[dev-v2.10] rancher-cis-benchmark auto-bump 105.0.0+up7.0.0 (#4685)

Makefile

@@ -17,6 +17,14 @@ validate:
 	@./scripts/pull-scripts
 	@./bin/charts-build-scripts validate $(if $(filter true,$(remote)),--remote) $(if $(filter true,$(local)),--local)
 
+chart-bump:
+	@if [ -z "$(package)" ] || [ -z "$(branch)" ]; then \
+		echo "Error: package and branch arguments are required."; \
+		exit 1; \
+	fi
+	@./scripts/pull-scripts
+	@./bin/charts-build-scripts chart-bump --package="$(package)" --branch="$(branch)"
+
 TARGETS := prepare patch clean clean-cache charts list index unzip zip standardize template regsync check-images check-rc enforce-lifecycle lifecycle-status auto-forward-port
 
 $(TARGETS):

charts/rancher-cis-benchmark-crd/105.0.0+up7.0.0/Chart.yaml

@@ -7,4 +7,4 @@ apiVersion: v1
 description: Installs the CRDs for rancher-cis-benchmark.
 name: rancher-cis-benchmark-crd
 type: application
-version: 7.0.0-rc.2
+version: 105.0.0+up7.0.0

charts/rancher-cis-benchmark/105.0.0+up7.0.0/Chart.yaml

@@ -12,11 +12,11 @@ annotations:
   catalog.cattle.io/type: cluster-tool
   catalog.cattle.io/ui-component: rancher-cis-benchmark
 apiVersion: v1
-appVersion: v7.0.0-rc.2
+appVersion: v7.0.0
 description: The cis-operator enables running CIS benchmark security scans on a kubernetes
   cluster
 icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
 keywords:
 - security
 name: rancher-cis-benchmark
-version: 7.0.0-rc.2
+version: 105.0.0+up7.0.0

charts/rancher-cis-benchmark/105.0.0+up7.0.0/values.yaml

@@ -5,10 +5,10 @@
 image:
   cisoperator:
     repository: rancher/cis-operator
-    tag: v1.3.0-rc.1
+    tag: v1.3.0
   securityScan:
     repository: rancher/security-scan
-    tag: v0.5.0-rc.1
+    tag: v0.5.0
   sonobuoy:
     repository: rancher/mirrored-sonobuoy-sonobuoy
     tag: v0.57.2

charts/rancher-cis-benchmark/7.0.0-rc.2/Chart.yaml

@@ -1,22 +0,0 @@
-annotations:
-  catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
-  catalog.cattle.io/certified: rancher
-  catalog.cattle.io/display-name: CIS Benchmark
-  catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
-  catalog.cattle.io/namespace: cis-operator-system
-  catalog.cattle.io/os: linux
-  catalog.cattle.io/permits-os: linux,windows
-  catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
-  catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
-  catalog.cattle.io/release-name: rancher-cis-benchmark
-  catalog.cattle.io/type: cluster-tool
-  catalog.cattle.io/ui-component: rancher-cis-benchmark
-apiVersion: v1
-appVersion: v7.0.0-rc.2
-description: The cis-operator enables running CIS benchmark security scans on a kubernetes
-  cluster
-icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
-keywords:
-- security
-name: rancher-cis-benchmark
-version: 7.0.0-rc.2

