From 20ed188b81045697a34c377a078b28cc07810256 Mon Sep 17 00:00:00 2001 From: Chirayu Kapoor Date: Wed, 25 Oct 2023 18:15:15 +0530 Subject: [PATCH 1/4] Add create verb to access prometheusrules resource of monitoring.coreos.com api group Signed-off-by: Chirayu Kapoor --- packages/rancher-cis-benchmark/charts/templates/rbac.yaml | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/packages/rancher-cis-benchmark/charts/templates/rbac.yaml b/packages/rancher-cis-benchmark/charts/templates/rbac.yaml index 6352b972a..33fb93f04 100644 --- a/packages/rancher-cis-benchmark/charts/templates/rbac.yaml +++ b/packages/rancher-cis-benchmark/charts/templates/rbac.yaml @@ -159,6 +159,12 @@ rules: - "daemonsets" verbs: - "*" +- apiGroups: + - monitoring.coreos.com + resources: + - prometheusrules + verbs: + - create --- apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRoleBinding From 9de1e22d2fbb80f5e75146d8051595100cbd5230 Mon Sep 17 00:00:00 2001 From: Chirayu Kapoor Date: Wed, 25 Oct 2023 18:24:54 +0530 Subject: [PATCH 2/4] bump to v5.1.0-rc1 Signed-off-by: Chirayu Kapoor --- packages/rancher-cis-benchmark/charts/Chart.yaml | 4 ++-- packages/rancher-cis-benchmark/package.yaml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/packages/rancher-cis-benchmark/charts/Chart.yaml b/packages/rancher-cis-benchmark/charts/Chart.yaml index 11df267c1..1ee8c0f8e 100644 --- a/packages/rancher-cis-benchmark/charts/Chart.yaml +++ b/packages/rancher-cis-benchmark/charts/Chart.yaml @@ -12,11 +12,11 @@ annotations: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: rancher-cis-benchmark apiVersion: v1 -appVersion: v5.0.0 +appVersion: v5.1.0-rc1 description: The cis-operator enables running CIS benchmark security scans on a kubernetes cluster icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg keywords: - security name: rancher-cis-benchmark -version: 5.0.0 +version: 5.1.0-rc1 diff --git a/packages/rancher-cis-benchmark/package.yaml b/packages/rancher-cis-benchmark/package.yaml index 49fd030b7..03f3cc968 100644 --- a/packages/rancher-cis-benchmark/package.yaml +++ b/packages/rancher-cis-benchmark/package.yaml @@ -1,5 +1,5 @@ url: local -version: 5.0.0 +version: 5.1.0-rc1 additionalCharts: - workingDir: charts-crd crdOptions: From 7bd5d29f98aa9bdc805caf3570a7a867ded1af97 Mon Sep 17 00:00:00 2001 From: Chirayu Kapoor Date: Wed, 25 Oct 2023 18:26:10 +0530 Subject: [PATCH 3/4] make charts Signed-off-by: Chirayu Kapoor --- .../rancher-cis-benchmark-crd-5.1.0-rc1.tgz | Bin 0 -> 1466 bytes .../rancher-cis-benchmark-5.1.0-rc1.tgz | Bin 0 -> 8390 bytes .../5.1.0-rc1/Chart.yaml | 10 + .../5.1.0-rc1/README.md | 2 + .../5.1.0-rc1/templates/clusterscan.yaml | 148 ++++++++++++ .../templates/clusterscanbenchmark.yaml | 54 +++++ .../templates/clusterscanprofile.yaml | 36 +++ .../templates/clusterscanreport.yaml | 39 ++++ .../5.1.0-rc1/Chart.yaml | 22 ++ .../rancher-cis-benchmark/5.1.0-rc1/README.md | 9 + .../5.1.0-rc1/app-readme.md | 33 +++ .../5.1.0-rc1/templates/_helpers.tpl | 27 +++ .../5.1.0-rc1/templates/alertingrule.yaml | 14 ++ .../templates/benchmark-aks-1.0.yaml | 8 + .../templates/benchmark-cis-1.20.yaml | 9 + .../templates/benchmark-cis-1.23.yaml | 9 + .../templates/benchmark-cis-1.24.yaml | 9 + .../templates/benchmark-cis-1.5.yaml | 9 + .../templates/benchmark-cis-1.6.yaml | 9 + .../templates/benchmark-cis-1.7.yaml | 8 + .../templates/benchmark-eks-1.0.1.yaml | 8 + .../templates/benchmark-gke-1.2.0.yaml | 8 + .../benchmark-k3s-cis-1.20-hardened.yaml | 9 + .../benchmark-k3s-cis-1.20-permissive.yaml | 9 + .../benchmark-k3s-cis-1.23-hardened.yaml | 9 + .../benchmark-k3s-cis-1.23-permissive.yaml | 9 + .../benchmark-k3s-cis-1.24-hardened.yaml | 9 + .../benchmark-k3s-cis-1.24-permissive.yaml | 9 + .../benchmark-k3s-cis-1.6-hardened.yaml | 9 + .../benchmark-k3s-cis-1.6-permissive.yaml | 9 + .../benchmark-k3s-cis-1.7-hardened.yaml | 8 + .../benchmark-k3s-cis-1.7-permissive.yaml | 8 + .../benchmark-rke-cis-1.20-hardened.yaml | 9 + .../benchmark-rke-cis-1.20-permissive.yaml | 9 + .../benchmark-rke-cis-1.23-hardened.yaml | 9 + .../benchmark-rke-cis-1.23-permissive.yaml | 9 + .../benchmark-rke-cis-1.24-hardened.yaml | 9 + .../benchmark-rke-cis-1.24-permissive.yaml | 9 + .../benchmark-rke-cis-1.5-hardened.yaml | 9 + .../benchmark-rke-cis-1.5-permissive.yaml | 9 + .../benchmark-rke-cis-1.6-hardened.yaml | 9 + .../benchmark-rke-cis-1.6-permissive.yaml | 9 + .../benchmark-rke-cis-1.7-hardened.yaml | 8 + .../benchmark-rke-cis-1.7-permissive.yaml | 8 + .../benchmark-rke2-cis-1.20-hardened.yaml | 9 + .../benchmark-rke2-cis-1.20-permissive.yaml | 9 + .../benchmark-rke2-cis-1.23-hardened.yaml | 9 + .../benchmark-rke2-cis-1.23-permissive.yaml | 9 + .../benchmark-rke2-cis-1.24-hardened.yaml | 9 + .../benchmark-rke2-cis-1.24-permissive.yaml | 9 + .../benchmark-rke2-cis-1.5-hardened.yaml | 9 + .../benchmark-rke2-cis-1.5-permissive.yaml | 9 + .../benchmark-rke2-cis-1.6-hardened.yaml | 9 + .../benchmark-rke2-cis-1.6-permissive.yaml | 9 + .../benchmark-rke2-cis-1.7-hardened.yaml | 8 + .../benchmark-rke2-cis-1.7-permissive.yaml | 8 + .../5.1.0-rc1/templates/cis-roles.yaml | 49 ++++ .../5.1.0-rc1/templates/configmap.yaml | 18 ++ .../5.1.0-rc1/templates/deployment.yaml | 61 +++++ .../templates/network_policy_allow_all.yaml | 15 ++ .../patch_default_serviceaccount.yaml | 29 +++ .../5.1.0-rc1/templates/psp.yaml | 59 +++++ .../5.1.0-rc1/templates/rbac.yaml | 219 ++++++++++++++++++ .../templates/scanprofile-cis-1.20.yaml | 9 + .../templates/scanprofile-cis-1.23.yaml | 9 + .../templates/scanprofile-cis-1.24.yaml | 9 + .../templates/scanprofile-cis-1.6.yaml | 9 + .../templates/scanprofile-cis-1.7.yaml | 9 + .../scanprofile-k3s-cis-1.20-hardened.yml | 9 + .../scanprofile-k3s-cis-1.20-permissive.yml | 9 + .../scanprofile-k3s-cis-1.23-hardened.yml | 9 + .../scanprofile-k3s-cis-1.23-permissive.yml | 9 + .../scanprofile-k3s-cis-1.24-hardened.yml | 9 + .../scanprofile-k3s-cis-1.24-permissive.yml | 9 + .../scanprofile-k3s-cis-1.6-hardened.yml | 9 + .../scanprofile-k3s-cis-1.6-permissive.yml | 9 + .../scanprofile-k3s-cis-1.7-hardened.yml | 9 + .../scanprofile-k3s-cis-1.7-permissive.yml | 9 + .../scanprofile-rke-1.20-hardened.yaml | 9 + .../scanprofile-rke-1.20-permissive.yaml | 9 + .../scanprofile-rke-1.23-hardened.yaml | 9 + .../scanprofile-rke-1.23-permissive.yaml | 9 + .../scanprofile-rke-1.24-hardened.yaml | 9 + .../scanprofile-rke-1.24-permissive.yaml | 9 + .../scanprofile-rke-1.6-hardened.yaml | 9 + .../scanprofile-rke-1.6-permissive.yaml | 9 + .../scanprofile-rke-1.7-hardened.yaml | 9 + .../scanprofile-rke-1.7-permissive.yaml | 9 + .../scanprofile-rke2-cis-1.20-hardened.yml | 9 + .../scanprofile-rke2-cis-1.20-permissive.yml | 9 + .../scanprofile-rke2-cis-1.23-hardened.yml | 9 + .../scanprofile-rke2-cis-1.23-permissive.yml | 9 + .../scanprofile-rke2-cis-1.24-hardened.yml | 9 + .../scanprofile-rke2-cis-1.24-permissive.yml | 9 + .../scanprofile-rke2-cis-1.6-hardened.yml | 9 + .../scanprofile-rke2-cis-1.6-permissive.yml | 9 + .../scanprofile-rke2-cis-1.7-hardened.yml | 9 + .../scanprofile-rke2-cis-1.7-permissive.yml | 9 + .../5.1.0-rc1/templates/scanprofileaks.yml | 9 + .../5.1.0-rc1/templates/scanprofileeks.yml | 9 + .../5.1.0-rc1/templates/scanprofilegke.yml | 9 + .../5.1.0-rc1/templates/serviceaccount.yaml | 14 ++ .../templates/validate-install-crd.yaml | 17 ++ .../templates/validate-psp-install.yaml | 7 + .../5.1.0-rc1/values.yaml | 55 +++++ index.yaml | 40 ++++ 106 files changed, 1696 insertions(+) create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.1.0-rc1.tgz create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-5.1.0-rc1.tgz create mode 100644 charts/rancher-cis-benchmark-crd/5.1.0-rc1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark-crd/5.1.0-rc1/README.md create mode 100644 charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscan.yaml create mode 100644 charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanbenchmark.yaml create mode 100644 charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanprofile.yaml create mode 100644 charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanreport.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/Chart.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/README.md create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/app-readme.md create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/_helpers.tpl create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/alertingrule.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-aks-1.0.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.20.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.23.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.24.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.5.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.7.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-eks-1.0.1.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-gke-1.2.0.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/cis-roles.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/configmap.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/deployment.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/network_policy_allow_all.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/patch_default_serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/psp.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/rbac.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.20.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.23.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.24.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.6.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.7.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-hardened.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-permissive.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-hardened.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-permissive.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileaks.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileeks.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofilegke.yml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/serviceaccount.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-install-crd.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-psp-install.yaml create mode 100644 charts/rancher-cis-benchmark/5.1.0-rc1/values.yaml diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.1.0-rc1.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.1.0-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..a3cd1f1de81e77648c76e4461eeed9ffe36d22cc GIT binary patch literal 1466 zcmV;r1x5NFiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PI>(bK*7-&NIJ4bA85V6W}_$<+y9-+FmY0((CggZ$KAY@<{76 zOsD_7BijkKu`vciu5;`QgCu_|+24LEt*t@wCF(vGrawo?mm%nfKG*)+=@K+KD+q&& z1I=|^cRU;>zpm?+f8Ehwc;O94-gw}-o;SR3y|Fv?E|`0$<6SH^1p2}~*jIUR{}Tf# z6#)q)&7{W|2ZBH?91cVQIzqkWs7c%l^d~IiO69Pn@O_jM_J(wfZz_jK2+>5qal$Oy zRD>Ex>AqPR!m#oZjRAtezPi&_UJ z4nxo@hZI3jz`e`0w1SGjm;%zxx}g=&J&59zepxrP0x}OGDgfQC8(IPV4O$j}{#rM* z0+NcZQnjB4#m9NAh;4N3gq?BaPK0O(!s3emsP1e4j*vTsFVT+!^ew}tO5Tfw!?lvP zS$mO;n;jc2Ogz_FxM$3_v0|4nVgLM_4&h4-;ki>qD6eileZ9ObG&2@yo9#)gagvKO zEm&LixYSW0u*%(x$v6n?gUCg3-ZmDOhu*kvt>Nn@ZY}>5s`?w@8&+UVBcZgKHC3^s zYA-2-6|_Ynl4Y|u`6@t7vqL7j{a#oD>*I@@sxS(WYCNqcJXb0}klVqmqk(738#)&5a; z`^+^V7nW{aM>SV6&EXX+6og?VIh&|!mHSSEGzqfR=sLdb5GRcxo%;JT@`3R9zCtv{ z?t+f$L?aj_kL#m~-Cg@g1{~4DRw>#kC_rmimHK>Pq5xJMXE)SZ>1_$8UURo{?(m#w znQ%04deMPO*=LQ*-|~#BPZM3rV|fqSCAONUN335_qE4zLo9NrNBH7-%W18B;y5F{_ za0b{9!Y2DY_hb*E;^FLaWpYy7?^1hw+ULqzN>_Fi8eh8*@`GB-`ro=#+M*EHQ2!si z8;(o$zstek-MRjE3OjcF?}acO76RWtV-1c`<^G(?Px=^}2gUu)5a{=~mWK|20Oc^;cm{`ad3x%KATc&)3QSM0U&?cS^M1Zogcga36n!_^;Rh*~hC7pFcXGf3T0H z?|;4Fp!EIkXy~5ne UY*qGO00030{}Bv!*8nsC00Al5m;e9( literal 0 HcmV?d00001 diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-5.1.0-rc1.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-5.1.0-rc1.tgz new file mode 100644 index 0000000000000000000000000000000000000000..68f4d85345d8b70235d3d31289d92ad35cb7f2c0 GIT binary patch literal 8390 zcmYj%by!qi)HMwPN{dPDcW zSQ|XDe`z2ku47~*{?z!bgQc_edqX{_oSMyBCxU1L4G3GdrHD?b#RjuOpamt}~!% zS$qK<-ShBmS>$MJsZuOEBi~@p*%uAfr#lGWHBL@~&Uz93x?%i8Z(yaKbb(&kPu|Tm zCo%5YY5})lvr?*I$5~goYoojABGz6pQ3jb367_hPUs<@t&q_3|r;YcFP35}e2jgUk zeI@<2&f~g85*ba#_;=zT3Sc;f<8)lxrf1{+9%@+=d$8H5=|LxYTPRjhB9xr(<5CXS zUf!?YotpKmAv!P4w>zr{BT1iCCge*uoN;nLMgAm3lwy`_HZPWmL8y-#5(^ zS+i4db2#;{m&@pZ-ufN?b!4rCSytSW*R#DW;cm+wTk=CKOk<_Fl4lZksqDK}qXNaO z9ZXKSvtT+7t^aD&Xn(Y3O34+>&^ec_X1kMKO_ah}#yWD5c6WEEUg5Nku1rl8vcGbB z_$ukMvsaCDlEg$ljT9d!`%|9mywNjWmp2ypv^-*9Y$CVWQ6rvUp<#G9x-KT9<3ZZ@ zO^j6Pos{F;5|)iQleJFTKD(r=QJk&vnNnOY=s$(2V`x{iNwPX{XW{ED%~*&G%S$wp zB(u#iJ$}fTHbzRTVN%vBW1QjqK>>Xs2@%Ai*>@)OUBzvUY;uFGTN~ED+GWV##Bd2A%NaLyeUIvhZtD>blr}W0YB5^paR5Rtij*ms>R4L+?{WLf06VS% z35OaI4R%WA)f=s{)dZPsFwRg>?p7ELky-2W+ed+}c}-em8-F+Dybl(>853J(YAKe<|06jBANDb-xoLmP%IvZJNO#_6Zx zDF?21Cx*%ttt}WhEk2#Mf2OVQVb_!y#EKT(&m~SakZWFWt>=1M!jszj_clM(#b)UPJgo!W9%<2+=O#=lB6F z-Yv!nNi+U_jp*q0cC+_IU4>#)-@^-{eJ4L}S|s`_8^xfzOrgRRm}W2WGH*;~-I8JFK}Z~UQ&ZV|Aqd~7J>sEMl*4>_ zD#Oz{Dwh3;FjbpBcT2tq*|*NH)Fq#HD6*utV)^^-`Yk&{fw|8+wNfm-hrV1{2Neor z!