make forward-port rancher-cis 4.2.0

pull/3193/head
Venkata Krishna Rohit Sakala 2023-09-21 15:14:23 -07:00 committed by Lucas Machado
parent e796a967a9
commit 373ce2df50
107 changed files with 1692 additions and 0 deletions

View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/release-name: rancher-cis-benchmark-crd
apiVersion: v1
description: Installs the CRDs for rancher-cis-benchmark.
name: rancher-cis-benchmark-crd
type: application
version: 4.2.0

View File

@ -0,0 +1,2 @@
# rancher-cis-benchmark-crd
A Rancher chart that installs the CRDs used by rancher-cis-benchmark.

View File

@ -0,0 +1,148 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscans.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScan
plural: clusterscans
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .status.lastRunScanProfileName
name: ClusterScanProfile
type: string
- jsonPath: .status.summary.total
name: Total
type: string
- jsonPath: .status.summary.pass
name: Pass
type: string
- jsonPath: .status.summary.fail
name: Fail
type: string
- jsonPath: .status.summary.skip
name: Skip
type: string
- jsonPath: .status.summary.warn
name: Warn
type: string
- jsonPath: .status.summary.notApplicable
name: Not Applicable
type: string
- jsonPath: .status.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.scheduledScanConfig.cronSchedule
name: CronSchedule
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
scanProfileName:
nullable: true
type: string
scheduledScanConfig:
nullable: true
properties:
cronSchedule:
nullable: true
type: string
retentionCount:
type: integer
scanAlertRule:
nullable: true
properties:
alertOnComplete:
type: boolean
alertOnFailure:
type: boolean
type: object
type: object
scoreWarning:
enum:
- pass
- fail
nullable: true
type: string
type: object
status:
properties:
NextScanAt:
nullable: true
type: string
ScanAlertingRuleName:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
display:
nullable: true
properties:
error:
type: boolean
message:
nullable: true
type: string
state:
nullable: true
type: string
transitioning:
type: boolean
type: object
lastRunScanProfileName:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
observedGeneration:
type: integer
summary:
nullable: true
properties:
fail:
type: integer
notApplicable:
type: integer
pass:
type: integer
skip:
type: integer
total:
type: integer
warn:
type: integer
type: object
type: object
type: object

View File

@ -0,0 +1,54 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanbenchmarks.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanBenchmark
plural: clusterscanbenchmarks
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.clusterProvider
name: ClusterProvider
type: string
- jsonPath: .spec.minKubernetesVersion
name: MinKubernetesVersion
type: string
- jsonPath: .spec.maxKubernetesVersion
name: MaxKubernetesVersion
type: string
- jsonPath: .spec.customBenchmarkConfigMapName
name: customBenchmarkConfigMapName
type: string
- jsonPath: .spec.customBenchmarkConfigMapNamespace
name: customBenchmarkConfigMapNamespace
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
clusterProvider:
nullable: true
type: string
customBenchmarkConfigMapName:
nullable: true
type: string
customBenchmarkConfigMapNamespace:
nullable: true
type: string
maxKubernetesVersion:
nullable: true
type: string
minKubernetesVersion:
nullable: true
type: string
type: object
type: object

View File

@ -0,0 +1,36 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanprofiles.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanProfile
plural: clusterscanprofiles
scope: Cluster
versions:
- name: v1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
benchmarkVersion:
nullable: true
type: string
skipTests:
items:
nullable: true
type: string
nullable: true
type: array
type: object
type: object
additionalPrinterColumns:
- jsonPath: .spec.benchmarkVersion
name: BenchmarkVersion
type: string

View File

@ -0,0 +1,39 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanreports.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanReport
plural: clusterscanreports
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.benchmarkVersion
name: BenchmarkVersion
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
benchmarkVersion:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
reportJSON:
nullable: true
type: string
type: object
type: object

View File

@ -0,0 +1,22 @@
annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: CIS Benchmark
catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.27.0-0'
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-cis-benchmark
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-cis-benchmark
apiVersion: v1
appVersion: v4.2.0
description: The cis-operator enables running CIS benchmark security scans on a kubernetes
cluster
icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
keywords:
- security
name: rancher-cis-benchmark
version: 4.2.0

View File

@ -0,0 +1,9 @@
# Rancher CIS Benchmark Chart
The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
# Installation
```
helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
```

View File

@ -0,0 +1,33 @@
# Rancher CIS Benchmarks
This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/).
This chart installs the following components:
- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
- If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
- Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
## Upgrading to Kubernetes v1.25+
Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
> **Note:**
> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
> **Note:**
> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
>
> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.

