From ed962d492f3a267d4d985db8bf7d2ff1cda3f5ff Mon Sep 17 00:00:00 2001 From: dhruvmewada15 Date: Tue, 15 Feb 2022 23:04:51 +0530 Subject: [PATCH] make charts --- .../rancher-cis-benchmark-crd-2.0.3-rc1.tgz | Bin 0 -> 1467 bytes .../rancher-cis-benchmark-2.0.3-rc1.tgz | Bin 0 -> 5172 bytes .../2.0.3-rc1/Chart.yaml | 10 ++ .../2.0.3-rc1/README.md | 2 + .../2.0.3-rc1/templates/clusterscan.yaml | 148 ++++++++++++++++++ .../templates/clusterscanbenchmark.yaml | 54 +++++++ .../templates/clusterscanprofile.yaml | 36 +++++ .../templates/clusterscanreport.yaml | 39 +++++ .../2.0.3-rc1/Chart.yaml | 21 +++ .../rancher-cis-benchmark/2.0.3-rc1/README.md | 9 ++ .../2.0.3-rc1/app-readme.md | 15 ++ .../2.0.3-rc1/templates/_helpers.tpl | 23 +++ .../2.0.3-rc1/templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.5.yaml | 8 + .../templates/benchmark-cis-1.6.yaml | 8 + .../templates/benchmark-eks-1.0.yaml | 8 + .../templates/benchmark-gke-1.0.yaml | 8 + .../benchmark-k3s-cis-1.6-hardened.yaml | 8 + .../benchmark-k3s-cis-1.6-permissive.yaml | 8 + .../benchmark-rke-cis-1.5-hardened.yaml | 8 + .../benchmark-rke-cis-1.5-permissive.yaml | 8 + .../benchmark-rke-cis-1.6-hardened.yaml | 8 + .../benchmark-rke-cis-1.6-permissive.yaml | 8 + .../benchmark-rke2-cis-1.5-hardened.yaml | 8 + .../benchmark-rke2-cis-1.5-permissive.yaml | 8 + .../benchmark-rke2-cis-1.6-hardened.yaml | 8 + .../benchmark-rke2-cis-1.6-permissive.yaml | 8 + .../2.0.3-rc1/templates/cis-roles.yaml | 49 ++++++ .../2.0.3-rc1/templates/configmap.yaml | 18 +++ .../2.0.3-rc1/templates/deployment.yaml | 57 +++++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 20 +++ .../2.0.3-rc1/templates/rbac.yaml | 43 +++++ .../templates/scanprofile-cis-1.5.yml | 9 ++ .../templates/scanprofile-cis-1.6.yaml | 9 ++ .../scanprofile-k3s-cis-1.6-hardened.yml | 9 ++ .../scanprofile-k3s-cis-1.6-permissive.yml | 9 ++ .../scanprofile-rke-1.5-hardened.yml | 9 ++ .../scanprofile-rke-1.5-permissive.yml | 9 ++ .../scanprofile-rke-1.6-hardened.yaml | 9 ++ .../scanprofile-rke-1.6-permissive.yaml | 9 ++ .../scanprofile-rke2-cis-1.5-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.5-permissive.yml | 9 ++ .../scanprofile-rke2-cis-1.6-hardened.yml | 9 ++ .../scanprofile-rke2-cis-1.6-permissive.yml | 9 ++ .../2.0.3-rc1/templates/scanprofileaks.yml | 9 ++ .../2.0.3-rc1/templates/scanprofileeks.yml | 9 ++ .../2.0.3-rc1/templates/scanprofilegke.yml | 9 ++ .../2.0.3-rc1/templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../2.0.3-rc1/values.yaml | 45 ++++++ index.yaml | 39 +++++ 53 files changed, 943 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.3-rc1.tgz create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.3-rc1.tgz create mode 100644 charts/rancher-cis-benchmark-crd/2.0.3-rc1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.3-rc1/README.md create mode 100644 charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanreport.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/README.md create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/app-readme.md create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.5.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-eks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-gke-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.5.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/2.0.3-rc1/values.yaml diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.3-rc1.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.3-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..e6038ec38ae1e7280cb64882d83376693c0d5da0 GIT binary patch literal 1467 zcmV;s1w{HEiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(bK*7-&NIJ4bA85V10fyWa@@6ZZ7-K0>GgS$H=v6xd8BoE zOsD_7BijkKu`vciu5;`QgCu_|+24LEt*t@wCF(vGrawo?mm%oKKG*)+=@K+KD+q&& z1I=|^cRU&;zpm?+f8EQ$=)xNf+`-j&;0~`YTyN}Nc^Aw*)bTDB8v=dd9_*{Uxc`ZP zl!}0al4jCli~~WS77hoZ03D&;a?~Uq1o{(}aiwzDQusc~34232#y6EiB!p-p;5cEH zZ7MdulL%|w2jrrKVcXJKxp3bAU1^B zaFBcH!S?v~+=1s6Sxn>@)8Jx`pL?fRjRasl!gW7TEO>{wLx&Jg(TEd z6~v*;X4Yq4jgq%O%L#J~0ma4%z|bs~cAmFdJ%|8rAWXrY?@Ded*^sO|6%|8T$VIIK z6Ne$_l|zakDB#}bT3SIxU`zq&cHPhl=mA7=O24cdS^=3y5fy;$)(x$I{st`zK!2?p zS^-H#*QwgigW}`7QN%X7cEZlMaxX$O1YvQ-e^hri07u9j!<<~2rC_- z=3kLh4S^~<4ObeizzA8v9F%dm+1h70_02cuv~+FzlDlToSrG3SdN=ruY-n6puxkIP zyL;xEkPAzl1=n&Taj$<-7!sVV%=|B zR5%0d2Vs-_o_n%KQSoqgxiUE^?sus@KJ9a5Eu||v3XQK_2>C&+W&LkmDs52+Y^eVa zu14ch{ckuJUY+ZIr?6w!