andata
/
rancher-charts
mirror of https://git.rancher.io/charts
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

make charts

pull/1271/head
Jiaqi Luo 2021-06-18 12:23:17 -07:00
parent 37037db95d
commit f4aa9dd15e
175 changed files with 11808 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
assets/rancher-aks-operator-crd/rancher-aks-operator-crd-1.0.0+up1.0.1-rc7.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-aks-operator/rancher-aks-operator-1.0.0+up1.0.1-rc7.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-backup-crd/rancher-backup-crd-2.0.0+up2.0.0-rc1.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-backup/rancher-backup-2.0.0+up2.0.0-rc1.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-cis-benchmark/rancher-cis-benchmark-crd-2.0.0.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-eks-operator-crd/rancher-eks-operator-crd-2.0.0+up1.1.1-rc2.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-eks-operator/rancher-eks-operator-2.0.0+up1.1.1-rc2.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-external-ip-webhook/rancher-external-ip-webhook-100.0.0+up0.1.6.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-gke-operator-crd/rancher-gke-operator-crd-2.0.0+up1.1.1-rc2.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-gke-operator/rancher-gke-operator-2.0.0+up1.1.1-rc2.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-operator-crd/rancher-operator-crd-100.0.0+up0.1.4.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-operator/rancher-operator-100.0.0+up0.1.4.tgz Normal file
View File

Binary file not shown.

BIN
assets/rancher-webhook/rancher-webhook-1.0.0+up0.2.0-alpha02.tgz Normal file
View File

Binary file not shown.

BIN
assets/rio/rio-100.0.0.tgz Normal file
View File

Binary file not shown.

11
charts/rancher-aks-operator-crd/rancher-aks-operator-crd/1.0.0+up1.0.1-rc7/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: rancher-aks-operator-crd
apiVersion: v2
appVersion: 1.0.1-rc7
description: AKS Operator CustomResourceDefinitions
name: rancher-aks-operator-crd
version: 1.0.0+up1.0.1-rc7

165
charts/rancher-aks-operator-crd/rancher-aks-operator-crd/1.0.0+up1.0.1-rc7/templates/crds.yaml Normal file
View File

@ -0,0 +1,165 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
name: aksclusterconfigs.aks.cattle.io
spec:
group: aks.cattle.io
names:
kind: AKSClusterConfig
plural: aksclusterconfigs
shortNames:
- akscc
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
authBaseUrl:
nullable: true
type: string
authorizedIpRanges:
items:
nullable: true
type: string
nullable: true
type: array
azureCredentialSecret:
nullable: true
type: string
baseUrl:
nullable: true
type: string
clusterName:
nullable: true
type: string
dnsPrefix:
nullable: true
type: string
dnsServiceIp:
nullable: true
type: string
dockerBridgeCidr:
nullable: true
type: string
httpApplicationRouting:
nullable: true
type: boolean
imported:
type: boolean
kubernetesVersion:
nullable: true
type: string
linuxAdminUsername:
nullable: true
type: string
loadBalancerSku:
nullable: true
type: string
networkPlugin:
nullable: true
type: string
networkPolicy:
nullable: true
type: string
nodePools:
items:
properties:
availabilityZones:
items:
nullable: true
type: string
nullable: true
type: array
count:
nullable: true
type: integer
enableAutoScaling:
nullable: true
type: boolean
maxCount:
nullable: true
type: integer
maxPods:
nullable: true
type: integer
minCount:
nullable: true
type: integer
mode:
nullable: true
type: string
name:
nullable: true
type: string
orchestratorVersion:
nullable: true
type: string
osDiskSizeGB:
nullable: true
type: integer
osDiskType:
nullable: true
type: string
osType:
nullable: true
type: string
vmSize:
nullable: true
type: string
type: object
nullable: true
type: array
podCidr:
nullable: true
type: string
privateCluster:
nullable: true
type: boolean
resourceGroup:
nullable: true
type: string
resourceLocation:
nullable: true
type: string
serviceCidr:
nullable: true
type: string
sshPublicKey:
nullable: true
type: string
subnet:
nullable: true
type: string
tags:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
virtualNetwork:
nullable: true
type: string
virtualNetworkResourceGroup:
nullable: true
type: string
type: object
status:
properties:
failureMessage:
nullable: true
type: string
phase:
nullable: true
type: string
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true

18
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
annotations:
catalog.cattle.io/auto-install: rancher-aks-operator-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/provides-gvr: aksclusterconfigs.aks.cattle.io/v1
catalog.cattle.io/rancher-version: '>= 2.6.0-alpha'
catalog.cattle.io/release-name: rancher-aks-operator
catalog.cattle.io/scope: management
apiVersion: v2
appVersion: 1.0.1-rc7
description: A Helm chart for provisioning AKS clusters
home: https://github.com/rancher/aks-operator
name: rancher-aks-operator
sources:
- https://github.com/rancher/aks-operator
version: 1.0.0+up1.0.1-rc7

4
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/templates/NOTES.txt Normal file
View File

@ -0,0 +1,4 @@
You have deployed the Rancher AKS operator
Version: {{ .Chart.AppVersion }}
Description: This operator provisions AKS clusters
from AKSClusterConfig CRs.

9
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,9 @@
{{/* vim: set filetype=mustache: */}}
{{- define "system_default_registry" -}}
{{- if .Values.global.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}

15
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/templates/clusterrole.yaml Normal file
View File

@ -0,0 +1,15 @@
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: aks-operator
namespace: cattle-system
rules:
- apiGroups: ['']
resources: ['secrets']
verbs: ['get', 'list', 'create', 'watch']
- apiGroups: ['aks.cattle.io']
resources: ['aksclusterconfigs']
verbs: ['get', 'list', 'update', 'watch']
- apiGroups: ['aks.cattle.io']
resources: ['aksclusterconfigs/status']
verbs: ['update']

13
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: aks-operator
namespace: cattle-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: aks-operator
subjects:
- kind: ServiceAccount
name: aks-operator
namespace: cattle-system