+Eq(t#w7gyDG*PGyJ!BpNlbIleNpnIOQYX1X49`?8Nt4WiD$k)q9Ban_)9h<|g1F*$@eV~a|KKKN=)-$| z>4il^2jlP2KIGcnTjQfOPnVaiZuQ%IW1mBvU9y~f+#~MJUfsA!GT_1JD7iP{2h$`i zX}Pl>DKwt!z%vS;pp2yVk90fde!X4M7^(g9!gr-XWt{hlmiWtz<4OhH{QMyt^03;B zpZJ(3-(vc=(aKAARL%)p&pqXaY<+GkO~=vSU6JuwzKAQlF%ikU_cN@6WTY4v{ok|#S^*tO(O=Q}%A8Q(ud+Xxr6H@+*)Iee?#wKjSdDvE}> z$5*CO`2V;?^JNk^-@$Er4Tf_$f;5EzXBFqq4Cp6x+cFt7JZYqM)4e%w*Xm7gC&%_O z7xbEMe-VXJ8_)VO=e@bFOBctN)AC~}N3E?zJKfk%-aHroJX|Q zO<)|=ykg|({;35)$F~fF?12+s>|(AH$#-a*g`orGWM!*@u6}+mm9aun}0}C zWvcmK+(W~RHpL$w-fx_9^Rd&e!*zz+C?hDrNd!xuLyG!<-c4Zf5_fqVG=Dh(0YShM*oonz)|2L7C7^5fGm_bJ9nyIQ ze0)s;-{Im8F&wA&0LxFy3;4k2o$CZUY;DjhO-C@#sEo{!vU1|AbP#p|EGIhu=L*-m zJ#mB16^ZyviAXxnb+Dt5?@J)<#wlyPv13iua}L?K_7205o-u<(UP6MDRIQx}p82`l z8aQ`VS4Q9vDZ77<$85Kfzdjwj$8wzd;xV|Z%LR5Vp)Zr47@oWS-o`eP?63us~yh8ycg-Rrnb+NfL|`vEEENN4DW0 zXbeoOFa|XJ1A>-_IjjLh;1Cgjt=j`mB##aO0SbCwVXm+Pkez}T*#B@z#=>m=)iuE! zRF!cPtzd8qAO9JI55XJ>9aNZb@G%4!+yzhyj|1?JpckAvWu4^S0***vcLpRvQRlFa ztN5W?_@NTz05*z8nyWDCvc9ktzP<^h=m0^8t-CxL_di+xZ|ELyAn`bWC1Zh26wLDs ziY@E}(`Voejc*yr{{h%?jx0MRP-p;fBoLG2m|h3Be*U~bSjNisfYv$St7W(fg{wJdK9FNU-Oe6-fe*{y;?oFfdRa9^s))&Z^fj)W>z*n9?R~6wfAE@H@2r+Lf_% zDijhgLDOfF-zD6yUz2x!K?|gRwr;%@FOZI*{upI-en=W`PvYc+7;$rQSy;?YT0xVTtG>6* zjV_kdq0r_2awAyMnZSeN6_xw(gAYjQPBm=Pd&WW*xe(R~K8D~F-gvEF5b*us>ia}5 znAO@8c{(LCvu1aPQkwp939Awd)aKnwmeo{eW8d1MOnEgejmpeJ&n%i!?7x@Uj2S}g zH5E4_-b%BWVq5iWfgH78074%W(}Ib`F&+KZD&;9G`atZmV?&ZPkFNnE_(P zC$1F*Q{?-9NU)Q0rWR0*%08w~_c+v#hsO%~^Qd+{wDzymSUG<(dN9B{B7GHhzc)jS zRISKfKKHpkv#@D$xK@j>`%7MJg&Y!ftdv2hDC12#KdW%nEGp4<5m~csxA($KLh`?_ zgM_x5NgA`NEnt;O62=?w@vjK8j8Kw#ZEWm2?q{a6?d|R7!`~wN78VybeV&#+Mk1Ev zJ@&d>r2GfRk`yBBmkG3JYqln}X08{Kc-Z&|j4&CS@`;tiPt$UQ#cTUT$g@2yrs)3i zo8Ec88MTQzY#)R>o0~NQ_lw;nVW_C`eUH|L)FumI4RgB0rSNL2}I4 z`){A#5JWbBb6gik0P0{}db;~2JQUOV!{71IWR1Q0yvf&-t;4mE-!l>u9M1ABzDJ9w z!?FH?VvaHhqg%jBah**0FK7K}2*j|}(VLj%w>(06aVqK_$Y#X(;!fH`)5^zaEx+T1 zx(<_&)5LT7nSB-v{kt%hC?E7lf4Ia1eBPpY=E3aLZpwwu40J^ zW{!Yn+%c-32I6$1vmov(1r6_F$(q8)f>J1xq zQPLKi0B@&UvpUIB9r7Mi$T97-yv<@6n}2HpU*_71Kw7eNvMJQIDoT4@u=>lAME82l zc%Rnb+Y*zzPv4)6qOz_#*2!OwGt%a$&vj_!9CFu~y2YHpwQS_-clhXj^l^oM1|zo%!@@(d=kPbULn_pPw}H6ey%j{9wle!Xm!Ohu z>;^carlvoWS}^YvatP2DXW(0IB3`3dqj_?4)b9Uj_DOwosR$hTgd=Wl0?FBP4t4g) z6I${asw}?B*92yEnC8Jy6$VQ79;b8cT_y>P<)_-*#rUP;s|hHqOn=7)>-{}t#fEXM z7q|^TXRIjd4cU6Wakj$f{i#AyZ?j)d@XARm$@ti}Ba#v#>TdRgriCG8A(84|O8c7a z{ndLlEZch63G(G}#p123E2H1^|GaGTWfMp$bxGM|ykkD`#yHYwS#n)GJ*ybA6LqV> zU2kP-zBNa$`C&3Q3wOO=#qF;O95b$jsca-e=5Xk+IPu6mYz4yxKwym1LL-IUgVSm* z&_PH}blK?*E%$R;B#F3rSxPFpnr&R3e{2R;{gQxTY5s8Y_`aF$qYs%$-AERV6N`ZU z3?xM!8ZqED2s<8VvNHlKirS>(%n`>6yv6!7G>!p}xrYmS=Si5p%v05C}CfNVX|@A-@fBB$=DY%o*oxISl>$hxggRD59-{is-G|1>jEo9+&wxz zk4|ZpF*Yv1xg+n_d_FfSKB}#hK8UkRx1K7AZ!_9E_W7p3*9TEE?! zt-o37-!sLur-V4Wqo^MjBpO%wLVcUp zwMb4T2<;tXAXc&L?ETIBeqi65x2(iBwQ&)pqHHXAW?p3Dr2_R8XhZ*SOdYxx&3G(h zW{(!v%Llf*0eQr_Ibb~(vxhhy@IAfQvvtYpZ=Uj9TF8&uk|* zhGwH&Hd(wjThszW{VaXxUuBF~w0NPa#gg3CaPk`+XVdHrw~A8}a&LnwQO=ZFyRng( z!Nl5c&&$;HFZ|eWe|W?G)q1FY+6;PX=GIoSt(vm)m*+>jwdl_?*O@3R_VvuefdrQFyi(U-gv`bYF` z4!IpEnbV*#TqN!`7$hAzDD_ znANL6L5M9`Se#@oSXj4TB++(dTr9TwRPdR*!3H*_K32WiLL_*wkuuMG%Uls_8NAyb zXEH2d|Mnh@tcp68#ne%1wr5Oa(+%TM>A{9!HoaFYgA+CZe`JwK@@Lh1KDwK@vR_A_ z#SM)svn>Z`$P({S?Hk3@hWe*7N|A9_rMH!}A8!fvbPgGDc6j>0`7+X{id1w?*qUe% zc7_Weiw+le53jquaAfn>Zk2#!=PU;+QGVFoH_fN|N)EiW-B z0YD)EE8{#s?!3U8Dy2i1Qvi3uU4JU?mho51v(>GN`~pW1G}(R`7CZP04Z_=7WAHbD z9gKzVjG5K-+Xh<|zUMP4$~c;>aS$+Zh`2J^0e;e*z+RoeybRZ1{V2!=K5@|W1&kWY z@f?d}V#3e;2M+!M3!!&d0{b6Ph_7i~yR&-)Nf$6(>|hx%!9po(j=&8RJR_rPcLB;e zb`F_V#d!^ZUucd&@>8sEOcpyXE|wQ?v0(Q?iZDo}%ahKFXOO`kczL5NH9r#8F36|RX~#!2QJE_Zx1_T z&+8&}>9)v}dV#Hr8qN-;BbLhfXU};tNUSgpX{Tr~{>usgDy&&ubWZD?#wEznMgRdrQ z&@dK7Vid$78soW#oG<(Z>Ca7fEK=mnDE)-bqxKQIP&_6vvibIrK3BQ%VxJ#!As zP}~{o6a?(=*7epFtN$$TSs! zgpM`~ablJ<@PZLty5)25Z}t%H3kN}GCc&h*T**~$l4lo)K`H{lO@u$NyR=#{2m+U* zmFihxMGxG>5AX%VWCh?jl);Wr8=GDdK;tX#R5j0$q_ zr(|~3389>LfPiIA0P`}t3B0qrbD`sGqlCbgXl_X%pYp=mCquw%E(zu9wt!~C$ z+N+fB>A&Q~W`ltU{sY@5s;5{)%NQ_F41BZ8dBw~ z$US=Q__j2ri+#CEw-fLjd{<@k)T;7FEJtR*(K@=n!2H5J1Smj4s&Fta@55D1@(o5? z%FK)Ih19_dryB|;S|7JR>Gn5d0VnI(27i98f~>1MlXvhotv0&^$ic3eZOF=2X9f-& z#Tl@R(saUz;u;0q9_MIi*B;Gx+IJ4VX~&CMLDLH*(YRteIvJ@kvHH$Hs%OpSwBkxG z=AQ$#3U!#2H%(2=I!|?M_5bqsMPOLwc~|8OFe+DiY!_tXMzCe3N#pTvcm)zTM4{Vt zg+?%pI}xnI;=7@KoJson%b3hXVSDYA?<7@luLa&Ihn;pS$DFA5~VFJf)P$V;P# zLnku>zjD=^QX~@EWtO6fw2ckKf!V-r(oCW69q4Y4cvqxiArY>my~T>sRhVDZK@HG6s@3qzIgW zMy_DYhbZ|o$<2^a2Y(!<;gKrrvkwDHftX~$&}KbRO>7<^r~7ju(UxRN=DUMdaT;!u zeK2|wwxAA^g*$H*u7E+`^@j5@FHiaMJ(x3z$+_^O6N4a4HG~RO2__%IdY&?w?Rl`6 zJFqn+XpI_5q^ci<-w;p>J-z6$?S{#w2{LsbY;MlYWi0>wMjIYAwdtTy+Sk45RxpM_ zn6`0JUduPV7cDn*YCEu};7Vb`y=%ZN!01gxRKRz9lb!N>!&Sn-xsMRP7i8dnSIVXF zp9~_CQ|6JQ^mNW9mt8(aYp`$hNfBk< zJX;3&@N0~3_tPKf(1hzeUK`*~!vatcg)400<2>lZ{1LvRE`8>nbSlL+fbCw3{G@*S zwo;L9TnW2cnDpdw-@`apnml>8GV}qIbY!>fw_%)*H7H2blY&I#tJRW59882U{R2iv z$RL&kCvqVzLWPqPX;Z&bDFz={0Q>5~VxnlGi-c;vs`(Y^wBHPJV+H^IWza^LzkAR) z9kOCXYRWw}LJY0$Abx$TIDz*>q(qVFnS{CWM+a8B>b$?MfBoiiH&UK%-eVkQo$&js znqZXPHkaP$mQf<#Oy6Qt`Hgl&F-pkt>^8CcW@6((o4~chFJzxJHAe-A$;JC!i42-Y z#<;S}UKvoeUCmpH8V&j4qB_R<+)z8v+|WfIIs%O%^-1JA-aAPN_qo9sw|?f(?4DdI zn>ZGK#gs9vB`Z+TYbLr+i9a}Le9l&{uW@2IZZ)I!ibR0I*2kXI()|w z<@N03G0k>t!@eG$+3)RYq)dbpOu%iP?FtdRQIE&pP=92qI{usW1BPiym%kag%qZ{I z`JYCEsD{IS_x0${i8!vY)juR7+NCgP1e{p4QvF$47XQX4LFS2?r3;}dhaJ`(55CfM zTk}2G>W(Y!Y*~&La2{`QXG$oYZ2u+vmsOg(Rl4@X(O;Q|gwu>_f-La8?J>kWH>y$Y zFKgpk_Ah@%TgMAWhOOfWsfOFpebs}u19B3*j_Qqt@V?szy1&gbse8lL^)hG9$So*!<{C!(=gLVjdlXB&zxe^;Y+#)sS_)4Tz%k zZI_?P8$S*A!|a{%*_n-#wTnHn`T2D}v`Pmt3oq$H{C?OAo41Jxaqeo7_PoE9q3d5b z#PFvN7Laov{_%_E!32RB(^c)j$7so{`#jqut=G(RZoOIw%(LxyK0Ro{Y$~7TYQ!p^ zRx>lGP@urn7ZKgaMO*((HWBClb*PUN|4$Ta_CClIWJP!nqr^;0OJE&mKeeNqx!<=X z=IkjOws6sZOq|VAdGz$Y$8>R8akLg=c$jEPeBN&F_gbaIe!tK{553dnu3IKQJgk%A zOT~n=UVDf?9k#aYGE}9heSvBRZGS7)WZFoqwZVo}SFI++oE{ zE~1c~4@u6E@Td?BrT(6~(H|eNP&ZvKz{a_KEqA*$l6vm_Xv2su-wq;8mXoHpJBL5m zl@!0m@T;o+*S*XrxX!z$l7xn(N3+9nNvBC4Ri6K%W>RBntlRvX{C(;QiC%`;z(Zv% zri8%9ZlcTa1sRryW{wq4jI+cIO5j8T$FpLdixm++yxqYaPod?hJ@mos)PojT{Nfsi zl(*sLO$aZ}T^TzX@~D!v$smH3_gSR1tkwE!