From 8a2a1f792517e6c3754da2cc9c5768098e0c46d8 Mon Sep 17 00:00:00 2001 From: Vaishnav Gaikwad Date: Wed, 11 Jan 2023 11:51:20 +0530 Subject: [PATCH] make charts --- .../rancher-cis-benchmark-crd-3.0.1-rc4.tgz | Bin 0 -> 1467 bytes .../rancher-cis-benchmark-3.0.1-rc4.tgz | Bin 0 -> 6685 bytes .../3.0.1-rc4/Chart.yaml | 10 ++ .../3.0.1-rc4/README.md | 2 + .../3.0.1-rc4/templates/clusterscan.yaml | 148 ++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 54 ++++++ .../templates/clusterscanprofile.yaml | 36 ++++ .../templates/clusterscanreport.yaml | 39 +++++ .../3.0.1-rc4/Chart.yaml | 22 +++ .../rancher-cis-benchmark/3.0.1-rc4/README.md | 9 + .../3.0.1-rc4/app-readme.md | 15 ++ .../3.0.1-rc4/templates/_helpers.tpl | 27 +++ .../3.0.1-rc4/templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.20.yaml | 9 + .../templates/benchmark-cis-1.23.yaml | 8 + .../templates/benchmark-cis-1.5.yaml | 9 + .../templates/benchmark-cis-1.6.yaml | 9 + .../templates/benchmark-eks-1.0.1.yaml | 8 + .../templates/benchmark-gke-1.0.yaml | 8 + .../benchmark-k3s-cis-1.20-hardened.yaml | 9 + .../benchmark-k3s-cis-1.20-permissive.yaml | 9 + .../benchmark-k3s-cis-1.23-hardened.yaml | 8 + .../benchmark-k3s-cis-1.23-permissive.yaml | 8 + .../benchmark-k3s-cis-1.6-hardened.yaml | 9 + .../benchmark-k3s-cis-1.6-permissive.yaml | 9 + .../benchmark-rke-cis-1.20-hardened.yaml | 9 + .../benchmark-rke-cis-1.20-permissive.yaml | 9 + .../benchmark-rke-cis-1.23-hardened.yaml | 8 + .../benchmark-rke-cis-1.23-permissive.yaml | 8 + .../benchmark-rke-cis-1.5-hardened.yaml | 9 + .../benchmark-rke-cis-1.5-permissive.yaml | 9 + .../benchmark-rke-cis-1.6-hardened.yaml | 9 + .../benchmark-rke-cis-1.6-permissive.yaml | 9 + .../benchmark-rke2-cis-1.20-hardened.yaml | 9 + .../benchmark-rke2-cis-1.20-permissive.yaml | 9 + .../benchmark-rke2-cis-1.23-hardened.yaml | 8 + .../benchmark-rke2-cis-1.23-permissive.yaml | 8 + .../benchmark-rke2-cis-1.5-hardened.yaml | 9 + .../benchmark-rke2-cis-1.5-permissive.yaml | 9 + .../benchmark-rke2-cis-1.6-hardened.yaml | 9 + .../benchmark-rke2-cis-1.6-permissive.yaml | 9 + .../3.0.1-rc4/templates/cis-roles.yaml | 49 ++++++ .../3.0.1-rc4/templates/configmap.yaml | 18 ++ .../templates/delete_rolebindings.yaml | 27 +++ .../3.0.1-rc4/templates/deployment.yaml | 57 ++++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 ++++ .../3.0.1-rc4/templates/psp.yaml | 59 +++++++ .../3.0.1-rc4/templates/rbac.yaml | 162 ++++++++++++++++++ .../templates/scanprofile-cis-1.20.yaml | 9 + .../templates/scanprofile-cis-1.23.yaml | 9 + .../templates/scanprofile-cis-1.6.yaml | 9 + .../scanprofile-k3s-cis-1.20-hardened.yml | 9 + .../scanprofile-k3s-cis-1.20-permissive.yml | 9 + .../scanprofile-k3s-cis-1.23-hardened.yml | 9 + .../scanprofile-k3s-cis-1.23-permissive.yml | 9 + .../scanprofile-k3s-cis-1.6-hardened.yml | 9 + .../scanprofile-k3s-cis-1.6-permissive.yml | 9 + .../scanprofile-rke-1.20-hardened.yaml | 9 + .../scanprofile-rke-1.20-permissive.yaml | 9 + .../scanprofile-rke-1.23-hardened.yaml | 9 + .../scanprofile-rke-1.23-permissive.yaml | 9 + .../scanprofile-rke-1.6-hardened.yaml | 9 + .../scanprofile-rke-1.6-permissive.yaml | 9 + .../scanprofile-rke2-cis-1.20-hardened.yml | 9 + .../scanprofile-rke2-cis-1.20-permissive.yml | 9 + .../scanprofile-rke2-cis-1.23-hardened.yml | 9 + .../scanprofile-rke2-cis-1.23-permissive.yml | 9 + .../scanprofile-rke2-cis-1.6-hardened.yml | 9 + .../scanprofile-rke2-cis-1.6-permissive.yml | 9 + .../3.0.1-rc4/templates/scanprofileaks.yml | 9 + .../3.0.1-rc4/templates/scanprofileeks.yml | 9 + .../3.0.1-rc4/templates/scanprofilegke.yml | 9 + .../3.0.1-rc4/templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../3.0.1-rc4/values.yaml | 49 ++++++ index.yaml | 40 +++++ 78 files changed, 1379 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.1-rc4.tgz create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.1-rc4.tgz create mode 100644 charts/rancher-cis-benchmark-crd/3.0.1-rc4/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.1-rc4/README.md create mode 100644 charts/rancher-cis-benchmark-crd/3.0.1-rc4/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.1-rc4/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.1-rc4/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/3.0.1-rc4/templates/clusterscanreport.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/README.md create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/app-readme.md create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.20.