39
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/templates/deployment.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: aks-config-operator
namespace: cattle-system
spec:
replicas: 1
selector:
matchLabels:
ke.cattle.io/operator: aks
template:
metadata:
labels:
ke.cattle.io/operator: aks
spec:
serviceAccountName: aks-operator
containers:
- name: aks-operator
image: {{ template "system_default_registry" . }}{{ .Values.aksOperator.image.repository }}:{{ .Values.aksOperator.image.tag }}
imagePullPolicy: IfNotPresent
env:
- name: HTTP_PROXY
value: {{ .Values.httpProxy }}
- name: HTTPS_PROXY
value: {{ .Values.httpsProxy }}
- name: NO_PROXY
value: {{ .Values.noProxy }}
{{- if .Values.additionalTrustedCAs }}
volumeMounts:
- mountPath: /etc/ssl/certs/ca-additional.pem
name: tls-ca-additional-volume
subPath: ca-additional.pem
readOnly: true
volumes:
- name: tls-ca-additional-volume
secret:
defaultMode: 0400
secretName: tls-ca-additional
{{- end }}

5
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: cattle-system
name: aks-operator

12
charts/rancher-aks-operator/rancher-aks-operator/1.0.0+up1.0.1-rc7/values.yaml Normal file
View File

@ -0,0 +1,12 @@
global:
systemDefaultRegistry: ""
aksOperator:
image:
repository: rancher/aks-operator
tag: v1.0.1-rc7
httpProxy: ""
httpsProxy: ""
noProxy: ""
additionalTrustedCAs: false

11
charts/rancher-backup-crd/rancher-backup-crd/2.0.0+up2.0.0-rc1/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-resources-system
catalog.cattle.io/release-name: rancher-backup-crd
apiVersion: v2
appVersion: 2.0.0-rc1
description: Installs the CRDs for rancher-backup.
name: rancher-backup-crd
type: application
version: 2.0.0+up2.0.0-rc1

3
charts/rancher-backup-crd/rancher-backup-crd/2.0.0+up2.0.0-rc1/README.md Normal file
View File

@ -0,0 +1,3 @@
# Rancher Backup CRD
A Rancher chart that installs the CRDs used by `rancher-backup`.

119
charts/rancher-backup-crd/rancher-backup-crd/2.0.0+up2.0.0-rc1/templates/backup.yaml Normal file
View File

@ -0,0 +1,119 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: backups.resources.cattle.io
spec:
additionalPrinterColumns:
- JSONPath: .status.storageLocation
name: Location
type: string
- JSONPath: .status.backupType
name: Type
type: string
- JSONPath: .status.filename
name: Latest-Backup
type: string
- JSONPath: .spec.resourceSetName
name: ResourceSet
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
group: resources.cattle.io
names:
kind: Backup
plural: backups
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
encryptionConfigSecretName:
description: Name of the Secret containing the encryption config
type: string
resourceSetName:
description: Name of the ResourceSet CR to use for backup
type: string
retentionCount:
minimum: 1
type: integer
schedule:
description: Cron schedule for recurring backups
example:
Descriptors: '@midnight'
Standard crontab specs: 0 0 * * *
type: string
storageLocation:
nullable: true
properties:
s3:
nullable: true
properties:
bucketName:
type: string
credentialSecretName:
type: string
credentialSecretNamespace:
type: string
endpoint:
type: string
endpointCA:
type: string
folder:
type: string
insecureTLSSkipVerify:
type: boolean
region:
type: string
type: object
type: object
required:
- resourceSetName
type: object
status:
properties:
backupType:
type: string
conditions:
items:
properties:
lastTransitionTime:
type: string
lastUpdateTime:
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
type: object
nullable: true
type: array
filename:
type: string
lastSnapshotTs:
type: string
nextSnapshotAt:
type: string
observedGeneration:
type: integer
storageLocation:
type: string
summary:
type: string
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true

94
charts/rancher-backup-crd/rancher-backup-crd/2.0.0+up2.0.0-rc1/templates/resourceset.yaml Normal file
View File

@ -0,0 +1,94 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: resourcesets.resources.cattle.io
spec:
group: resources.cattle.io
names:
kind: ResourceSet
plural: resourcesets
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
controllerReferences:
items:
properties:
apiVersion:
type: string
name:
type: string
namespace:
type: string
replicas:
type: integer
resource:
type: string
type: object
nullable: true
type: array
resourceSelectors:
items:
properties:
apiVersion:
type: string
kinds:
items:
type: string
nullable: true
type: array
kindsRegexp:
type: string
labelSelectors:
nullable: true
properties:
matchExpressions:
items:
properties:
key:
type: string
operator:
type: string
values:
items:
type: string
nullable: true
type: array
type: object
nullable: true
type: array
matchLabels:
additionalProperties:
type: string
nullable: true
type: object
type: object
namespaceRegexp:
type: string
namespaces:
items:
type: string
nullable: true
type: array
resourceNameRegexp:
type: string
resourceNames:
items:
type: string
nullable: true
type: array
type: object
nullable: true
required:
- apiVersion
type: array
required:
- resourceSelectors
type: object
version: v1
versions:
- name: v1
served: true
storage: true

102
charts/rancher-backup-crd/rancher-backup-crd/2.0.0+up2.0.0-rc1/templates/restore.yaml Normal file
View File

@ -0,0 +1,102 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
name: restores.resources.cattle.io
spec:
additionalPrinterColumns:
- JSONPath: .status.backupSource
name: Backup-Source
type: string
- JSONPath: .spec.backupFilename
name: Backup-File
type: string
- JSONPath: .metadata.creationTimestamp
name: Age
type: date
- JSONPath: .status.conditions[?(@.type=="Ready")].message
name: Status
type: string
group: resources.cattle.io
names:
kind: Restore
plural: restores
scope: Cluster
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
backupFilename:
type: string
deleteTimeoutSeconds:
maximum: 10
type: integer
encryptionConfigSecretName:
type: string
prune:
nullable: true
type: boolean
storageLocation:
nullable: true
properties:
s3:
nullable: true
properties:
bucketName:
type: string
credentialSecretName:
type: string
credentialSecretNamespace:
type: string
endpoint:
type: string
endpointCA:
type: string
folder:
type: string
insecureTLSSkipVerify:
type: boolean
region:
type: string
type: object
type: object
required:
- backupFilename
type: object
status:
properties:
backupSource:
type: string
conditions:
items:
properties:
lastTransitionTime:
type: string
lastUpdateTime:
type: string
message:
type: string
reason:
type: string
status:
type: string
type:
type: string
type: object
nullable: true
type: array
observedGeneration:
type: integer
restoreCompletionTs:
type: string
summary:
type: string
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true

20
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/Chart.yaml Normal file
View File