^eeRng?ueaIi17n|9**iDM+GkF{s3A zX~RR(kA}|ZVf9)$QKILRj711H*HG3e^<8(LSPWct`{cGZNqVFU^ p+7K2xF1Zv(ANRi<$-K0#C@(KRCp&-;;$K++BsU5P2s#J}{vUYAnH~TD literal 0 HcmV?d00001 diff --git a/charts/rancher-cis-benchmark-crd/5.1.0-rc1/Chart.yaml b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/Chart.yaml new file mode 100644 index 000000000..209173ac0 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 5.1.0-rc1 diff --git a/charts/rancher-cis-benchmark-crd/5.1.0-rc1/README.md b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/README.md new file mode 100644 index 000000000..f6d9ef621 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/README.md @@ -0,0 +1,2 @@ +# rancher-cis-benchmark-crd +A Rancher chart that installs the CRDs used by rancher-cis-benchmark. diff --git a/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscan.yaml new file mode 100644 index 000000000..3cbb0ffcd --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscan.yaml @@ -0,0 +1,148 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + properties: + error: + type: boolean + message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object diff --git a/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanbenchmark.yaml new file mode 100644 index 000000000..fd291f8c3 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanbenchmark.yaml @@ -0,0 +1,54 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object diff --git a/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanprofile.yaml new file mode 100644 index 000000000..1e75501b7 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanprofile.yaml @@ -0,0 +1,36 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanprofiles.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanProfile + plural: clusterscanprofiles + scope: Cluster + versions: + - name: v1 + served: true + storage: true + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + skipTests: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + additionalPrinterColumns: + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string diff --git a/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanreport.yaml new file mode 100644 index 000000000..6e8c0b7de --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/5.1.0-rc1/templates/clusterscanreport.yaml @@ -0,0 +1,39 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanreports.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanReport + plural: clusterscanreports + scope: Cluster + versions: + - name: v1 + served: true + storage: true + additionalPrinterColumns: + - jsonPath: .spec.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + subresources: + status: {} + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + reportJSON: + nullable: true + type: string + type: object + type: object \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/Chart.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/Chart.yaml new file mode 100644 index 000000000..1ee8c0f8e --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark +apiVersion: v1 +appVersion: v5.1.0-rc1 +description: The cis-operator enables running CIS benchmark security scans on a kubernetes + cluster +icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg +keywords: +- security +name: rancher-cis-benchmark +version: 5.1.0-rc1 diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/README.md b/charts/rancher-cis-benchmark/5.1.0-rc1/README.md new file mode 100644 index 000000000..50beab58b --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/README.md @@ -0,0 +1,9 @@ +# Rancher CIS Benchmark Chart + +The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. + +# Installation + +``` +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +``` diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/app-readme.md b/charts/rancher-cis-benchmark/5.1.0-rc1/app-readme.md new file mode 100644 index 000000000..147e91ea2 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/app-readme.md @@ -0,0 +1,33 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://rancher.com/docs/rancher/v2.x/en/cis-scans/v2.5/). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. + - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. + +## Upgrading to Kubernetes v1.25+ + +Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API. + +As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`. + +> **Note:** +> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`. + +> **Note:** +> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).** +> +> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets. + +Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart. + +As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards. diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/_helpers.tpl new file mode 100644 index 000000000..b7bb00042 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/alertingrule.yaml new file mode 100644 index 000000000..1787c88a0 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-aks-1.0.yaml new file mode 100644 index 000000000..1ac866253 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.20.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.20.yaml new file mode 100644 index 000000000..1203e5bcc --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.20.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.20 +spec: + clusterProvider: "" + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.23.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.23.yaml new file mode 100644 index 000000000..83002966d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.23.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.23 +spec: + clusterProvider: "" + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.24.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.24.yaml new file mode 100644 index 000000000..ff00105a5 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.24.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.24 +spec: + clusterProvider: "" + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.5.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.5.yaml new file mode 100644 index 000000000..c9e6075fb --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.5.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.5 +spec: + clusterProvider: "" + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.6.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.6.yaml new file mode 100644 index 000000000..4f5d66e92 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.6.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.6 +spec: + clusterProvider: "" + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.7.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.7.yaml new file mode 100644 index 000000000..059040524 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-cis-1.7.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.7 +spec: + clusterProvider: "" + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-eks-1.0.1.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-eks-1.0.1.yaml new file mode 100644 index 000000000..d1ba9d295 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-eks-1.0.1.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.0.1 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-gke-1.2.0.yaml new file mode 100644 index 000000000..106ff7b0d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-gke-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.2.