|6T~wVIlC{GiK6VQ4w4_ecjSvgxtxdb*t5r@LwdeP!TNk z?NI6oh5S99qn1c$vgcPo{!~9;7kK#A0AD{~2Y8+^>E$V=C6`YSZB$Hm7uOnvbe*27x7?po`AOd*cId2%@SWmUgkyL3hitA|=Km-?jkJ3W*pUCd%fYae z{|8sY%X9ueg&jNpXN2i6`{&=CRpkC>huvrX?@8caLiGq@Wlx;GPa>c7TFwf-usN&m-}mu3AQd*|;zPGZN_|CBHt z%Kt0@tW*EY-RmFwj`WWIU~ytUP$D~KjXNdUZ+D+>PPmUhLj2e3|Lnu{`%fR7&_CEm z)AzsLXi)n8_j2T&>whP)pSFDLdd+5OALC2V#Ape`#Kz~eu|c2BS9PD%zV-^wcDA#f V?QB){UjP6A|Nj&aYmopn006j}<5BDc zVQyr3R8em|NM&qo0PJ0TZ`(MN@4x3yF>s$l+eIwDB~D@7b3iuDEppp*i=?{`7JU{e zBaLl7mPnPP;`L?oUGB5oCp(aoWLcKum)J_Wt3lDo5;-J?{LKtWX($MDM<^ODm5m!@ z?kFH)+&mo-p`0lR{1-c*R;$(O9Uhv$tyU}lw|#ird(l4Zv^vMVPOE$TqSZd?b~`Vi zwTr@6Q6v=+FItZ-E8nVh~ zT;csaAj%yTa&S>7I-uyK*$b0-RE9p8HW&%852xo>@O@H1Vft}&gN<7hl5*CESO59< zw$tu8tw!rrVRFq@hQ!4_=*sgD1yNiyfhGv_kw}asRM-`T`P4Mjt+sV)D9-)DWD#w+JP0{M zrk1fMA^jz(?`^wA!f^Jpd~WA=GH}fHK8l$|C^^gU}}mrBkcXfDF-CA1V_qp??Ah47sF=i)jkVW>%M&M2ZZx zGICnZu>mEdaK3U0Th1s+)zF$I!>Q$ToL<6-Gkz2C>2fXs6@m-&8cEXhVvgle*Xh)1 z0ws@xi?R=Q_cef*@DGGYM#T50AkgJOfXoBNm6n?f(WQeacySM+i7z=&<_c|2B)B8OT>DojqnEYXMRrRCX8|%L zVM5gie5y@_;hk3H0A%EjbnzFIQLSPfI3MUf29Lvpu(_6GvPI0cR+-8TxbO1`WkbW= zr%Wdy-oGMgo(H-BhAv7;#Pqk-^Y_*1wM#K>l#P{6C1s9!lT(|{`Dm6 zs;2hw(C0VAkDV^%qa9+_9f>h{i9;%tE~H*JPh;En!B{DCPfOfY{_^n|CzwM@r=LO(Ex{f(q zi�%a?t@ezgW-JD%WIkQ>awaY@wh`4WRz-vRU7X0s0ctAN9pnkM<-rUr~r+oJ3YS=%7vIrihc`UVaL=&C-{Kk%!#e0@9h z?Vx`4H6ng}PBKr8guf=O(*MRuplm22AGe(kuF(Ij!{he6{_nJok9w8=0ViHyU%xJ^^Ri#iVTLxLhEYj?07QZM!z6%TwGWQxz~t! z#n0pAxx2e`cDP_&9Js%)>Dffzc&V|wZJb-P0QsKWpfBwWm|v7@&eTtC3K??m!aBES z%nLbX)+=s6Xnb9l%Gmc!_0^w8U9H0ZY>}6YWkXN0H&+6y@Zag=)_*$f&e3s&|1v0# z?s>?hs6Mrh%9TslY*l^{-|-kp5gPk9AMH}PFbVWjlCmGuCEc{>dfRCqIj#Di1zO(( zt&e}5qU{{*1^?Xz{8#J0<`uHD?u|)hIR`dT-Xt(%}$H;R0564*H|2fh6 z_#by=G6!gki13i1x1KUsiT}g=`hWMRdjGc^+AaQz#>jGIFz!C+40Kw~QKby_Oxxi< zL=jLa>Frv3f~)bLpZ_1Wk6IP}%b@+?e>O%c4e)$vef*0tCVK$;xBtC%W&cZ|-QvG! zj4VgLs3rqXPTS#s@Akjbt?Yj(v_Jf>WB)4+@YJ*o{!5tu_uAF^e<`#t{I4_rUxof^ zH*o*79sWzO|JC;&rO^KHzYF_cX@GsxM)>b+w*as?{=2>7>iz#xXy^D}93v0Hzw;pe z-&XkFGi{0gjU0g0_&>_q|8Bc_|F0C7Nt(6Y4&ds{Y&3cIM-3=GqFM>m&@NVKBRILgwgah4_pUr}f^fMsX~$ zB5`vzpu>QKS-GT7Uw!v#AsEC?hRZF*$u~G!{$k@`Isd2DVHIspEA4+W6!vHT+xj|Z z|2tLuw{j@f(WaL#NSF`syr{6_2xX08b-GCypM>u$1Z`%P@iFEJA&N9iS{!m)fSQI_ z13i1_!ygT!r2fNh7ur3@xJH>NhzU!e(7O;@ISDYHh zvJZ6}%jB_E$wS?$`fye|eUq4!WIpA%t8dP|biGiDP8auC-$vcbq^s9f;orm1=hFb$ zBaQ=Df&cFD;e!8vSbhIj4rTGK{g0X7_Ac%DC2m_Lg4QOm2kLQ0kH{^`g5iTWhgSvSfRiz*}&QGYEI@$ z!(?jd-`%C5-b`jE6LQ;`g%5`N`~HJT6&b?){j2$!e2jemBloF0?Zb&bAyb(?H}3OH zq?uMFq17OzR0uZIaHbw{bh=C=VmqKLA-i2H;p*)4=gad?zg}ORo_x4Izc~5fEK^h* zx$+V6%Z3`C7vMTox&CzWLt%9uD8!0>k^4^{e)|6BpMKp(8{>fHtJ*hLgLRvh@Ltla z)AOtAllNzrpRTSi&OTk9pI%*m{OR)3BIj4D#>uOPcwe3Ua;E#{!5YVGli=7Zs(bd~ zvn$2F0->+lDBjkv?lrgz=F5U*-QXR1+@7*P+qt z*TnbvME}2uH@Is5r+bw5|GM2O{$n|mU(k#Do3i1;Lf!}a$XfUZW`<^r=>NA2>l$)z z?jQvK%7y}EygF#^VE%?3pP!~-vWR$Y^O);1d->F|evY&X|7OuUbrj~E)^&Bjs`a1l zLj0G*c7^|PD3AXe-QP3J|2MxWK)M+e4M}PMx%1-y>Lc_6M~<2!&d2pWgj}lR{I~=A zD+-5#c(|CnVK-YE7R>cNn42!C=~L%pQ7Kxcq2dPf50qa~qv@(>gc1O>U;!+q>A>{+=?Avf;B5%1vA+ zeSL`oU6DjO4>Yd^u-Mnj1uvtUf1#_4>}|ezJwKOq!Om_nKhPbtRPJl{+{0_xiKl{M zvxY7ABsOVbrlTI{g7_R)`;yICUHSn2SLy%E{@yGC{D#(G<@~?Z$;W>@Jg&a~E`>IK z|1;j1T^{{C*<37|9W3q|JM$&pMATQ5^`Wjrg!R<9Pse7qre;(3sU`Sr)8_c!JOca{ z`0sTq|F0Cj%t>V9zLp#R*;@8n7Z2%NUo_%WR zK7ZO8{~Igo#TA`=XSeO zo&Qn_?Gpc)=wy4wx-O~hd^19R#w2fdAom&G&us zv9jq7HTa@68)%LF4|u_R@r&{M&#> z%!B^l!K1FqJdmi8hxNR-(aiW6bsHIKi=62RRok-zl^Bv79 z|L?Gq+y8AJ_KvFgUn%qwF6{__)AK7xH7A^EjMZwNG&(cx8`x0Q5=6w90qgnIY<>nw zpmH!LDFJ6dGO?f2b36$1V2Dh!)Zh<7pK6Z^;$xOTjfeu5Ft|bR_=NeKc<4E`+DkaM zy1+($tbO_Nr8Yu8NVQ4fa0aId4I3}gI%~#3ga*rbrY1C_;rZ0PQXUoKpM+sUAn^j+ zg$`JO|HF3v`_J~#aks*MDYOLtQbRv6wJGT5;BDZ~2iAbcz>c(uhtHbT>r-U<)_@B* z*H;V`T*VCD%yfqQ?e$2hQ1+Y6$zl6PY;#(`Yn( z=g5?wkxs08q%Dy9KA&hQXuZZ6G9~-9S_3|3b)M}&F0 zJA4u`cSPCn|Nd7O{aK61g1C@B`5KW#xXoGGH=sE8t2YPCsvZMEgNc57MHn#`KQYD-u)zcksY>5ZN zG*%~1>SJ1i%2qc$#7fsVX0)WzangLdt2oFp4S_OSa>~GgqA^ZjfRpr?ilP>P8%f23Sg)Qva(QjYBm=3xls@>Axvrc zS^JUXQrrL=eR_*}ifFjx3Qk}o4-6xQc0?ePkw7cR&$Gr|a7Gn3^Il!WL=+on_#oxb zAaU+k*U!m{N(e=|7N!*d^Gxr5zC;&wd!)H_$s>iESeT{d&kd;NOY<-wj10BUW}dw< z)9WOim6Pct9;sO5Nw=JM9@Tt^?@#9iD^bB0o49Wl4!&50fMA1#!>=b7?