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.23.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.5.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-eks-1.0.1.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-gke-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/delete_rolebindings.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/psp.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.20.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.23.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/3.0.1-rc4/values.yaml diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.1-rc4.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.1-rc4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..8f86dec584ecda4b5dc4689f23b9a1268044b2af GIT binary patch literal 1467 zcmV;s1w{HEiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(bK*7-&NIJ4bA85V3?v=ia@@6ZZ7-K0>GgS$H=v6xd8BoE zOsD_7BijkKu`vciu5;`QgCu_|+24LEt*t@wCF(vGrawo?mm%oKKG*)+=@K+KD+q&& z1I=|^_i{8!eqGls|GHyubTJqW$5*4VHy(Hw?%>kBy1ZcSp^kU4*bwLo_h4V;#r;nV zq*MeXlr)nbV;l$qwQx8P1?UL%mZK)|Akd$%j4PGHmcsW@PS_jLF}|rBA|XT*0mlim zY*P_xAf@|eWeCH{OEd-u2K)BX7yp}F?Lj2Ipf*Cu340p!d^B8(h?4&wr6C9c!)S?Y zI(u)}gVNPlPOr%ktsj)F z8xC?WJ=h-q1J@f2it+CahU4Km{!d}~$bm@UH$rLu8Rzk5V?*$1(0dfppRj3cNQE;r zD%Kp|W+g< zTB9J=5ENbX7&Bbiz|2PX7|X&k!RlwzdKx4U2KAGbGpkf-11Sv)%(Z~;Cu@V?Rtrg} zrz(g;na!-vz8WQOftC~I7y^oo6M&&vEbTmRwR#W%-awdwJ>QkwQnDdgcPc7|w2+Hh z2PO_f&?|=&K~TWG&$YCIiolox((SsT70?5S;*@?_H?#sWk0L4n-K`s10sReH7J&X* zH?#thimp?&p9jUqd83GJbnS$laphiwXb8gMivOtYYyggsJBBaOj|22A!=_3;h=s$o zl6P5qk&K%i8!k*d*IBq{%(t;(moQ=f{F@HpOAO(;Q$;ARZ$Ew+-W8e|i?q%5B-S{| z#hDhYt$JMQs1R7?ZpLIB1olDXqBw6Gi_1fA+_%>7^%J+2e+pIojqnXCu%?kvTFsiO zSW>l@6v7JHA`!{5*_(VFpr+X&6Wx9|~a_XCJ&S~k|_9b`Cq_ZI2G4yWm8`;pfu3**v zQFr&uH6a(4Ze2$;S2E4v6)Y5lVI?`6sB4w`UV}6VveoE1zU>evjUk=-`!n)^@c6z$ zG{)|Nj_O1s7$uMEql(>K`$z^H(Zg0L+9@bNYgm=~d|{#hRvl+I)LQ9n38!9jw{q_A zoM@SFG;n&+flAqDjmzKijH^!*UCLv5585TRnx{vsUs0k?swA7}+qNRv-n(O(+Qhow zwy1Ch*bl-c`#tw$kD}t?>~dvtQrz!SdwkmG%34ZSb`%<4yAbk&TFd(1x>VYt5ZF-v z_pU~lrTX8{8;#EOzf;(;>whnV>97#^?in-buBZsEoxW~qFhcHR)4J8_N%$|4S*Qq> z`gSPwghKuv&rwSxG}-ejAb+YKunRnVYk;pGume0#nDp`#(~`?4h&C#wI}AL~UGhF^ zXP^1e-*vUDM7mDT)m!e*sr;mG5j%8NMfgtfE5flm{6jWZE%Sero<`ce25iXxgRwU( z<$v#LouFDeT*+b6Qd;%6C0n?#s+;hU)6n5``Rl!+u6=` VwzE~)e*pjh|Np}7Fr5H2005-)+uZ;F literal 0 HcmV?d00001 diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.1-rc4.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.1-rc4.tgz new file mode 100644 index 0000000000000000000000000000000000000000..25bb77f3500a045dd15cb47789fee9d270e3639f GIT binary patch literal 6685 zcmXAuby!qi6UP@2QIHM=k)=~<>FyMekQAhmMnb72B&1V7K)Qtm44Oq6q+5waN<>O> zS$6ll_SkO*GS4`)X`1Hd19v(InAy1!pf(%6zfIm9uNO<0)SFjiZdH>jI zO{WMG8K-p-PDmK8#Ld2CeJU>r58mvgu+hrtO%voTzxUeme#1E3m-w=iubdxZl!xvs zMfG;dtCscj`Lvwx5o-sSy^A2ROq0YDNPNmL!p3^|_eb$dLc^1zqw67A_WBGs{=9HM za!U%eitP;nBCP>)Y>r3#vHBXT-F-$U`}tESO)fX%P@952 zKj;E-w@!)(S|8S&sonNb^t~lf_2=R#vos-usHw*NtXh1v@L{W=^)O6!24>~=D)Rz{ z@khvFL$mbGOJ>VQ_*Dl8i*6G=mco}?kqR=U852=V{4Qh~VRwC4=QYIHY-ygAMw3)9 zE1qi_C6jp@?`ZQ72<@F(a-6=tmt{^K%AyeWew?!| z{=eu0o7nLw!v)d5F{7@oV<=+nn@sPhp+;d(R?*o6tpj-~w=!>yLI~qDnOKd4KRL3f zQ<;P(bKGc~X5njx)P}@r+^Gv??Palv(CDA%DGD@`EF{ou*N;%4)Dn6=p~!RF(^4m( zBI9*qM)n~4Y!lI!>89qIUbs!hsM42}{E;}XF^QKZRH7XVS}$Z8#-;9&MMNzT3aLWn z{3!yXab(;yEN9qD8Mm5dIu^>g{s_hP%&psvvT!K?;xkNKBU3gn2Ey zm5S2+vl5yM+l=^)#k%$?$r}Xju+D61(cjqM7xF7XSU#_+e$6=%)J<=Nmx(V+(V`+} z5b?AkpKg=p&4g9;E|NkkBka@Ursb*d(Vf69-x|&wXO_h0e11Q-M$W$z6p`e&>Qxd) zbiksO63laCrGPy6jL(KQiL^UDc^JNZQTg zgT@+Tf(ZGRYsXe|#o6oD;4HBrcE0arl|6Ha1_wkA*;oljlud6mP9#<;S@r~%c!^1A z-c=Z(m7P_eV`XPL;Xdx7T8*s9uz?@%nyD|hP6phWC(z)ycz5H?0%KK-hHY`6wlI4R zTmyf*rJCp`^8|7VlOmSIDIn#|?GB30t!`X zG~y!aW5O)y-AB9b6W940HVv~qMSm}`1Qk;)0d3dhA^dLiGh&3*7{pJTjA`KH6d67V z+*f;IR_3=O;!+5-mRZZz2vvN{R%x00KArYZNfg3^pz{85!SxxBSZVa1TnM;~@Hfiw zelEvfm`{a2L+DOpWoPY|sRsDsJ{0rPR@OBM$Kfyc^DG^i?z`EhN;bk0?$2v@a3pC~ zwQH3S=IKkSFT-wkc+_6&x}AdCrgKfLF*x`$hGaVsq|Dq7N6B@+&k{?fTQ`q#4tV^{ z-}{GwqT}kv7?i(SAYUrzLgkOwbESM!vL;mRwu-ooF03VNvBz)Z@h9%6f|{G3+EXR( z*cVCb+sgf+<@;OrV8Dg($#U2Qqot(ka?>v7nDz1_cj=i9)WhD;fB7QdB2z$^tG+KIQ@O?E>9sHC$78-crKI1L-fHS?4U~ z<}ya(3>-QrTkEa*!*4D+)U0$&x3JCR7V~X&yixKsVQz@wFqyOPe#~z3p0(_ zbOaL~JBCS!p%Ju?ns<@swps15*@=9ARrzMlkmR< z78Teq(78=uV{-y)lgI$;oV!4C5+^V62T@yi6PN5-1H7Zq0sU%N=&FmIv< zV<34H1LKq62kSzOx!8DV!CjD7FAol)S*-}_-)09Xd|lLLF!