View File

@ -0,0 +1,27 @@
{{/* Ensure namespace is set the same everywhere */}}
{{- define "cis.namespace" -}}
{{- .Release.Namespace | default "cis-operator-system" -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}

View File

@ -0,0 +1,14 @@
{{- if .Values.alerts.enabled -}}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: rancher-cis-pod-monitor
namespace: {{ template "cis.namespace" . }}
spec:
selector:
matchLabels:
cis.cattle.io/operator: cis-operator
podMetricsEndpoints:
- port: cismetrics
{{- end }}

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: aks-1.0
spec:
clusterProvider: aks
minKubernetesVersion: "1.15.0"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.20
spec:
clusterProvider: ""
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.23
spec:
clusterProvider: ""
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.24
spec:
clusterProvider: ""
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.5
spec:
clusterProvider: ""
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.6
spec:
clusterProvider: ""
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.7
spec:
clusterProvider: ""
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: eks-1.0.1
spec:
clusterProvider: eks
minKubernetesVersion: "1.15.0"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: gke-1.2.0
spec:
clusterProvider: gke
minKubernetesVersion: "1.15.0"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.20-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.20-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.23-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.23-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.24-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.24-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.6-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.6-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.7-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.7-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.20-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.20-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.23-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.23-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.24-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.24-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.6-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.6-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.7-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.7-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.20-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.20-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.23-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.23-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.22.0"
maxKubernetesVersion: "1.23.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.24-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.24-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.24.0"
maxKubernetesVersion: "1.24.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.5-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.5-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.6-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.6-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.7-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.7-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.25.0"

View File

@ -0,0 +1,49 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cis-admin
rules:
- apiGroups:
- cis.cattle.io
resources:
- clusterscanbenchmarks
- clusterscanprofiles
- clusterscans
- clusterscanreports
verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
- apiGroups:
- catalog.cattle.io
resources: ["apps"]
resourceNames: ["rancher-cis-benchmark"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cis-view
rules:
- apiGroups:
- cis.cattle.io
resources:
- clusterscanbenchmarks
- clusterscanprofiles
- clusterscans
- clusterscanreports
verbs: ["get", "watch", "list"]
- apiGroups:
- catalog.cattle.io
resources: ["apps"]
resourceNames: ["rancher-cis-benchmark"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
resources:
- configmaps
verbs: ["get", "watch", "list"]

View File

@ -0,0 +1,18 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: default-clusterscanprofiles
namespace: {{ template "cis.namespace" . }}
data:
# Default ClusterScanProfiles per cluster provider type
rke: |-
<1.21.0: rke-profile-permissive-1.20
>=1.21.0: rke-profile-permissive-1.7
rke2: |-
<1.21.0: rke2-cis-1.20-profile-permissive
>=1.21.0: rke2-cis-1.7-profile-permissive
eks: "eks-profile"
gke: "gke-profile"
aks: "aks-profile"
k3s: "k3s-cis-1.7-profile-permissive"
default: "cis-1.7-profile"

View File

@ -0,0 +1,61 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cis-operator
namespace: {{ template "cis.namespace" . }}
labels:
cis.cattle.io/operator: cis-operator
spec:
selector:
matchLabels:
cis.cattle.io/operator: cis-operator
template:
metadata:
labels:
cis.cattle.io/operator: cis-operator
spec:
serviceAccountName: cis-operator-serviceaccount
containers:
- name: cis-operator
image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
imagePullPolicy: IfNotPresent
ports:
- name: cismetrics
containerPort: {{ .Values.alerts.metricsPort }}
env:
- name: SECURITY_SCAN_IMAGE
value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
- name: SECURITY_SCAN_IMAGE_TAG
value: {{ .Values.image.securityScan.tag }}
- name: SONOBUOY_IMAGE
value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
- name: SONOBUOY_IMAGE_TAG
value: {{ .Values.image.sonobuoy.tag }}
- name: CIS_ALERTS_METRICS_PORT
value: '{{ .Values.alerts.metricsPort }}'
- name: CIS_ALERTS_SEVERITY
value: {{ .Values.alerts.severity }}
- name: CIS_ALERTS_ENABLED
value: {{ .Values.alerts.enabled | default "false" | quote }}
- name: CLUSTER_NAME
value: '{{ .Values.global.cattle.clusterName }}'
- name: CIS_OPERATOR_DEBUG
value: '{{ .Values.image.cisoperator.debug }}'
{{- if .Values.securityScanJob.overrideTolerations }}
- name: SECURITY_SCAN_JOB_TOLERATIONS
value: '{{ .Values.securityScanJob.tolerations | toJson }}'
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}