@ -0,0 +1,20 @@
annotations:
catalog.cattle.io/auto-install: rancher-backup-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: Rancher Backups
catalog.cattle.io/namespace: cattle-resources-system
catalog.cattle.io/os: linux
catalog.cattle.io/provides-gvr: resources.cattle.io.resourceset/v1
catalog.cattle.io/release-name: rancher-backup
catalog.cattle.io/scope: management
catalog.cattle.io/ui-component: rancher-backup
apiVersion: v2
appVersion: 2.0.0-rc1
description: Provides ability to back up and restore the Rancher application running
on any Kubernetes cluster
icon: https://charts.rancher.io/assets/logos/backup-restore.svg
keywords:
- applications
- infrastructure
name: rancher-backup
version: 2.0.0+up2.0.0-rc1

70
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/README.md Normal file
View File

@ -0,0 +1,70 @@
# Rancher Backup
This chart provides ability to back up and restore the Rancher application running on any Kubernetes cluster.
Refer [this](https://github.com/rancher/backup-restore-operator) repository for implementation details.
-----
### Get Repo Info
```bash
helm repo add rancher-chart https://charts.rancher.io
helm repo update
```
-----
### Install Chart
```bash
helm install rancher-backup-crd rancher-chart/rancher-backup-crd -n cattle-resources-system --create-namespace
helm install rancher-backup rancher-chart/rancher-backup -n cattle-resources-system
```
-----
### Configuration
The following table lists the configurable parameters of the rancher-backup chart and their default values:
| Parameter | Description | Default |
|----------|---------------|-------|
| image.repository | Container image repository | rancher/backup-restore-operator |
| image.tag | Container image tag | v0.1.0-rc1 |
| s3.enabled | Configure S3 compatible default storage location. Current version supports S3 and MinIO | false |
| s3.credentialSecretName | Name of the Secret containing S3 credentials. This is an optional field. Skip this field in order to use IAM Role authentication. The Secret must contain following two keys, `accessKey` and `secretKey` | "" |
| s3.credentialSecretNamespace | Namespace of the Secret containing S3 credentials. This can be any namespace. | "" |
| s3.region | Region of the S3 Bucket (Required for S3, not valid for MinIO) | "" |
| s3.bucketName | Name of the Bucket | "" |
| s3.folder | Base folder within the Bucket (optional) | "" |
| s3.endpoint | Endpoint for the S3 storage provider | "" |
| s3.endpointCA | Base64 encoded CA cert for the S3 storage provider (optional) | "" |
| s3.insecureTLSSkipVerify | Skip SSL verification | false |
| persistence.enabled | Configure a Persistent Volume as the default storage location. It accepts either a StorageClass name to create a PVC, or directly accepts the PV to use. The Persistent Volume is mounted at `/var/lib/backups` in the operator pod | false |
| persistence.storageClass | StorageClass to use for dynamically provisioning the Persistent Volume, which will be used for storing backups | "" |
| persistence.volumeName | Persistent Volume to use for storing backups | "" |
| persistence.size | Requested size of the Persistent Volume (Applicable when using dynamic provisioning) | "" |
| nodeSelector | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#nodeselector | {} |
| tolerations | https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration | [] |
| affinity | https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity | {} |
| serviceAccount.annotations | Annotations to apply to created service account | {} |
-----
### CRDs
Refer [this](https://github.com/rancher/backup-restore-operator#crds) section for information on CRDs that this chart installs. Also refer [this](https://github.com/rancher/backup-restore-operator/tree/master/examples) folder containing sample manifests for the CRDs.
-----
### Upgrading Chart
```bash
helm upgrade rancher-backup-crd -n cattle-resources-system
helm upgrade rancher-backup -n cattle-resources-system
```
-----
### Uninstall Chart
```bash
helm uninstall rancher-backup -n cattle-resources-system
helm uninstall rancher-backup-crd -n cattle-resources-system
```

15
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/app-readme.md Normal file
View File

@ -0,0 +1,15 @@
# Rancher Backup
This chart enables ability to capture backups of the Rancher application and restore from these backups. This chart can be used to migrate Rancher from one Kubernetes cluster to a different Kubernetes cluster.
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/backups/v2.5/).
This chart installs the following components:
- [backup-restore-operator](https://github.com/rancher/backup-restore-operator)
- The operator handles backing up all Kubernetes resources and CRDs that Rancher creates and manages from the local cluster. It gathers these resources by querying the Kubernetes API server, packages all the resources to create a tarball file and saves it in the configured backup storage location.
- The operator can be configured to store backups in S3-compatible object stores such as AWS S3 and MinIO, and in persistent volumes. During deployment, you can create a default storage location, but there is always the option to override the default storage location with each backup, but will be limited to using an S3-compatible object store.
- It preserves the ownerReferences on all resources, hence maintaining dependencies between objects.
- This operator provides encryption support, to encrypt user specified resources before saving them in the backup file. It uses the same encryption configuration that is used to enable [Kubernetes Encryption at Rest](https://kubernetes.io/docs/tasks/administer-cluster/encrypt-data/).
- Backup - A backup is a CRD (`Backup`) that defines when to take backups, where to store the backup and what encryption to use (optional). Backups can be taken ad hoc or scheduled to be taken in intervals.
- Restore - A restore is a CRD (`Restore`) that defines which backup to use to restore the Rancher application to.

25
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/files/default-resourceset-contents/aks.yaml Normal file
View File

@ -0,0 +1,25 @@
- apiVersion: "apiextensions.k8s.io/v1beta1"
kindsRegexp: "."
resourceNameRegexp: "aks.cattle.io$"
- apiVersion: "aks.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaces:
- "cattle-system"
resourceNames:
- "aks-config-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "aks-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "aks-operator"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "cattle-system"
resourceNames:
- "aks-operator"

17
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/files/default-resourceset-contents/eks.yaml Normal file
View File

@ -0,0 +1,17 @@
- apiVersion: "eks.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "eks-config-operator"
- apiVersion: "apiextensions.k8s.io/v1beta1"
kindsRegexp: "."
resourceNameRegexp: "eks.cattle.io$"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "eks-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "eks-operator"

49
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/files/default-resourceset-contents/fleet.yaml Normal file
View File

