andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

make charts

pull/2394/head
vardhaman 2023-02-07 17:56:14 +05:30
parent 7d0455b48c
commit 73bcc0d7be
77 changed files with 1360 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.1-rc8.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.1-rc8.tgz Normal file
View File

Binary file not shown.

10
charts/rancher-cis-benchmark-crd/3.0.1-rc8/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/release-name: rancher-cis-benchmark-crd
apiVersion: v1
description: Installs the CRDs for rancher-cis-benchmark.
name: rancher-cis-benchmark-crd
type: application
version: 3.0.1-rc8

2
charts/rancher-cis-benchmark-crd/3.0.1-rc8/README.md Normal file
View File

@ -0,0 +1,2 @@
# rancher-cis-benchmark-crd
A Rancher chart that installs the CRDs used by rancher-cis-benchmark.

148
charts/rancher-cis-benchmark-crd/3.0.1-rc8/templates/clusterscan.yaml Normal file
View File

@ -0,0 +1,148 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscans.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScan
plural: clusterscans
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .status.lastRunScanProfileName
name: ClusterScanProfile
type: string
- jsonPath: .status.summary.total
name: Total
type: string
- jsonPath: .status.summary.pass
name: Pass
type: string
- jsonPath: .status.summary.fail
name: Fail
type: string
- jsonPath: .status.summary.skip
name: Skip
type: string
- jsonPath: .status.summary.warn
name: Warn
type: string
- jsonPath: .status.summary.notApplicable
name: Not Applicable
type: string
- jsonPath: .status.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.scheduledScanConfig.cronSchedule
name: CronSchedule
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
scanProfileName:
nullable: true
type: string
scheduledScanConfig:
nullable: true
properties:
cronSchedule:
nullable: true
type: string
retentionCount:
type: integer
scanAlertRule:
nullable: true
properties:
alertOnComplete:
type: boolean
alertOnFailure:
type: boolean
type: object
type: object
scoreWarning:
enum:
- pass
- fail
nullable: true
type: string
type: object
status:
properties:
NextScanAt:
nullable: true
type: string
ScanAlertingRuleName:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
display:
nullable: true
properties:
error:
type: boolean
message:
nullable: true
type: string
state:
nullable: true
type: string
transitioning:
type: boolean
type: object
lastRunScanProfileName:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
observedGeneration:
type: integer
summary:
nullable: true
properties:
fail:
type: integer
notApplicable:
type: integer
pass:
type: integer
skip:
type: integer
total:
type: integer
warn:
type: integer
type: object
type: object
type: object

54
charts/rancher-cis-benchmark-crd/3.0.1-rc8/templates/clusterscanbenchmark.yaml Normal file
View File

@ -0,0 +1,54 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanbenchmarks.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanBenchmark
plural: clusterscanbenchmarks
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.clusterProvider
name: ClusterProvider
type: string
- jsonPath: .spec.minKubernetesVersion
name: MinKubernetesVersion
type: string
- jsonPath: .spec.maxKubernetesVersion
name: MaxKubernetesVersion
type: string
- jsonPath: .spec.customBenchmarkConfigMapName
name: customBenchmarkConfigMapName
type: string
- jsonPath: .spec.customBenchmarkConfigMapNamespace
name: customBenchmarkConfigMapNamespace
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
clusterProvider:
nullable: true
type: string
customBenchmarkConfigMapName:
nullable: true
type: string
customBenchmarkConfigMapNamespace:
nullable: true
type: string
maxKubernetesVersion:
nullable: true
type: string
minKubernetesVersion:
nullable: true
type: string
type: object
type: object

36
charts/rancher-cis-benchmark-crd/3.0.1-rc8/templates/clusterscanprofile.yaml Normal file
View File

@ -0,0 +1,36 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanprofiles.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanProfile
plural: clusterscanprofiles
scope: Cluster
versions:
- name: v1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
benchmarkVersion:
nullable: true
type: string
skipTests:
items:
nullable: true
type: string
nullable: true
type: array
type: object
type: object
additionalPrinterColumns:
- jsonPath: .spec.benchmarkVersion
name: BenchmarkVersion
type: string

39
charts/rancher-cis-benchmark-crd/3.0.1-rc8/templates/clusterscanreport.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanreports.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanReport
plural: clusterscanreports
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.benchmarkVersion
name: BenchmarkVersion
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
benchmarkVersion:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
reportJSON:
nullable: true
type: string
type: object
type: object