index.yaml

@@ -9357,18 +9357,18 @@ entries:
       catalog.cattle.io/type: cluster-tool
       catalog.cattle.io/ui-component: rancher-cis-benchmark
     apiVersion: v1
-    appVersion: v7.0.0-rc.2
+    appVersion: v7.0.0
-    created: "2024-10-24T10:31:04.343361694+05:30"
+    created: "2024-11-11T14:07:25.870024509-03:00"
     description: The cis-operator enables running CIS benchmark security scans on
       a kubernetes cluster
-    digest: d60489eeb4de5d34679b8f9337668c52bbea7c4f03ec14108d83c362acb60700
+    digest: f884d1167e7ee227e8cb67dbf96a7b0bd0e3351660fa6ebc2dd43ada78eebd76
     icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
     keywords:
     - security
     name: rancher-cis-benchmark
     urls:
-    - assets/rancher-cis-benchmark/rancher-cis-benchmark-7.0.0-rc.2.tgz
+    - assets/rancher-cis-benchmark/rancher-cis-benchmark-105.0.0+up7.0.0.tgz
-    version: 7.0.0-rc.2
+    version: 105.0.0+up7.0.0
   - annotations:
       catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
       catalog.cattle.io/certified: rancher
@@ -10023,14 +10023,14 @@ entries:
       catalog.cattle.io/namespace: cis-operator-system
       catalog.cattle.io/release-name: rancher-cis-benchmark-crd
     apiVersion: v1
-    created: "2024-10-24T10:31:04.352437187+05:30"
+    created: "2024-11-11T14:07:38.486536563-03:00"
     description: Installs the CRDs for rancher-cis-benchmark.
-    digest: d2ef89e55396bbfa91ff81b1772554d1e6b136c4238e1e4170c1d8ed1ea2da79
+    digest: c5e6f304babe0f86c8b51ae2ddf46178d0cad69ef366fcf14c039f6d856f6560
     name: rancher-cis-benchmark-crd
     type: application
     urls:
-    - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-7.0.0-rc.2.tgz
+    - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.0.0+up7.0.0.tgz
-    version: 7.0.0-rc.2
+    version: 105.0.0+up7.0.0
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"

packages/rancher-cis-benchmark/charts/README.md

@@ -1,9 +0,0 @@
-# Rancher CIS Benchmark Chart
-
-The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
-
-# Installation
-
-```
-helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
-```

packages/rancher-cis-benchmark/charts/app-readme.md

@@ -1,31 +0,0 @@
-# Rancher CIS Benchmarks
-
-This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
-
-For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides).
-
-This chart installs the following components:
-
-- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
-- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
-- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
-- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
-- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
-    - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
-    - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
-
-## CIS Kubernetes Benchmark support
-
-| Source | Kubernetes distribution | scan profile                                                                                                       | Kubernetes versions |
-|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
-| CIS    | any                     | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8)                                | v1.26+              |
-| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
-| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened)      | rke1-v1.26+         |
-| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+         |
-| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened)    | rke2-v1.26+         |
-| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26+          |
-| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened)      | k3s-v1.26+          |
-| CIS    | eks                     | eks-1.2.0                                                                                                          | eks                 |
-| CIS    | aks                     | aks-1.0                                                                                                            | aks                 |
-| CIS    | gke                     | gke-1.2.0                                                                                                          | gke                 |
-| CIS    | gke                     | gke-1.6.0                                                                                                          | gke-1.29+            |

packages/rancher-cis-benchmark/charts/templates/_helpers.tpl

@@ -1,27 +0,0 @@
-{{/* Ensure namespace is set the same everywhere */}}
-{{- define "cis.namespace" -}}
-  {{- .Release.Namespace | default "cis-operator-system" -}}
-{{- end -}}
-
-{{- define "system_default_registry" -}}
-{{- if .Values.global.cattle.systemDefaultRegistry -}}
-{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
-{{- else -}}
-{{- "" -}}
-{{- end -}}
-{{- end -}}
-
-{{/*
-Windows cluster will add default taint for linux nodes,
-add below linux tolerations to workloads could be scheduled to those linux nodes
-*/}}
-{{- define "linux-node-tolerations" -}}
-- key: "cattle.io/os"
-  value: "linux"
-  effect: "NoSchedule"
-  operator: "Equal"
-{{- end -}}
-
-{{- define "linux-node-selector" -}}
-kubernetes.io/os: linux
-{{- end -}}

packages/rancher-cis-benchmark/charts/templates/alertingrule.yaml

@@ -1,14 +0,0 @@
-{{- if .Values.alerts.enabled -}}
----
-apiVersion: monitoring.coreos.com/v1
-kind: PodMonitor
-metadata:
-  name: rancher-cis-pod-monitor
-  namespace: {{ template "cis.namespace" . }}
-spec:
-  selector:
-    matchLabels:
-      cis.cattle.io/operator: cis-operator
-  podMetricsEndpoints:
-  - port: cismetrics
-{{- end }}