~EyfNr7W^CTR>lYhqA z1A`teUgE(^bb>W_i6xxiltfP{g90{H*u``^c~$^ZW=@qG5u=m!Rb9#0T&>;`#;b8rG9tVY;#h3_aU{ zkzXPT!9X(1E{a0k1R(a#?dg^%h4U{q$#ZUT~!j=_b(^2nKcl8 z7xMf!?B55~k3#&q9yajZa}K;y)5VF`0irEzfyo3jNG=A6*PQ8$F;C7Vj}>QRF-`9P zK}8|B9P34aTIO+>Tu)u1a*KT)CRq-%*mLn~*GR=*{(F_iL62Z;t2buKsZ3n*TEe&ON!i1k?Ba8)EP}Ta zvZ~91hiiP~!LfDt_m>^cKea)sLgiHC4d%I&{9!9*djC*N`cK?SfH%dB{I0D|IbmyA zzD*}ai3jJ;IHsKHGsMM9UNoBiWM1U|J)I8MBaTsoIy5g)zeM4ye?u%tEac-1zX?X7 zD`&uvzVjm>jg7#t8yun|6!>*>dE6#j%h(uMzuHO zT888MUc9~hj;U4@4@k%YY~xzJxY7o+?h6==w#Mt?&FX$oUfW9vQ1*Lq*;5ncX4KWZ zUfwG51)l-@w!UqABrgo}%p{Run_=_yZss!O0OS4GyeniH8^P%D4cR{lxlh<`Y&`aBcd;aUzR*(4>)~z7_`>i@~1InxT%Vu8-LYQ z*rN~6i-tK#HHS!iHIk2h{&}MQJh`m?nE)y5_IG+;&r|*e_#UpFd&~0>EfV#Qe_dA3(YQ1of z1MXY!XwssYh)LduJ~LZ?mA=W&)yw_5$+gCAk}~S15#oQO+|=;AZL^+P>B!ICCK#3S z_SMgi^k;i*Uf1hR+&9N=veH|ZBtt9OdNkV=t~z(qH!oUr=;IRG8Os!1i%MR&iD~Li zi1?UIP$CU;)qciS=Y1B_jlZAD?`1J}nUON8M95NdEYkZaYLMCO1Ay z-qO1B^7q-+=EdUTH}PMvjzN1r_|$0PQjfX8e-Jx|hzXFLV4=8NpR2wKLWr zP#7Poj)>M#axsC!nqLKYhg_avbTtDCXh<_m)B5_OsdS_*HZN=9{~QM(t&yFrsQs8U z51Cg+DlY{|nxa&mm76KjCrXltkY))P=YK6f>t}|$rqtXeSK${|_LSrDb*147D9^VA z8``ZmDSsW!%q4s+s%!*2gGBuY9&88<-KAWRK7g)~8tnu6+h>4u^b)qmEDxy9#f##* zmG&364eWo)HVPLG#G--10JBg5!Ind5Tbl4|eu>zZex}H9Ormperv=dv>yZPEy0x`R zmfrGQ0b4Z+E-qWjx%Oqc5q_)k2bc~ZJ^<4HTHhQ7&P4OJD`*rg%#z+xHN8FW%@sb{ ze&FQfIQQ;+wuh%1>Q^VOAvWfg+~mw)`b68xJRA*rHCih*+I?B^z?5!>(WBZL~Ny%+;nJ)_e@Q1 zsHE`v?de#0`{)Imc13wL!2Kp@G?|pBAnk4!Y(%RYf6~d6UKBOSstrfS$mvY_X^i(t zS_M#;3$qBopO(L=LN?@n^gGx&nms$PXI)g{!z|M1_OJhxFxO%BjYAK!Xb$g|3AGHP zi132dU9Pp833sX@q)6;%m*~Yl@@ykYf--jToGpP#;< z38X!u)rV&lxu@@zg)n!2m;ajC`mCgW@k_VKhltD|jmdKjSd(OkhMJ>PgRaqUn5=~S zB&2czq~n~k=fPNx8So@j56od}b4-d<2r{1h7RVcj@v-@?zeuU9cSoN?Kmrv;Xv&-D zGPwpm}+hTNStOZzn zdq#bP10~m;jzSu2EYct@ROP_FmoTm_zN~;F{Ky!^l}k%p&$q~&ZfHiCgo>M>PT>7% z``jS)Rw>)NfxdlI;Jov2j#%z{#pHy<<_nRX7l@y^JIF@GcL{sLsb+{{sL;cvvyRWQ zOmegJ58QV@gbjXidE1#|vMhS)En$_T+kV%3{0Gg(;#+QCNt!lHen)Xcu_ahJiBR zVEAOez{bJ>EGrNE)=}HKET~;YVG2HJfj7?p*G~$ZlbmpxEaY%{9NeYr1mCY*nj-9u zV6MUJk(^j!ua8rOzHSWP_22x!jECZ(46n>KPl2Hqid1wW~GK+)vYI3xyg=YS)y{%5aO1Y*>{L3|*lfUy{NJ^}iUVf|ZJq{+lB zz@=A#<5IhXMqDAC0`{N?93x@(NV)oPo`kx`;N}eIbp}}P8{p#J#xLBt`OOb=;MFBe zLQ3S{_>m62AN=N0X1~}EO`myk@va2~R`!9&N1)~*_$3hyYOmn>w%&@fF8-Z8807gO zY#|PJb?!Gsh@F6X*|XdhKwuCL+_zypz+@r`=V^?82MdE-X%`*?4*CEFgY??S{zuRe zxPnh=p(5un!JR{(aB6Lb^_=-nG?NopE>)K^i1cCxM1D^pl^ZZ`?6?pTxDlyu!G^v! zKiGqCL-W+G8x_idb0pps3tz4EUudszOa)B>+T%*m&q%f{2QEj4J4?T6Oaeu6$awqS8VL{Z?aOxcwz~|rW#zbt*LE< z2}W@I3rLL(E`ZwAY)s4?ikuR-|EkJ8h#$biSTF7Ut@EVc*@hisk^WvfI03Os7{eA& zI#9W^Ww;Pg;{dMtC`2MJE}7&QjMaOt09Qh@{R+47dpv1Q=uV=T-4`^PPjQThTYBEH zOaAu?T9cv5wBVpYPv-vDsoArTZ<|2}mwNhNVNMcb`9Si{t+50wlK6ce7b8D=;68!s zcu4<#H^dJrOMP?qE0NQ6DJlMlusO)ZlnzLc&z-` zcGykezq8$n9$P%-20|mY=Id z`+h#BN9at2Y=Wuj2H$5Td=Eqo?(3yk;``A5V#Y5|{`=SsIF)#O5d8K2Du`R$j3u( zp7JL7NgdEgi)`J+k8_f{(W|WW&`iKn3`ei^s7`fwh&tBb^<;mbmW;ydsu(&2Ot_>~Mt zqKZ|SEiXkDH%ZMGnz9s|xq-FqkrT$#FS#sO;boBMs#19tRl9D zu{p3?DQP8WWOU>1i!T4~)fMmA#RJa?E}NJpp86=&=m+#m0i8d+jp{1&!bm6bYT67- zJDN(G=|=-f2Ok?9)6XLY9VDjBxLOHw^R6b0Z0?-fW4wDTm71+PqF>% zrqOBphJ8aUQDAjJV@W_X;me^>?k_QERa(C9Y4rTs=Qx_;iYq=v-Olo_=CbZ{?>MHny;jxsvwMkCZF-h**<@P3ZClk?Az34D z?go6Y*H}u0P%>=haoUtL3MEZ4G8z5#+SWEQA=rpkYMk8?^gL16pqk_^fV6Y3moBv~ zoA4dpc)JQWE{LhV%N{>)UXCzI_qd;t`0e#r{Oro)h|5W1^vV~9wAbv0pJG)Pqs4BJ zoIpC^xaz^cV)pqbcv~+CshVTk_6&an7@jDR)I>|3hie=6{`s_AtMa8FHqS36vWv^Z zNCR4`?>qOomxul&Z0>rVSJrBjT;2`~dxm(Fv7^w(Mx&=L{YwI!|Q;DQ| z-_W&RSn&yE@<|Nw!vb5+k=BtU)pAP6R>z{(%AzA)Y2?D= 1.21.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark +apiVersion: v1 +appVersion: v3.0.1-rc4 +description: The cis-operator enables running CIS benchmark security scans on a kubernetes + cluster +icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg +keywords: +- security +name: rancher-cis-benchmark +version: 3.0.1-rc4 diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/README.md b/charts/rancher-cis-benchmark/3.0.1-rc4/README.md new file mode 100644 index 000000000..50beab58b --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/README.md @@ -0,0 +1,9 @@ +# Rancher CIS Benchmark Chart + +The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. + +# Installation + +``` +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +``` diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/app-readme.md b/charts/rancher-cis-benchmark/3.0.1-rc4/app-readme.md new file mode 100644 index 000000000..5e495d605 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/app-readme.md @@ -0,0 +1,15 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. + - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/_helpers.tpl b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/_helpers.tpl new file mode 100644 index 000000000..b7bb00042 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/alertingrule.yaml new file mode 100644 index 000000000..1787c88a0 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-aks-1.0.yaml new file mode 100644 index 000000000..1ac866253 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.20.