz=e)BtT)i(E1AgQgn$oD2${FBA6X|b5w$Q z@&gxY2(P-Yx;wPU^-{I{PqlOBdWu1aLb@t^v@5V~{x|3!7VQ7YNw1mz)k2>?cfN-+ zCL@86PK&gOmuNM#By$7}ncKw_1;Y28FJD@pKRenwQHIdg^Oy9=HaK6jfzuh>3p>+r z-=%!-Qk&MUn0VQT^`qJt>g!xVHq&*?;abEBWcd^wgZmHbxmpF3OiL;iPx@FWC{tr- z|6kc@KZ*ec64M{;axDrq>U`h&r=1-pIu8~!2!Qy0+B`;~8)IUolSa$SgO<)R!hkR0 z^yr@kGu&wh_c&|clw88KvR`K%0iQi@aneou1o$gc4YX|9;W`>-YN2`cFMnM0XxCDXL#vM@3H$m#gw+e8*!X zMQH5be6S1N!er3XEy|XY(zNJy&+Q$#-S&S9w7v;?IR15xp8M)q@INTw|D>`1wa|9) zACHmM_&4i1E8*WiZs1=tJskgNbbJ319>9A19~bd|*u4L*hqjCVbd0Rl0N8i{UlTnX z|C1R$7yge=%J^^We=W3K{HJ4NHU1|vT#tV}oBv~lkMPRBrC*Z&T=f?imNe{>WY#@_00B1^sj|}~Xse-lmKP;~Q4~_=M4gTw(?c%>`jI34# zv%$Snfo3(J26`O+&3CJ=Q39iR~asBVGcXZg`zYcmn{4d8yqXE8NdN}^Y4C}N1 z$BqAA4{aC!Rbyl|`o)^5K!g70r^n&{+3kOSaMa+x4thTPKg9kw8erG75&rv+a{xBS z|KOxMXz*VLZ5{vRF>){b`wjkgN{__wdg3O=R*R^F>j6c}=$?5!IV 
zBRPbRZBHOk*gk-E6#DU%j{(}NkSK53K4?!+>7NVx6WRfls{Px_dKM#O6zU2e+awI7 zVX#a$N9OdsN_@tdQ@J;jC_Zmn)!dwo>10mAY`dg)Uwr?fbQokS!{vtJ;u{<-|7GJ~ zHUC}fu!bH_YwdqB6rRui_qyGF(f;>)&H7(06zgcy%Wp|o49!$l*zpNvr&^tEa*QwG zy9_~-nPq&4c|wRHJtiFo&Jv(*Lu`SbJq+Q_F-qz$J-6R;yLJsSmMAj?ae8jQYcl@z zhqXChS>F9h=E(%7->rDKTta3(RFxZNatLjl$>g?H$`f6$_GBrZP9!EL$>*F6bYkwc zYpE2SFYdLWJ$IkU*G#VdyJ?;N_c09k?Ht(?!a=Ul|A&XA^PkDB=U2n2xTZT&Uj^mTe5-E;6<*@SB6Q^t^fIRdeq-M>}Eo)xyuks@a4SXn}LQ!e51?Da1f=U2a8U%ozlcYXf$^lxXGqT=`^PiVz#_^f<0K17u3tJA+# zigQmPwgbxC-@kkR<1g=jeU3WD;qBJdFDJo6tCsLyQLWeKm)ECn&MvMluiu_sU7WwZ zy#Db1;;PK~#kz6w;y&J&Xa6|UeRHqGG20}J*cx%q-ktvV=Ip13a7==3WP&7_m}PCa zgWn^ru(GH(zg%9OU0lCAeOuAp+2+VcG|EI(1-<@~Qz5F~XQ0drB7arzBR9k56_g`hW!c%=MS*fT z?x4skSIt~}zZJ6O;zO+yPvtwcEM2}Y?iEfan81`Nfa2hT%PeU)!dAI|ijtOkde=T# zowUyXXQ&oj%&tRY*RM$s@P+<=li9$!_rHUqqW?b_H1S{Rq2hvm+~1T@Dlz z-Lo=e#)$s^kzt)e?&qSN0#G&)DC4&SCIyQLc6?slhRI8WbNh_BKC_p*ZtJg+*5Tj0 z^h#aC{G{cfI$+)V-)^sX{`;`k;J+R!;(w(3dx`m<`KSWvW>7eiv;Yd}bYY!phQYGJyIIzE>a3YA067usL3^x&CQyS)C2Ili^i*l>3Wpg^mg04d_M>L2@jNGv4ZV6%qma+eJlm^R zG|G<_vScR-9-q&N2GGZLTtH?A0kreu&2BR=)zX(vsQ>@`uQrJkpX&^lx$%3&XUP85 zjw4!siC+R6uUAaWds>IJ57ye--&!qz5%FexJbpvxR1IO5AEIbzC$!G~n++aM{0_(( z`+ss+eE-`!>76wDziXi_ZRW|YnUgSd^I@9r|I|>`6UJd+dfJfvTv6rghvZGP&@#ol zhzk2%9IF7+MSQL0bIUjmw7)lztdkv2HlfU>>dBD%CJeTd>hmW~@<~M$j-wz+%5+i4NwrL-U$n~}gxpVZ7rT8;A*Cgy>Z0OoX6{F^ zqJ+5Da)axM0KaEbYHD7LU8x!K4_z|bNE>AFoJB*{bYwug1j$N!vXS0iTTHyu`hm46 z+18vs^F$E|t1NmY9!qFk$EGqUewk}1_#D*~BWZdr&)8bCC)%kWtrpz1xvFx`Vg=pO z*B3a}@+7TzPc2&jWn;Y750ug9-{>iW4f}Y04qeTmv<$Qf7PsGTW$RyCUv9aN68Sgk zmb!c6YlKf0HyfIU$MxW9cx{fWr*&XmxZU*(e7Cf2{U@`(`_W$jSo{9BwEw?%eAvAI zsf9K_{~PbjUmg8F*;-!pcBp)6z|EI9ifEuH8$w%&2;1q)opfwwB{f_1cin>DHf@6c z>Ik4ukN+_kl=gp|95w5|wa_;4Uv&&64FdAK%Ahjv=&sxLTcF3{KN|q#sqsGshuu>A zkK-o(XD#&H_|F}7t4jl93f*=4e(kgg{)LI|zG?K&huHrj{s)K6`QLhIoA}S3r%lF4 ze46$-kzW~fbl2_rtp zFerZi=djm&|EnI_GXBfaE^1l;sE$0k>(>4H>CyP#U;$wL{J*&Ve|R)#*8gjvXUBhS z3jnKPkM6pKzi!$9|70c~vf5v!b@=a}l)nGhYw%wWZ4>{Q*i_Gqbz;6V+--PKBX#@OcJ^;M!{XZr9f7HDHuZOmY|4hKj 
z_$$EAs|A){8{Ty*e!H|8{_C^<-Dds27J4T9*Mj`U{y&}8;{Q<*U-GmL|3`<#_kX=X zxAFgLp+dax%02f*q(3~;>-xR=Mg6mV8Fq14H($qH_wjwS4*xeKpgvKUgz#}Z@!)+w z39Z3@Z*Wxn{$Ia;+J9E;j4Q>5ze;>Nw zeEHJaGqDu^H0BZWVfX|1)Ki%o5>;}uUGz3O89$?KVZIns zeqInZL2zG_kc?W0(^8cf3u?d#U)P5|mBA-H-GApMpraEZT|6 z@I&UW{AH#3)Aa%T3ICu{N!@QT&zwXr@%J=~saj4Ffxkyopbzbfp#82+?%UH7C5*7;CkzG&(cx8`vP# z5=6w90qgnYa()I$fMqaW(gMzaz|wn4zvDuf4-;gXr3U{z45;>~ApXo2s3}q45e6d! zpD$RziI2Y9YVE4U+dGSPpv5i^HiHu4rg#X;MjP9)>$(SA~>wznVJA|hUcz( zr9P_0KM6xeAo1t84IOYl{(IfyV*JnE(MfauvmRQ3f2pCLnA#NdId~iR^RYGHF|Z?T z;^Cua_3||`oiyeG&h-^T1(z{{{iV*3zrCC)70O|!vsf%#k0ynhJ*pLeEw;VAA*BI={;5dTIiE8mGEiX<@&a$tXJ2{Y{%YbR+%;z7U{x}CJ<;|!US z!&b|Ik6CTBlx{-RG#VK}VxcBx2swI!*{5bsJigSF$I+M|dR`+?NyFu}IcrW`) zH|f%aSxfv-8g2~xls_XAWZ4@vj!%4N^t{h4CoE&Ii%rIC^&(UJTQzH+7W?F zMgna^eq2`WZ5p1*h?q1*$pjcRsP%uUYH#}PA01?!Wq>D##82ycN1gp#TTuz2NEger z0${$?y%*@Au8%ZH7d%o}HbIXlKR2K{d*)_r$sBuc-^{<0e72oTC-F$dO`deisqa(G zhXlcGzF{RQ_+&E=&C0?js}K-uOl0`=^z9ps*dRAw=K^fB@51E0)!N%LLoQ<>mZMKb zp;n}=)*W1$p$d1|j6Ri0&{1Ss{LYStM0wUjIdM`wde^#hVoEPcwEE67Qgxwstvk~P zrb1ftS6B68ys7qHmn88Uj2F~V0i9e**vj|Nn@BB3=N_0057{_rU-F literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/Chart.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/Chart.yaml new file mode 100644 index 0000000000..c6b9f41f26 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/Chart.yaml 
@@ -0,0 +1,22 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v7.0.1
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+ cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 105.0.1+up7.0.1
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/README.md b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/README.md
new file mode 100644
index 0000000000..50beab58ba
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/app-readme.md b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/app-readme.md
new file mode 100644
index 0000000000..aea7514ef2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/app-readme.md
@@ -0,0 +1,31 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. 
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. + +## CIS Kubernetes Benchmark support + +| Source | Kubernetes distribution | scan profile | Kubernetes versions | +|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| +| CIS | any | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8) | v1.26+ | +| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | +| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ | +| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26+ | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ | +| CIS | eks | eks-1.2.0 | eks | +| CIS | aks | aks-1.0 | aks | +| CIS | gke | gke-1.2.0 | gke | +| CIS | gke | gke-1.6.0 | gke-1.29+ | 
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/_helpers.tpl new file mode 100644 index 0000000000..b7bb000422 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/alertingrule.yaml new file mode 100644 index 0000000000..1787c88a07 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-aks-1.0.yaml new file mode 100644 index 0000000000..1ac866253f --- /dev/null 
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-cis-1.8.yaml new file mode 100644 index 0000000000..ae19007b2e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-cis-1.8.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.8 +spec: + clusterProvider: "" + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-eks-1.2.0.yaml new file mode 100644 index 0000000000..c1bdd9ed5e --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-eks-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.2.0 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.2.0.yaml new file mode 100644 index 0000000000..426f7ec6a8 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.2.0.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.2.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.28.x" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.6.0.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.6.0.yaml new file mode 100644 index 0000000000..0538240e53 
--- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-gke-1.6.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.6.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.29.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..07b4300d20 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..c30fa7f725 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-k3s-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..d3d357c023 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" 
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..208eb777cd --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..0237206a73 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..b5f9e4b50f --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/benchmark-rke2-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/cis-roles.yaml new file mode 100644 index 0000000000..23c93dc659 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/cis-roles.yaml 
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-admin
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-view
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/configmap.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/configmap.yaml
new file mode 100644
index 0000000000..094c9dfe0a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/configmap.yaml
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-clusterscanprofiles
+ namespace: {{ template "cis.namespace" . }}
+data:
+ # Default ClusterScanProfiles per cluster provider type
+ rke: |-
+ <1.21.0: rke-profile-permissive-1.20
+ >=1.21.0: rke-profile-permissive-1.8
+ rke2: |-
+ <1.21.0: rke2-cis-1.20-profile-permissive
+ >=1.21.0: rke2-cis-1.8-profile-permissive
+ eks: "eks-profile"
+ gke: "gke-profile"
+ aks: "aks-profile"
+ k3s: "k3s-cis-1.8-profile-permissive"
+ default: "cis-1.8-profile"
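Review bot: The `cis-admin` ClusterRole grants `verbs: ['*']` on core `configmaps` with no namespace or `resourceNames` scoping, so any subject bound to it can read and modify every ConfigMap in the cluster — far more than the chart's own `default-clusterscanprofiles` ConfigMap — and `cis-view` likewise reads all ConfigMaps cluster-wide. If the intent is only the profile ConfigMap, a namespaced Role in `{{ template "cis.namespace" . }}` (with `resourceNames: ["default-clusterscanprofiles"]` for the write verbs) expresses that; otherwise a comment stating why cluster-wide ConfigMap access is needed would help. Minor: `"patch","get"` in the first verbs list is missing the space after the comma that the other lists have.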
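Review bot: The `rke` and `rke2` entries still map `<1.21.0` to `rke-profile-permissive-1.20` and `rke2-cis-1.20-profile-permissive`, neither of which is among the ClusterScanProfiles this patch ships, and Chart.yaml pins `kube-version` to `>= 1.28.0-0`, so those branches are either dead or point at a profile that does not exist. Either drop the `<1.21.0` lines or add `# <1.21.0 entries retained for clusters upgraded from older chart versions — TODO confirm` so the next maintainer knows they are deliberate. Note these values sit inside `|-` block scalars and are parsed by the operator, not by YAML, so the `<`/`>=` characters are safe as written.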
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/deployment.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/deployment.yaml new file mode 100644 index 0000000000..8c9f72f5de --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/deployment.yaml 
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: '{{ .Values.global.cattle.clusterName }}'
+ - name: CIS_OPERATOR_DEBUG
+ value: '{{ .Values.image.cisoperator.debug }}'
+ {{- if .Values.securityScanJob.overrideTolerations }}
+ - name: SECURITY_SCAN_JOB_TOLERATIONS
+ value: '{{ .Values.securityScanJob.tolerations | toJson }}'
+ {{- end }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" .
| nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/patch_default_serviceaccount.yaml
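Review bot: The env values for `SECURITY_SCAN_IMAGE_TAG`, `SONOBUOY_IMAGE_TAG` and `CIS_ALERTS_SEVERITY` are rendered unquoted (`value: {{ .Values.image.securityScan.tag }}`), unlike `CIS_ALERTS_METRICS_PORT` and `CLUSTER_NAME` in the same list, so any tag or severity that YAML types as a number or boolean (a tag such as `1.10`, for instance) fails API validation because an env `value` must be a string. Quoting them the same way, `value: '{{ .Values.image.securityScan.tag }}'`, keeps the block consistent and the rendering type-safe. The container also sets no `securityContext` and hard-codes `imagePullPolicy: IfNotPresent` while the hook Job in templates/patch_default_serviceaccount.yaml reads `.Values.global.imagePullPolicy`; whether the operator needs root or a writable root filesystem is not visible here, so at least a comment stating why no `securityContext` is set would help. The Deployment's hunk starts on the previous physical line.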
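Review bot: `default-allow-all` selects every pod in the namespace (`podSelector: {}`) and opens all ingress and egress unconditionally, which only has an effect where a stricter policy (such as a default-deny from project network isolation) would otherwise apply — and there it silently removes that restriction for the whole operator namespace. As written, a reader cannot tell whether the policy is a deliberate opt-out or a leftover. Gating the resource behind a value and stating which flows the operator and scan pods actually need would make the trade-off reviewable, e.g. `# Overrides a namespace default-deny so the operator and scan pods can reach <traffic they need — TODO confirm>`.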
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+
+ backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/rbac.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/rbac.yaml
new file mode 100644
index 0000000000..5fe075e34f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/rbac.yaml
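Review bot: The hook Job runs as `cis-operator-serviceaccount`, i.e. with the operator's full `cis-operator-clusterrole` from templates/rbac.yaml (cluster-wide `create`/`update`/`patch` on `serviceaccounts`, `nodes` and `pods`), just to execute one `kubectl patch serviceaccount default` in `{{ template "cis.namespace" . }}`. A dedicated hook ServiceAccount bound to a namespaced Role with `patch` on `serviceaccounts` would keep the kubectl container at least privilege without changing what the hook does. Disabling `automountServiceAccountToken` on the `default` SA is itself a sound hardening step; the container has no `securityContext`, and `imagePullPolicy: {{ .Values.global.imagePullPolicy }}` references a key that values.yaml in this patch does not declare, so it renders empty unless Rancher supplies `global.imagePullPolicy` at install time.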
@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrole
+rules:
+- apiGroups:
+ - "cis.cattle.io"
+ resources:
+ - "*"
+ verbs:
+ - "*"
+- apiGroups:
+ - ""
+ resources:
+ - "pods"
+ - "services"
+ - "configmaps"
+ - "nodes"
+ - "serviceaccounts"
+ verbs:
+ - "get"
+ - "list"
+ - "create"
+ - "update"
+ - "watch"
+ - "patch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "list"
+ - "create"
+ - "patch"
+ - "update"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-scan-ns
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "namespaces"
+ - "nodes"
+ - "pods"
+ - "serviceaccounts"
+ - "services"
+ - "replicationcontrollers"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+- apiGroups:
+ - "rbac.authorization.k8s.io"
+ resources:
+ - "rolebindings"
+ - "clusterrolebindings"
+ - "clusterroles"
+ verbs:
+ - "get"
+ - "list"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ - "cronjobs"
+ verbs:
+ - "list"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ - "deployments"
+ - "replicasets"
+ - "statefulsets"
+ verbs:
+ - "list"
+- apiGroups:
+ - "autoscaling"
+ resources:
+ - "horizontalpodautoscalers"
+ verbs:
+ - "list"
+- apiGroups:
+ - "networking.k8s.io"
+ resources:
+ - "networkpolicies"
+ verbs:
+ - "get"
+ - "list"
+ - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: cis-operator-role
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ namespace: {{ template "cis.namespace" .
}}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - "services"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "patch"
+- apiGroups:
+ - "batch"
+ resources:
+ - "jobs"
+ verbs:
+ - "watch"
+ - "list"
+ - "get"
+ - "delete"
+- apiGroups:
+ - ""
+ resources:
+ - "configmaps"
+ - "pods"
+ - "secrets"
+ verbs:
+ - "*"
+- apiGroups:
+ - "apps"
+ resources:
+ - "daemonsets"
+ verbs:
+ - "*"
+- apiGroups:
+ - monitoring.coreos.com
+ resources:
+ - prometheusrules
+ verbs:
+ - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-clusterrolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: cis-scan-ns
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
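Review bot: `cis-operator-rolebinding` binds the namespaced `cis-operator-role`, whose rules include `verbs: ["*"]` on `secrets`, `configmaps` and `pods`, to both `cis-operator-serviceaccount` and `cis-serviceaccount`; if `cis-serviceaccount` is the identity the scan pods run under (its other binding, `cis-scan-ns`, is read-only, which suggests so), the scan workload inherits full read/write on every Secret in the operator namespace. Binding `cis-operator-role` to the operator SA alone and giving `cis-serviceaccount` a separate Role limited to what the scan demonstrably uses would restore least privilege. In `cis-operator-clusterrole`, `update` and `patch` on `nodes` and `serviceaccounts` across the cluster are the broadest grants in the file; a comment above that rule naming the operation that needs each (`# serviceaccounts: patched by the post-install hook; nodes: <reason — TODO confirm>`) would make them auditable. The `app.kubernetes.io/instance: release-name` label is hard-coded rather than `{{ .Release.Name }}`, here and in templates/serviceaccount.yaml. rbac.yaml's hunk starts on the previous physical line.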
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-cis-1.8.yaml new file mode 100644 index 0000000000..40be06c946 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-cis-1.8.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.8-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.8 diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-hardened.yml new file mode 100644 index 0000000000..03f6695689 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.8-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-permissive.yml new file mode 100644 index 0000000000..39932a4e5b --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-k3s-cis-1.8-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.8-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-hardened.yaml new file mode 100644 index 0000000000..54aa08691e 
--- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.8 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-permissive.yaml new file mode 100644 index 0000000000..f7d4fdd229 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke-1.8-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.8 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-hardened.yml new file mode 100644 index 0000000000..d0a1180f56 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.8-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-permissive.yml new file mode 100644 index 0000000000..0aa72407c0 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofile-rke2-cis-1.8-permissive.yml 
@@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.8-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileaks.yml new file mode 100644 index 0000000000..ac9f47a8fb --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileaks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: aks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: aks-1.0 diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileeks.yml new file mode 100644 index 0000000000..7cf7936cbf --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofileeks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: eks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: eks-1.2.0 diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke-1.6.0.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke-1.6.0.yml new file mode 100644 index 0000000000..1fc299fc57 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke-1.6.0.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile-1.6.0 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.6.0 
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke.yml new file mode 100644 index 0000000000..42fa4f23a2 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/scanprofilegke.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.2.0 diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..ec48ec6224 --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + name: cis-operator-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-serviceaccount diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..562295791b --- /dev/null +++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/templates/validate-install-crd.yaml 
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/105.0.1+up7.0.1/values.yaml b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/values.yaml
new file mode 100644
index 0000000000..e2a7c39a77
--- /dev/null
+++ b/charts/rancher-cis-benchmark/105.0.1+up7.0.1/values.yaml
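Review bot: The leading `#` on every line is not a comment to the template engine — the `{{- if ... }}`, `set` and `required` actions still execute at render time, and the `#` only guarantees that whatever text survives is an all-comment (empty) YAML document; a header stating this, `# The '#' prefix keeps the rendered output a valid empty document; the template actions below still run and abort the install when a required CRD is missing.`, would stop the next reader from assuming the check is disabled. The outer `lookup` guard also skips the whole check when `lookup` returns an empty map, which is the case under `helm template` and `--dry-run`, so a missing CRD is only caught against a live cluster — presumably intended, but worth a comment. The file is also missing its trailing newline (`\ No newline at end of file`).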
@@ -0,0 +1,53 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ cisoperator:
+ repository: rancher/cis-operator
+ tag: v1.3.1
+ securityScan:
+ repository: rancher/security-scan
+ tag: v0.5.1
+ sonobuoy:
+ repository: rancher/mirrored-sonobuoy-sonobuoy
+ tag: v0.57.2
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+ overrideTolerations: false
+ tolerations: []
+
+affinity: {}
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ clusterName: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.30.7
+
+alerts:
+ enabled: false
+ severity: warning
+ metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 0397b3d819..38bbb691c1 100755
--- a/index.yaml
+++ b/index.yaml
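Review bot: `global.imagePullPolicy` is read by templates/patch_default_serviceaccount.yaml but is not declared under `global:` here (only `cattle` and `kubectl` are), so the hook container's `imagePullPolicy` renders empty unless the value is supplied externally; adding `  imagePullPolicy: IfNotPresent` under `global:` documents the expectation. `image.cisoperator.debug`, read by the Deployment's `CIS_OPERATOR_DEBUG` env, is likewise undeclared and renders as an empty string — adding `debug: false` under `cisoperator:` makes the default explicit (the use site already quotes it). The image tags are all `v`-prefixed, so they survive YAML typing without quotes, but no `securityContext`/`podSecurityContext` values are exposed for either the operator or the hook, which makes namespace hardening a chart fork rather than a values change.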
@@ -12297,6 +12297,32 @@ entries: urls: - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.1.0+up7.1.1.tgz version: 105.1.0+up7.1.1 + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v7.0.1 + created: "2025-03-02T13:08:15.737387745-03:00" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: bb6f150c7b5ef815299dc1420e9cbf9a4b35ac8eda0b72d78b897456d6fddceb + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.0.1+up7.0.1.tgz + version: 105.0.1+up7.0.1 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher diff --git a/release.yaml b/release.yaml index eff167d6ed..a3ff854a8d 100644 --- a/release.yaml +++ b/release.yaml @@ -2,3 +2,4 @@ rancher-cis-benchmark: - 105.3.0+up7.3.0 - 105.2.0+up7.2.0 - 105.1.0+up7.1.1 + - 105.0.1+up7.0.1 From b7e9976993b1e31c0e8807d0b6e360c85099c8b7 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:25 -0300 Subject: [PATCH 6/9] fp: rancher-cis-benchmark-crd-105.3.0+up7.3.0 --- ...cher-cis-benchmark-crd-105.3.0+up7.3.0.tgz | Bin 0 -> 1480 bytes .../105.3.0+up7.3.0/Chart.yaml | 10 ++ .../105.3.0+up7.3.0/README.md | 2 + .../templates/clusterscan.yaml | 149 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 55 +++++++ .../templates/clusterscanprofile.yaml | 37 +++++ .../templates/clusterscanreport.yaml | 40 +++++ index.yaml | 14 ++ release.yaml | 2 + 9 files changed, 309 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.3.0+up7.3.0.tgz create mode 100644 charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/README.md create mode 100644 charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanreport.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.3.0+up7.3.0.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.3.0+up7.3.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..fee4625c198ee839416b087f8110f5a85e6dd431 GIT binary patch literal 1480 zcmV;(1vmO1iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(liD^AzGr@gCVlMS*art4-Yz8Vq-`!Y+%+w?AlWBWnh8E4FF_|nO%;~mxm5=R82j2KOKt@E<<8~8U~&+~syKz>ngC-T5E**Zp2O|F47I&~Nkq5>m_@kPN>VBGvncij1z4{ zJV7lIMe!{@G0xHqh|xd@1}uMM`BMlO?NO%J8QswmsWqG_k;s$?3d-#Il!yq)y=G7k z6nHu+qeMYec9AMHWn_LQH;+j9q1&EK`lHZ z3`8Z|$HGW0C<$7ZknYz5wSb<0m8bOUdY~4NerB=+^spYN1@sRnUIO}iJx~jX3v-+C z`ZOxv&O2eqmg*qvJXRiAjM_k4Uh$u9_Z8@HDX!cx~PrMFG7n|vFg zGLus#x_d9Ifc5c_k3}paG!>rK6P^kYA@JQ`mRu5b5>{p*rk|0TiU4vdH5Cdil`!sz z9OOy7J=!G&o-Ga+SaU7M26x4zGsZbI_3rSCv8i$Eh^phW?qL~gjL&SiHJ#N|@a(j9 zL?JU6JA-py=vt0`RKRtLY}vRf-VVriteU; zqy}g7u#<`oN(xX478|;dX&J$y;nNM35^C3hQ_Zoei zTenJUGy?bZ|9gHAZ1n$n*S$g8|GR{oyZ^Temt1Cab0%*AI zTjh_detP3pej_!-=F}T~7x&EMBWhEpX}`CXx3iIVWHa?gJZfw5zd|W$e-*fo|A)a~ zlm7?3pymHd$hrAH3z!D!f06=Lv48Han*7!B@`kzpOkaAmN6N+DbYv0o`@_e(AK@Xc zn*S&7Zr^@*=f&a49JBBH@1Vc={r643*Khg%67tiIkDYJHB-0T(2W5zvgCT6|bLvE6 iNT!RbPpZH63R`KVl~!7D$^QWW0RR7JV7o&AHUI!+(&1VF literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/Chart.yaml b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/Chart.yaml new file mode 100644 index 0000000000..7f85e6e609 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 105.3.0+up7.3.0 
diff --git a/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/README.md b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/README.md
new file mode 100644
index 0000000000..f6d9ef621f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscan.yaml
new file mode 100644
index 0000000000..73cf1652b2
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscan.yaml
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + singular: clusterscan + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + properties: + error: + type: boolean + 
message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanbenchmark.yaml new file mode 100644 index 0000000000..261a84efd4 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanbenchmark.yaml 
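Review bot: `spec.scheduledScanConfig.retentionCount` is a bare `type: integer` and `cronSchedule` a bare nullable string, so admission accepts a negative retention count or an unparseable schedule and all validation is deferred to the operator; `retentionCount: { type: integer, minimum: 0 }` would reject the first case at the API server, and a `pattern:` on `cronSchedule` could do the same if the operator's cron syntax is fixed. The same schema is forward-ported verbatim (same blob `73cf1652b2`) in the clusterscan.yaml hunks for 105.2.0+up7.2.0 and 105.1.0+up7.1.1, and since these CRDs look generated from the cis-operator Go types, the change belongs in the upstream field annotations rather than in hand-edits to the three copies.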
@@ -0,0 +1,55 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + singular: clusterscanbenchmark + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanprofile.yaml new file mode 100644 index 0000000000..b63d842fae --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanprofile.yaml 
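Review bot: `spec.customBenchmarkConfigMapName` and `spec.customBenchmarkConfigMapNamespace` are unconstrained nullable strings on a cluster-scoped resource, so the schema itself permits a ClusterScanBenchmark to point at a ConfigMap in any namespace; whether the operator restricts which namespaces it will read from is not visible in this chart, so the right to create ClusterScanBenchmark objects should be treated as cluster-admin level in RBAC and the restriction, if any, documented. A `description:` on the two fields stating the expected namespace would make that contract explicit in `kubectl explain`; the identical clusterscanbenchmark.yaml hunks for 105.2.0+up7.2.0 and 105.1.0+up7.1.1 carry the same gap.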
@@ -0,0 +1,37 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanprofiles.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanProfile + plural: clusterscanprofiles + singular: clusterscanprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + skipTests: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanreport.yaml new file mode 100644 index 0000000000..544d825f4b --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.3.0+up7.3.0/templates/clusterscanreport.yaml @@ -0,0 +1,40 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanreports.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanReport + plural: clusterscanreports + singular: clusterscanreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + reportJSON: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/index.yaml b/index.yaml index 38bbb691c1..2dbdca2c67 100755 --- a/index.yaml +++ b/index.yaml 
@@ -13153,6 +13153,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.0.tgz version: 2.0.0 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2025-03-02T13:08:22.547025859-03:00" + description: Installs the CRDs for rancher-cis-benchmark. + digest: 2a5109708deff83445af7715278f39562deea5508d95b09c8337540da7a42bf6 + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.3.0+up7.3.0.tgz + version: 105.3.0+up7.3.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index a3ff854a8d..828d9c1b36 100644 --- a/release.yaml +++ b/release.yaml @@ -3,3 +3,5 @@ rancher-cis-benchmark: - 105.2.0+up7.2.0 - 105.1.0+up7.1.1 - 105.0.1+up7.0.1 +rancher-cis-benchmark-crd: + - 105.3.0+up7.3.0 From 2391356a97ffd937e592f74f50180cd3c1acff22 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:32 -0300 Subject: [PATCH 7/9] fp: rancher-cis-benchmark-crd-105.2.0+up7.2.0 --- ...cher-cis-benchmark-crd-105.2.0+up7.2.0.tgz | Bin 0 -> 1482 bytes .../105.2.0+up7.2.0/Chart.yaml | 10 ++ .../105.2.0+up7.2.0/README.md | 2 + .../templates/clusterscan.yaml | 149 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 55 +++++++ .../templates/clusterscanprofile.yaml | 37 +++++ .../templates/clusterscanreport.yaml | 40 +++++ index.yaml | 14 ++ release.yaml | 1 + 9 files changed, 308 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.2.0+up7.2.0.tgz create mode 100644 charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/README.md create mode 100644 charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanreport.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.2.0+up7.2.0.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.2.0+up7.2.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..4795f8a8d33949e902d4ba464885dd4bd021ae67 GIT binary patch literal 1482 zcmV;*1vUB~iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(liD^AzGr@gCVlMS*uZfe-Yz8Vq-`!Y+%FyLcoyVY_yHtg*$8%7|TR+u;5Mw%hdH#h(=TmZbCLh`;#%GlQbP~s) z7M>9Xq7v?7VWbw61g%R*_v?XLKu^HROZs&^Pzy*uGg$(9SP#?!`Uey*0sXxms0GA@ zxy^Ka8kKM7oiJp}br5#Wl}8q%HV~K3_)oWU53oe)X*$O+i7>Pb8w>u#W*$|7Kjhvf-IBh9Ag;ebA?2Hd;k7Z|DiNYh*Wk5H*A@&nJx2sZSHwlpi&BLx(VS) z6xmBYBDSj7a&MhR5qj$i)rPNLxV7T-cKP?h?>Pf&3Jr3rPGga9Mv|$@+X|}-nhQSp_rLF?k@lTh z&HmrIRa&DFxTpW$_k&=g|JU#J`fdO35_azX--<8|HUi%)F;lmrBe)Kl>5Hp1I4yuQ z*dvrky*$dj5-%)VDQc-TxZyjX=MyvjM>0jl(V)(6Sqb?=^@Ky<;maQQ>InzH)08}` z8<%xtK7ib6ogOgp#Bk{=sDon`XMZDYvkiJR`hdOTN?a;V_KL8W{e9*3^H6Qq=w`aG(C) z1j9}J9|pr#|1V+Z*8hw!4a)x{1*}s4JY2Q-tL5PhYyX+P^k}z~i@)i}81nnW$Gacl zA+B2gC+}|Get74_;mI1a@B8myu=)M>^`IBD`hN-gX~)OTw`7v}2%Up6#LU4Ew)Hu6 kqA?`XMb#(OU;7MOYpu1`T65X|0RRC1|Al)Owg5H&08LrnjQ{`u literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/Chart.yaml b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/Chart.yaml new file mode 100644 index 0000000000..057466fd68 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 105.2.0+up7.2.0 diff --git a/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/README.md b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/README.md new file mode 100644 index 0000000000..f6d9ef621f --- /dev/null 
+++ b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscan.yaml
new file mode 100644
index 0000000000..73cf1652b2
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscan.yaml
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + singular: clusterscan + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + properties: + error: + type: boolean + 
message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanbenchmark.yaml new file mode 100644 index 0000000000..261a84efd4 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanbenchmark.yaml 
@@ -0,0 +1,55 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + singular: clusterscanbenchmark + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanprofile.yaml new file mode 100644 index 0000000000..b63d842fae --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanprofile.yaml 
@@ -0,0 +1,37 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanprofiles.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanProfile + plural: clusterscanprofiles + singular: clusterscanprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + skipTests: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanreport.yaml new file mode 100644 index 0000000000..544d825f4b --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.2.0+up7.2.0/templates/clusterscanreport.yaml @@ -0,0 +1,40 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanreports.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanReport + plural: clusterscanreports + singular: clusterscanreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + reportJSON: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/index.yaml b/index.yaml index 2dbdca2c67..0f8457ddda 100755 --- a/index.yaml +++ b/index.yaml 
@@ -13167,6 +13167,20 @@ entries: urls: - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.3.0+up7.3.0.tgz version: 105.3.0+up7.3.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2025-03-02T13:08:29.435405646-03:00" + description: Installs the CRDs for rancher-cis-benchmark. + digest: 5650ec8c7e9a78acba240e18de8cd5e994cf67aaa9c4f7eac7e0b54ef220838b + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.2.0+up7.2.0.tgz + version: 105.2.0+up7.2.0 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 828d9c1b36..6f9a432364 100644 --- a/release.yaml +++ b/release.yaml @@ -5,3 +5,4 @@ rancher-cis-benchmark: - 105.0.1+up7.0.1 rancher-cis-benchmark-crd: - 105.3.0+up7.3.0 + - 105.2.0+up7.2.0 From 58fa73fd45a3ef28c3c2fc64e7d69ca60d3a6be1 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:39 -0300 Subject: [PATCH 8/9] fp: rancher-cis-benchmark-crd-105.1.0+up7.1.1 --- ...cher-cis-benchmark-crd-105.1.0+up7.1.1.tgz | Bin 0 -> 1483 bytes .../105.1.0+up7.1.1/Chart.yaml | 10 ++ .../105.1.0+up7.1.1/README.md | 2 + .../templates/clusterscan.yaml | 149 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 55 +++++++ .../templates/clusterscanprofile.yaml | 37 +++++ .../templates/clusterscanreport.yaml | 40 +++++ index.yaml | 14 ++ release.yaml | 1 + 9 files changed, 308 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.1.0+up7.1.1.tgz create mode 100644 charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/README.md create mode 100644 charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanreport.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.1.0+up7.1.1.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.1.0+up7.1.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..31bd5e96701d5a5c10bc4d89ea5f7965b80fb845 GIT binary patch literal 1483 zcmV;+1vL5}iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(liD^AzGr@gCVlMS*l-6O-Yz8Vq-`!Y+%FyLcoyVY_yHtg*$8%7|TR+Mv=D_)&VWJO2Z}cik`Ne=q0{dTst+!it##lHnJF-2T(v^Do+_;7ibXW;`5` zaiWcgC#XfDD89uf##x#HF&YTLfYpyIe+q=r9%Xu+(H$+3+KDqI5}67?!I>SO3K1cB z)C}r@0#8R}lqiVGAyS8Ce3nF@O0EtenhKk;IZlU=JYmx)T>@d4o&`krigAN#ETSal z`5L<9vljdw%zQ*VZNMbji$I%6!tILgm3U$i-a(A%^yT>%7M)MY-I;u7qZpr62GB_y zgIah-7>G)^kA;z1P!hB*A>FSBY5_d~D=+ES^*}8k{mf(u=wUrj3+NwEyae?3dY~2% z7v?t8^=VYTop-{JE!RQVIaeN8jM_k4KI1>#&ON{qsi)~2!z9AcGHfjP6PtNd3I33e zm&v&8*b0%&dGzGk+}@3pz-Wr0d5wCN^< zCsAZC`H0x6V#~dC8b#=>D^wf4dg0cJ*W2aa3%}>LjdehM0avYAOiibZROT zS}9@N!5rjCygk|_1)VJp7gTd?$CA5Z(V5~LntFHm#n{xib+GFAtb15;jq#bKThm!h z1Id}S=Xqj*}aI?|@r|grx zr@!MKyPq4Hl*i3#vq@|*)u>)D{0%v(wDYlzzN-|;tL%npYB$#7%A!)We;kC}?2oL; zo|)t39CBp(OnBU(_Ce{GBP%KGbZiY~v?<(OZG^J=P#8(3DsL;SE@&?JsD!vM&O?Qf8P&+js9Q1*Z150-zDta{l67q8f*l{{=UL>y7%aH@pej`tK5U?)on$OoP>5@r|mZ_FD$5uKeT* zpy9f2l|Qcf>5bd@jnovIOK{U7xDt^Qxa&aM9$VH%YGNeWn{{&~1+@mI^k8`l0aed*C|DHng!kul`=hmUtZ z!b4oO{!iZBzWwmdi^G#OX5aVU!S&|%-#6F2L973lu%C8(?0icmnUBypC_~H~3}IWJ lQzsfjGF?=CQvJ2hu(j4&Yppex{T~1T|NpmKI2iyo001YZ>v;eG literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/Chart.yaml b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/Chart.yaml new file mode 100644 index 0000000000..6a7e67e3ea --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/Chart.yaml 
@@ -0,0 +1,10 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-cis-benchmark.
+name: rancher-cis-benchmark-crd
+type: application
+version: 105.1.0+up7.1.1
diff --git a/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/README.md b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/README.md
new file mode 100644
index 0000000000..f6d9ef621f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscan.yaml
new file mode 100644
index 0000000000..73cf1652b2
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscan.yaml
@@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + singular: clusterscan + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + properties: + error: + type: boolean + 
message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanbenchmark.yaml new file mode 100644 index 0000000000..261a84efd4 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanbenchmark.yaml 
@@ -0,0 +1,55 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + singular: clusterscanbenchmark + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanprofile.yaml new file mode 100644 index 0000000000..b63d842fae --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanprofile.yaml 
@@ -0,0 +1,37 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanprofiles.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanProfile
+ plural: clusterscanprofiles
+ singular: clusterscanprofile
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ skipTests:
+ items:
+ nullable: true
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanreport.yaml
new file mode 100644
index 0000000000..544d825f4b
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.1.0+up7.1.1/templates/clusterscanreport.yaml
@@ -0,0 +1,40 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanreports.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanReport
+ plural: clusterscanreports
+ singular: clusterscanreport
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ reportJSON:
+ nullable: true
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/index.yaml b/index.yaml
index 0f8457ddda..d2b5525731 100755
--- a/index.yaml
+++ b/index.yaml
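Review bot: `skipTests` is declared `nullable: true` on the array and again on each item, so `skipTests: [null]` passes admission; if the controller compares the entries to test identifiers as plain strings, a null element has to be handled there instead of being rejected by the API server. Dropping `nullable: true` from `items` (keeping it on the array) or adding `minLength: 1` to the item schema would move that check to admission, though as a forward-port of a released version this copy should stay as is and the change go into the next CRD release. The 105.0.1+up7.0.1 copy of this file later in the series shares blob id b63d842fae and therefore the same schema.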
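Review bot: `lastRunTimestamp` in the clusterscanreport schema is validated only as `type: string`, so any text is accepted; structural CRD schemas validate `format: date-time`, and `lastRunTimestamp: {format: date-time, nullable: true, type: string}` would have the API server reject malformed values instead of leaving that to consumers. `reportJSON` likewise carries a whole report as one unbounded string inside the object, so the practical bound is the API server's object size limit rather than anything declared here — a short comment in the template saying so would tell the next reader where the limit comes from. Both are observations on the released schema this commit reproduces, not changes to make in the forward-port itself.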
@@ -13181,6 +13181,20 @@ entries: urls: - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.2.0+up7.2.0.tgz version: 105.2.0+up7.2.0 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2025-03-02T13:08:36.26464175-03:00" + description: Installs the CRDs for rancher-cis-benchmark. + digest: f6efdb6242fe5327ed152037ac04ce2654606df83e8479e3d0db36776835fad8 + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.1.0+up7.1.1.tgz + version: 105.1.0+up7.1.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 6f9a432364..86d07f6e78 100644 --- a/release.yaml +++ b/release.yaml @@ -6,3 +6,4 @@ rancher-cis-benchmark: rancher-cis-benchmark-crd: - 105.3.0+up7.3.0 - 105.2.0+up7.2.0 + - 105.1.0+up7.1.1 From a7ed8a7ed7b45144badf4ad4ac1afb24dbdbd202 Mon Sep 17 00:00:00 2001 
From: nicholasSUSE Date: Sun, 2 Mar 2025 13:08:46 -0300 Subject: [PATCH 9/9] fp: rancher-cis-benchmark-crd-105.0.1+up7.0.1 --- ...cher-cis-benchmark-crd-105.0.1+up7.0.1.tgz | Bin 0 -> 1482 bytes .../105.0.1+up7.0.1/Chart.yaml | 10 ++ .../105.0.1+up7.0.1/README.md | 2 + .../templates/clusterscan.yaml | 149 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 55 +++++++ .../templates/clusterscanprofile.yaml | 37 +++++ .../templates/clusterscanreport.yaml | 40 +++++ index.yaml | 14 ++ release.yaml | 1 + 9 files changed, 308 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.0.1+up7.0.1.tgz create mode 100644 charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/README.md create mode 100644 charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanreport.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.0.1+up7.0.1.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.0.1+up7.0.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..247eff66ba1c03df0630dffdc81a955f7bc1f91a GIT binary patch literal 1482 zcmV;*1vUB~iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(liD^AzGr@gCVlMS*uZfe-Yz8Vq-`!Y+%FyLcoyVY_yHtg*$8%7|TREE+u;5Mw%hdH#h(=TmZbCLh`;#%GlQbP~s) z7M>9Xq7v?7VWbw61g%R*_v?XLKu^HROZs&^Pzy*uGg$(9SP#?!`Uey*0sXxms0GA@ zxy^Ka8kKM7oiJp}br5#Wl}8q%HV~K3_)oWU53oe)X*$O+i7>Pb8w>u#W*$|7Kjhvf-IBh9Ag;ebA?2Hd;k7Z|DiNYh*Wk5H*A@&nJx2sZSHwlpi&BLx(VS) z6xmBYBDSj7a&MhR5qj$i)rPNLxV7T-cKP?h?>Pf&3Jr3rPGga9Mv|$@+X|}-nhQSp_rLF?k@lTh z&HmrIRa&DFxTpW$_k&=g|JU#J`fdO35_azX--<8|HUi%)F;lmrBe)Kl>5Hp1I4yuQ z*dvrky*$dj5-%)VDQc-TxZyjX=MyvjM>0jl(V)(6Sqb?=^@Ky<;maQQ>InzH)08}` z8<%xtK7ib6ogOgp#Bk{=sDon`XMZDYvkiJR`hdOTN?a;V_KL8W{e9*3^H6Qq=w`aG(C) z1j9}J9|pr#|1V+Z*8hw!4a)x{1*}s4JY2Q-tL5PhYyX+P^k}z~i@)i}81nnW$Gacl zA+B2gC+}|Get74_;mI1a@B8myu=)M>^`IBD`hN-gX~)OTw`7v}2%Up6#LU4Ew)Hu6 kqA?`XMb#(OU;7MOYpu1`T65X|0RRC1|F}P;N&q$h0KOXE@&Et; literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/Chart.yaml b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/Chart.yaml new file mode 100644 index 0000000000..bbbd95360b --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 105.0.1+up7.0.1 diff --git a/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/README.md b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/README.md new file mode 100644 index 0000000000..f6d9ef621f --- /dev/null 
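Review bot: Chart.yaml carries no `kubeVersion` constraint although every template in this chart is an `apiextensions.k8s.io/v1` CustomResourceDefinition, which exists only on Kubernetes 1.16 and later; Helm will therefore begin the install on an older cluster and fail at apply time instead of up front. Adding `kubeVersion: '>= 1.16.0-0'` (or the catalog's `catalog.cattle.io/kube-version` annotation, if the sibling charts use that instead) would make the requirement explicit. As this is a forward-port meant to reproduce the released 105.0.1+up7.0.1 chart, I would keep this copy as is and add the constraint in the next release.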
+++ b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscan.yaml
new file mode 100644
index 0000000000..73cf1652b2
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscan.yaml
@@ -0,0 +1,149 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscans.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScan
+ plural: clusterscans
+ singular: clusterscan
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .status.lastRunScanProfileName
+ name: ClusterScanProfile
+ type: string
+ - jsonPath: .status.summary.total
+ name: Total
+ type: string
+ - jsonPath: .status.summary.pass
+ name: Pass
+ type: string
+ - jsonPath: .status.summary.fail
+ name: Fail
+ type: string
+ - jsonPath: .status.summary.skip
+ name: Skip
+ type: string
+ - jsonPath: .status.summary.warn
+ name: Warn
+ type: string
+ - jsonPath: .status.summary.notApplicable
+ name: Not Applicable
+ type: string
+ - jsonPath: .status.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.scheduledScanConfig.cronSchedule
+ name: CronSchedule
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ scanProfileName:
+ nullable: true
+ type: string
+ scheduledScanConfig:
+ nullable: true
+ properties:
+ cronSchedule:
+ nullable: true
+ type: string
+ retentionCount:
+ type: integer
+ scanAlertRule:
+ nullable: true
+ properties:
+ alertOnComplete:
+ type: boolean
+ alertOnFailure:
+ type: boolean
+ type: object
+ type: object
+ scoreWarning:
+ enum:
+ - pass
+ - fail
+ nullable: true
+ type: string
+ type: object
+ status:
+ properties:
+ NextScanAt:
+ nullable: true
+ type: string
+ ScanAlertingRuleName:
+ nullable: true
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ nullable: true
+ type: string
+ lastUpdateTime:
+ nullable: true
+ type: string
+ message:
+ nullable: true
+ type: string
+ reason:
+ nullable: true
+ type: string
+ status:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ type: object
+ nullable: true
+ type: array
+ display:
+ nullable: true
+ properties:
+ error:
+ type: boolean
+
message:
+ nullable: true
+ type: string
+ state:
+ nullable: true
+ type: string
+ transitioning:
+ type: boolean
+ type: object
+ lastRunScanProfileName:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ observedGeneration:
+ type: integer
+ summary:
+ nullable: true
+ properties:
+ fail:
+ type: integer
+ notApplicable:
+ type: integer
+ pass:
+ type: integer
+ skip:
+ type: integer
+ total:
+ type: integer
+ warn:
+ type: integer
+ type: object
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanbenchmark.yaml
new file mode 100644
index 0000000000..261a84efd4
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanbenchmark.yaml
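Review bot: `retentionCount` under `scheduledScanConfig` is a bare `type: integer` with no `minimum`, and `cronSchedule` is a free-form nullable string, so zero, negative and non-cron values all pass admission and must be caught by the controller; the file already uses `enum` for `scoreWarning`, so `retentionCount:` / `minimum: 0` / `type: integer` would be in keeping with the existing style. On the status side `NextScanAt` and `ScanAlertingRuleName` are capitalized while every other key is camelCase, which looks like a Go field name that escaped without a json tag; it cannot be renamed without breaking stored objects, so a template comment noting that the casing is intentional would save the next reader a question. As a forward-port of a released version this copy should stay byte-identical, and the same schema is in the 105.1.0+up7.1.1 copy of this file earlier in the series, whose hunk begins before this view.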
@@ -0,0 +1,55 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanbenchmarks.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanBenchmark
+ plural: clusterscanbenchmarks
+ singular: clusterscanbenchmark
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.clusterProvider
+ name: ClusterProvider
+ type: string
+ - jsonPath: .spec.minKubernetesVersion
+ name: MinKubernetesVersion
+ type: string
+ - jsonPath: .spec.maxKubernetesVersion
+ name: MaxKubernetesVersion
+ type: string
+ - jsonPath: .spec.customBenchmarkConfigMapName
+ name: customBenchmarkConfigMapName
+ type: string
+ - jsonPath: .spec.customBenchmarkConfigMapNamespace
+ name: customBenchmarkConfigMapNamespace
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ clusterProvider:
+ nullable: true
+ type: string
+ customBenchmarkConfigMapName:
+ nullable: true
+ type: string
+ customBenchmarkConfigMapNamespace:
+ nullable: true
+ type: string
+ maxKubernetesVersion:
+ nullable: true
+ type: string
+ minKubernetesVersion:
+ nullable: true
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanprofile.yaml
new file mode 100644
index 0000000000..b63d842fae
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanprofile.yaml
@@ -0,0 +1,37 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanprofiles.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanProfile
+ plural: clusterscanprofiles
+ singular: clusterscanprofile
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ skipTests:
+ items:
+ nullable: true
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanreport.yaml
new file mode 100644
index 0000000000..544d825f4b
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/105.0.1+up7.0.1/templates/clusterscanreport.yaml
@@ -0,0 +1,40 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanreports.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanReport
+ plural: clusterscanreports
+ singular: clusterscanreport
+ scope: Cluster
+ versions:
+ - additionalPrinterColumns:
+ - jsonPath: .spec.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
+ name: v1
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ reportJSON:
+ nullable: true
+ type: string
+ type: object
+ type: object
+ served: true
+ storage: true
+ subresources:
+ status: {}
diff --git a/index.yaml b/index.yaml
index d2b5525731..5763237505 100755
--- a/index.yaml
+++ b/index.yaml
@@ -13195,6 +13195,20 @@ entries: urls: - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.1.0+up7.1.1.tgz version: 105.1.0+up7.1.1 + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2025-03-02T13:08:43.042365184-03:00" + description: Installs the CRDs for rancher-cis-benchmark. + digest: 8e68bf5483baae513c358dfeb1fe28f2f636b3d4943171e35a0ae2939e8b8223 + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.0.1+up7.0.1.tgz + version: 105.0.1+up7.0.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" diff --git a/release.yaml b/release.yaml index 86d07f6e78..ffbc52f808 100644 --- a/release.yaml +++ b/release.yaml @@ -7,3 +7,4 @@ rancher-cis-benchmark-crd: - 105.3.0+up7.3.0 - 105.2.0+up7.2.0 - 105.1.0+up7.1.1 + - 105.0.1+up7.0.1