@ -0,0 +1,49 @@
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNameRegexp: "^fleet-|^cluster-fleet-"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^fleet-|^cluster-fleet-"
labelSelectors:
matchExpressions:
- key: "owner"
operator: "NotIn"
values: ["helm"]
- key: "fleet.cattle.io/managed"
operator: "In"
values: ["true"]
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaceRegexp: "^fleet-|^cluster-fleet-"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
namespaceRegexp: "^fleet-|^cluster-fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
namespaceRegexp: "^fleet-|^cluster-fleet-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNameRegexp: "^fleet-|^gitjob-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNameRegexp: "^fleet-"
resourceNames:
- "gitjob"
- apiVersion: "apiextensions.k8s.io/v1beta1"
kindsRegexp: "."
resourceNameRegexp: "fleet.cattle.io$|gitjob.cattle.io$"
- apiVersion: "fleet.cattle.io/v1alpha1"
kindsRegexp: "."
- apiVersion: "gitjob.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaceRegexp: "^fleet-|^cluster-fleet-"
resourceNameRegexp: "^fleet-"
resourceNames:
- "gitjob"
- apiVersion: "apps/v1"
kindsRegexp: "^services$"
namespaceRegexp: "^fleet-|^cluster-fleet-"
resourceNames:
- "gitjob"

17
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/files/default-resourceset-contents/gke.yaml Normal file
View File

@ -0,0 +1,17 @@
- apiVersion: "apiextensions.k8s.io/v1beta1"
kindsRegexp: "."
resourceNameRegexp: "gke.cattle.io$"
- apiVersion: "gke.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "gke-config-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "gke-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "gke-operator"

27
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/files/default-resourceset-contents/rancher-operator.yaml Normal file
View File

@ -0,0 +1,27 @@
- apiVersion: "rancher.cattle.io/v1"
kindsRegexp: "."
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
resourceNames:
- "rancher-operator"
namespaces:
- "rancher-operator-system"
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaces:
- "rancher-operator-system"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNames:
- "rancher-operator"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNames:
- "rancher-operator"
- apiVersion: "apiextensions.k8s.io/v1beta1"
kindsRegexp: "."
resourceNameRegexp: "rancher.cattle.io$"
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNames:
- "rancher-operator-system"

44
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/files/default-resourceset-contents/rancher.yaml Normal file
View File

@ -0,0 +1,44 @@
- apiVersion: "v1"
kindsRegexp: "^namespaces$"
resourceNameRegexp: "^cattle-|^p-|^c-|^user-|^u-"
resourceNames:
- "local"
- apiVersion: "apps/v1"
kindsRegexp: "^deployments$"
namespaces:
- "cattle-system"
- apiVersion: "v1"
kindsRegexp: "^secrets$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
labelSelectors:
matchExpressions:
- key: "owner"
operator: "NotIn"
values: ["helm"]
- apiVersion: "v1"
kindsRegexp: "^serviceaccounts$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
- apiVersion: "v1"
kindsRegexp: "^configmaps$"
namespaces:
- "cattle-system"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^roles$|^rolebindings$"
namespaceRegexp: "^cattle-|^p-|^c-|^local$|^user-|^u-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterrolebindings$"
resourceNameRegexp: "^cattle-|^clusterrolebinding-|^globaladmin-user-|^grb-u-|^crb-"
- apiVersion: "rbac.authorization.k8s.io/v1"
kindsRegexp: "^clusterroles$"
resourceNameRegexp: "^cattle-|^p-|^c-|^local-|^user-|^u-|^project-|^create-ns$"
- apiVersion: "apiextensions.k8s.io/v1beta1"
kindsRegexp: "."
resourceNameRegexp: "management.cattle.io$|project.cattle.io$|catalog.cattle.io$|resources.cattle.io$"
- apiVersion: "management.cattle.io/v3"
kindsRegexp: "."
- apiVersion: "project.cattle.io/v3"
kindsRegexp: "."
- apiVersion: "catalog.cattle.io/v1"
kindsRegexp: "^clusterrepos$"
- apiVersion: "resources.cattle.io/v1"
kindsRegexp: "^ResourceSet$"

83
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,83 @@
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux-node-tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}
{{- define "linux-node-selector" -}}
{{- if semverCompare "<1.14-0" .Capabilities.KubeVersion.GitVersion -}}
beta.kubernetes.io/os: linux
{{- else -}}
kubernetes.io/os: linux
{{- end -}}
{{- end -}}
{{/*
Create a default fully qualified app name.
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
*/}}
{{- define "backupRestore.fullname" -}}
{{- .Chart.Name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "backupRestore.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "backupRestore.labels" -}}
helm.sh/chart: {{ include "backupRestore.chart" . }}
{{ include "backupRestore.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "backupRestore.selectorLabels" -}}
app.kubernetes.io/name: {{ include "backupRestore.fullname" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
resources.cattle.io/operator: backup-restore
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "backupRestore.serviceAccountName" -}}
{{ include "backupRestore.fullname" . }}
{{- end }}
{{- define "backupRestore.s3SecretName" -}}
{{- printf "%s-%s" .Chart.Name "s3" | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create PVC name using release and revision number.
*/}}
{{- define "backupRestore.pvcName" -}}
{{- printf "%s-%d" .Release.Name .Release.Revision }}
{{- end }}

14
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/clusterrolebinding.yaml Normal file
View File

@ -0,0 +1,14 @@
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: {{ include "backupRestore.fullname" . }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
subjects:
- kind: ServiceAccount
name: {{ include "backupRestore.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

62
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/deployment.yaml Normal file
View File

@ -0,0 +1,62 @@
{{- if and .Values.s3.enabled .Values.persistence.enabled }}
{{- fail "\n\nCannot configure both s3 and PV for storing backups" }}
{{- end }}
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "backupRestore.fullname" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
spec:
selector:
matchLabels:
{{- include "backupRestore.selectorLabels" . | nindent 6 }}
template:
metadata:
labels:
{{- include "backupRestore.selectorLabels" . | nindent 8 }}
annotations:
checksum/s3: {{ include (print $.Template.BasePath "/s3-secret.yaml") . | sha256sum }}
checksum/pvc: {{ include (print $.Template.BasePath "/pvc.yaml") . | sha256sum }}
spec:
serviceAccountName: {{ include "backupRestore.serviceAccountName" . }}
{{- if .Values.priorityClassName }}
priorityClassName: {{ .Values.priorityClassName }}
{{- end }}
containers:
- name: {{ .Chart.Name }}
image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }}
imagePullPolicy: Always
env:
- name: CHART_NAMESPACE
value: {{ .Release.Namespace }}
{{- if .Values.s3.enabled }}
- name: DEFAULT_S3_BACKUP_STORAGE_LOCATION
value: {{ include "backupRestore.s3SecretName" . }}
{{- end }}
{{- if .Values.persistence.enabled }}
- name: DEFAULT_PERSISTENCE_ENABLED
value: "persistence-enabled"
volumeMounts:
- mountPath: "/var/lib/backups"
name: pv-storage
volumes:
- name: pv-storage
persistentVolumeClaim:
claimName: {{ include "backupRestore.pvcName" . }}
{{- end }}
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux-node-tolerations" . | nindent 8}}
{{- with .Values.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}