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml new file mode 100644 index 000000000..147cac390 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.20-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml new file mode 100644 index 000000000..d9584f722 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.20-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml new file mode 100644 index 000000000..1a928db35 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.23-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml new file mode 100644 index 000000000..5a46787d5 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.23-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.23-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-hardened.yaml new file mode 100644 index 000000000..969455914 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.24-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-permissive.yaml new file mode 100644 index 000000000..1e7b48e2c --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.24-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.24-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml new file mode 100644 index 000000000..5160cf795 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.6-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml new file mode 100644 index 000000000..10c075985 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.6-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-hardened.yaml new file mode 100644 index 000000000..5650be988 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.7-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-permissive.yaml new file mode 100644 index 000000000..d0facbba1 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-k3s-cis-1.7-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.7-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml new file mode 100644 index 000000000..4924679cb --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.20-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml new file mode 100644 index 000000000..2db66d7c6 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.20-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml new file mode 100644 index 000000000..12de23173 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.23-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml new file mode 100644 index 000000000..f9d505254 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.23-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.23-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-hardened.yaml new file mode 100644 index 000000000..34218fe3f --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.24-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-permissive.yaml new file mode 100644 index 000000000..7fdf451d2 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.24-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.24-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml new file mode 100644 index 000000000..b9154f1ad --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.5-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml new file mode 100644 index 000000000..9da65d55d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.5-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.5-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml new file mode 100644 index 000000000..77f8a31df --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.6-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml new file mode 100644 index 000000000..600b8df35 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.6-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-hardened.yaml new file mode 100644 index 000000000..cb5a72c6b --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.7-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-permissive.yaml new file mode 100644 index 000000000..6d1782bcc --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke-cis-1.7-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.7-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml new file mode 100644 index 000000000..b6cc88359 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.20-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml new file mode 100644 index 000000000..fd898bfe8 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.20-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.19.0" + maxKubernetesVersion: "1.21.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml new file mode 100644 index 000000000..55d96da59 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.23-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml new file mode 100644 index 000000000..55fffe320 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.23-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.23-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.22.0" + maxKubernetesVersion: "1.23.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-hardened.yaml new file mode 100644 index 000000000..512d05f5a --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.24-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-permissive.yaml new file mode 100644 index 000000000..f2ec81ee0 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.24-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.24-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.24.0" + maxKubernetesVersion: "1.24.x" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml new file mode 100644 index 000000000..20091ec2b --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.5-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml new file mode 100644 index 000000000..9a86906b0 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.5-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.5-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.15.0" + maxKubernetesVersion: "1.15.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml new file mode 100644 index 000000000..ea2549ef3 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.6-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml new file mode 100644 index 000000000..0afdaaa19 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.6-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.16.0" + maxKubernetesVersion: "1.18.x" diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-hardened.yaml new file mode 100644 index 000000000..87fa56802 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.7-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-permissive.yaml new file mode 100644 index 000000000..acc35d162 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/benchmark-rke2-cis-1.7-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.7-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.25.0" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/cis-roles.yaml new file mode 100644 index 000000000..23c93dc65 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/cis-roles.