From aaddea7a4b91ba6bd1608838706439e77062ae50 Mon Sep 17 00:00:00 2001 
From: Jake Hyde Date: Tue, 14 Sep 2021 15:18:04 -0400 Subject: [PATCH] make charts --- .../rancher-cis-benchmark-2.0.1.tgz | Bin 0 -> 5107 bytes .../rancher-cis-benchmark-crd-2.0.1.tgz | Bin 0 -> 1462 bytes .../2.0.1/Chart.yaml | 10 ++ .../rancher-cis-benchmark-crd/2.0.1/README.md | 2 + .../2.0.1/templates/clusterscan.yaml | 148 ++++++++++++++++++ .../2.0.1/templates/clusterscanbenchmark.yaml | 54 +++++++ .../2.0.1/templates/clusterscanprofile.yaml | 36 +++++ .../2.0.1/templates/clusterscanreport.yaml | 39 +++++ .../rancher-cis-benchmark/2.0.1/Chart.yaml | 20 +++ .../rancher-cis-benchmark/2.0.1/README.md | 9 ++ .../rancher-cis-benchmark/2.0.1/app-readme.md | 15 ++ .../2.0.1/templates/_helpers.tpl | 23 +++ .../2.0.1/templates/alertingrule.yaml | 14 ++ .../2.0.1/templates/benchmark-cis-1.5.yaml | 8 + .../2.0.1/templates/benchmark-cis-1.6.yaml | 8 + .../2.0.1/templates/benchmark-eks-1.0.yaml | 8 + .../2.0.1/templates/benchmark-gke-1.0.yaml | 8 + .../benchmark-k3s-cis-1.6-hardened.yaml | 8 + .../benchmark-k3s-cis-1.6-permissive.yaml | 8 + .../benchmark-rke-cis-1.5-hardened.yaml | 8 + .../benchmark-rke-cis-1.5-permissive.yaml | 8 + .../benchmark-rke-cis-1.6-hardened.yaml | 8 + .../benchmark-rke-cis-1.6-permissive.yaml | 8 + .../benchmark-rke2-cis-1.5-hardened.yaml | 8 + .../benchmark-rke2-cis-1.5-permissive.yaml | 8 + .../benchmark-rke2-cis-1.6-hardened.yaml | 8 + .../benchmark-rke2-cis-1.6-permissive.yaml | 8 + .../2.0.1/templates/cis-roles.yaml | 49 ++++++ .../2.0.1/templates/configmap.yaml | 17 ++ .../2.0.1/templates/deployment.yaml | 57 +++++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 20 +++ .../2.0.1/templates/rbac.yaml | 43 +++++ .../2.0.1/templates/scanprofile-cis-1.5.yml | 9 ++ .../2.0.1/templates/scanprofile-cis-1.6.yaml | 9 ++ .../scanprofile-k3s-cis-1.6-hardened.yml | 9 ++ .../scanprofile-k3s-cis-1.6-permissive.yml | 9 ++ .../scanprofile-rke-1.5-hardened.yml | 9 ++ .../scanprofile-rke-1.5-permissive.yml | 9 
++ .../scanprofile-rke-1.6-hardened.yaml | 9 ++ .../scanprofile-rke-1.6-permissive.yaml | 9 ++ .../scanprofile-rke2-cis-1.5-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.5-permissive.yml | 9 ++ .../scanprofile-rke2-cis-1.6-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.6-permissive.yml | 9 ++ .../2.0.1/templates/scanprofileeks.yml | 9 ++ .../2.0.1/templates/scanprofilegke.yml | 9 ++ .../2.0.1/templates/serviceaccount.yaml | 14 ++ .../2.0.1/templates/validate-install-crd.yaml | 17 ++ .../rancher-cis-benchmark/2.0.1/values.yaml | 45 ++++++ index.yaml | 38 +++++ 51 files changed, 923 insertions(+) create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.1.tgz create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-2.0.1.tgz create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/README.md create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanreport.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/README.md create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/app-readme.md create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.5.yaml create mode 100644 
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-eks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-gke-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/network_policy_allow_all.yaml create mode 100644 
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.5.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-hardened.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-permissive.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-hardened.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-permissive.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/serviceaccount.yaml create mode 100644 
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/values.yaml 
diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.1.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..00d1e41c51e9fad31991d578a31baffffae46f24 GIT binary patch literal 5107 zcmVDc zVQyr3R8em|NM&qo0PKDLa@#nPfByaIDY}&XR+1@;`faCFH(TX#d|SSaGbuZ}TT|IB z2PRt*RwTdxpfx&=-{qd=p6m($Nl_GK{fI<6Gwe#m6ah4V20q;lfNToF+%bxVOJ(C0 znL7@Mm^9DEL?~xQ0{_JxsMTthfDB|;x;}WHObSQ67I;7~O#S61}RE9p8H5dtS0B0B1@KaJjVSb%YhQ!4I=+^KM1yNiy ze)N;W(s%&AWDC`9wB%C?w@<0I&Z1 zBXpc&r}e5hKl(@{#vLw{Y+*Sy3w57uiyDe^zc5=w8!it*&XB29>`6%fp0xI^T_a(b z`RTNr1yR8ow&tj4oZniHhn(gvZ))Ox!7(v@@`a{;B3l;CkM4gT50Vu zv8F@RaavBh_S7JJLMqn(cf^lS?#lqI(f^&+NiVPe`~Ble|Cd28;T;Z1W5`87ltK@N)JL7+9lAad2zNwKs~QxCTZB+U*aONGhZ&Cq zC=5cMD3ngEMguZJV|}PhREz!zATZ>TDlTRzlABotWHKo-O4L*_BlqgpRJa52l-P{6CXs9!lT(|{`Db zdxre?m7uQt$b}lf+t%CGAK7gFZm8J)r`oxBGe$o|AsrR&>mrY8I?FBkd>Y@*m>6wlr(8^YPCN-Nk9?gKq&r40^3nJUYRn~OIo6g&(bA|H2M53bSwt=>s{QU7;ZC;fJ%|I479-n2fU6FY?|bvo7K_Ye3mw({13i=6c&{_nlV#_kyhNgSN&0aas63sqkM09RmNyJLCVj z!hgxMIsS2?$F_A4{P!yR|3tK3{Ks=-HU4oTD+k~?(dPIcO|V4#_c|5+%b@+@Kb|A2 z@jseih5zS7o8y1dmB|{QF($%8hTdk%U@iW8`Tf6czf(Q`R|@SH|3!0TwKAA=A9V&g zEvH{8g9FoU_zzJ8R7!fc(V4({{O8yIy>_o#;lB(z9RBBXq|yM-mo~@0m|$`SaCrNF z+^Xz{2$!@cRH2*FNF?=|4r;L0cwf|oV z9SZ-OtpC@czd8*(Jne@666}BV{C6pIIQ;L!{#P2{(6kl)JG*TFY>)r$@k#akZz;5Q z{4dXuN8#Uj6#s84{2!Qh#Q#24(82J(;Re8?=&#QI4o*Ab|KRq&-Ky|k1|1Op`>_9&1~@RS!@s^Sxc^PTpw{5O z({AOT|82ETy>xQQqSR3EA@#8^t?;J6kPBs#?oiyy0er5z0*S)< z5!9p5i?2NN(O!i_x#Rj#eS}K?oZ6pI_o-C%f356iJ}_Udukg7}!cZCp^ZO=bhE6NQ zXPh~0_jWCcV+j?Bo3kMu1tiSMB~5+x!>gs2!S^yF3w~txl&}|Cd6sjy9uwNy2-uFZICS$DF$^+F`S zzqwR4tzaqladB>($N|)GB9mmTl1I8%_0ha_CeB}1=UjNcdWoUV7Z1eK5g3dOu2kh%Xe2jemBloF08^EbQ zB{P|(8~1rG(oCu4rUkaP^NF`SE%iMqd@bgc9`}vnc^f3--ysm!> zE!ebc3GWr%I=i^OIemYA_38TN^8C})#o6`E$Dgl0EpvXgZl1h)jQ92V-_P~fJlf)z zZ4w-JO>@sboc{Fw{M{xTlW=R9@R%kNZykPvuMt;RSk?Q#U4J^iy7_Q=Sv=gup)4~Y zgtJ_iR)L!C?;D`_FC_3&X7d=-zX7AnL#CkJnR8kQgPgLONBz%#h9RlO1ei`L$ugO< 
z&bB5~``g7Fad@^BoRbjD^DJpl=G|+_271oqq0IFo?~$0A3;b8NIUD42Ct*Bh|JV6{ z4Aqp2$xUeV`VH}YKGpwk;|;D`|8@I$|F7HaSN>lql;6;c$D6Xz(nj6~n`ABgBP&BQ zNA&+YhII_Nw-87jfU=Q58Sf67JD9&==jW$cm~0|m*fQq&++IGlte+#T!@t?|P923s zr*%^uum=C_?o#}hUc177Ih4o$tsd_==KqV|79ibBiiRXLfZX?^0P17(14oXVW6me_ z0fbzte)a+rI>6X51g!=#cf7VH)c%U;}FO0$`K0)@+di>3ahxjPNcw}N^ zP8%AmezewV=wi3To$%rCJq@TDz#sZ^PFvGD{cjHVzVSOy>-7Ig{`sHwN&BRF{-+e$ z(_wCQ&y0kjv$)`U{0nzQC5*vf+HK5!C9iP%(LA1#93STnI_;r#Zgrd7OpmwsakTvt zWgcatXC;)|xJ~-{3WvHOiF6+6UJYP*tXB(OMz{Y)R~gyca*KL?q3DvG-DZ8D2WX|- zHy*ji_p%dD1;ut9TkT0~)5FX_Ju(FGhac@jHX9A;BlusZ|1;-%^9b-;T7$Lg|5hg- z|FL&mz5iVbZU6jdd@{Q_`g?NXShPA=J~eh0YrKu9uP7TpU5NhmZbqQl|Hq6 zpF3@Xe_^8g_qVeBFE+t{=Ol0cJN?T4FNOAr|LgX3IZKJ<#g8#h#-|bc3|1XD1u>Z%Up}$)D zZ%w=4f4k_fyV(C;tBU_x4wYj6%hUjs{ojhV#D7r)*l&*i-0dDOJ^x$9e=mpjjQ{1g zqf0sfD2_b))Y5(av@`y<*aTRM|6cz5zt?Y9@t;begX6!n1AtYrXP;Wa&zp9{|5gtG z>}3Bd{Fg!p!hh)x02D`_eQN1Gf7%)U2e$v6>in-1IynBH!v0sg02|X5_{WLd`q6(w z>+s(>$;W?gx2x~JmqYu+ebnv0Gp4op-znn9BCW%Je<}WByHkDtr5wt|do6s?HIMYoBR#HvK{l^{ z_TPplcndq%$EP0S$7mh??}$%5qA+CuesCSLTZW%jE@OBLwG+gyfd`R8f@9>Boy$|H({F zI)pKif5ll+-)qIMm7r_{&YL*j|I0OLA&YjRGW?KvD}UKm{psci{)E3$siYpanCC)^ zUgOs^i|N`zO9Xz6s6Y?uSIO1c)jJ79AeikKHge#jQJN6z6HsFWmkWV1_#OzhV* zjz3`@jF4%T8vH@%Q|(bf{FxO{W1_$%3~muTK4m^99(qo#_7X0vF0hf`YG1y5sg2PO zQf*Q=oxy2B!^VrV&YE!$p}}&VsR_+ycs}*0lt;z*Ct=tSNW1{|p##?7zt_&c|JClF zbSwOqLM!kuHS`lxn}U7;-Uj}BXbpG_>`0q<_^esIK0~H&4Y_~|eZ^40bCY3l`jOL%8Y|hn4^Nmxh{U;X?Sm$8KMPT%S);D851;rtfXc{&| zq9TDuAaIC6r|?L?XOFv?dSeVYE)SYICArbO>o~tQk(rO+8I7jz^iBO4>BPE6+6uYv z^Qo4C)@z(0Q*uzNHQ;kr*Ual4Q8kWkP1Q-Q*^FRb^q2?S(B73#6o1F29udz_i>G47$%DKjm{zb>hE z2Tq52)UEy>Qby(Y$WD=L4-)0CD_he4E7gAkt_|A;oSF)N>hjuMeElWkdVhIiIe0jv z3?)p*$n?l7K}Vx_qNnyLJ9}@5L@&8%OM8%PRl;e~JU#HnmUuu+XLa_ZJ*GFPY;)6( z*yt9=j8-%{&YEw#^^Vz)jv^ZZ+~7&yO?q(z(=m0&nytP)H+px;k|KtKHoAn(Okh+x zq;5R0ii4cc5Gb=Xrwkk@n&Sk9I8DRU7xe(#NGcx8WA52#=FHX;qGu~k+HK?(1n5zs z(4XlskMuAo9?$RjcxjQ&J(T&92~L;0y+X`s@ghMl`Z5V4#WgHq)i#F>5D8QCef?J# 
zHX9|mu?mSG0V)(S9=30h@4V?t64rt_^-(C@#H&>9jYPMs?$u39M6rd24^j>d5|@s3{erBhgixe= zVOjw&&y4=(D|Au!N19t#JW{xgg;`nu!h~wRG>HLWWTbsIllI0euakUMPG*pJq+*dL z!*c3*RP!OeKU);6LDc zVQyr3R8em|NM&qo0PI>(bE7s8&a;1o=K5?7h?DF1E$6#-uI=SAPI`S_i;b-dNQ|_k z@pSs%I|32|24igOT<5$m9!ug|3BLVSTF@Z*0`-s!Gn}F1iwN|?kn7;>WC5C-B}C!b zp60r)dpR1Vzpm?6f87h;J@ZDM?|Se2i;;ikdYA5{d&b;-9dBcaA<$>;-oC1f`=1y{ zsR&3YX~qM_I1q$t?rxo zref4UN)OG_5Jt6^Xbcey4(+8c{@1xWfLMG*ZG@6z_UH`)G+c|A(*K{NAqYdmXn|}p z{b1O=()C!*pv@62V;nPx<52MQt_>ca{rZmUc!Sq|o?Wdu{t2Tv1VZzchlwH7hJ)Nm z4>rfY=lY&kj(^`fA9<(vKZX?}2V#Lwgwp;q&cn~fhTx+&cn~revq@q|MN>2?(HuYE zy^tb}fCvc!Ah7z8#ZQ4S#^J)OB6?tA zmR$@OGhErg%tsFx%fm9o8s^h_^il|e`q9dnRjRCkl!iGLS|AA0wLy5Jg(TDy6(*6) zXEtQtjFLA%i!pNy0VT!>!O%33cAhs{-HQ;fA?@D1Q`H;Lj6BR>R$a$j!lSC2d zr9+A!EaBc2S~@|+U`z?=X4TLM=pICQO24ccIsusn5to2&R}Gzj{st{eK!2?oIsr*V zSDD(+!t&$1R>ao2w!+T2awj4*1W|d#f7Exj0LRE3!xtDNAqJLV6D9A(+~Hcu+q}I@ z#`TUh7bcnMJlu2U+gPzn7_)!=&4%y=M)2IJVw6`mpT3^omYNxhwaxYsf%Wl4PE-_!NDZD=6P_s*BFN2PR&o-(7gjbx&AuV0 z1_IS~8m=^2ff2HXIVh88y>-Y6>RW6sXz9v!C3nN5^B~?b^se!VY-n87uxj_HyM5-G zkaJ77zN4BendR^r77D_smYi+WwaR^`L7EiVYIGCdwuqC~kk0)583#akcwZ43V|PIZ zb)pfBl85zC$L_v;qyrAC&+WBqScD(z4RY^neI??#uE z`ro;K?w{&^$FM`!|6T~wVt<8 literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/Chart.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/Chart.yaml new file mode 100644 index 000000000..7ea72327e --- /dev/null +++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 2.0.1 
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/README.md b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/README.md
new file mode 100644
index 000000000..f6d9ef621
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscan.yaml
new file mode 100644
index 000000000..3cbb0ffcd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscan.yaml
@@ -0,0 +1,148 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscans.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScan
+ plural: clusterscans
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .status.lastRunScanProfileName
+ name: ClusterScanProfile
+ type: string
+ - jsonPath: .status.summary.total
+ name: Total
+ type: string
+ - jsonPath: .status.summary.pass
+ name: Pass
+ type: string
+ - jsonPath: .status.summary.fail
+ name: Fail
+ type: string
+ - jsonPath: .status.summary.skip
+ name: Skip
+ type: string
+ - jsonPath: .status.summary.warn
+ name: Warn
+ type: string
+ - jsonPath: .status.summary.notApplicable
+ name: Not Applicable
+ type: string
+ - jsonPath: .status.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.scheduledScanConfig.cronSchedule
+ name: CronSchedule
+ type: string
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ scanProfileName:
+ nullable: true
+ type: string
+ scheduledScanConfig:
+ nullable: true
+ properties:
+ cronSchedule:
+ nullable: true
+ type: string
+ retentionCount:
+ type: integer
+ scanAlertRule:
+ nullable: true
+ properties:
+ alertOnComplete:
+ type: boolean
+ alertOnFailure:
+ type: boolean
+ type: object
+ type: object
+ scoreWarning:
+ enum:
+ - pass
+ - fail
+ nullable: true
+ type: string
+ type: object
+ status:
+ properties:
+ NextScanAt:
+ nullable: true
+ type: string
+ ScanAlertingRuleName:
+ nullable: true
+ type: string
+ conditions:
+ items:
+ properties:
+ lastTransitionTime:
+ nullable: true
+ type: string
+ lastUpdateTime:
+ nullable: true
+ type: string
+ message:
+ nullable: true
+ type: string
+ reason:
+ nullable: true
+ type: string
+ status:
+ nullable: true
+ type: string
+ type:
+ nullable: true
+ type: string
+ type: object
+ nullable: true
+ type: array
+ display:
+ nullable: true
+ properties:
+ error:
+ type: boolean
+ message:
+ nullable: true
+ type: string
+ state:
+ nullable: true
+ type: string
+ transitioning:
+ type: boolean
+ type: object
+ lastRunScanProfileName:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ observedGeneration:
+ type: integer
+ summary:
+ nullable: true
+ properties:
+ fail:
+ type: integer
+ notApplicable:
+ type: integer
+ pass:
+ type: integer
+ skip:
+ type: integer
+ total:
+ type: integer
+ warn:
+ type: integer
+ type: object
+ type: object
+ type: object
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanbenchmark.yaml
new file mode 100644
index 000000000..fd291f8c3
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanbenchmark.yaml
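Review bot: In clusterscan.yaml, `spec.scheduledScanConfig.retentionCount` is declared as a bare `type: integer`, so the API server will admit zero or negative values and leave the operator to cope with them; adding `minimum: 1` (or `0`, if zero has a meaning for the operator) under it would reject them at admission. `cronSchedule` is likewise an unconstrained string, so a malformed schedule would only be discovered at run time. Separately, the `Total`, `Pass`, `Fail`, `Skip`, `Warn` and `Not Applicable` printer columns are declared `type: string` although the schema types the `status.summary.*` fields as `integer`; `type: integer` would match the schema.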
@@ -0,0 +1,54 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanbenchmarks.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanBenchmark
+ plural: clusterscanbenchmarks
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .spec.clusterProvider
+ name: ClusterProvider
+ type: string
+ - jsonPath: .spec.minKubernetesVersion
+ name: MinKubernetesVersion
+ type: string
+ - jsonPath: .spec.maxKubernetesVersion
+ name: MaxKubernetesVersion
+ type: string
+ - jsonPath: .spec.customBenchmarkConfigMapName
+ name: customBenchmarkConfigMapName
+ type: string
+ - jsonPath: .spec.customBenchmarkConfigMapNamespace
+ name: customBenchmarkConfigMapNamespace
+ type: string
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ clusterProvider:
+ nullable: true
+ type: string
+ customBenchmarkConfigMapName:
+ nullable: true
+ type: string
+ customBenchmarkConfigMapNamespace:
+ nullable: true
+ type: string
+ maxKubernetesVersion:
+ nullable: true
+ type: string
+ minKubernetesVersion:
+ nullable: true
+ type: string
+ type: object
+ type: object
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanprofile.yaml
new file mode 100644
index 000000000..1e75501b7
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanprofile.yaml
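Review bot: In clusterscanbenchmark.yaml, `subresources: status: {}` is enabled but the `openAPIV3Schema` declares only `spec`, and under `apiextensions.k8s.io/v1` fields that are absent from the schema are pruned on write. If the operator ever writes `.status` on a ClusterScanBenchmark it would be dropped silently; either declare a `status` property in the schema or remove the subresource. The same pattern appears in the hunks for clusterscanprofile.yaml and clusterscanreport.yaml. Whether the operator writes status on these kinds is not visible in this patch, so this should be confirmed against the cis-operator code.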
@@ -0,0 +1,36 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanprofiles.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanProfile
+ plural: clusterscanprofiles
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ skipTests:
+ items:
+ nullable: true
+ type: string
+ nullable: true
+ type: array
+ type: object
+ type: object
+ additionalPrinterColumns:
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanreport.yaml
new file mode 100644
index 000000000..6e8c0b7de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.1/templates/clusterscanreport.yaml
@@ -0,0 +1,39 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+ name: clusterscanreports.cis.cattle.io
+spec:
+ group: cis.cattle.io
+ names:
+ kind: ClusterScanReport
+ plural: clusterscanreports
+ scope: Cluster
+ versions:
+ - name: v1
+ served: true
+ storage: true
+ additionalPrinterColumns:
+ - jsonPath: .spec.lastRunTimestamp
+ name: LastRunTimestamp
+ type: string
+ - jsonPath: .spec.benchmarkVersion
+ name: BenchmarkVersion
+ type: string
+ subresources:
+ status: {}
+ schema:
+ openAPIV3Schema:
+ properties:
+ spec:
+ properties:
+ benchmarkVersion:
+ nullable: true
+ type: string
+ lastRunTimestamp:
+ nullable: true
+ type: string
+ reportJSON:
+ nullable: true
+ type: string
+ type: object
+ type: object
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/Chart.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/Chart.yaml
new file mode 100644
index 000000000..157345620
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/Chart.yaml
@@ -0,0 +1,20 @@
+annotations:
+ catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+ catalog.cattle.io/certified: rancher
+ catalog.cattle.io/display-name: CIS Benchmark
+ catalog.cattle.io/namespace: cis-operator-system
+ catalog.cattle.io/os: linux
+ catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+ catalog.cattle.io/rancher-version: '>= 2.6.0'
+ catalog.cattle.io/release-name: rancher-cis-benchmark
+ catalog.cattle.io/type: cluster-tool
+ catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v1.0.6
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+ cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 2.0.1
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/README.md b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/README.md
new file mode 100644
index 000000000..50beab58b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/app-readme.md b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/app-readme.md
new file mode 100644
index 000000000..5e495d605
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/app-readme.md
@@ -0,0 +1,15 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+ - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+ - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/_helpers.tpl
new file mode 100644
index 000000000..67f4ce116
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/_helpers.tpl
@@ -0,0 +1,23 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+ {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux_node_tolerations" -}}
+- key: "cattle.io/os"
+ value: "linux"
+ effect: "NoSchedule"
+ operator: "Equal"
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/alertingrule.yaml
new file mode 100644
index 000000000..1787c88a0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+ name: rancher-cis-pod-monitor
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ podMetricsEndpoints:
+ - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.5.yaml
new file mode 100644
index 000000000..39e8b834a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.5.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.5
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.6.yaml
new file mode 100644
index 000000000..93ba064f4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-cis-1.6.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.6
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-eks-1.0.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-eks-1.0.yaml
new file mode 100644
index 000000000..bd2e32cd3
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-eks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: eks-1.0
+spec:
+ clusterProvider: eks
+ minKubernetesVersion: "1.15.0"
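Review bot: In alertingrule.yaml the template is gated on `.Values.alerts.enabled`, while app-readme.md in this same patch tells users to set `alerts: true`. A user who follows the readme literally makes `alerts` a boolean, and evaluating `.enabled` on it fails at render time; the readme line should read `alerts.enabled: true` (values.yaml is not visible here, so confirm the key against it). It may also be worth adding a `.Capabilities.APIVersions.Has "monitoring.coreos.com/v1"` guard so that enabling alerts without the monitoring CRDs installed produces a clear message instead of a failed install. The file is named alertingrule.yaml but defines a PodMonitor, which is worth a one-line comment at the top.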
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-gke-1.0.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-gke-1.0.yaml
new file mode 100644
index 000000000..72122e8c5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-gke-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: gke-1.0
+spec:
+ clusterProvider: gke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..3ca9b6009
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.6-hardened
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..6d4253c6e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-k3s-cis-1.6-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.6-permissive
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-hardened.yaml
new file mode 100644
index 000000000..b5627f966
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.5-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-permissive.yaml
new file mode 100644
index 000000000..95f80c0f0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.5-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.5-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..d75de8154
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.6-hardened
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..52428f4a7
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke-cis-1.6-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke-cis-1.6-permissive
+spec:
+ clusterProvider: rke
+ minKubernetesVersion: "1.16.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-hardened.yaml
new file mode 100644
index 000000000..3d83e9bd8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.5-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.18.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-permissive.yaml
new file mode 100644
index 000000000..f66aa8f6e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.5-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.5-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.18.0"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-hardened.yaml
new file mode 100644
index 000000000..3593bf371
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.6-hardened
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-permissive.yaml
new file mode 100644
index 000000000..522f846ae
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/benchmark-rke2-cis-1.6-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: rke2-cis-1.6-permissive
+spec:
+ clusterProvider: rke2
+ minKubernetesVersion: "1.20.5"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/cis-roles.yaml
new file mode 100644
index 000000000..23c93dc65
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-admin
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: cis-view
+rules:
+ - apiGroups:
+ - cis.cattle.io
+ resources:
+ - clusterscanbenchmarks
+ - clusterscanprofiles
+ - clusterscans
+ - clusterscanreports
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - catalog.cattle.io
+ resources: ["apps"]
+ resourceNames: ["rancher-cis-benchmark"]
+ verbs: ["get", "watch", "list"]
+ - apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs: ["get", "watch", "list"]
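Review bot: The last rule of `cis-admin` in cis-roles.yaml grants `verbs: '*'` on `configmaps` in the core API group, and because this is a ClusterRole, a ClusterRoleBinding to it gives write access to every ConfigMap in every namespace, not only the chart's own. The other two rules of the same role spell their verbs out, so I would do the same here, `verbs: ["create", "update", "delete", "patch", "get", "watch", "list"]`, and add a comment above the rule such as `# configmaps are not restricted by name: bind this role with a RoleBinding in the cis namespace`. The `cis-view` role has the same shape for reads (`get`/`watch`/`list` on all ConfigMaps). The bindings are not part of this hunk, so whether either role is bound cluster-wide needs confirming.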
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/configmap.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/configmap.yaml
new file mode 100644
index 000000000..6cbc23db4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/configmap.yaml
@@ -0,0 +1,17 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+ name: default-clusterscanprofiles
+ namespace: {{ template "cis.namespace" . }}
+data:
+ # Default ClusterScanProfiles per cluster provider type
+ rke: |-
+ <1.16.0: rke-profile-permissive-1.5
+ >=1.16.0: rke-profile-permissive-1.6
+ rke2: |-
+ <1.20.5: rke2-cis-1.5-profile-permissive
+ >=1.20.5: rke2-cis-1.6-profile-permissive
+ eks: "eks-profile"
+ gke: "gke-profile"
+ k3s: "k3s-cis-1.6-profile-permissive"
+ default: "cis-1.6-profile"
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/deployment.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/deployment.yaml
new file mode 100644
index 000000000..0d3c75e39
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/deployment.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: cis-operator
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ cis.cattle.io/operator: cis-operator
+spec:
+ selector:
+ matchLabels:
+ cis.cattle.io/operator: cis-operator
+ template:
+ metadata:
+ labels:
+ cis.cattle.io/operator: cis-operator
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ containers:
+ - name: cis-operator
+ image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+ imagePullPolicy: Always
+ ports:
+ - name: cismetrics
+ containerPort: {{ .Values.alerts.metricsPort }}
+ env:
+ - name: SECURITY_SCAN_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+ - name: SECURITY_SCAN_IMAGE_TAG
+ value: {{ .Values.image.securityScan.tag }}
+ - name: SONOBUOY_IMAGE
+ value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+ - name: SONOBUOY_IMAGE_TAG
+ value: {{ .Values.image.sonobuoy.tag }}
+ - name: CIS_ALERTS_METRICS_PORT
+ value: '{{ .Values.alerts.metricsPort }}'
+ - name: CIS_ALERTS_SEVERITY
+ value: {{ .Values.alerts.severity }}
+ - name: CIS_ALERTS_ENABLED
+ value: {{ .Values.alerts.enabled | default "false" | quote }}
+ - name: CLUSTER_NAME
+ value: {{ .Values.global.cattle.clusterName }}
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ nodeSelector:
+ kubernetes.io/os: linux
+ {{- with .Values.nodeSelector }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ tolerations:
+ {{- include "linux_node_tolerations" . | nindent 8}}
+ {{- with .Values.tolerations }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
\ No newline at end of file
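Review bot: The `cis-operator` container in deployment.yaml is declared without any `securityContext`, at container or pod level, although the pod runs as `cis-operator-serviceaccount`, which rbac.yaml in this same patch binds to `cluster-admin`. A workload that holds a cluster-admin token is the one that most needs default container privileges removed. I would add a container-level block as sketched below, placed after `resources:`. Whether the operator tolerates `readOnlyRootFilesystem: true` is not visible from the template and has to be confirmed against the image.

```yaml
      containers:
        - name: cis-operator
          # … unchanged: image, imagePullPolicy, ports, env, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
```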
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/network_policy_allow_all.yaml
new file mode 100644
index 000000000..6ed5d645e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: default-allow-all
+ namespace: {{ template "cis.namespace" . }}
+spec:
+ podSelector: {}
+ ingress:
+ - {}
+ egress:
+ - {}
+ policyTypes:
+ - Ingress
+ - Egress
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 000000000..1efa3ed1c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: patch-sa
+ annotations:
+ "helm.sh/hook": post-install, post-upgrade
+ "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+ template:
+ spec:
+ serviceAccountName: cis-operator-serviceaccount
+ restartPolicy: Never
+ containers:
+ - name: sa
+ image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+ imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+ command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+ args: ["-n", {{ template "cis.namespace" . }}]
+ backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/rbac.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/rbac.yaml
new file mode 100644
index 000000000..4ff88ea5f
--- /dev/null
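Review bot: `default-allow-all` in network_policy_allow_all.yaml selects every pod in the namespace (`podSelector: {}`), and its single empty `ingress` and `egress` rules admit all traffic in both directions, so the policy restricts nothing. If that is deliberate, the template should say so; I would put a comment above `spec:` along the lines of `# Intentionally non-restrictive: every pod in this namespace may send and receive any traffic.` If it is not, deployment.yaml in this patch exposes only the `cismetrics` port on pods labelled `cis.cattle.io/operator: cis-operator`, which is the obvious ingress rule to start from. What the scan pods need is not visible here and would have to be checked.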
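Review bot: The `patch-sa` hook Job in patch_default_serviceaccount.yaml runs `kubectl` as `cis-operator-serviceaccount`, which rbac.yaml in this patch binds to `cluster-admin`, for a task that only needs to patch one ServiceAccount. A dedicated hook ServiceAccount with a namespaced Role limited to `resources: ["serviceaccounts"]`, `resourceNames: ["default"]`, `verbs: ["get", "patch"]` would be enough. The Job also carries no `metadata.namespace`, unlike the other namespaced templates in this patch, while the account it names is created in `{{ template "cis.namespace" . }}`. Adding `namespace: {{ template "cis.namespace" . }}` keeps the two together if the helper ever resolves to something other than the release namespace.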
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/rbac.yaml
@@ -0,0 +1,43 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-role
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-operator-rolebinding
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+ name: cis-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: cis-operator-installer
+subjects:
+- kind: ServiceAccount
+ name: cis-operator-serviceaccount
+ namespace: {{ template "cis.namespace" . }}
+roleRef:
+ kind: ClusterRole
+ name: cluster-admin
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.5.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.5.yml
new file mode 100644
index 000000000..d69ae9dd5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.5.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.5-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.5
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.6.yaml
new file mode 100644
index 000000000..8a8d8bf88
--- /dev/null
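Review bot: Both service accounts in rbac.yaml end up with unrestricted cluster access: `cis-operator-role` allows every verb on every resource in every API group and is bound to `cis-serviceaccount`, and `cis-operator-installer` binds `cis-operator-serviceaccount` directly to `cluster-admin`. Nothing in this patch shows either workload needing write access outside `cis.cattle.io` and the chart's own namespace, so the rules should be enumerated from the API calls the operator and the scan job actually make. As a first step, if the scan account only reads cluster state (to be confirmed), its wildcard verbs could become `verbs: ["get", "list", "watch"]`. If the broad grant has to stay for now, a comment above each binding stating why would keep it from being copied elsewhere.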
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-cis-1.6.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.6-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.6
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-hardened.yml
new file mode 100644
index 000000000..095e977ab
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.6-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-permissive.yml
new file mode 100644
index 000000000..3b22a80c8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-k3s-cis-1.6-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.6-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-hardened.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-hardened.yml
new file mode 100644
index 000000000..4eabe158a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.5
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.5-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-permissive.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-permissive.yml
new file mode 100644
index 000000000..1f78751d1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.5-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.5
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.5-permissive
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-hardened.yaml
new file mode 100644
index 000000000..d38febd80
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-hardened-1.6
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-permissive.yaml
new file mode 100644
index 000000000..d31b5b0d2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke-1.6-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke-profile-permissive-1.6
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-hardened.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-hardened.yml
new file mode 100644
index 000000000..83eb3131e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.5-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.5-hardened
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-permissive.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-permissive.yml
new file mode 100644
index 000000000..40dc44bdf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.5-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.5-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.5-permissive
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-hardened.yml
new file mode 100644
index 000000000..c7ac7f949
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.6-profile-hardened
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.6-hardened
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-permissive.yml
new file mode 100644
index 000000000..96ca1345a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofile-rke2-cis-1.6-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: rke2-cis-1.6-profile-permissive
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: rke2-cis-1.6-permissive
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofileeks.yml
new file mode 100644
index 000000000..49c7e0246
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: eks-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: eks-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofilegke.yml
new file mode 100644
index 000000000..2ddd0686f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: gke-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: gke-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/serviceaccount.yaml
new file mode 100644
index 000000000..ec48ec622
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ namespace: {{ template "cis.namespace" . }}
+ labels:
+ app.kubernetes.io/name: rancher-cis-benchmark
+ app.kubernetes.io/instance: release-name
+ name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/validate-install-crd.yaml
new file mode 100644
index 000000000..562295791
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# {{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/values.yaml b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/values.yaml
new file mode 100644
index 000000000..8c3fc3e16
--- /dev/null
+++ b/charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.1/values.yaml
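Review bot: The leading `#` on every line of validate-install-crd.yaml is only a YAML comment; Helm evaluates the `{{ ... }}` actions regardless, so this CRD check is live even though the file reads as commented out. A template comment on the first line would stop a later maintainer from deleting or "uncommenting" it, for example `{{- /* '#' keeps the rendered output a YAML comment; the actions below still run */ -}}`. The outer `lookup` guard also skips the whole check whenever `lookup` returns nothing, which is the case for `helm template` and client-side dry runs, so a missing CRD only surfaces on a real install. That limitation deserves a line in the same comment.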
@@ -0,0 +1,45 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+ cisoperator:
+ repository: rancher/cis-operator
+ tag: v1.0.6-rc1
+ securityScan:
+ repository: rancher/security-scan
+ tag: v0.2.4-rc1
+ sonobuoy:
+ repository: rancher/mirrored-sonobuoy-sonobuoy
+ tag: v0.53.2
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+global:
+ cattle:
+ systemDefaultRegistry: ""
+ clusterName: ""
+ kubectl:
+ repository: rancher/kubectl
+ tag: v1.20.2
+
+alerts:
+ enabled: false
+ severity: warning
+ metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 8a5723e84..8b6c035b9 100755
--- a/index.yaml
+++ b/index.yaml
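Review bot: The defaults in values.yaml pin release-candidate images, `tag: v1.0.6-rc1` for cis-operator and `tag: v0.2.4-rc1` for security-scan, while the index.yaml entry added by this same patch advertises `appVersion: v1.0.6`. Because the images are referenced by tag rather than digest and deployment.yaml sets `imagePullPolicy: Always`, what the operator runs is whatever those tags resolve to at pull time. If final images exist, the tags should match the advertised appVersion. Otherwise a comment next to each tag, such as `# rc tag: replace with the final release before publishing`, would at least record that the mismatch is known.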
@@ -1020,6 +1020,30 @@ entries: - assets/rancher-backup/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.6.0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v1.0.6 + created: "2021-09-14T15:17:53.674729471-04:00" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: ce6a352037c25e40902e5a90bdd1c3e25f7fbbcdc96b2d574eae6e83617d72dc + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.1.tgz + version: 2.0.1 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher 
@@ -1153,6 +1177,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2021-09-14T15:17:53.675706803-04:00" + description: Installs the CRDs for rancher-cis-benchmark. + digest: a07236a3f8c025600416189c5cc60a309be12c00b39b9d3b1f58af8c0b4b36ac + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-2.0.1.tgz + version: 2.0.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"