packages/rancher-cis-benchmark/charts/templates/benchmark-aks-1.0.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: aks-1.0
-spec:
-  clusterProvider: aks
-  minKubernetesVersion: "1.15.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-cis-1.8.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: cis-1.8
-spec:
-  clusterProvider: ""
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-eks-1.2.0.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: eks-1.2.0
-spec:
-  clusterProvider: eks
-  minKubernetesVersion: "1.15.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-gke-1.2.0.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: gke-1.2.0
-spec:
-  clusterProvider: gke
-  minKubernetesVersion: "1.15.0"
-  maxKubernetesVersion: "1.28.x"

packages/rancher-cis-benchmark/charts/templates/benchmark-gke-1.6.0.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: gke-1.6.0
-spec:
-  clusterProvider: gke
-  minKubernetesVersion: "1.29.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.8-hardened.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: k3s-cis-1.8-hardened
-spec:
-  clusterProvider: k3s
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-k3s-cis-1.8-permissive.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: k3s-cis-1.8-permissive
-spec:
-  clusterProvider: k3s
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.8-hardened.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: rke-cis-1.8-hardened
-spec:
-  clusterProvider: rke
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-rke-cis-1.8-permissive.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: rke-cis-1.8-permissive
-spec:
-  clusterProvider: rke
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.8-hardened.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: rke2-cis-1.8-hardened
-spec:
-  clusterProvider: rke2
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/benchmark-rke2-cis-1.8-permissive.yaml

@@ -1,8 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanBenchmark
-metadata:
-  name: rke2-cis-1.8-permissive
-spec:
-  clusterProvider: rke2
-  minKubernetesVersion: "1.26.0"

packages/rancher-cis-benchmark/charts/templates/cis-roles.yaml

@@ -1,49 +0,0 @@
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cis-admin
-rules:
-  - apiGroups:
-      - cis.cattle.io
-    resources:
-      - clusterscanbenchmarks
-      - clusterscanprofiles
-      - clusterscans
-      - clusterscanreports
-    verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
-  - apiGroups:
-      - catalog.cattle.io
-    resources: ["apps"]
-    resourceNames: ["rancher-cis-benchmark"]
-    verbs: ["get", "watch", "list"]
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs:
-      - '*'
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: cis-view
-rules:
-  - apiGroups:
-      - cis.cattle.io
-    resources:
-      - clusterscanbenchmarks
-      - clusterscanprofiles
-      - clusterscans
-      - clusterscanreports
-    verbs: ["get", "watch", "list"]
-  - apiGroups:
-      - catalog.cattle.io
-    resources: ["apps"]
-    resourceNames: ["rancher-cis-benchmark"]
-    verbs: ["get", "watch", "list"]
-  - apiGroups:
-      - ""
-    resources:
-      - configmaps
-    verbs: ["get", "watch", "list"]

packages/rancher-cis-benchmark/charts/templates/configmap.yaml

@@ -1,18 +0,0 @@
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: default-clusterscanprofiles
-  namespace: {{ template "cis.namespace" . }}
-data:
-  # Default ClusterScanProfiles per cluster provider type
-  rke: |-
-    <1.21.0: rke-profile-permissive-1.20
-    >=1.21.0: rke-profile-permissive-1.8
-  rke2: |-
-    <1.21.0: rke2-cis-1.20-profile-permissive
-    >=1.21.0: rke2-cis-1.8-profile-permissive
-  eks: "eks-profile"
-  gke: "gke-profile"
-  aks: "aks-profile"
-  k3s: "k3s-cis-1.8-profile-permissive"
-  default: "cis-1.8-profile"