=@omx#>6; iV1v2m=H`DP2fCt)DyrxkrT-5A0RR7CVp{$H)Bpg}oTeQB literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/2.0.3-rc1/Chart.yaml b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/Chart.yaml new file mode 100644 index 000000000..4759432f0 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 2.0.3-rc1 diff --git a/charts/rancher-cis-benchmark-crd/2.0.3-rc1/README.md b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/README.md new file mode 100644 index 000000000..f6d9ef621 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/README.md @@ -0,0 +1,2 @@ +# rancher-cis-benchmark-crd +A Rancher chart that installs the CRDs used by rancher-cis-benchmark. diff --git a/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscan.yaml new file mode 100644 index 000000000..3cbb0ffcd --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscan.yaml @@ -0,0 +1,148 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + properties: + error: + type: boolean + message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object diff --git a/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanbenchmark.yaml new file mode 100644 index 000000000..fd291f8c3 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanbenchmark.yaml @@ -0,0 +1,54 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object diff --git a/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanprofile.yaml new file mode 100644 index 000000000..1e75501b7 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanprofile.yaml @@ -0,0 +1,36 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanprofiles.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanProfile + plural: clusterscanprofiles + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + skipTests: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + additionalPrinterColumns: + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string diff --git a/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanreport.yaml new file mode 100644 index 000000000..6e8c0b7de --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/2.0.3-rc1/templates/clusterscanreport.yaml @@ -0,0 +1,39 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanreports.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanReport + plural: clusterscanreports + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + reportJSON: + nullable: true + type: string + type: object + type: object \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/Chart.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/Chart.yaml new file mode 100644 index 000000000..516553383 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/Chart.yaml @@ -0,0 +1,21 @@ +annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>=1.16.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.6.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark +apiVersion: v1 +appVersion: v2.0.3-rc1 +description: The cis-operator enables running CIS benchmark security scans on a kubernetes + cluster +icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg +keywords: +- security +name: rancher-cis-benchmark +version: 2.0.3-rc1 diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/README.md b/charts/rancher-cis-benchmark/2.0.3-rc1/README.md new file mode 100644 index 000000000..50beab58b --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/README.md @@ -0,0 +1,9 @@ +# Rancher CIS Benchmark Chart + +The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. + +# Installation + +``` +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +``` diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/app-readme.md b/charts/rancher-cis-benchmark/2.0.3-rc1/app-readme.md new file mode 100644 index 000000000..5e495d605 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/app-readme.md @@ -0,0 +1,15 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. + - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/_helpers.tpl new file mode 100644 index 000000000..67f4ce116 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/_helpers.tpl @@ -0,0 +1,23 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux_node_tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/alertingrule.yaml new file mode 100644 index 000000000..1787c88a0 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-aks-1.0.yaml new file mode 100644 index 000000000..1ac866253 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.5.yaml new file mode 100644 index 000000000..39e8b834a --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.5.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.5 +spec: + clusterProvider: "" + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.6.yaml new file mode 100644 index 000000000..93ba064f4 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-cis-1.6.