Merge pull request #664 from prachidamle/new_cis_fixes

CIS chart fixes to update image tag, fixes for hardened cluster

packages/rancher-cis-benchmark/charts/templates/network_policy_allow_all.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress

packages/rancher-cis-benchmark/charts/templates/patch_default_serviceaccount.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ template "cis.namespace" . }}]
+  backoffLimit: 1

packages/rancher-cis-benchmark/charts/values.yaml

@@ -5,7 +5,7 @@
 image:
   cisoperator:
     repository: rancher/cis-operator
-    tag: v0.0.5
+    tag: v0.0.6
   securityScan:
     repository: rancher/security-scan
     tag: v0.2.0
@@ -33,4 +33,7 @@ affinity: {}
 
 global:
   cattle:
-    systemDefaultRegistry: ""
+    systemDefaultRegistry: ""
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.18.6