packages/rancher-cis-benchmark/charts/templates/deployment.yaml

@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: cis-operator
-  namespace: {{ template "cis.namespace" . }}
-  labels:
-    cis.cattle.io/operator: cis-operator
-spec:
-  selector:
-    matchLabels:
-      cis.cattle.io/operator: cis-operator
-  template:
-    metadata:
-      labels:
-        cis.cattle.io/operator: cis-operator
-    spec:
-      serviceAccountName: cis-operator-serviceaccount
-      containers:
-      - name: cis-operator
-        image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
-        imagePullPolicy: IfNotPresent
-        ports:
-        - name: cismetrics
-          containerPort: {{ .Values.alerts.metricsPort }}
-        env:
-        - name: SECURITY_SCAN_IMAGE
-          value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
-        - name: SECURITY_SCAN_IMAGE_TAG
-          value: {{ .Values.image.securityScan.tag }}
-        - name: SONOBUOY_IMAGE
-          value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
-        - name: SONOBUOY_IMAGE_TAG
-          value: {{ .Values.image.sonobuoy.tag }}
-        - name: CIS_ALERTS_METRICS_PORT
-          value: '{{ .Values.alerts.metricsPort }}'
-        - name: CIS_ALERTS_SEVERITY
-          value: {{ .Values.alerts.severity }}
-        - name: CIS_ALERTS_ENABLED
-          value: {{ .Values.alerts.enabled | default "false" | quote }}
-        - name: CLUSTER_NAME
-          value: '{{ .Values.global.cattle.clusterName }}'
-        - name: CIS_OPERATOR_DEBUG
-          value: '{{ .Values.image.cisoperator.debug }}'
-        {{- if .Values.securityScanJob.overrideTolerations }}
-        - name: SECURITY_SCAN_JOB_TOLERATIONS
-          value: '{{ .Values.securityScanJob.tolerations | toJson  }}'
-        {{- end }}
-        resources:
-          {{- toYaml .Values.resources | nindent 12 }}
-      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
-      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
-      {{- with .Values.affinity }}
-      affinity:
-      {{- toYaml . | nindent 8 }}
-      {{- end }}

packages/rancher-cis-benchmark/charts/templates/network_policy_allow_all.yaml

@@ -1,15 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: NetworkPolicy
-metadata:
-  name: default-allow-all
-  namespace: {{ template "cis.namespace" . }}
-spec:
-  podSelector: {}
-  ingress:
-  - {}
-  egress:
-  - {}
-  policyTypes:
-  - Ingress
-  - Egress

packages/rancher-cis-benchmark/charts/templates/patch_default_serviceaccount.yaml

@@ -1,29 +0,0 @@
----
-apiVersion: batch/v1
-kind: Job
-metadata:
-  name: patch-sa
-  annotations:
-    "helm.sh/hook": post-install, post-upgrade
-    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
-spec:
-  template:
-    spec:
-      serviceAccountName: cis-operator-serviceaccount
-      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
-{{- if .Values.nodeSelector }}
-{{ toYaml .Values.nodeSelector | indent 8 }}
-{{- end }}
-      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
-{{- if .Values.tolerations }}
-{{ toYaml .Values.tolerations | indent 8 }}
-{{- end }}
-      restartPolicy: Never
-      containers:
-      - name: sa
-        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
-        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
-        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
-        args: ["-n", {{ template "cis.namespace" . }}]
-
-  backoffLimit: 1