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.6 +spec: + clusterProvider: "" + minKubernetesVersion: "1.16.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-eks-1.0.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-eks-1.0.yaml new file mode 100644 index 000000000..bd2e32cd3 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-eks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.0 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-gke-1.0.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-gke-1.0.yaml new file mode 100644 index 000000000..72122e8c5 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-gke-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml new file mode 100644 index 000000000..3ca9b6009 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.6-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.20.5" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml new file mode 100644 index 000000000..6d4253c6e --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.6-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.20.5" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml new file mode 100644 index 000000000..b5627f966 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.5-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml new file mode 100644 index 000000000..95f80c0f0 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.5-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml new file mode 100644 index 000000000..d75de8154 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.6-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.16.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml new file mode 100644 index 000000000..52428f4a7 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.6-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.16.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml new file mode 100644 index 000000000..3d83e9bd8 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.5-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.18.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml new file mode 100644 index 000000000..f66aa8f6e --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.5-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.18.0" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml new file mode 100644 index 000000000..3593bf371 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.6-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.20.5" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml new file mode 100644 index 000000000..522f846ae --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.6-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.20.5" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/cis-roles.yaml new file mode 100644 index 000000000..23c93dc65 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/cis-roles.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-admin +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["create", "update", "delete", "patch","get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-view +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/configmap.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/configmap.yaml new file mode 100644 index 000000000..3de10e55e --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/configmap.yaml @@ -0,0 +1,18 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-clusterscanprofiles + namespace: {{ template "cis.namespace" . }} +data: + # Default ClusterScanProfiles per cluster provider type + rke: |- + <1.16.0: rke-profile-permissive-1.5 + >=1.16.0: rke-profile-permissive-1.6 + rke2: |- + <1.20.5: rke2-cis-1.5-profile-permissive + >=1.20.5: rke2-cis-1.6-profile-permissive + eks: "eks-profile" + gke: "gke-profile" + aks: "aks-profile" + k3s: "k3s-cis-1.6-profile-permissive" + default: "cis-1.6-profile" diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/deployment.