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.20.yaml new file mode 100644 index 000000000..1203e5bcc --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.20.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.20 +spec: + clusterProvider: "" + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.23.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.23.yaml new file mode 100644 index 000000000..920b556ea --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.23.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.23 +spec: + clusterProvider: "" + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.5.yaml new file mode 100644 index 000000000..c9e6075fb --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.5.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.5 +spec: + clusterProvider: "" + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.6.yaml new file mode 100644 index 000000000..4f5d66e92 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-cis-1.6.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.6 +spec: + clusterProvider: "" + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-eks-1.0.1.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-eks-1.0.1.yaml new file mode 100644 index 000000000..d1ba9d295 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-eks-1.0.1.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.0.1 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-gke-1.0.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-gke-1.0.yaml new file mode 100644 index 000000000..72122e8c5 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-gke-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-hardened.yaml new file mode 100644 index 000000000..147cac390 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.20-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-permissive.yaml new file mode 100644 index 000000000..d9584f722 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.20-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-hardened.yaml new file mode 100644 index 000000000..ee153603b --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.23-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-permissive.yaml new file mode 100644 index 000000000..51f2186f3 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.23-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.23-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-hardened.yaml new file mode 100644 index 000000000..5160cf795 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.6-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-permissive.yaml new file mode 100644 index 000000000..10c075985 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-k3s-cis-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.6-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-hardened.yaml new file mode 100644 index 000000000..4924679cb --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.20-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-permissive.yaml new file mode 100644 index 000000000..2db66d7c6 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.20-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-hardened.yaml new file mode 100644 index 000000000..f6a99698e --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.23-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-permissive.yaml new file mode 100644 index 000000000..a26bd63cf --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.23-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.23-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-hardened.yaml new file mode 100644 index 000000000..b9154f1ad --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.5-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-permissive.yaml new file mode 100644 index 000000000..9da65d55d --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.5-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.5-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-hardened.yaml new file mode 100644 index 000000000..77f8a31df --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.6-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-permissive.yaml new file mode 100644 index 