22
charts/rancher-cis-benchmark/3.0.1-rc8/Chart.yaml Normal file
View File

@ -0,0 +1,22 @@
annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: CIS Benchmark
catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-cis-benchmark
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-cis-benchmark
apiVersion: v1
appVersion: v3.0.1-rc7
description: The cis-operator enables running CIS benchmark security scans on a kubernetes
cluster
icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
keywords:
- security
name: rancher-cis-benchmark
version: 3.0.1-rc8

9
charts/rancher-cis-benchmark/3.0.1-rc8/README.md Normal file
View File

@ -0,0 +1,9 @@
# Rancher CIS Benchmark Chart
The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
# Installation
```
helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
```

15
charts/rancher-cis-benchmark/3.0.1-rc8/app-readme.md Normal file
View File

@ -0,0 +1,15 @@
# Rancher CIS Benchmarks
This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/).
This chart installs the following components:
- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
- If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
- Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.

27
charts/rancher-cis-benchmark/3.0.1-rc8/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,27 @@
{{/* Ensure namespace is set the same everywhere */}}
{{- define "cis.namespace" -}}
{{- .Release.Namespace | default "cis-operator-system" -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
kubernetes.io/os: linux
{{- end -}}

14
charts/rancher-cis-benchmark/3.0.1-rc8/templates/alertingrule.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.alerts.enabled -}}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: rancher-cis-pod-monitor
namespace: {{ template "cis.namespace" . }}
spec:
selector:
matchLabels:
cis.cattle.io/operator: cis-operator
podMetricsEndpoints:
- port: cismetrics
{{- end }}

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-aks-1.0.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: aks-1.0
spec:
clusterProvider: aks
minKubernetesVersion: "1.15.0"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-cis-1.20.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.20
spec:
clusterProvider: ""
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-cis-1.23.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.23
spec:
clusterProvider: ""
minKubernetesVersion: "1.22.0"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-cis-1.5.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.5
spec:
clusterProvider: ""
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-cis-1.6.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.6
spec:
clusterProvider: ""
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-eks-1.0.1.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: eks-1.0.1
spec:
clusterProvider: eks
minKubernetesVersion: "1.15.0"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-gke-1.0.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: gke-1.0
spec:
clusterProvider: gke
minKubernetesVersion: "1.15.0"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-k3s-cis-1.20-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.20-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-k3s-cis-1.20-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.20-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-k3s-cis-1.23-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.23-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.22.0"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-k3s-cis-1.23-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.23-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.22.0"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-k3s-cis-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.6-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-k3s-cis-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.6-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.20-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.20-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.20-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.20-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.23-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.23-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.22.0"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.23-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.23-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.22.0"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.5-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.5-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.6-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke-cis-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.6-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.20-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.20-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.20-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.20-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.19.0"
maxKubernetesVersion: "1.21.x"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.23-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.23-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.22.0"

8
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.23-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.23-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.22.0"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.5-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.5-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.5-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.5-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.15.0"
maxKubernetesVersion: "1.15.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.6-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/benchmark-rke2-cis-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.6-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.16.0"
maxKubernetesVersion: "1.18.x"

49
charts/rancher-cis-benchmark/3.0.1-rc8/templates/cis-roles.yaml Normal file
View File

@ -0,0 +1,49 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cis-admin
rules:
- apiGroups:
- cis.cattle.io
resources:
- clusterscanbenchmarks
- clusterscanprofiles
- clusterscans
- clusterscanreports
verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
- apiGroups:
- catalog.cattle.io
resources: ["apps"]
resourceNames: ["rancher-cis-benchmark"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cis-view
rules:
- apiGroups:
- cis.cattle.io
resources:
- clusterscanbenchmarks
- clusterscanprofiles
- clusterscans
- clusterscanreports
verbs: ["get", "watch", "list"]
- apiGroups:
- catalog.cattle.io
resources: ["apps"]
resourceNames: ["rancher-cis-benchmark"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
resources:
- configmaps
verbs: ["get", "watch", "list"]

18
charts/rancher-cis-benchmark/3.0.1-rc8/templates/configmap.yaml Normal file
View File

@ -0,0 +1,18 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: default-clusterscanprofiles
namespace: {{ template "cis.namespace" . }}
data:
# Default ClusterScanProfiles per cluster provider type
rke: |-
<1.21.0: rke-profile-permissive-1.20
>=1.21.0: rke-profile-permissive-1.23
rke2: |-
<1.21.0: rke2-cis-1.20-profile-permissive
>=1.21.0: rke2-cis-1.23-profile-permissive
eks: "eks-profile"
gke: "gke-profile"
aks: "aks-profile"
k3s: "k3s-cis-1.23-profile-permissive"
default: "cis-1.23-profile"

61
charts/rancher-cis-benchmark/3.0.1-rc8/templates/deployment.yaml Normal file
View File