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-admin +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["create", "update", "delete", "patch","get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-view +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/configmap.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/configmap.yaml new file mode 100644 index 000000000..1b9afc157 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/configmap.yaml @@ -0,0 +1,18 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-clusterscanprofiles + namespace: {{ template "cis.namespace" . }} +data: + # Default ClusterScanProfiles per cluster provider type + rke: |- + <1.21.0: rke-profile-permissive-1.20 + >=1.21.0: rke-profile-permissive-1.7 + rke2: |- + <1.21.0: rke2-cis-1.20-profile-permissive + >=1.21.0: rke2-cis-1.7-profile-permissive + eks: "eks-profile" + gke: "gke-profile" + aks: "aks-profile" + k3s: "k3s-cis-1.7-profile-permissive" + default: "cis-1.7-profile" \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/deployment.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/deployment.yaml new file mode 100644 index 000000000..8c9f72f5d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/deployment.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cis-operator + namespace: {{ template "cis.namespace" . }} + labels: + cis.cattle.io/operator: cis-operator +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + template: + metadata: + labels: + cis.cattle.io/operator: cis-operator + spec: + serviceAccountName: cis-operator-serviceaccount + containers: + - name: cis-operator + image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}' + imagePullPolicy: IfNotPresent + ports: + - name: cismetrics + containerPort: {{ .Values.alerts.metricsPort }} + env: + - name: SECURITY_SCAN_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }} + - name: SECURITY_SCAN_IMAGE_TAG + value: {{ .Values.image.securityScan.tag }} + - name: SONOBUOY_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }} + - name: SONOBUOY_IMAGE_TAG + value: {{ .Values.image.sonobuoy.tag }} + - name: CIS_ALERTS_METRICS_PORT + value: '{{ .Values.alerts.metricsPort }}' + - name: CIS_ALERTS_SEVERITY + value: {{ .Values.alerts.severity }} + - name: CIS_ALERTS_ENABLED + value: {{ .Values.alerts.enabled | default "false" | quote }} + - name: CLUSTER_NAME + value: '{{ .Values.global.cattle.clusterName }}' + - name: CIS_OPERATOR_DEBUG + value: '{{ .Values.image.cisoperator.debug }}' + {{- if .Values.securityScanJob.overrideTolerations }} + - name: SECURITY_SCAN_JOB_TOLERATIONS + value: '{{ .Values.securityScanJob.tolerations | toJson }}' + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/network_policy_allow_all.yaml new file mode 100644 index 000000000..6ed5d645e --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/network_policy_allow_all.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ template "cis.namespace" . }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/patch_default_serviceaccount.yaml new file mode 100644 index 000000000..e78a6bd08 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/patch_default_serviceaccount.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: patch-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + spec: + serviceAccountName: cis-operator-serviceaccount + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + restartPolicy: Never + containers: + - name: sa + image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", {{ template "cis.namespace" . }}] + + backoffLimit: 1 diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/psp.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/psp.yaml new file mode 100644 index 000000000..9b8a5995e --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/psp.yaml @@ -0,0 +1,59 @@ +{{- if .Values.global.cattle.psp.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: cis-psp +spec: + allowPrivilegeEscalation: true + allowedCapabilities: + - '*' + fsGroup: + rule: RunAsAny + hostIPC: true + hostNetwork: true + hostPID: true + hostPorts: + - max: 65535 + min: 0 + privileged: true + runAsUser: + rule: RunAsAny + seLinux: + rule: RunAsAny + supplementalGroups: + rule: RunAsAny + volumes: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cis-psp-role + namespace: {{ template "cis.namespace" . }} +rules: +- apiGroups: + - policy + resourceNames: + - cis-psp + resources: + - podsecuritypolicies + verbs: + - use +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: cis-psp-rolebinding + namespace: {{ template "cis.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cis-psp-role +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} +{{- end }} diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/rbac.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/rbac.yaml new file mode 100644 index 000000000..33fb93f04 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/rbac.yaml @@ -0,0 +1,219 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-clusterrole +rules: +- apiGroups: + - "cis.cattle.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "" + resources: + - "pods" + - "services" + - "configmaps" + - "nodes" + - "serviceaccounts" + verbs: + - "get" + - "list" + - "create" + - "update" + - "watch" + - "patch" +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - "rolebindings" + - "clusterrolebindings" + - "clusterroles" + verbs: + - "get" + - "list" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - "list" + - "create" + - "patch" + - "update" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-scan-ns +rules: +{{- if .Values.global.cattle.psp.enabled }} +- apiGroups: + - "*" + resources: + - "podsecuritypolicies" + verbs: + - "get" + - "list" + - "watch" +{{- end }} +- apiGroups: + - "" + resources: + - "namespaces" + - "nodes" + - "pods" + - "serviceaccounts" + - "services" + - "replicationcontrollers" + verbs: + - "get" + - "list" + - "watch" +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - "rolebindings" + - "clusterrolebindings" + - "clusterroles" + verbs: + - "get" + - "list" +- apiGroups: + - "batch" + resources: + - "jobs" + - "cronjobs" + verbs: + - "list" +- apiGroups: + - "apps" + resources: + - "daemonsets" + - "deployments" + - "replicasets" + - "statefulsets" + verbs: + - "list" +- apiGroups: + - "autoscaling" + resources: + - "horizontalpodautoscalers" + verbs: + - "list" +- apiGroups: + - "networking.k8s.io" + resources: + - "networkpolicies" + verbs: + - "get" + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cis-operator-role + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + namespace: {{ template "cis.namespace" . }} +rules: +- apiGroups: + - "" + resources: + - "services" + verbs: + - "watch" + - "list" + - "get" + - "patch" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - "watch" + - "list" + - "get" + - "delete" +- apiGroups: + - "" + resources: + - "configmaps" + - "pods" + - "secrets" + verbs: + - "*" +- apiGroups: + - "apps" + resources: + - "daemonsets" + verbs: + - "*" +- apiGroups: + - monitoring.coreos.com + resources: + - prometheusrules + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-operator-clusterrole +subjects: +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cis-scan-ns + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-scan-ns +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-rolebinding + namespace: {{ template "cis.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cis-operator-role +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.20.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.20.yaml new file mode 100644 index 000000000..05263ce7d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.20.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.20-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.20 diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.23.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.23.yaml new file mode 100644 index 000000000..c59d8f51f --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.23.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.23-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.23 diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.24.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.24.yaml new file mode 100644 index 000000000..dcc38c9a9 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.24.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.24-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.24 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.6.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.6.yaml new file mode 100644 index 000000000..8a8d8bf88 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.6.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.6-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.6 diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.7.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.7.yaml new file mode 100644 index 000000000..edac79e2a --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-cis-1.7.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.7-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.7 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml new file mode 100644 index 000000000..a0b6cb6f6 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.20-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.20-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml new file mode 100644 index 000000000..89885548d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.20-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.20-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.20-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml new file mode 100644 index 000000000..724412d3a --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.23-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.23-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml new file mode 100644 index 000000000..9f9213de1 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.23-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.23-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.23-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-hardened.yml new file mode 100644 index 000000000..4360d1145 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.24-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.24-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-permissive.yml new file mode 100644 index 000000000..09a5aca05 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.24-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.24-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.24-permissive \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml new file mode 100644 index 000000000..095e977ab --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.6-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml new file mode 100644 index 000000000..3b22a80c8 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.6-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.6-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-hardened.yml new file mode 100644 index 000000000..51fd6baf0 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.7-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.7-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-permissive.yml new file mode 100644 index 000000000..0c1baf774 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-k3s-cis-1.7-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.7-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.7-permissive \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml new file mode 100644 index 000000000..c36cf38c9 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.20 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.20-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml new file mode 100644 index 000000000..cfeb4b34c --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.20-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.20 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.20-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml new file mode 100644 index 000000000..007331149 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.23 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.23-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml new file mode 100644 index 000000000..085b60dfa --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.23-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.23 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.23-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-hardened.yaml new file mode 100644 index 000000000..b312d3fb0 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.24 