000000000..600b8df35 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke-cis-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.6-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-hardened.yaml new file mode 100644 index 000000000..b6cc88359 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.20-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-permissive.yaml new file mode 100644 index 000000000..fd898bfe8 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.20-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-hardened.yaml new file mode 100644 index 000000000..90e356d72 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.23-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-permissive.yaml new file mode 100644 index 000000000..deafdbda6 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.23-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.23-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.22.0" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-hardened.yaml new file mode 100644 index 000000000..20091ec2b --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.5-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-permissive.yaml new file mode 100644 index 000000000..9a86906b0 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.5-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.5-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-hardened.yaml new file mode 100644 index 000000000..ea2549ef3 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.6-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-permissive.yaml new file mode 100644 index 000000000..0afdaaa19 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/benchmark-rke2-cis-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.6-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/cis-roles.yaml new file mode 100644 index 000000000..23c93dc65 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/cis-roles.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-admin +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["create", "update", "delete", "patch","get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-view +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/configmap.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/configmap.yaml new file mode 100644 index 000000000..1a9cd1809 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/configmap.yaml @@ -0,0 +1,18 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-clusterscanprofiles + namespace: {{ template "cis.namespace" . }} +data: + # Default ClusterScanProfiles per cluster provider type + rke: |- + <1.21.0: rke-profile-permissive-1.20 + >=1.21.0: rke-profile-permissive-1.23 + rke2: |- + <1.21.0: rke2-cis-1.20-profile-permissive + >=1.21.0: rke2-cis-1.23-profile-permissive + eks: "eks-profile" + gke: "gke-profile" + aks: "aks-profile" + k3s: "k3s-cis-1.23-profile-permissive" + default: "cis-1.23-profile" diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/delete_rolebindings.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/delete_rolebindings.yaml new file mode 100644 index 000000000..9c9946464 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/delete_rolebindings.yaml @@ -0,0 +1,27 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: delete-rolebinding + annotations: + "helm.sh/hook": pre-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation, hook-failed +spec: + template: + spec: + serviceAccountName: cis-operator-serviceaccount + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + restartPolicy: Never + containers: + - name: delete-binding + image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["kubectl", "delete", "clusterrolebinding", "cis-operator-rolebinding", "cis-operator-installer"] + backoffLimit: 1 diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/deployment.