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/deployment.yaml new file mode 100644 index 000000000..0d3c75e39 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/deployment.yaml @@ -0,0 +1,57 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cis-operator + namespace: {{ template "cis.namespace" . }} + labels: + cis.cattle.io/operator: cis-operator +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + template: + metadata: + labels: + cis.cattle.io/operator: cis-operator + spec: + serviceAccountName: cis-operator-serviceaccount + containers: + - name: cis-operator + image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}' + imagePullPolicy: Always + ports: + - name: cismetrics + containerPort: {{ .Values.alerts.metricsPort }} + env: + - name: SECURITY_SCAN_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }} + - name: SECURITY_SCAN_IMAGE_TAG + value: {{ .Values.image.securityScan.tag }} + - name: SONOBUOY_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }} + - name: SONOBUOY_IMAGE_TAG + value: {{ .Values.image.sonobuoy.tag }} + - name: CIS_ALERTS_METRICS_PORT + value: '{{ .Values.alerts.metricsPort }}' + - name: CIS_ALERTS_SEVERITY + value: {{ .Values.alerts.severity }} + - name: CIS_ALERTS_ENABLED + value: {{ .Values.alerts.enabled | default "false" | quote }} + - name: CLUSTER_NAME + value: {{ .Values.global.cattle.clusterName }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + nodeSelector: + kubernetes.io/os: linux + {{- with .Values.nodeSelector }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + tolerations: + {{- include "linux_node_tolerations" . | nindent 8}} + {{- with .Values.tolerations }} + {{- toYaml . | nindent 8 }} + {{- end }} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/network_policy_allow_all.yaml new file mode 100644 index 000000000..6ed5d645e --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/network_policy_allow_all.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ template "cis.namespace" . }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/patch_default_serviceaccount.yaml new file mode 100644 index 000000000..1efa3ed1c --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/patch_default_serviceaccount.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: patch-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + spec: + serviceAccountName: cis-operator-serviceaccount + restartPolicy: Never + containers: + - name: sa + image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", {{ template "cis.namespace" . }}] + backoffLimit: 1 diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/rbac.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/rbac.yaml new file mode 100644 index 000000000..4ff88ea5f --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/rbac.yaml @@ -0,0 +1,43 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-role +rules: +- apiGroups: + - '*' + resources: + - '*' + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-rolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-operator-role +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: cis-operator-installer +subjects: +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} +roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.5.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.5.yml new file mode 100644 index 000000000..d69ae9dd5 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.5.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.5-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.5 diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.6.yaml new file mode 100644 index 000000000..8a8d8bf88 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-cis-1.6.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.6-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.6 diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml new file mode 100644 index 000000000..095e977ab --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.6-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml new file mode 100644 index 000000000..3b22a80c8 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.6-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-hardened.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-hardened.yml new file mode 100644 index 000000000..4eabe158a --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.5 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.5-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-permissive.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-permissive.yml new file mode 100644 index 000000000..1f78751d1 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.5-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.5 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.5-permissive diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-hardened.yaml new file mode 100644 index 000000000..d38febd80 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.6 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-permissive.yaml new file mode 100644 index 000000000..d31b5b0d2 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.6 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-hardened.