packages/rancher-cis-benchmark/charts/templates/rbac.yaml

@@ -1,209 +0,0 @@
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-  name: cis-operator-clusterrole
-rules:
-- apiGroups:
-  - "cis.cattle.io"
-  resources:
-  - "*"
-  verbs:
-  - "*"
-- apiGroups:
-  - ""
-  resources:
-  - "pods"
-  - "services"
-  - "configmaps"
-  - "nodes"
-  - "serviceaccounts"
-  verbs:
-  - "get"
-  - "list"
-  - "create"
-  - "update"
-  - "watch"
-  - "patch"
-- apiGroups:
-  - "rbac.authorization.k8s.io"
-  resources:
-  - "rolebindings"
-  - "clusterrolebindings"
-  - "clusterroles"
-  verbs:
-  - "get"
-  - "list"
-- apiGroups:
-  - "batch"
-  resources:
-  - "jobs"
-  verbs:
-  - "list"
-  - "create"
-  - "patch"
-  - "update"
-  - "watch"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-  name: cis-scan-ns
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - "namespaces"
-  - "nodes"
-  - "pods"
-  - "serviceaccounts"
-  - "services"
-  - "replicationcontrollers"
-  verbs:
-  - "get"
-  - "list"
-  - "watch"
-- apiGroups: 
-  - "rbac.authorization.k8s.io"
-  resources:
-  - "rolebindings"
-  - "clusterrolebindings"
-  - "clusterroles"
-  verbs:
-  - "get"
-  - "list"
-- apiGroups:
-   - "batch"
-  resources:
-   - "jobs"
-   - "cronjobs"
-  verbs:
-   - "list"
-- apiGroups:
-    - "apps"
-  resources:
-    - "daemonsets"
-    - "deployments"
-    - "replicasets"
-    - "statefulsets"
-  verbs:
-    - "list"
-- apiGroups:
-    - "autoscaling"
-  resources:
-    - "horizontalpodautoscalers"
-  verbs:
-    - "list"
-- apiGroups:
-    - "networking.k8s.io"
-  resources:
-    - "networkpolicies"
-  verbs:
-    - "get"
-    - "list"
-    - "watch"
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: cis-operator-role
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-  namespace: {{ template "cis.namespace" . }}
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - "services"
-  verbs:
-  - "watch"
-  - "list"
-  - "get"
-  - "patch"
-- apiGroups:
-  - "batch"
-  resources:
-  - "jobs"
-  verbs:
-  - "watch"
-  - "list"
-  - "get"
-  - "delete"
-- apiGroups:
-  - ""
-  resources:
-  - "configmaps"
-  - "pods"
-  - "secrets"
-  verbs:
-  - "*"
-- apiGroups:
-  - "apps"
-  resources:
-  - "daemonsets"
-  verbs:
-  - "*"
-- apiGroups:
-  - monitoring.coreos.com
-  resources:
-  - prometheusrules
-  verbs:
-  - create
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-  name: cis-operator-clusterrolebinding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cis-operator-clusterrole
-subjects:
-- kind: ServiceAccount
-  name: cis-operator-serviceaccount
-  namespace: {{ template "cis.namespace" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: cis-scan-ns
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: cis-scan-ns
-subjects:
-- kind: ServiceAccount
-  name: cis-serviceaccount
-  namespace: {{ template "cis.namespace" . }}
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-  name: cis-operator-rolebinding
-  namespace: {{ template "cis.namespace" . }}
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: cis-operator-role
-subjects:
-- kind: ServiceAccount
-  name: cis-serviceaccount
-  namespace: {{ template "cis.namespace" . }}
-- kind: ServiceAccount
-  name: cis-operator-serviceaccount
-  namespace: {{ template "cis.namespace" . }}

packages/rancher-cis-benchmark/charts/templates/scanprofile-cis-1.8.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: cis-1.8-profile
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: cis-1.8

packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.8-hardened.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: k3s-cis-1.8-profile-hardened
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: k3s-cis-1.8-hardened

packages/rancher-cis-benchmark/charts/templates/scanprofile-k3s-cis-1.8-permissive.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: k3s-cis-1.8-profile-permissive
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: k3s-cis-1.8-permissive

packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.8-hardened.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: rke-profile-hardened-1.8
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: rke-cis-1.8-hardened

packages/rancher-cis-benchmark/charts/templates/scanprofile-rke-1.8-permissive.yaml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: rke-profile-permissive-1.8
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: rke-cis-1.8-permissive

packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.8-hardened.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: rke2-cis-1.8-profile-hardened
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: rke2-cis-1.8-hardened

packages/rancher-cis-benchmark/charts/templates/scanprofile-rke2-cis-1.8-permissive.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: rke2-cis-1.8-profile-permissive
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: rke2-cis-1.8-permissive

packages/rancher-cis-benchmark/charts/templates/scanprofileaks.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: aks-profile
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: aks-1.0

packages/rancher-cis-benchmark/charts/templates/scanprofileeks.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: eks-profile
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: eks-1.2.0

packages/rancher-cis-benchmark/charts/templates/scanprofilegke-1.6.0.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: gke-profile-1.6.0
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: gke-1.6.0

packages/rancher-cis-benchmark/charts/templates/scanprofilegke.yml

@@ -1,9 +0,0 @@
----
-apiVersion: cis.cattle.io/v1
-kind: ClusterScanProfile
-metadata:
-  name: gke-profile
-  annotations:
-    clusterscanprofile.cis.cattle.io/builtin: "true"
-spec:
-  benchmarkVersion: gke-1.2.0

packages/rancher-cis-benchmark/charts/templates/serviceaccount.yaml

@@ -1,14 +0,0 @@
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: {{ template "cis.namespace" . }}
-  name: cis-operator-serviceaccount
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  namespace: {{ template "cis.namespace" . }}
-  labels:
-    app.kubernetes.io/name: rancher-cis-benchmark
-    app.kubernetes.io/instance: release-name
-  name: cis-serviceaccount

