add CIS profiles for RKE RKE2 and K3s

2023-09-15 12:48:11 +05:30 · 2023-09-15 12:48:11 +05:30 · 2da1598eaa
parent 96143a7408
commit 2da1598eaa
28 changed files with 245 additions and 0 deletions
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-cis-1.24.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-cis-1.24.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.24
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-cis-1.7.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-cis-1.7.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.7
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.24-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.24-hardened.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.24-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.24-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.24-permissive.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.24-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.7-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.7-hardened.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.7-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.7-permissive.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.24-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.24-hardened.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.24-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.24-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.24-permissive.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.24-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.7-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.7-hardened.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.7-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.7-permissive.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.24-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.24-hardened.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.24-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.24-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.24-permissive.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.24-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.24.0"
+  maxKubernetesVersion: "1.24.x"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.7-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.7-hardened.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.7-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.7-permissive.yaml
@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-cis-1.24.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-cis-1.24.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.24-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.24
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-cis-1.7.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-cis-1.7.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.7-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.7
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.24-hardened.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.24-hardened.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.24-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.24-hardened
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.24-permissive.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.24-permissive.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.24-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.24-permissive
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.7-hardened.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.7-hardened.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-hardened
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.7-permissive.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.7-permissive.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-permissive
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.24-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.24-hardened.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.24
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.24-hardened
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.24-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.24-permissive.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.24
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.24-permissive
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.7-hardened.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.7-hardened.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-hardened
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.7-permissive.yaml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.7-permissive.yaml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-permissive
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.24-hardened.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.24-hardened.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.24-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.24-hardened
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.24-permissive.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.24-permissive.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.24-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.24-permissive
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.7-hardened.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.7-hardened.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-hardened
--- a/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.7-permissive.yml
+++ b/packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.7-permissive.yml
@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-permissive