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/deployment.yaml new file mode 100644 index 000000000..e57dd2ff1 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/deployment.yaml @@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cis-operator + namespace: {{ template "cis.namespace" . }} + labels: + cis.cattle.io/operator: cis-operator +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + template: + metadata: + labels: + cis.cattle.io/operator: cis-operator + spec: + serviceAccountName: cis-operator-serviceaccount + containers: + - name: cis-operator + image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}' + imagePullPolicy: IfNotPresent + ports: + - name: cismetrics + containerPort: {{ .Values.alerts.metricsPort }} + env: + - name: SECURITY_SCAN_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }} + - name: SECURITY_SCAN_IMAGE_TAG + value: {{ .Values.image.securityScan.tag }} + - name: SONOBUOY_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }} + - name: SONOBUOY_IMAGE_TAG + value: {{ .Values.image.sonobuoy.tag }} + - name: CIS_ALERTS_METRICS_PORT + value: '{{ .Values.alerts.metricsPort }}' + - name: CIS_ALERTS_SEVERITY + value: {{ .Values.alerts.severity }} + - name: CIS_ALERTS_ENABLED + value: {{ .Values.alerts.enabled | default "false" | quote }} + - name: CLUSTER_NAME + value: '{{ .Values.global.cattle.clusterName }}' + - name: CIS_OPERATOR_DEBUG + value: '{{ .Values.image.cisoperator.debug }}' + resources: + {{- toYaml .Values.resources | nindent 12 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/network_policy_allow_all.yaml new file mode 100644 index 000000000..6ed5d645e --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/network_policy_allow_all.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ template "cis.namespace" . }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/patch_default_serviceaccount.yaml new file mode 100644 index 000000000..e78a6bd08 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/patch_default_serviceaccount.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: patch-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + spec: + serviceAccountName: cis-operator-serviceaccount + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + restartPolicy: Never + containers: + - name: sa + image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", {{ template "cis.namespace" . }}] + + backoffLimit: 1 diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/psp.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/psp.yaml new file mode 100644 index 000000000..4cc0cecf7 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/psp.yaml @@ -0,0 +1,59 @@ +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: cis-psp +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + fsGroup: + rule: RunAsAny + hostIPC: true + hostNetwork: true + hostPID: true + hostPorts: + - max: 65535 + min: 0 + privileged: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cis-psp-role + namespace: {{ template "cis.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - cis-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cis-psp-rolebinding + namespace: {{ template "cis.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cis-psp-role +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} +{{- end }} diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/rbac.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/rbac.yaml new file mode 100644 index 000000000..e9caf8cff --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/rbac.yaml @@ -0,0 +1,162 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-clusterrole +rules: +- apiGroups: + - "cis.cattle.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "" + resources: + - "pods" + - "services" + - "configmaps" + - "nodes" + - "serviceaccounts" + verbs: + - "get" + - "list" + - "create" + - "update" + - "watch" + - "patch" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - "list" + - "create" + - "patch" + - "update" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-scan-ns +rules: +{{- if .Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy" }} +- apiGroups: + - "*" + resources: + - "podsecuritypolicies" + verbs: + - "get" + - "list" + - "watch" +{{- end }} +- apiGroups: + - "" + resources: + - "namespaces" + - "nodes" + - "pods" + verbs: + - "get" + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cis-operator-role + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + namespace: {{ template "cis.namespace" . }} +rules: +- apiGroups: + - "" + resources: + - "services" + verbs: + - "watch" + - "list" + - "get" + - "patch" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - "watch" + - "list" + - "get" + - "delete" +- apiGroups: + - "" + resources: + - "configmaps" + - "pods" + - "secrets" + verbs: + - "*" +- apiGroups: + - "apps" + resources: + - "daemonsets" + verbs: + - "*" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-operator-clusterrole +subjects: +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cis-scan-ns + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-scan-ns +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-rolebinding + namespace: {{ template "cis.