From 2b6e0b09ce8eda64fab2281465fbf868651b4457 Mon Sep 17 00:00:00 2001 
From: mitulshah-suse Date: Fri, 16 Sep 2022 09:56:56 +0530 Subject: [PATCH] make charts --- .../rancher-cis-benchmark-crd-3.0.0-rc1.tgz | Bin 0 -> 1467 bytes .../rancher-cis-benchmark-3.0.0-rc1.tgz | Bin 0 -> 6082 bytes .../3.0.0-rc1/Chart.yaml | 10 ++ .../3.0.0-rc1/README.md | 2 + .../3.0.0-rc1/templates/clusterscan.yaml | 148 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 54 +++++++ .../templates/clusterscanprofile.yaml | 36 +++++ .../templates/clusterscanreport.yaml | 39 +++++ .../3.0.0-rc1/Chart.yaml | 22 +++ .../rancher-cis-benchmark/3.0.0-rc1/README.md | 9 ++ .../3.0.0-rc1/app-readme.md | 15 ++ .../3.0.0-rc1/templates/_helpers.tpl | 27 ++++ .../3.0.0-rc1/templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.20.yaml | 9 ++ .../templates/benchmark-cis-1.23.yaml | 8 + .../templates/benchmark-cis-1.5.yaml | 9 ++ .../templates/benchmark-cis-1.6.yaml | 9 ++ .../templates/benchmark-eks-1.0.1.yaml | 8 + .../templates/benchmark-gke-1.0.yaml | 8 + .../benchmark-k3s-cis-1.20-hardened.yaml | 9 ++ .../benchmark-k3s-cis-1.20-permissive.yaml | 9 ++ .../benchmark-k3s-cis-1.23-hardened.yaml | 8 + .../benchmark-k3s-cis-1.23-permissive.yaml | 8 + .../benchmark-k3s-cis-1.6-hardened.yaml | 9 ++ .../benchmark-k3s-cis-1.6-permissive.yaml | 9 ++ .../benchmark-rke-cis-1.20-hardened.yaml | 9 ++ .../benchmark-rke-cis-1.20-permissive.yaml | 9 ++ .../benchmark-rke-cis-1.23-hardened.yaml | 8 + .../benchmark-rke-cis-1.23-permissive.yaml | 8 + .../benchmark-rke-cis-1.5-hardened.yaml | 9 ++ .../benchmark-rke-cis-1.5-permissive.yaml | 9 ++ .../benchmark-rke-cis-1.6-hardened.yaml | 9 ++ .../benchmark-rke-cis-1.6-permissive.yaml | 9 ++ .../benchmark-rke2-cis-1.20-hardened.yaml | 9 ++ .../benchmark-rke2-cis-1.20-permissive.yaml | 9 ++ .../benchmark-rke2-cis-1.23-hardened.yaml | 8 + .../benchmark-rke2-cis-1.23-permissive.yaml | 8 + .../benchmark-rke2-cis-1.5-hardened.yaml | 9 ++ .../benchmark-rke2-cis-1.5-permissive.yaml | 9 ++ 
.../benchmark-rke2-cis-1.6-hardened.yaml | 9 ++ .../benchmark-rke2-cis-1.6-permissive.yaml | 9 ++ .../3.0.0-rc1/templates/cis-roles.yaml | 49 ++++++ .../3.0.0-rc1/templates/configmap.yaml | 18 +++ .../3.0.0-rc1/templates/deployment.yaml | 55 +++++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 ++++ .../3.0.0-rc1/templates/rbac.yaml | 43 +++++ .../templates/scanprofile-cis-1.20.yaml | 9 ++ .../templates/scanprofile-cis-1.23.yaml | 9 ++ .../templates/scanprofile-cis-1.6.yaml | 9 ++ .../scanprofile-k3s-cis-1.20-hardened.yml | 9 ++ .../scanprofile-k3s-cis-1.20-permissive.yml | 9 ++ .../scanprofile-k3s-cis-1.23-hardened.yml | 9 ++ .../scanprofile-k3s-cis-1.23-permissive.yml | 9 ++ .../scanprofile-k3s-cis-1.6-hardened.yml | 9 ++ .../scanprofile-k3s-cis-1.6-permissive.yml | 9 ++ .../scanprofile-rke-1.20-hardened.yaml | 9 ++ .../scanprofile-rke-1.20-permissive.yaml | 9 ++ .../scanprofile-rke-1.23-hardened.yaml | 9 ++ .../scanprofile-rke-1.23-permissive.yaml | 9 ++ .../scanprofile-rke-1.6-hardened.yaml | 9 ++ .../scanprofile-rke-1.6-permissive.yaml | 9 ++ .../scanprofile-rke2-cis-1.20-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.20-permissive.yml | 9 ++ .../scanprofile-rke2-cis-1.23-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.23-permissive.yml | 9 ++ .../scanprofile-rke2-cis-1.6-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.6-permissive.yml | 9 ++ .../3.0.0-rc1/templates/scanprofileaks.yml | 9 ++ .../3.0.0-rc1/templates/scanprofileeks.yml | 9 ++ .../3.0.0-rc1/templates/scanprofilegke.yml | 9 ++ .../3.0.0-rc1/templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../3.0.0-rc1/values.yaml | 49 ++++++ index.yaml | 40 +++++ 76 files changed, 1172 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.0-rc1.tgz create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.0-rc1.tgz create mode 100644 
charts/rancher-cis-benchmark-crd/3.0.0-rc1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.0-rc1/README.md create mode 100644 charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanreport.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/README.md create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/app-readme.md create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.20.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.23.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.5.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-eks-1.0.1.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-gke-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml create mode 100644 
charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/cis-roles.yaml create mode 100644 
charts/rancher-cis-benchmark/3.0.0-rc1/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.20.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.23.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml create mode 100644 
charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.0-rc1/values.yaml 
diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.0-rc1.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.0-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..56c5ebca3773b20a894dff2701f4f3058d77caaa GIT binary patch literal 1467 zcmV;s1w{HEiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI@dbE7s8&a?jt&Gp$F_(#(5Th4dwT-(cKob>v<78_d^kQix6 z&(rDu-Vu-(Fc@QF=Q`(o@mLbyO7QKs(t-xbm#F((nEo6kUxuI``&|2Pr%TY}tRM_7 z4m8(w-OJG^`E^~l{OgVfqYG~|^xUhf@yH!rxZb6EHN0T%p^kU4*bwLo_h4V;#r;nV zq*MeXlr)nbV;l$qwQx8P1?UL%mZK)|Akd$%j4PGHmcsW@PS_jLF}|rBA|XT*0mlim zY*P_xAf@|eWeCH{OEd-u2K)BX7yp}F?Lj2Ipf*Cu348K-J{qn?M9Ke;(hvlJVYEax zoxL~gLFsBNr`P0&RuN7ZL{T7ka@TrK&whuF>$rW*z20j-(>7Kg|Ab)_0HJxygV+#i z!$Iz)2ixP{a|fPRjQ@c*9J}ZEKZWHZ2O@#r2&MgJoX4My4Z$a`_b8-4Vbj=<3TJ3k ztU12N2O&ig0U;9jKw$MFjh`H0jKhUlM|96b$nC&|R&kUFL9R2sJ`p0uGOsDr9S51T zMnSA0D7xq|X1KC}nT_r-mW5@4)z7B&_Ce&LIBy$^%R_J6x7P6W6StOs3RV4$@C_@lrjbxu&6=uM zQni;9!V20V5y`UIn|vLhrr9AA-F`2uf%WlOPE{BMNHw0;6P_y-Ajs`tR&ru}5LP-u z&A%e28Uj^z8m=^2ff2HTIVj_Bv$fB1>YH!QY3bVbC3nrFvmo9v^ltDQ+0eMIVAcLn zclXRSAs3czT}L%nGR@%?EEI%cB{`d@YnA(6gER@U)#y6D?GPu8A)WgBGxCA(_`X6k z#_ocS>O>Gr(Scna_;b) zXqj*{aC*^!O4(ht4|YM%42yC+9kG{r$?+`QKC+&B%A2lwj$ZyyJMQ##JbE$V=C6`YSZB$Hm7uOnvbe*27x7?po`AOd*cId2%@SWmUgkyL3hitA|=Km-?jkJ3W*pUCd@nBfW z|AVXH)j9v4!j7H)Gs1M3{qyh6Dsum`!|pTx_ayKyp?Uy3F`PLS82k)vo3#)tWkZxry^PPmUhLj2e3|Lnu{`%fR7&_CEm z)AzsLXi)n8cRU)L>whP)pSFDLdd+5OALC2V#Ape`#Kz~eu|c2BS9PD%zV-^wcDA#f V?QB){UjP6A|Nrbwpn3o_004JZ<_`b> literal 0 HcmV?d00001 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.0-rc1.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.0-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..9bce3cec098fc9796255411ecd285b28d1796246 GIT binary patch literal 6082 zcmXw-byO70*TClD$41Zn8@jvI=`@Xv3+f1;Hq-h&iN%|JrJKVDOck{;Z`&kA$ zMV}Y;GIlOcx_kRer|x`EVyP3feouV~;;b>b-LUTPN3VuyRs*FjEA+&6k}Y7#v2YzDke#Y!_xwO8?jgKTrU52=2JcV~Q#Z^@;ISQ$13RB%a`PeI@4HF*J%Sf?6e$OycFIhUEOpjQ#QL^ zx3yHeWE)+>`+2Oi4(c*aP-?|j^JbDQ1C2|;rZ!97tyC(}K|ua)^|cH{7KDrfomqx} z#D}bOjPr7lVz74d_)C=#A5Za+dwg5NOL)^hR4knVV_^Ca#5;I%kSR*7RwT6JnlZO9 zeV+YWW|Y|ZtGo>Qwe&Rk`t@ZT=1G@1@ptUHJ;-coR$W5IW~I`G-aGXzw1&1t?9r3n zU@9~&MxNK281W&GyG+Q#u-*knuF4Y*UX0V@Z=R5_yB#r09Vl|{y}5G~cfwSx$^G2L zp9Bsea~cDZbwE)D;bwOust+#t5GWw zy!Pq+9kuEh`O2zNbVyudoi0Vz&ZtBSW})j%4DGkp{;jF)G04x6W|Hws=QYcgke!Tx zO74R*S14G4=h+fo)Mr&tDN&;tV%Qcs`9iHN{tKm6{867WKmA9gH*QQG(FuRCdrNK{ zVsR-xZ=7%=1;=ETZco_9zSeomPvOkFbyE}nlg+m+Fg*ByWR%!N4|o*H%U;|dvbJMw zVyg6dihE$Kh;n^A`muW8y5vTIfRvhEW{WQV=i7J9-ZmR<)=Ehn$1(Tl0vJ!Oi2mp8 zBz8XL%zIw?elNvhH3nq=5Y2*Ud^RRUzhgJ-5P^AOt5g{G+4x!z#})$vYmPqMr7FII zB-T{-cp353^2k?{w{#xhxol{ARm^qu=!jw{+TVO0Sp31$>#Vs^Px<7ID3^)^lN=R- z5?dF&v}t4g`>0cMvjch}INRi>UF&l~+{x7X&OnARRhMPMlAl!0c(sArZUK861oTiW z&Gv4Tl3l6cs$R`+t_ll;B%O=>7M*s<$w8Zg{=I9-5;tAzcvd3(DO^=yLfYWXz}Q0C zHG3{};zaElWW)Q`m>bU41KGd+xWQ_cU2Dvs`pU>S7ejl93mXH5e^3?w$cu3!v0{bO z>5G?@VR3b(V_xn9ojfwq?xVRj1jAY-a;&8_Sx&1{MeeZ+c;mrhCau4_Wj#oX=7Bk23T?mH8{6}?`) zM1x}EP5T+5JkqU-5FfiYbTo?cKh6K^b>sPX#W_C^dbfS+rRNy zP**iqnUDet=jjuYcE2HWeK)7Tw)+U1y(r`}G#IwNkg9eW5GN^?*m3y&HIUgN*B~$U zw&Fx%y?Dwuyv$+A=QwLGIW8|6xht2w#UUKbTVhbdn`Ezz@po}ueKiThMo#$M6o5Cq zj2z+#6>0~0b7~n_ITDZp3fIA~YNaJr`r|w@2~;g(YnHI=XI2lVaHXLNR}z*%E|ju4 z0lpu1?O+*3TET5&${}%#A|GpWj3{jbaKZ_I1@-`8{WBmkwHJK-K{|XhM#|yn+(C|9 z1O!T==IM-9>M=rm0m#1tAKT|howk%OKHs3Chd^tRgxGuvuouwpz+?EIFH{44kRV+J zG^kQ`cB3F2R{+=d=f^pF$>jB%={!5I65e)Yo`kBrZi 
zqrjzsWowW!(G(%RgWWg=xBEAME3NDfpgq972(CAX0Bt8LKubj#;OPI(gDu)NBvHxTlfCZ@+F0NhVKkFX7=o?mgm1-ictTFyb3D{{TnW80AoD4)R zQ=XpFmk{3uUFRUF>)3t3b^9d=;YQQawvNFgy$kpO9s>@@Ihy(cK<^nSgBHW=NaKfe z%=#uOBn%pmXA;Pp2X9`HaP&3D62d<`wLdJI4FKs#WP=Z`i{IR>muAY7mVO(Cs#d>f z<&kuQVGT!{*t%|O;qY)Uy@6UNF+B2E&E0TF;2IuXx%yo62nBs~RJv8vlElQ0sMnH8 zw(-Rs(6UAlWE{2fa?Fk|Sp~4OF7-}25H5?8JuidsS89bXKqChI55*4NvCm+%FWnQc z3dC_|e92+okzqhD5o@_KWFEzoWLAk~UB8?DC2f6e_)E?PH#9J1!$Z&gnC{>m;t}Gv z1gP*%*YHM7fNxhv9Dx5c55P`tPVNKEq*ce^?l0Q4c~hJIbc~aoV$sw~7fXh161Mf0 zR6{mxGL8*8Ce?+*MGbY%T1&e?su?Tj{PrZ@;CKo?P@dILdoQSTX(xExNjiG;jA!c$ z?p-AJk5*#D(5^E2)w50EWJ{Loj0rv-XJ0nHU9%~B=TL7;_@fkdA}n>~r+rsLNORrs z+-R1qSIdXFjv^^J>WS@PILz(@*C{z$LMLrJ4MD9UtN!@k2RY0HO21~(_~8UFBNA{9 z*Rh>1SFSMT*D4qiXlQLiZ_m59^vM_UV_5HgOcaE!u5}9k{jVYKi$~>o6!bBaO|fq1 zIV~4IGY4am{jga2RLHJB*Cz>g}AUiUL9dS0du5 zMd@dDg8fRQ%%JxxQ~r3$1UxZ)UT(x>6zYdhs=Mdg6Cuqb-g|~YUvy2_U~i%JPP^JG zY-VfkXe`nU8*n&G=#A}>$4FROQV8N{BTerbMjaAM5YZNb#ZR8+*i}(8|Li6-^kCWT zS3=b1KjTs_C2D<>5tqdr#(MkE!YSri+WEWm7}Y z@%-`ufq8uMl@Q`OUPKR`66m?Vkm{0o#uFWt>YG?Ed#}=ee|e|D)D#Ejzi>H&cC~Hu z(_1J(j6tww&gV#Wo{{OT-+p4IkLftZ^@b(vrcbkyJylK;->7x8OqubJX4(2L8pnX6 z+2DCZvPP12PwV&17SY{gvDN)?Mcb*)Od|t)tKl+Ta^k>w(byo*Jx`I*#rn>&_JD%I zRl&8J_isqt2x`pAi)X>M)m*csD0#-5c@k#Ow>Z1&vd@S_oD4Ra`)3>Iio^mglEU^nNeHMcGVDbj>7(x0YLx7Bve^gJwEP!*+R{$yV zJ9|K9BD3;OpZZ4Tk%99ZJpHm{pgKT)ut~4iyK?Axa_7*d+n(A^TG@GH_8`6%+59wO zO>n12A)&50MgrbYj?hAFM(WGSxr5TwG*#3Q9Y-DN?yWAojFqY@jwXZcq2M*p1R z4XYCq=)bc!hzMiQtyAlql8g05RXuQZPWY=DC~41=@i`$*O-DR6fez;wS?3k*RR1u} z)@-u;roDFKbc17PHsb;F3ruVKLgE4C0>NdZjPJF`^g=A%Agv!xm$j>m?~Z>Jw!P<9 z(W8?ghJ661j0z{uGx5yY7l7skpDxNMZ`fslfCn5@@jjyV_E~+_gepUSqGt)6?XX8!cls|JI9=G5bZI!5)X zmfXt_d_6Qit}uF8+i4|az8dms(hu3*@sQj>-V-c9ZSf>DxLd5YV%SbO}T}Jy0FvMfHL8b+B&!n~dw7 zJtE_N_Qk2Fce}=la`JAtaJkFBMXTS`N5$ursfQDsz0$n<0!$Xnc@oVdEv3b`kOQ=U zctGrrKcyh%_e-E<2e7%_0$N(kXL^pYWb(?4qg5v|es+%pm%Rs)?SRPKCCZ9i#xepz zT*D!G)*Hbe!c&TT=))ak0rEqZus>6y#Y_F)@?|cf8g`Tw90ZJPVmHvhHz>%33^etX zf&7fO;{%#S!@zY;N~1wC2&*T6mj9*sQ!I%(Kw1&NT=6eZPr#~xPZvh|K<8IL;{=#B 
zWGRUWQsB&QFujTW-~Xx4473s*C|YAD@UYWF+e(64fd*w9lI!s)agFo>ElD8YL}u=k zBEfuoNpr4e{(!7q%YKQ|N`dy{B9h`S{v4)_Z7>wsAOEO3Q3q@cqCqDQcw$HSGG0Y; zr9CB{!=C%`&mm6aL^V1J+~?@2G10Xj=}4>d8{GC>$9Mv*(=49(6}$uSxtEE!V(8Zc zK+oL|1elSEQDAZx8Md2k4xDJu{RRd$i~sCTu`2N^g04KzJKb0CWBYDn`4kGz<$ zh{Sd?K?+GYbAXRuCt~Age~=`OOaj#3E~_klJa2x=GENlC2#w_^}RzJ|ui z^6;C|ES1p`kdlBHRRGxk7yt&ikW{&~o=-N?a+LtS8mOFZrjG#dcFLr2FwLp#T1^mr zRbcv+;?R$LNh`aJ-G)J8^s2H0-~^51a45n8&+s zlV)G;@8Hig)#eFDUJMz7123Wf7O35Me~ge(9&Ap(M~O4&2KPjoU*^Ywwya|?lk0># z)$sL(gELNP^;zaxWX_&>kXlC#MKO?O`PC%R|e=-7COh+ zJeRj}if%nqjlzWz3fp_gzRsTm--(Waanm#$ zw%G$l(H;`r1%1S)cx=<|U{?a*{LWUJ;1BuN;L2DIhrPEc8&mG>LldE0U4m*1{Lg+R z?JxEE1wdJw?&?=lt8~3>xy}RNR%l;V;^K*eC6P#Jo{sXuCwpGJIi9=8CCPoB zn9&oYSquNG^F?OY;#3Dt?EBJk71UXEI*RTZ32vRG)iqcZxy8CQvtn^$I-KUT2Ie6P zHVxKoHekJzynm(ZI^7I(a2)C%)y?;}Me{LJH;+{3?sGbHp|~+m&Nues-+NEUd|n>> zA(&P4p81HI`}g2?&(?rxZmQ^X`H#*A2vGJm=u3&HuzOy>j+6ROH=(pm^-TL~7QER7 zDF#|wb@snCqvt;9EBm7}=A||YM)XYTc|mi*gn2FcuSw!QKuL?QIJm=prtuk5lqz`0 zSW~jHo6Qd;x96;o&kIgI+kYe!$BAhx6}0e=sJ!qc?hKdLLaWa2y!L*nF8ObU-`yL| zba#dieY#ispz0&n%x_kBlvwHc?Bz}r)EGT&d-1}G!i8@l!`cIc#?Be3%%R5@bDCU^ zK5P~hDugYe{XDOm;4HYBh+cP-2X1qjx0)~;&+!q>;FedM$d*3O znljv-S4=yrVYuCX^2_{@q3jusk8JsH5%lup$mFvSRUyW(RF~bm@?rDZzygz2K2#l9 z$t(SR$))1Z$djX~IA1<6!zgL~JxBD5r^C>wa3N?2r9>bzI;E_JF`AFbNYr-7ImZx- zFWnsZTAtnmi5Pm^*!Oo@+ne~XZfQDM@@z58L0U~nHcLlLTN65*7f&P7q`=s{ zt@55(32kN9rI=^L9&$WFcOn2LAk7`?(6K+{5C?D9vt@R7Cz?>I~g7hYt>{kuG zOSsQgWGEa7nb6ZCQuzL3K$tfN6<+3YKHFIrEQ)5Bca84_YUjU2L`1a1V!*l6c0C}^ LkK{mZQbGO?f{>&s literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/3.0.0-rc1/Chart.yaml b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/Chart.yaml new file mode 100644 index 000000000..d03f6d6dd --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/Chart.yaml 
@@ -0,0 +1,10 @@
+annotations:
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/hidden: "true"
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-cis-benchmark.
+name: rancher-cis-benchmark-crd
+type: application
+version: 3.0.0-rc1
diff --git a/charts/rancher-cis-benchmark-crd/3.0.0-rc1/README.md b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/README.md
new file mode 100644
index 000000000..f6d9ef621
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscan.yaml
new file mode 100644
index 000000000..3cbb0ffcd
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscan.yaml
@@ -0,0 +1,148 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscans.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScan
+ plural: clusterscans
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.lastRunScanProfileName
+ name: ClusterScanProfile
+ type: string
+ - jsonPath: .status.summary.total
+ name: Total
+ type: string
+ - jsonPath: .status.summary.pass
+ name: Pass
+ type: string
+ - jsonPath: .status.summary.fail
+ name: Fail
+ type: string
+ - jsonPath: .status.summary.skip
+ name: Skip
+ type: string
+ - jsonPath: .status.summary.warn
+ name: Warn
+ type: string
+ - jsonPath: .status.summary.notApplicable
+ name: Not Applicable
+ type: string
+ - jsonPath: .status.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.scheduledScanConfig.cronSchedule
+ name: CronSchedule
+ type: string
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ scanProfileName:
+ nullable: true
+ type: string
+ scheduledScanConfig:
+ nullable: true
+ properties:
+ cronSchedule:
+ nullable: true
+ type: string
+ retentionCount:
+ type: integer
+ scanAlertRule:
+ nullable: true
+ properties:
+ alertOnComplete:
+ type: boolean
+ alertOnFailure:
+ type: boolean
+ type: object
+ type: object
+ scoreWarning:
+ enum:
+ - pass
+ - fail
+ nullable: true
+ type: string
+ type: object
+ status:
+ properties:
+ NextScanAt:
+ nullable: true
+ type: string
+ ScanAlertingRuleName:
+ nullable: true
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ nullable: true
+ type: string
+ lastUpdateTime:
+ nullable: true
+ type: string
+ message:
+ nullable: true
+ type: string
+ reason:
+ nullable: true
+ type: string
+ status:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ type: object
+ nullable: true
+ type: array
+ display:
+ nullable: true
+
properties:
+ error:
+ type: boolean
+ message:
+ nullable: true
+ type: string
+ state:
+ nullable: true
+ type: string
+ transitioning:
+ type: boolean
+ type: object
+ lastRunScanProfileName:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ observedGeneration:
+ type: integer
+ summary:
+ nullable: true
+ properties:
+ fail:
+ type: integer
+ notApplicable:
+ type: integer
+ pass:
+ type: integer
+ skip:
+ type: integer
+ total:
+ type: integer
+ warn:
+ type: integer
+ type: object
+ type: object
+ type: object
diff --git a/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanbenchmark.yaml
new file mode 100644
index 000000000..fd291f8c3
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanbenchmark.yaml
@@ -0,0 +1,54 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanbenchmarks.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanBenchmark
+ plural: clusterscanbenchmarks
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .spec.clusterProvider
+ name: ClusterProvider
+ type: string
+ - jsonPath: .spec.minKubernetesVersion
+ name: MinKubernetesVersion
+ type: string
+ - jsonPath: .spec.maxKubernetesVersion
+ name: MaxKubernetesVersion
+ type: string
+ - jsonPath: .spec.customBenchmarkConfigMapName
+ name: customBenchmarkConfigMapName
+ type: string
+ - jsonPath: .spec.customBenchmarkConfigMapNamespace
+ name: customBenchmarkConfigMapNamespace
+ type: string
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ clusterProvider:
+ nullable: true
+ type: string
+ customBenchmarkConfigMapName:
+ nullable: true
+ type: string
+ customBenchmarkConfigMapNamespace:
+ nullable: true
+ type: string
+ maxKubernetesVersion:
+ nullable: true
+ type: string
+ minKubernetesVersion:
+ nullable: true
+ type: string
+ type: object
+ type: object
diff --git a/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanprofile.yaml
new file mode 100644
index 000000000..1e75501b7
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanprofile.yaml
@@ -0,0 +1,36 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanprofiles.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanProfile
+ plural: clusterscanprofiles
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ skipTests:
+ items:
+ nullable: true
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: object
+ additionalPrinterColumns:
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
diff --git a/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanreport.yaml
new file mode 100644
index 000000000..6e8c0b7de
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/3.0.0-rc1/templates/clusterscanreport.yaml
@@ -0,0 +1,39 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanreports.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanReport
+ plural: clusterscanreports
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .spec.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ reportJSON:
+ nullable: true
+ type: string
+ type: object
+ type: object
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/Chart.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/Chart.yaml
new file mode 100644
index 000000000..df864ac3f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/permits-os: linux,windows
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v2.1.0
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+ cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 3.0.0-rc1
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/README.md b/charts/rancher-cis-benchmark/3.0.0-rc1/README.md
new file mode 100644
index 000000000..50beab58b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/app-readme.md b/charts/rancher-cis-benchmark/3.0.0-rc1/app-readme.md
new file mode 100644
index 000000000..5e495d605
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/app-readme.md
@@ -0,0 +1,15 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+ - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/_helpers.tpl
new file mode 100644
index 000000000..b7bb00042
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+ {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/alertingrule.yaml
new file mode 100644
index 000000000..1787c88a0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: rancher-cis-pod-monitor
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ podMetricsEndpoints:
+ - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-aks-1.0.yaml
new file mode 100644
index 000000000..1ac866253
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-aks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: aks-1.0
+spec:
+ clusterProvider: aks
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.20.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.20.yaml
new file mode 100644
index 000000000..1203e5bcc
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.20.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.20
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.23.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.23.yaml
new file mode 100644
index 000000000..920b556ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.23.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.23
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.5.yaml
new file mode 100644
index 000000000..c9e6075fb
--- /dev/null
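Review bot: The guard `{{- if .Values.alerts.enabled -}}` in alertingrule.yaml expects `alerts` to be a map, but app-readme.md in this same commit tells users to set `alerts: true`; with a boolean there, the lookup of `.enabled` would presumably fail at render time, and deployment.yaml reads `.Values.alerts.metricsPort` the same way. The README instruction should read `alerts.enabled: true`. The PodMonitor is also rendered whenever alerts are on, even when the `monitoring.coreos.com/v1` API is not served by the cluster, so the guard could become `{{- if and .Values.alerts.enabled (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1") -}}`.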
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.5.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.5
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.15.0"
+ maxKubernetesVersion: "1.15.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.6.yaml
new file mode 100644
index 000000000..4f5d66e92
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-cis-1.6.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.6
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-eks-1.0.1.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-eks-1.0.1.yaml
new file mode 100644
index 000000000..d1ba9d295
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-eks-1.0.1.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: eks-1.0.1
+spec:
+ clusterProvider: eks
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-gke-1.0.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-gke-1.0.yaml
new file mode 100644
index 000000000..72122e8c5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-gke-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: gke-1.0
+spec:
+ clusterProvider: gke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml
new file mode 100644
index 000000000..147cac390
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.20-hardened
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml
new file mode 100644
index 000000000..d9584f722
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.20-permissive
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml
new file mode 100644
index 000000000..ee153603b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.23-hardened
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml
new file mode 100644
index 000000000..51f2186f3
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.23-permissive
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..5160cf795
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.6-hardened
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..10c075985
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.6-permissive
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml
new file mode 100644
index 000000000..4924679cb
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.20-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml
new file mode 100644
index 000000000..2db66d7c6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.20-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml
new file mode 100644
index 000000000..f6a99698e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.23-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml
new file mode 100644
index 000000000..a26bd63cf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.23-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml
new file mode 100644
index 000000000..b9154f1ad
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.5-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.15.0"
+ maxKubernetesVersion: "1.15.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml
new file mode 100644
index 000000000..9da65d55d
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.5-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.15.0"
+ maxKubernetesVersion: "1.15.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..77f8a31df
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.6-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..600b8df35
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.6-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml
new file mode 100644
index 000000000..b6cc88359
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.20-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml
new file mode 100644
index 000000000..fd898bfe8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.20-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.19.0"
+ maxKubernetesVersion: "1.21.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml
new file mode 100644
index 000000000..90e356d72
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.23-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml
new file mode 100644
index 000000000..deafdbda6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.23-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.22.0"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml
new file mode 100644
index 000000000..20091ec2b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.5-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.15.0"
+ maxKubernetesVersion: "1.15.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml
new file mode 100644
index 000000000..9a86906b0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.5-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.15.0"
+ maxKubernetesVersion: "1.15.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..ea2549ef3
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.6-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..0afdaaa19
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.6-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.16.0"
+ maxKubernetesVersion: "1.18.x"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/cis-roles.yaml
new file mode 100644
index 000000000..23c93dc65
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-admin
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-view
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/configmap.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/configmap.yaml
new file mode 100644
index 000000000..1a9cd1809
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/configmap.yaml
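Review bot: In cis-roles.yaml the last rule of `cis-admin` grants `'*'` on core `configmaps` with no `resourceNames`, so when this ClusterRole is bound cluster-wide its holder can create, change and delete every ConfigMap in every namespace, not only the chart's `default-clusterscanprofiles`; `cis-view` likewise allows reading all ConfigMaps. How these roles are bound is not visible in this commit, so the actual exposure depends on the binding. If only the chart's own ConfigMaps are needed, move the configmaps rule into a namespaced Role in `{{ template "cis.namespace" . }}`, or at least spell out the verbs, for example `verbs: ["get", "watch", "list", "create", "update", "patch", "delete"]`.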
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-clusterscanprofiles
+ namespace: {{ template "cis.namespace" . }}
+data:
+ # Default ClusterScanProfiles per cluster provider type
+ rke: |-
+ <1.21.0: rke-profile-permissive-1.20
+ >=1.21.0: rke-profile-permissive-1.23
+ rke2: |-
+ <1.21.0: rke2-cis-1.20-profile-permissive
+ >=1.21.0: rke2-cis-1.23-profile-permissive
+ eks: "eks-profile"
+ gke: "gke-profile"
+ aks: "aks-profile"
+ k3s: "k3s-cis-1.23-profile-permissive"
+ default: "cis-1.23-profile"
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/deployment.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/deployment.yaml
new file mode 100644
index 000000000..ab0bb3e24
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/deployment.yaml
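Review bot: The `rke` and `rke2` defaults in configmap.yaml switch to the 1.23 profiles at `>=1.21.0`, but the `rke-cis-1.23-*` and `rke2-cis-1.23-*` benchmarks added in this commit declare `minKubernetesVersion: "1.22.0"`, while the 1.20 benchmarks run up to `maxKubernetesVersion: "1.21.x"`. A 1.21.x cluster is therefore given a default profile whose benchmark excludes it; how the operator reacts is not visible here, but the scan is either refused or run against the wrong benchmark. Move the boundary to 1.22.0, `<1.22.0: rke-profile-permissive-1.20` and `>=1.22.0: rke-profile-permissive-1.23`, and do the same for `rke2`. The `k3s` and `default` entries name a 1.23 profile for every version, so clusters older than 1.22 hit the same mismatch there.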
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: Always
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: '{{ .Values.global.cattle.clusterName }}'
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
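Review bot: The env values for `SECURITY_SCAN_IMAGE_TAG`, `SONOBUOY_IMAGE_TAG` and `CIS_ALERTS_SEVERITY` in deployment.yaml are rendered unquoted, so a tag or severity that YAML reads as a number or boolean (a constructed example is the tag `1.10`) yields a non-string `value` and the Deployment is rejected; write `value: {{ .Values.image.securityScan.tag | quote }}` and the same for the other two, as `CIS_ALERTS_ENABLED` already does. The pod also sets no `securityContext` and hard-codes `imagePullPolicy: Always`, while the patch-sa Job in this commit reads `.Values.global.imagePullPolicy`. Because this pod runs as `cis-operator-serviceaccount`, which rbac.yaml binds to `cluster-admin`, a container `securityContext` with `allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true` and `runAsNonRoot: true` is worth adding if the operator image supports it.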
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/network_policy_allow_all.yaml
new file mode 100644
index 000000000..6ed5d645e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 000000000..e78a6bd08
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+ tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+
+ backoffLimit: 1
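Review bot: `default-allow-all` in network_policy_allow_all.yaml selects every pod in the namespace (`podSelector: {}`) and admits all ingress and egress (`- {}`), so it gives the operator and scan pods no isolation, and it is installed unconditionally. If the purpose is only to keep scans working where a default-deny policy is applied, state that at the top of the file, for example `# Intentionally permissive: keeps operator and scan pods reachable under default-deny setups; it does not restrict traffic.` Narrowing ingress to the `cismetrics` port that deployment.yaml exposes would be the next step, once the traffic the scan pods need is known; that is not visible in this commit.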
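Review bot: The `patch-sa` hook Job in patch_default_serviceaccount.yaml runs `kubectl` under `cis-operator-serviceaccount`, which rbac.yaml binds to `cluster-admin`, although its command only patches the `default` ServiceAccount of one namespace. A dedicated service account bound to a namespaced Role limited to that one object is enough; the Role is sketched below, with its ServiceAccount and RoleBinding left out. The container also sets no `securityContext` or resource limits, and the namespace in `args` is rendered unquoted, which `args: ["-n", {{ include "cis.namespace" . | quote }}]` avoids.

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  # placeholder name; pick one that fits the chart's naming
  name: patch-default-sa
  namespace: {{ template "cis.namespace" . }}
rules:
  - apiGroups: [""]
    resources: ["serviceaccounts"]
    resourceNames: ["default"]
    verbs: ["get", "patch"]
```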
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/rbac.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/rbac.yaml
new file mode 100644
index 000000000..4ff88ea5f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cis-operator-installer
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.20.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.20.yaml
new file mode 100644
index 000000000..05263ce7d
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.20.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.20-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.20
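Review bot: In rbac.yaml `cis-operator-installer` binds `cis-operator-serviceaccount` to `cluster-admin`, and that is the account the long-running operator Deployment and the patch-sa Job run as, so a compromise of the operator pod gives full control of the cluster; `cis-operator-role` is equivalent in effect, granting `'*'` on all API groups and resources. Replace the wildcard rule with the explicit groups, resources and verbs the operator and scan pods use (the `cis.cattle.io` resources plus whatever they read and create), and drop the `cluster-admin` binding once that role is sufficient; the required list cannot be derived from this commit. `cis-operator-rolebinding` names the subject `cis-serviceaccount`, which differs from the account the Deployment uses, so confirm that it is defined in a template outside this view. The label `app.kubernetes.io/instance: release-name` looks like a rendered placeholder and probably should be `{{ .Release.Name }}`.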
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.23.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.23.yaml
new file mode 100644
index 000000000..c59d8f51f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.23.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.23-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.23
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.6.yaml
new file mode 100644
index 000000000..8a8d8bf88
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-cis-1.6.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.6-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.6
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml
new file mode 100644
index 000000000..a0b6cb6f6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.20-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.20-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml
new file mode 100644
index 000000000..89885548d
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.20-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.20-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml
new file mode 100644
index 000000000..724412d3a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.23-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.23-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml
new file mode 100644
index 000000000..9f9213de1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.23-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.23-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml
new file mode 100644
index 000000000..095e977ab
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.6-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml
new file mode 100644
index 000000000..3b22a80c8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.6-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml
new file mode 100644
index 000000000..c36cf38c9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.20
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.20-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml
new file mode 100644
index 000000000..cfeb4b34c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.20
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.20-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml
new file mode 100644
index 000000000..007331149
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.23
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.23-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml
new file mode 100644
index 000000000..085b60dfa
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.23
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.23-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml
new file mode 100644
index 000000000..d38febd80
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.6
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml
new file mode 100644
index 000000000..d31b5b0d2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.6
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml
new file mode 100644
index 000000000..decc9b651
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.20-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.20-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml
new file mode 100644
index 000000000..74c96ffc4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.20-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.20-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml
new file mode 100644
index 000000000..abc1c2a21
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.23-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.23-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml
new file mode 100644
index 000000000..51cc519ac
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.23-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.23-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml
new file mode 100644
index 000000000..c7ac7f949
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.6-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml
new file mode 100644
index 000000000..96ca1345a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.6-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileaks.yml
new file mode 100644
index 000000000..ea7b25b40
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: aks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: aks-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileeks.yml
new file mode 100644
index 000000000..3b4e34437
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: eks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: eks-1.0.1
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofilegke.yml
new file mode 100644
index 000000000..2ddd0686f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ec48ec622
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..562295791
--- /dev/null
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/3.0.0-rc1/values.yaml b/charts/rancher-cis-benchmark/3.0.0-rc1/values.yaml
new file mode 100644
index 000000000..6d8e41cf2
--- /dev/null
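Review bot: The label `app.kubernetes.io/instance: release-name` on `cis-serviceaccount` in serviceaccount.yaml is a fixed string, so it reads like leftover rendered output rather than the actual Helm release; `app.kubernetes.io/instance: {{ .Release.Name }}` would let the label identify this release's objects. `cis-operator-serviceaccount` in the first document carries no labels at all, which makes the two accounts harder to select and audit together. Neither account sets `automountServiceAccountToken`; if the pods running as `cis-serviceaccount` do not need to call the API server (their specs are not in this hunk), adding `automountServiceAccountToken: false` to that account would keep a token out of them.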
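Review bot: The leading `#` on every line of validate-install-crd.yaml does not disable this check, because Helm evaluates the `{{ ... }}` actions before the output is parsed as YAML, so the `required` call still aborts the install when one of the four `cis.cattle.io/v1` kinds is missing from `.Capabilities.APIVersions`. As written the file looks like commented-out code, so a first line such as `{{- /* The leading '#' only keeps this file lintable as YAML; the template actions below still run. */ -}}` would stop a later maintainer from deleting it or "re-enabling" it. The outer `lookup` guard presumably skips the check when Helm renders without a cluster connection, where `lookup` returns an empty result; that intent is worth stating in the same comment.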
+++ b/charts/rancher-cis-benchmark/3.0.0-rc1/values.yaml
@@ -0,0 +1,49 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ cisoperator:
+ repository: rancher/cis-operator
+ tag: v1.0.9
+ securityScan:
+ repository: rancher/security-scan
+ tag: v0.2.9-rc1
+ sonobuoy:
+ repository: rancher/mirrored-sonobuoy-sonobuoy
+ tag: v0.56.7
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+affinity: {}
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ clusterName: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+
+alerts:
+ enabled: false
+ severity: warning
+ metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 4e0ddc40a..40117822f 100755
--- a/index.yaml
+++ b/index.yaml
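Review bot: `global.kubectl.tag: v1.20.2` in values.yaml is older than every Kubernetes version this release declares support for (`catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'` in this commit's index.yaml entry), and kubectl is only supported within one minor version of the API server. Where the chart uses this image is not visible in this hunk, so confirm that before bumping; a comment such as `# keep within one minor version of the supported Kubernetes range` above the tag would make the constraint explicit. All four images are referenced by tag only, `securityScan` by a release-candidate tag (`v0.2.9-rc1`), and a tag can be re-pointed in the registry. Environments that need reproducible scanner images should pull through a mirror they control (`global.cattle.systemDefaultRegistry`) and check digests there.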
@@ -3150,6 +3150,32 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v2.1.0 + created: "2022-09-16T09:56:44.317467111+05:30" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: 1f619f9763d466dca014a5d381607bd867118bc81c0159963b2577fa3c972d17 + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.0-rc1.tgz + version: 3.0.0-rc1 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher 
@@ -3464,6 +3490,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2022-09-16T09:56:44.321160527+05:30" + description: Installs the CRDs for rancher-cis-benchmark. + digest: 990e8df24efb67f93187fee6f1f5c85302f1f3fe7c0bfeb78ca88e08377f84d8 + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.0-rc1.tgz + version: 3.0.0-rc1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"