packages/rancher-cis-benchmark/charts/values.yaml

@@ -1,53 +0,0 @@
-# Default values for rancher-cis-benchmark.
-# This is a YAML-formatted file.
-# Declare variables to be passed into your templates.
-
-image:
-  cisoperator:
-    repository: rancher/cis-operator
-    tag: v1.3.0-rc.1
-  securityScan:
-    repository: rancher/security-scan
-    tag: v0.5.0-rc.1
-  sonobuoy:
-    repository: rancher/mirrored-sonobuoy-sonobuoy
-    tag: v0.57.2
-
-resources: {}
-  # We usually recommend not to specify default resources and to leave this as a conscious
-  # choice for the user. This also increases chances charts run on environments with little
-  # resources, such as Minikube. If you do want to specify resources, uncomment the following
-  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-## Node labels for pod assignment
-## Ref: https://kubernetes.io/docs/user-guide/node-selection/
-##
-nodeSelector: {}
-
-## List of node taints to tolerate (requires Kubernetes >= 1.6)
-tolerations: []
-
-securityScanJob:
-  overrideTolerations: false
-  tolerations: []
-
-affinity: {}
-
-global:
-  cattle:
-    systemDefaultRegistry: ""
-    clusterName: ""
-  kubectl:
-    repository: rancher/kubectl
-    tag: v1.30.5
-
-alerts:
-  enabled: false
-  severity: warning
-  metricsPort: 8080

packages/rancher-cis-benchmark/package.yaml

@@ -1,8 +1,14 @@
-url: local
+auto: true
-version: 7.0.0-rc.2
+url: https://github.com/rancher/cis-operator.git
+chartRepoBranch: release/v1.3
+subdirectory: chart
 additionalCharts:
   - workingDir: charts-crd
+    upstreamOptions:
+      url: https://github.com/rancher/cis-operator.git
+      chartRepoBranch: release/v1.3
+      subdirectory: crds
     crdOptions:
       templateDirectory: crd-template
       crdDirectory: templates
-      addCRDValidationToMainChart: true
+      addCRDValidationToMainChart: true

release.yaml

@@ -22,6 +22,10 @@ rancher-backup:
   - 105.0.0+up6.0.0
 rancher-backup-crd:
   - 105.0.0+up6.0.0
+rancher-cis-benchmark:
+  - 105.0.0+up7.0.0
+rancher-cis-benchmark-crd:
+  - 105.0.0+up7.0.0
 rancher-csp-adapter:
   - 105.0.0+up5.0.1-rc1
 rancher-eks-operator:
@@ -32,6 +36,14 @@ rancher-gke-operator:
   - 105.0.0+up1.10.0
 rancher-gke-operator-crd:
   - 105.0.0+up1.10.0
+rancher-istio:
+  - 104.4.1+up1.22.1
+  - 104.5.0+up1.23.2
+  - 105.0.0+up1.19.6
+  - 105.1.0+up1.20.3
+  - 105.2.0+up1.21.1
+  - 105.3.0+up1.22.1
+  - 105.4.0+up1.23.2
 rancher-logging:
   - 105.0.0+up4.8.0
 rancher-logging-crd:
@@ -55,11 +67,3 @@ rancher-webhook:
   - 2.0.13+up0.3.13
 system-upgrade-controller:
   - 105.0.0
-rancher-istio:
-  - 104.4.1+up1.22.1
-  - 104.5.0+up1.23.2
-  - 105.0.0+up1.19.6
-  - 105.1.0+up1.20.3
-  - 105.2.0+up1.21.1
-  - 105.3.0+up1.22.1
-  - 105.4.0+up1.23.2

scripts/version

@@ -2,4 +2,4 @@
 set -e
 
 CHARTS_BUILD_SCRIPTS_REPO=https://github.com/rancher/charts-build-scripts.git
-CHARTS_BUILD_SCRIPT_VERSION="${CHARTS_BUILD_SCRIPT_VERSION:-v1.0.0}"
+CHARTS_BUILD_SCRIPT_VERSION="${CHARTS_BUILD_SCRIPT_VERSION:-v1.1.0}"