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-hardened.yml new file mode 100644 index 000000000..83eb3131e --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.5-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.5-hardened diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-permissive.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-permissive.yml new file mode 100644 index 000000000..40dc44bdf --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.5-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.5-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.5-permissive diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml new file mode 100644 index 000000000..c7ac7f949 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.6-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml new file mode 100644 index 000000000..96ca1345a --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.6-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileaks.yml new file mode 100644 index 000000000..ea7b25b40 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileaks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: aks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: aks-1.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileeks.yml new file mode 100644 index 000000000..49c7e0246 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofileeks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: eks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: eks-1.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofilegke.yml new file mode 100644 index 000000000..2ddd0686f --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/scanprofilegke.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/serviceaccount.yaml new file mode 100644 index 000000000..ec48ec622 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + name: cis-operator-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-serviceaccount diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/validate-install-crd.yaml new file mode 100644 index 000000000..562295791 --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/templates/validate-install-crd.yaml @@ -0,0 +1,17 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/2.0.3-rc1/values.yaml b/charts/rancher-cis-benchmark/2.0.3-rc1/values.yaml new file mode 100644 index 000000000..bec9d9a5b --- /dev/null +++ b/charts/rancher-cis-benchmark/2.0.3-rc1/values.yaml @@ -0,0 +1,45 @@ +# Default values for rancher-cis-benchmark. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + cisoperator: + repository: rancher/cis-operator + tag: v1.0.7-rc1 + securityScan: + repository: rancher/security-scan + tag: v0.2.6-rc1 + sonobuoy: + repository: rancher/mirrored-sonobuoy-sonobuoy + tag: v0.53.2 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +nodeSelector: {} + +tolerations: [] + +affinity: {} + +global: + cattle: + systemDefaultRegistry: "" + clusterName: "" + kubectl: + repository: rancher/kubectl + tag: v1.20.2 + +alerts: + enabled: false + severity: warning + metricsPort: 8080 diff --git a/index.yaml b/index.yaml index 43857da3f..9892abe6c 100755 --- a/index.yaml +++ b/index.yaml @@ -2071,6 +2071,31 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>=1.16.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.6.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v2.0.3-rc1 + created: "2022-02-15T23:04:23.237773749+05:30" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: 882468cf87be0774bee79cfa4392cc54dabfb62f33c1bc1e9ae528137c2fd0d0 + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.3-rc1.tgz + version: 2.0.3-rc1 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher @@ -2282,6 +2307,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2022-02-15T23:04:23.23959135+05:30" + description: Installs the CRDs for rancher-cis-benchmark. + digest: aa8ed957a42c131916f0a1318306d55badcad388f3558a83c40fdd08b64f7d82 + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-2.0.3-rc1.tgz + version: 2.0.3-rc1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"