@ -0,0 +1,61 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cis-operator
namespace: {{ template "cis.namespace" . }}
labels:
cis.cattle.io/operator: cis-operator
spec:
selector:
matchLabels:
cis.cattle.io/operator: cis-operator
template:
metadata:
labels:
cis.cattle.io/operator: cis-operator
spec:
serviceAccountName: cis-operator-serviceaccount
containers:
- name: cis-operator
image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
imagePullPolicy: IfNotPresent
ports:
- name: cismetrics
containerPort: {{ .Values.alerts.metricsPort }}
env:
- name: SECURITY_SCAN_IMAGE
value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
- name: SECURITY_SCAN_IMAGE_TAG
value: {{ .Values.image.securityScan.tag }}
- name: SONOBUOY_IMAGE
value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
- name: SONOBUOY_IMAGE_TAG
value: {{ .Values.image.sonobuoy.tag }}
- name: CIS_ALERTS_METRICS_PORT
value: '{{ .Values.alerts.metricsPort }}'
- name: CIS_ALERTS_SEVERITY
value: {{ .Values.alerts.severity }}
- name: CIS_ALERTS_ENABLED
value: {{ .Values.alerts.enabled | default "false" | quote }}
- name: CLUSTER_NAME
value: '{{ .Values.global.cattle.clusterName }}'
- name: CIS_OPERATOR_DEBUG
value: '{{ .Values.image.cisoperator.debug }}'
{{- if .Values.securityScanJob.overrideTolerations }}
- name: SECURITY_SCAN_JOB_TOLERATIONS
value: '{{ .Values.securityScanJob.tolerations | toJson }}'
{{- end }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}

15
charts/rancher-cis-benchmark/3.0.1-rc8/templates/network_policy_allow_all.yaml Normal file
View File

@ -0,0 +1,15 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-allow-all
namespace: {{ template "cis.namespace" . }}
spec:
podSelector: {}
ingress:
- {}
egress:
- {}
policyTypes:
- Ingress
- Egress

29
charts/rancher-cis-benchmark/3.0.1-rc8/templates/patch_default_serviceaccount.yaml Normal file
View File

@ -0,0 +1,29 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: patch-sa
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
template:
spec:
serviceAccountName: cis-operator-serviceaccount
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
{{- if .Values.nodeSelector }}
{{ toYaml .Values.nodeSelector | indent 8 }}
{{- end }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
{{- if .Values.tolerations }}
{{ toYaml .Values.tolerations | indent 8 }}
{{- end }}
restartPolicy: Never
containers:
- name: sa
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
args: ["-n", {{ template "cis.namespace" . }}]
backoffLimit: 1

59
charts/rancher-cis-benchmark/3.0.1-rc8/templates/psp.yaml Normal file
View File

@ -0,0 +1,59 @@
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: cis-psp
spec:
allowPrivilegeEscalation: true
allowedCapabilities:
- '*'
fsGroup:
rule: RunAsAny
hostIPC: true
hostNetwork: true
hostPID: true
hostPorts:
- max: 65535
min: 0
privileged: true
runAsUser:
rule: RunAsAny
seLinux:
rule: RunAsAny
supplementalGroups:
rule: RunAsAny
volumes:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cis-psp-role
namespace: {{ template "cis.namespace" . }}
rules:
- apiGroups:
- policy
resourceNames:
- cis-psp
resources:
- podsecuritypolicies
verbs:
- use
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: cis-psp-rolebinding
namespace: {{ template "cis.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cis-psp-role
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}
{{- end }}

162
charts/rancher-cis-benchmark/3.0.1-rc8/templates/rbac.yaml Normal file
View File

@ -0,0 +1,162 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-clusterrole
rules:
- apiGroups:
- "cis.cattle.io"
resources:
- "*"
verbs:
- "*"
- apiGroups:
- ""
resources:
- "pods"
- "services"
- "configmaps"
- "nodes"
- "serviceaccounts"
verbs:
- "get"
- "list"
- "create"
- "update"
- "watch"
- "patch"
- apiGroups:
- "batch"
resources:
- "jobs"
verbs:
- "list"
- "create"
- "patch"
- "update"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-scan-ns
rules:
{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }}
- apiGroups:
- "*"
resources:
- "podsecuritypolicies"
verbs:
- "get"
- "list"
- "watch"
{{- end }}
- apiGroups:
- ""
resources:
- "namespaces"
- "nodes"
- "pods"
verbs:
- "get"
- "list"
- "watch"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: cis-operator-role
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
namespace: {{ template "cis.namespace" . }}
rules:
- apiGroups:
- ""
resources:
- "services"
verbs:
- "watch"
- "list"
- "get"
- "patch"
- apiGroups:
- "batch"
resources:
- "jobs"
verbs:
- "watch"
- "list"
- "get"
- "delete"
- apiGroups:
- ""
resources:
- "configmaps"
- "pods"
- "secrets"
verbs:
- "*"
- apiGroups:
- "apps"
resources:
- "daemonsets"
verbs:
- "*"
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-clusterrolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cis-operator-clusterrole
subjects:
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: cis-scan-ns
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cis-scan-ns
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-rolebinding
namespace: {{ template "cis.namespace" . }}
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cis-operator-role
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-cis-1.20.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.20-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.20