114
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/hardened.yaml Normal file
View File

@ -0,0 +1,114 @@
apiVersion: batch/v1
kind: Job
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
backoffLimit: 1
template:
spec:
serviceAccountName: {{ include "backupRestore.fullname" . }}-patch-sa
securityContext:
runAsNonRoot: true
runAsUser: 1000
restartPolicy: Never
nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
containers:
- name: {{ include "backupRestore.fullname" . }}-patch-sa
image: {{ include "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}
imagePullPolicy: IfNotPresent
command: ["kubectl", "-n", {{ .Release.Namespace | quote }}, "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
rules:
- apiGroups: [""]
resources: ["serviceaccounts"]
verbs: ["get", "patch"]
- apiGroups: ["policy"]
resources: ["podsecuritypolicies"]
verbs: ["use"]
resourceNames:
- {{ include "backupRestore.fullname" . }}-patch-sa
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: {{ include "backupRestore.fullname" . }}-patch-sa
subjects:
- kind: ServiceAccount
name: {{ include "backupRestore.fullname" . }}-patch-sa
namespace: {{ .Release.Namespace }}
---
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-patch-sa
labels: {{ include "backupRestore.labels" . | nindent 4 }}
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
privileged: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'secret'
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-default-allow-all
namespace: {{ .Release.Namespace }}
spec:
podSelector: {}
egress:
- {}
policyTypes:
- Ingress
- Egress

29
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/psp.yaml Normal file
View File

@ -0,0 +1,29 @@
apiVersion: policy/v1beta1
kind: PodSecurityPolicy
metadata:
name: {{ include "backupRestore.fullname" . }}-psp
labels: {{ include "backupRestore.labels" . | nindent 4 }}
spec:
privileged: false
allowPrivilegeEscalation: false
hostNetwork: false
hostIPC: false
hostPID: false
runAsUser:
rule: 'MustRunAsNonRoot'
seLinux:
rule: 'RunAsAny'
supplementalGroups:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
fsGroup:
rule: 'MustRunAs'
ranges:
- min: 1
max: 65535
readOnlyRootFilesystem: false
volumes:
- 'persistentVolumeClaim'
- 'secret'

27
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/pvc.yaml Normal file
View File

@ -0,0 +1,27 @@
{{- if and .Values.persistence.enabled -}}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "backupRestore.pvcName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
spec:
accessModes:
- ReadWriteOnce
resources:
{{- with .Values.persistence }}
requests:
storage: {{ .size | quote }}
{{- if .storageClass }}
{{- if (eq "-" .storageClass) }}
storageClassName: ""
{{- else }}
storageClassName: {{ .storageClass | quote }}
{{- end }}
{{- end }}
{{- if .volumeName }}
volumeName: {{ .volumeName | quote }}
{{- end }}
{{- end }}
{{- end }}

13
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/rancher-resourceset.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: resources.cattle.io/v1
kind: ResourceSet
metadata:
name: rancher-resource-set
controllerReferences:
- apiVersion: "apps/v1"
resource: "deployments"
name: "rancher"
namespace: "cattle-system"
resourceSelectors:
{{- range $path, $_ := .Files.Glob "files/default-resourceset-contents/*.yaml" -}}
{{- $.Files.Get $path | nindent 2 -}}
{{- end -}}

31
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/s3-secret.yaml Normal file
View File

@ -0,0 +1,31 @@
{{- if .Values.s3.enabled -}}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "backupRestore.s3SecretName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
type: Opaque
stringData:
{{- with .Values.s3 }}
{{- if .credentialSecretName }}
credentialSecretName: {{ .credentialSecretName }}
credentialSecretNamespace: {{ required "When providing a Secret containing S3 credentials, a valid .Values.credentialSecretNamespace must be provided" .credentialSecretNamespace }}
{{- end }}
{{- if .region }}
region: {{ .region | quote }}
{{- end }}
bucketName: {{ required "A valid .Values.bucketName is required for configuring S3 compatible storage as the default backup storage location" .bucketName | quote }}
{{- if .folder }}
folder: {{ .folder | quote }}
{{- end }}
endpoint: {{ required "A valid .Values.endpoint is required for configuring S3 compatible storage as the default backup storage location" .endpoint | quote }}
{{- if .endpointCA }}
endpointCA: {{ .endpointCA }}
{{- end }}
{{- if .insecureTLSSkipVerify }}
insecureTLSSkipVerify: {{ .insecureTLSSkipVerify | quote }}
{{- end }}
{{- end }}
{{ end }}

11
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,11 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "backupRestore.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels:
{{- include "backupRestore.labels" . | nindent 4 }}
{{- if .Values.serviceAccount.annotations }}
annotations:
{{- toYaml .Values.serviceAccount.annotations | nindent 4 }}
{{- end }}

16
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,16 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "resources.cattle.io/v1/Backup" false -}}
# {{- set $found "resources.cattle.io/v1/ResourceSet" false -}}
# {{- set $found "resources.cattle.io/v1/Restore" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

57
charts/rancher-backup/rancher-backup/2.0.0+up2.0.0-rc1/values.yaml Normal file
View File