View File

@ -0,0 +1,15 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-allow-all
namespace: {{ template "cis.namespace" . }}
spec:
podSelector: {}
ingress:
- {}
egress:
- {}
policyTypes:
- Ingress
- Egress

View File

@ -0,0 +1,29 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: patch-sa
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
template:
spec:
serviceAccountName: cis-operator-serviceaccount
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: sa
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
args: ["-n", {{ template "cis.namespace" . }}]
backoffLimit: 1

View File

@ -0,0 +1,59 @@
{{- if .Values.global.cattle.psp.enabled }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cis-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
fsGroup:
rule: RunAsAny
hostIPC: true
hostNetwork: true
hostPID: true
hostPorts:
- max: 65535
min: 0
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cis-psp-role
namespace: {{ template "cis.namespace" . }}
rules:
- apiGroups:
- policy
resourceNames:
- cis-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cis-psp-rolebinding
namespace: {{ template "cis.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cis-psp-role
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}
{{- end }}

View File

@ -0,0 +1,213 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-clusterrole
rules:
- apiGroups:
- "cis.cattle.io"
resources:
- "*"
verbs:
- "*"
- apiGroups:
- ""
resources:
- "pods"
- "services"
- "configmaps"
- "nodes"
- "serviceaccounts"
verbs:
- "get"
- "list"
- "create"
- "update"
- "watch"
- "patch"
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "rolebindings"
- "clusterrolebindings"
- "clusterroles"
verbs:
- "get"
- "list"
- apiGroups:
- "batch"
resources:
- "jobs"
verbs:
- "list"
- "create"
- "patch"
- "update"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-scan-ns
rules:
{{- if .Values.global.cattle.psp.enabled }}
- apiGroups:
- "*"
resources:
- "podsecuritypolicies"
verbs:
- "get"
- "list"
- "watch"
{{- end }}
- apiGroups:
- ""
resources:
- "namespaces"
- "nodes"
- "pods"
- "serviceaccounts"
- "services"
- "replicationcontrollers"
verbs:
- "get"
- "list"
- "watch"
- apiGroups:
- "rbac.authorization.k8s.io"
resources:
- "rolebindings"
- "clusterrolebindings"
- "clusterroles"
verbs:
- "get"
- "list"
- apiGroups:
- "batch"
resources:
- "jobs"
- "cronjobs"
verbs:
- "list"
- apiGroups:
- "apps"
resources:
- "daemonsets"
- "deployments"
- "replicasets"
- "statefulsets"
verbs:
- "list"
- apiGroups:
- "autoscaling"
resources:
- "horizontalpodautoscalers"
verbs:
- "list"
- apiGroups:
- "networking.k8s.io"
resources:
- "networkpolicies"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cis-operator-role
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
namespace: {{ template "cis.namespace" . }}
rules:
- apiGroups:
- ""
resources:
- "services"
verbs:
- "watch"
- "list"
- "get"
- "patch"
- apiGroups:
- "batch"
resources:
- "jobs"
verbs:
- "watch"
- "list"
- "get"
- "delete"
- apiGroups:
- ""
resources:
- "configmaps"
- "pods"
- "secrets"
verbs:
- "*"
- apiGroups:
- "apps"
resources:
- "daemonsets"
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cis-operator-clusterrole
subjects:
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cis-scan-ns
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cis-scan-ns
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-rolebinding
namespace: {{ template "cis.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cis-operator-role
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.20-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.20

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.23-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.23

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.24-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.24

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.6-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.6

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.7-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.7

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.20-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.20-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.20-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.20-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.23-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.23-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.23-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.23-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.24-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.24-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.24-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.24-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.6-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.6-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.6-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.6-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.7-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.7-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.7-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.7-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.20
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.20-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.20
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.20-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.23
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.23-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.23
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.23-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.24
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.24-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.24
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.24-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.6
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.6-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.6
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.6-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.7
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.7-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.7
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.7-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.20-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.20-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.20-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.20-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.23-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.23-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.23-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.23-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.24-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.24-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.24-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.24-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.6-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.6-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.6-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.6-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.7-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.7-hardened

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.7-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.7-permissive

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: aks-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: aks-1.0

View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: eks-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: eks-1.0.1

Some files were not shown because too many files have changed in this diff Show More