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cis-operator-role +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.20.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.20.yaml new file mode 100644 index 000000000..05263ce7d --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.20.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.20-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.20 diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.23.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.23.yaml new file mode 100644 index 000000000..c59d8f51f --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.23.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.23-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.23 diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.6.yaml new file mode 100644 index 000000000..8a8d8bf88 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-cis-1.6.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.6-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.6 diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-hardened.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-hardened.yml new file mode 100644 index 000000000..a0b6cb6f6 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.20-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.20-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-permissive.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-permissive.yml new file mode 100644 index 000000000..89885548d --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.20-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.20-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.20-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-hardened.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-hardened.yml new file mode 100644 index 000000000..724412d3a --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.23-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.23-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-permissive.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-permissive.yml new file mode 100644 index 000000000..9f9213de1 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.23-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.23-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.23-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-hardened.yml new file mode 100644 index 000000000..095e977ab --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.6-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-permissive.yml new file mode 100644 index 000000000..3b22a80c8 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-k3s-cis-1.6-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.6-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-hardened.yaml new file mode 100644 index 000000000..c36cf38c9 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.20 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.20-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-permissive.yaml new file mode 100644 index 000000000..cfeb4b34c --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.20 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.20-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-hardened.yaml new file mode 100644 index 000000000..007331149 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.23 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.23-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-permissive.yaml new file mode 100644 index 000000000..085b60dfa --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.23-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.23 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.23-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-hardened.yaml new file mode 100644 index 000000000..d38febd80 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.6 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-permissive.yaml new file mode 100644 index 000000000..d31b5b0d2 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.6 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-hardened.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-hardened.yml new file mode 100644 index 000000000..decc9b651 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.20-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.20-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-permissive.