@ -0,0 +1,57 @@
image:
repository: rancher/backup-restore-operator
tag: v2.0.0-rc1
## Default s3 bucket for storing all backup files created by the backup-restore-operator
s3:
enabled: false
## credentialSecretName if set, should be the name of the Secret containing AWS credentials.
## To use IAM Role, don't set this field
credentialSecretName: ""
credentialSecretNamespace: ""
region: ""
bucketName: ""
folder: ""
endpoint: ""
endpointCA: ""
insecureTLSSkipVerify: false
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
## If persistence is enabled, operator will create a PVC with mountPath /var/lib/backups
persistence:
enabled: false
## If defined, storageClassName: <storageClass>
## If set to "-", storageClassName: "", which disables dynamic provisioning
## If undefined (the default) or set to null, no storageClassName spec is
## set, choosing the default provisioner. (gp2 on AWS, standard on
## GKE, AWS & OpenStack).
## Refer https://kubernetes.io/docs/concepts/storage/persistent-volumes/#class-1
##
storageClass: "-"
## If you want to disable dynamic provisioning by setting storageClass to "-" above,
## and want to target a particular PV, provide name of the target volume
volumeName: ""
## Only certain StorageClasses allow resizing PVs; Refer https://kubernetes.io/blog/2018/07/12/resizing-persistent-volumes-using-kubernetes/
size: 2Gi
global:
cattle:
systemDefaultRegistry: ""
kubectl:
repository: rancher/kubectl
tag: v2.0.0-rc1
nodeSelector: {}
tolerations: []
affinity: {}
serviceAccount:
annotations: {}
priorityClassName: ""

10
charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.0/Chart.yaml Normal file
View File

@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/release-name: rancher-cis-benchmark-crd
apiVersion: v1
description: Installs the CRDs for rancher-cis-benchmark.
name: rancher-cis-benchmark-crd
type: application
version: 2.0.0

2
charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.0/README.md Normal file
View File

@ -0,0 +1,2 @@
# rancher-cis-benchmark-crd
A Rancher chart that installs the CRDs used by rancher-cis-benchmark.

146
charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.0/templates/clusterscan.yaml Normal file
View File

@ -0,0 +1,146 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscans.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScan
plural: clusterscans
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .status.lastRunScanProfileName
name: ClusterScanProfile
type: string
- jsonPath: .status.summary.total
name: Total
type: string
- jsonPath: .status.summary.pass
name: Pass
type: string
- jsonPath: .status.summary.fail
name: Fail
type: string
- jsonPath: .status.summary.skip
name: Skip
type: string
- jsonPath: .status.summary.warn
name: Warn
type: string
- jsonPath: .status.summary.notApplicable
name: Not Applicable
type: string
- jsonPath: .status.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.scheduledScanConfig.cronSchedule
name: CronSchedule
type: string
schema:
openAPIV3Schema:
properties:
spec:
properties:
scanProfileName:
nullable: true
type: string
scheduledScanConfig:
nullable: true
properties:
cronSchedule:
nullable: true
type: string
retentionCount:
type: integer
scanAlertRule:
nullable: true
properties:
alertOnComplete:
type: boolean
alertOnFailure:
type: boolean
type: object
type: object
scoreWarning:
enum:
- pass
- fail
nullable: true
type: string
type: object
status:
properties:
NextScanAt:
nullable: true
type: string
ScanAlertingRuleName:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
display:
nullable: true
properties:
error:
type: boolean
message:
nullable: true
type: string
state:
nullable: true
type: string
transitioning:
type: boolean
type: object
lastRunScanProfileName:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
observedGeneration:
type: integer
summary:
nullable: true
properties:
fail:
type: integer
notApplicable:
type: integer
pass:
type: integer
skip:
type: integer
total:
type: integer
warn:
type: integer
type: object
type: object
type: object

54
charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.0/templates/clusterscanbenchmark.yaml Normal file
View File

@ -0,0 +1,54 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanbenchmarks.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanBenchmark
plural: clusterscanbenchmarks
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.clusterProvider
name: ClusterProvider
type: string
- jsonPath: .spec.minKubernetesVersion
name: MinKubernetesVersion
type: string
- jsonPath: .spec.maxKubernetesVersion
name: MaxKubernetesVersion
type: string
- jsonPath: .spec.customBenchmarkConfigMapName
name: customBenchmarkConfigMapName
type: string
- jsonPath: .spec.customBenchmarkConfigMapNamespace
name: customBenchmarkConfigMapNamespace
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
clusterProvider:
nullable: true
type: string
customBenchmarkConfigMapName:
nullable: true
type: string
customBenchmarkConfigMapNamespace:
nullable: true
type: string
maxKubernetesVersion:
nullable: true
type: string
minKubernetesVersion:
nullable: true
type: string
type: object
type: object

36
charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.0/templates/clusterscanprofile.yaml Normal file
View File

@ -0,0 +1,36 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanprofiles.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanProfile
plural: clusterscanprofiles
scope: Cluster
versions:
- name: v1
served: true
storage: true
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
benchmarkVersion:
nullable: true
type: string
skipTests:
items:
nullable: true
type: string
nullable: true
type: array
type: object
type: object
additionalPrinterColumns:
- jsonPath: .spec.benchmarkVersion
name: BenchmarkVersion
type: string

39
charts/rancher-cis-benchmark/rancher-cis-benchmark-crd/2.0.0/templates/clusterscanreport.yaml Normal file
View File

@ -0,0 +1,39 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscanreports.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScanReport
plural: clusterscanreports
scope: Cluster
versions:
- name: v1
served: true
storage: true
additionalPrinterColumns:
- jsonPath: .spec.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.benchmarkVersion
name: BenchmarkVersion
type: string
subresources:
status: {}
schema:
openAPIV3Schema:
properties:
spec:
properties:
benchmarkVersion:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
reportJSON:
nullable: true
type: string
type: object
type: object

18
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/Chart.yaml Normal file
View File

@ -0,0 +1,18 @@
annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: CIS Benchmark
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
catalog.cattle.io/release-name: rancher-cis-benchmark
catalog.cattle.io/ui-component: rancher-cis-benchmark
apiVersion: v1
appVersion: v1.0.5
description: The cis-operator enables running CIS benchmark security scans on a kubernetes
cluster
icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
keywords:
- security
name: rancher-cis-benchmark
version: 2.0.0

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/README.md Normal file
View File

@ -0,0 +1,9 @@
# Rancher CIS Benchmark Chart
The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
# Installation
```
helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
```

15
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/app-readme.md Normal file
View File

@ -0,0 +1,15 @@
# Rancher CIS Benchmarks
This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/).
This chart installs the following components:
- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
- If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
- Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.