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-cis-1.23.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.23-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.23

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-cis-1.6.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.6-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.6

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-k3s-cis-1.20-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.20-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.20-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-k3s-cis-1.20-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.20-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.20-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-k3s-cis-1.23-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.23-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.23-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-k3s-cis-1.23-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.23-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.23-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-k3s-cis-1.6-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.6-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.6-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-k3s-cis-1.6-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.6-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.6-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke-1.20-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.20
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.20-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke-1.20-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.20
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.20-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke-1.23-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.23
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.23-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke-1.23-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.23
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.23-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.6
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.6-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.6
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.6-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke2-cis-1.20-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.20-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.20-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke2-cis-1.20-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.20-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.20-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke2-cis-1.23-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.23-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.23-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke2-cis-1.23-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.23-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.23-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke2-cis-1.6-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.6-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.6-hardened

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofile-rke2-cis-1.6-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.6-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.6-permissive

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofileaks.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: aks-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: aks-1.0

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofileeks.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: eks-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: eks-1.0.1

9
charts/rancher-cis-benchmark/3.0.1-rc8/templates/scanprofilegke.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: gke-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: gke-1.0

14
charts/rancher-cis-benchmark/3.0.1-rc8/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{ template "cis.namespace" . }}
name: cis-operator-serviceaccount
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{ template "cis.namespace" . }}
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-serviceaccount

17
charts/rancher-cis-benchmark/3.0.1-rc8/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,17 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

53
charts/rancher-cis-benchmark/3.0.1-rc8/values.yaml Normal file
View File

@ -0,0 +1,53 @@
# Default values for rancher-cis-benchmark.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
cisoperator:
repository: rancher/cis-operator
tag: v1.0.11-rc5
securityScan:
repository: rancher/security-scan
tag: v0.2.10-rc3
sonobuoy:
repository: rancher/mirrored-sonobuoy-sonobuoy
tag: v0.56.7
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
## Node labels for pod assignment
## Ref: https://kubernetes.io/docs/user-guide/node-selection/
##
nodeSelector: {}
## List of node taints to tolerate (requires Kubernetes >= 1.6)
tolerations: []
securityScanJob:
overrideTolerations: false
tolerations: []
affinity: {}
global:
cattle:
systemDefaultRegistry: ""
clusterName: ""
kubectl:
repository: rancher/kubectl
tag: v1.20.2
alerts:
enabled: false
severity: warning
metricsPort: 8080

40
index.yaml
View File

@ -4698,6 +4698,32 @@ entries:
- assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz
version: 1.0.200 version: 1.0.200
rancher-cis-benchmark: rancher-cis-benchmark:
- annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: CIS Benchmark
catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0'
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0'
catalog.cattle.io/release-name: rancher-cis-benchmark
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-cis-benchmark
apiVersion: v1
appVersion: v3.0.1-rc7
created: "2023-02-07T17:56:05.329310355+05:30"
description: The cis-operator enables running CIS benchmark security scans on
a kubernetes cluster
digest: 31a9b78c38a0105747f95eb0d73359e73ebb0209380b84ca25fba7768fb21dae
icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
keywords:
- security
name: rancher-cis-benchmark
urls:
- assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.1-rc8.tgz
version: 3.0.1-rc8
- annotations: - annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
@ -5038,6 +5064,20 @@ entries:
- assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz
version: 1.0.100 version: 1.0.100
rancher-cis-benchmark-crd: rancher-cis-benchmark-crd:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/release-name: rancher-cis-benchmark-crd
apiVersion: v1
created: "2023-02-07T17:56:05.331694648+05:30"
description: Installs the CRDs for rancher-cis-benchmark.
digest: 14aa3e0cb95ac722a5326fea60435aa28994b900b20369346e45950ec45fbe9e
name: rancher-cis-benchmark-crd
type: application
urls:
- assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.1-rc8.tgz
version: 3.0.1-rc8
- annotations: - annotations:
catalog.cattle.io/certified: rancher catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true" catalog.cattle.io/hidden: "true"