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-permissive.yml new file mode 100644 index 000000000..74c96ffc4 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.20-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.20-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.20-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-hardened.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-hardened.yml new file mode 100644 index 000000000..abc1c2a21 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.23-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.23-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-permissive.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-permissive.yml new file mode 100644 index 000000000..51cc519ac --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.23-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.23-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.23-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-hardened.yml new file mode 100644 index 000000000..c7ac7f949 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.6-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-permissive.yml new file mode 100644 index 000000000..96ca1345a --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofile-rke2-cis-1.6-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.6-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileaks.yml new file mode 100644 index 000000000..ea7b25b40 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileaks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: aks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: aks-1.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileeks.yml new file mode 100644 index 000000000..3b4e34437 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofileeks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: eks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: eks-1.0.1 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofilegke.yml new file mode 100644 index 000000000..2ddd0686f --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/scanprofilegke.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/serviceaccount.yaml new file mode 100644 index 000000000..ec48ec622 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + name: cis-operator-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-serviceaccount diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/validate-install-crd.yaml new file mode 100644 index 000000000..562295791 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/templates/validate-install-crd.yaml @@ -0,0 +1,17 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/3.0.1-rc4/values.yaml b/charts/rancher-cis-benchmark/3.0.1-rc4/values.yaml new file mode 100644 index 000000000..f8b0a0e20 --- /dev/null +++ b/charts/rancher-cis-benchmark/3.0.1-rc4/values.yaml @@ -0,0 +1,49 @@ +# Default values for rancher-cis-benchmark. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + cisoperator: + repository: rancher/cis-operator + tag: v1.0.11-rc2 + securityScan: + repository: rancher/security-scan + tag: v0.2.10-rc1 + sonobuoy: + repository: rancher/mirrored-sonobuoy-sonobuoy + tag: v0.56.7 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +affinity: {} + +global: + cattle: + systemDefaultRegistry: "" + clusterName: "" + kubectl: + repository: rancher/kubectl + tag: v1.20.2 + +alerts: + enabled: false + severity: warning + metricsPort: 8080 diff --git a/index.yaml b/index.yaml index 8dd3c8df7..d61c22a51 100755 --- a/index.yaml +++ b/index.yaml @@ -4548,6 +4548,32 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.21.0-0 < 1.25.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.7.0-0 < 2.8.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v3.0.1-rc4 + created: "2023-01-11T11:50:58.307406972+05:30" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: bee1086cb33596bcda762eb93e49cc9e6960f0016952d4ec0a0ab1edda78b417 + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-3.0.1-rc4.tgz + version: 3.0.1-rc4 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher @@ -4888,6 +4914,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2023-01-11T11:50:58.309425052+05:30" + description: Installs the CRDs for rancher-cis-benchmark. + digest: f63f9707dc101072902edfd557b0f03303b6d0e07c95b96e1be5bdd55f28726b + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-3.0.1-rc4.tgz + version: 3.0.1-rc4 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"