23
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/_helpers.tpl Normal file
View File

@ -0,0 +1,23 @@
{{/* Ensure namespace is set the same everywhere */}}
{{- define "cis.namespace" -}}
{{- .Release.Namespace | default "cis-operator-system" -}}
{{- end -}}
{{- define "system_default_registry" -}}
{{- if .Values.global.cattle.systemDefaultRegistry -}}
{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
{{- else -}}
{{- "" -}}
{{- end -}}
{{- end -}}
{{/*
Windows cluster will add default taint for linux nodes,
add below linux tolerations to workloads could be scheduled to those linux nodes
*/}}
{{- define "linux_node_tolerations" -}}
- key: "cattle.io/os"
value: "linux"
effect: "NoSchedule"
operator: "Equal"
{{- end -}}

14
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/alertingrule.yaml Normal file
View File

@ -0,0 +1,14 @@
{{- if .Values.alerts.enabled -}}
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
name: rancher-cis-pod-monitor
namespace: {{ template "cis.namespace" . }}
spec:
selector:
matchLabels:
cis.cattle.io/operator: cis-operator
podMetricsEndpoints:
- port: cismetrics
{{- end }}

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-cis-1.5.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.5
spec:
clusterProvider: ""
minKubernetesVersion: "1.15.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-cis-1.6.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.6
spec:
clusterProvider: ""
minKubernetesVersion: "1.16.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-eks-1.0.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: eks-1.0
spec:
clusterProvider: eks
minKubernetesVersion: "1.15.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-gke-1.0.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: gke-1.0
spec:
clusterProvider: gke
minKubernetesVersion: "1.15.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-k3s-cis-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.6-hardened
spec:
clusterProvider: k3s
minKubernetesVersion: "1.20.5"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-k3s-cis-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: k3s-cis-1.6-permissive
spec:
clusterProvider: k3s
minKubernetesVersion: "1.20.5"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke-cis-1.5-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke-cis-1.5-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke-cis-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.6-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.16.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke-cis-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.6-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.16.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke2-cis-1.5-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.5-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.18.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke2-cis-1.5-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.5-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.18.0"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke2-cis-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.6-hardened
spec:
clusterProvider: rke2
minKubernetesVersion: "1.20.5"

8
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/benchmark-rke2-cis-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke2-cis-1.6-permissive
spec:
clusterProvider: rke2
minKubernetesVersion: "1.20.5"

49
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/cis-roles.yaml Normal file
View File

@ -0,0 +1,49 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cis-admin
rules:
- apiGroups:
- cis.cattle.io
resources:
- clusterscanbenchmarks
- clusterscanprofiles
- clusterscans
- clusterscanreports
verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
- apiGroups:
- catalog.cattle.io
resources: ["apps"]
resourceNames: ["rancher-cis-benchmark"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
resources:
- configmaps
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: cis-view
rules:
- apiGroups:
- cis.cattle.io
resources:
- clusterscanbenchmarks
- clusterscanprofiles
- clusterscans
- clusterscanreports
verbs: ["get", "watch", "list"]
- apiGroups:
- catalog.cattle.io
resources: ["apps"]
resourceNames: ["rancher-cis-benchmark"]
verbs: ["get", "watch", "list"]
- apiGroups:
- ""
resources:
- configmaps
verbs: ["get", "watch", "list"]

17
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/configmap.yaml Normal file
View File

@ -0,0 +1,17 @@
kind: ConfigMap
apiVersion: v1
metadata:
name: default-clusterscanprofiles
namespace: {{ template "cis.namespace" . }}
data:
# Default ClusterScanProfiles per cluster provider type
rke: |-
<1.16.0: rke-profile-permissive-1.5
>=1.16.0: rke-profile-permissive-1.6
rke2: |-
<1.20.5: rke2-cis-1.5-profile-permissive
>=1.20.5: rke2-cis-1.6-profile-permissive
eks: "eks-profile"
gke: "gke-profile"
k3s: "k3s-cis-1.6-profile-permissive"
default: "cis-1.6-profile"

57
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/deployment.yaml Normal file
View File

@ -0,0 +1,57 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cis-operator
namespace: {{ template "cis.namespace" . }}
labels:
cis.cattle.io/operator: cis-operator
spec:
selector:
matchLabels:
cis.cattle.io/operator: cis-operator
template:
metadata:
labels:
cis.cattle.io/operator: cis-operator
spec:
serviceAccountName: cis-operator-serviceaccount
containers:
- name: cis-operator
image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
imagePullPolicy: Always
ports:
- name: cismetrics
containerPort: {{ .Values.alerts.metricsPort }}
env:
- name: SECURITY_SCAN_IMAGE
value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
- name: SECURITY_SCAN_IMAGE_TAG
value: {{ .Values.image.securityScan.tag }}
- name: SONOBUOY_IMAGE
value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
- name: SONOBUOY_IMAGE_TAG
value: {{ .Values.image.sonobuoy.tag }}
- name: CIS_ALERTS_METRICS_PORT
value: '{{ .Values.alerts.metricsPort }}'
- name: CIS_ALERTS_SEVERITY
value: {{ .Values.alerts.severity }}
- name: CIS_ALERTS_ENABLED
value: {{ .Values.alerts.enabled | default "false" | quote }}
- name: CLUSTER_NAME
value: {{ .Values.global.cattle.clusterName }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
nodeSelector:
kubernetes.io/os: linux
{{- with .Values.nodeSelector }}
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
tolerations:
{{- include "linux_node_tolerations" . | nindent 8}}
{{- with .Values.tolerations }}
{{- toYaml . | nindent 8 }}
{{- end }}

15
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/network_policy_allow_all.yaml Normal file
View File

@ -0,0 +1,15 @@
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-allow-all
namespace: {{ template "cis.namespace" . }}
spec:
podSelector: {}
ingress:
- {}
egress:
- {}
policyTypes:
- Ingress
- Egress

20
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/patch_default_serviceaccount.yaml Normal file
View File

@ -0,0 +1,20 @@
---
apiVersion: batch/v1
kind: Job
metadata:
name: patch-sa
annotations:
"helm.sh/hook": post-install, post-upgrade
"helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
spec:
template:
spec:
serviceAccountName: cis-operator-serviceaccount
restartPolicy: Never
containers:
- name: sa
image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
imagePullPolicy: {{ .Values.global.imagePullPolicy }}
command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
args: ["-n", {{ template "cis.namespace" . }}]
backoffLimit: 1

43
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/rbac.yaml Normal file
View File

@ -0,0 +1,43 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-role
rules:
- apiGroups:
- '*'
resources:
- '*'
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-operator-rolebinding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cis-operator-role
subjects:
- kind: ServiceAccount
name: cis-serviceaccount
namespace: {{ template "cis.namespace" . }}
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: cis-operator-installer
subjects:
- kind: ServiceAccount
name: cis-operator-serviceaccount
namespace: {{ template "cis.namespace" . }}
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-cis-1.5.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.5-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.5

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-cis-1.6.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.6-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.6

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-k3s-cis-1.6-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.6-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.6-hardened

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-k3s-cis-1.6-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: k3s-cis-1.6-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: k3s-cis-1.6-permissive

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke-1.5-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.5
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.5-hardened

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke-1.5-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.5
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.5-permissive

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke-1.6-hardened.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened-1.6
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.6-hardened

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke-1.6-permissive.yaml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive-1.6
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.6-permissive

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke2-cis-1.5-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.5-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.5-hardened

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke2-cis-1.5-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.5-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.5-permissive

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke2-cis-1.6-hardened.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.6-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.6-hardened

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofile-rke2-cis-1.6-permissive.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke2-cis-1.6-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke2-cis-1.6-permissive

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofileeks.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: eks-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: eks-1.0

9
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/scanprofilegke.yml Normal file
View File

@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: gke-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: gke-1.0

14
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/serviceaccount.yaml Normal file
View File

@ -0,0 +1,14 @@
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{ template "cis.namespace" . }}
name: cis-operator-serviceaccount
---
apiVersion: v1
kind: ServiceAccount
metadata:
namespace: {{ template "cis.namespace" . }}
labels:
app.kubernetes.io/name: rancher-cis-benchmark
app.kubernetes.io/instance: release-name
name: cis-serviceaccount

17
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/templates/validate-install-crd.yaml Normal file
View File

@ -0,0 +1,17 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}

45
charts/rancher-cis-benchmark/rancher-cis-benchmark/2.0.0/values.yaml Normal file
View File

@ -0,0 +1,45 @@
# Default values for rancher-cis-benchmark.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
image:
cisoperator:
repository: rancher/cis-operator
tag: v1.0.5-rc1
securityScan:
repository: rancher/security-scan
tag: v0.2.3
sonobuoy:
repository: rancher/mirrored-sonobuoy-sonobuoy
tag: v0.16.3
resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little
# resources, such as Minikube. If you do want to specify resources, uncomment the following
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
nodeSelector: {}
tolerations: []
affinity: {}
global:
cattle:
systemDefaultRegistry: ""
clusterName: ""
kubectl:
repository: rancher/kubectl
tag: v1.20.2
alerts:
enabled: false
severity: warning
metricsPort: 8080

11
charts/rancher-eks-operator-crd/rancher-eks-operator-crd/2.0.0+up1.1.1-rc2/Chart.yaml Normal file
View File

@ -0,0 +1,11 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cattle-system
catalog.cattle.io/os: linux
catalog.cattle.io/release-name: rancher-eks-operator-crd
apiVersion: v2
appVersion: 1.1.1-rc2
description: EKS Operator CustomResourceDefinitions
name: rancher-eks-operator-crd
version: 2.0.0+up1.1.1-rc2

216
charts/rancher-eks-operator-crd/rancher-eks-operator-crd/2.0.0+up1.1.1-rc2/templates/crds.yaml Normal file
View File

@ -0,0 +1,216 @@
apiVersion: apiextensions.k8s.io/v1beta1
kind: CustomResourceDefinition
metadata:
annotations:
helm.sh/resource-policy: keep
name: eksclusterconfigs.eks.cattle.io
spec:
group: eks.cattle.io
names:
kind: EKSClusterConfig
plural: eksclusterconfigs
shortNames:
- ekscc
scope: Namespaced
subresources:
status: {}
validation:
openAPIV3Schema:
properties:
spec:
properties:
amazonCredentialSecret:
nullable: true
type: string
displayName:
nullable: true
type: string
imported:
type: boolean
kmsKey:
nullable: true
type: string
kubernetesVersion:
nullable: true
type: string
loggingTypes:
items:
nullable: true
type: string
nullable: true
type: array
nodeGroups:
items:
properties:
desiredSize:
nullable: true
type: integer
diskSize:
nullable: true
type: integer
ec2SshKey:
nullable: true
type: string
gpu:
nullable: true
type: boolean
imageId:
nullable: true
type: string
instanceType:
nullable: true
type: string
labels:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
launchTemplate:
nullable: true
properties:
id:
nullable: true
type: string
name:
nullable: true
type: string
version:
nullable: true
type: integer
type: object
maxSize:
nullable: true
type: integer
minSize:
nullable: true
type: integer
nodegroupName:
nullable: true
type: string
requestSpotInstances:
nullable: true
type: boolean
resourceTags:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
spotInstanceTypes:
items:
nullable: true
type: string
nullable: true
type: array
subnets:
items:
nullable: true
type: string
nullable: true
type: array
tags:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
userData:
nullable: true
type: string
version:
nullable: true
type: string
required:
- nodegroupName
type: object
nullable: true
type: array
privateAccess:
nullable: true
type: boolean
publicAccess:
nullable: true
type: boolean
publicAccessSources:
items:
nullable: true
type: string
nullable: true
type: array
region:
nullable: true
type: string
secretsEncryption:
nullable: true
type: boolean
securityGroups:
items:
nullable: true
type: string
nullable: true
type: array
serviceRole:
nullable: true
type: string
subnets:
items:
nullable: true
type: string
nullable: true
type: array
tags:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
type: object
status:
properties:
failureMessage:
nullable: true
type: string
managedLaunchTemplateID:
nullable: true
type: string
managedLaunchTemplateVersions:
additionalProperties:
nullable: true
type: string
nullable: true
type: object
networkFieldsSource:
nullable: true
type: string
phase:
nullable: true
type: string
securityGroups:
items:
nullable: true
type: string
nullable: true
type: array
subnets:
items:
nullable: true
type: string
nullable: true
type: array
templateVersionsToDelete:
items:
nullable: true
type: string
nullable: true
type: array
virtualNetwork:
nullable: true
type: string
type: object
type: object
version: v1
versions:
- name: v1
served: true
storage: true

Some files were not shown because too many files have changed in this diff Show More