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.24-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-permissive.yaml new file mode 100644 index 000000000..e35211c78 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.24-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.24 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.24-permissive \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml new file mode 100644 index 000000000..d38febd80 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.6 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml new file mode 100644 index 000000000..d31b5b0d2 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.6-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.6 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-hardened.yaml new file mode 100644 index 000000000..e488eaedf --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.7 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.7-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-permissive.yaml new file mode 100644 index 000000000..8e6df750d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke-1.7-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.7 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.7-permissive \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml new file mode 100644 index 000000000..decc9b651 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.20-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.20-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml new file mode 100644 index 000000000..74c96ffc4 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.20-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.20-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.20-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml new file mode 100644 index 000000000..abc1c2a21 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.23-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.23-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml new file mode 100644 index 000000000..51cc519ac --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.23-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.23-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.23-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-hardened.yml new file mode 100644 index 000000000..412190d1d --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.24-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.24-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-permissive.yml new file mode 100644 index 000000000..3079ba2fe --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.24-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.24-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.24-permissive \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml new file mode 100644 index 000000000..c7ac7f949 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.6-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.6-hardened diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml new file mode 100644 index 000000000..96ca1345a --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.6-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.6-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.6-permissive diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-hardened.yml new file mode 100644 index 000000000..9e90d769a --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.7-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.7-hardened \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-permissive.yml new file mode 100644 index 000000000..4363d3afa --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofile-rke2-cis-1.7-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.7-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.7-permissive \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileaks.yml new file mode 100644 index 000000000..ea7b25b40 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileaks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: aks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: aks-1.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileeks.yml new file mode 100644 index 000000000..3b4e34437 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofileeks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: eks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: eks-1.0.1 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofilegke.yml new file mode 100644 index 000000000..3e5e2439a --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/scanprofilegke.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.2.0 \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/serviceaccount.yaml new file mode 100644 index 000000000..ec48ec622 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + name: cis-operator-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-serviceaccount diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-install-crd.yaml new file mode 100644 index 000000000..562295791 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-install-crd.yaml @@ -0,0 +1,17 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-psp-install.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-psp-install.yaml new file mode 100644 index 000000000..a30c59d3b --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/templates/validate-psp-install.yaml @@ -0,0 +1,7 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +#{{- if .Values.global.cattle.psp.enabled }} +#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }} +#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}} +#{{- end }} +#{{- end }} +#{{- end }} diff --git a/charts/rancher-cis-benchmark/5.1.0-rc1/values.yaml b/charts/rancher-cis-benchmark/5.1.0-rc1/values.yaml new file mode 100644 index 000000000..4f337e447 --- /dev/null +++ b/charts/rancher-cis-benchmark/5.1.0-rc1/values.yaml @@ -0,0 +1,55 @@ +# Default values for rancher-cis-benchmark. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + cisoperator: + repository: rancher/cis-operator + tag: v1.0.12 + securityScan: + repository: rancher/security-scan + tag: v0.2.13 + sonobuoy: + repository: rancher/mirrored-sonobuoy-sonobuoy + tag: v0.56.16 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +securityScanJob: + overrideTolerations: false + tolerations: [] + +affinity: {} + +global: + cattle: + systemDefaultRegistry: "" + clusterName: "" + psp: + enabled: false + kubectl: + repository: rancher/kubectl + tag: v1.28.1 + +alerts: + enabled: false + severity: warning + metricsPort: 8080 diff --git a/index.yaml b/index.yaml index 58584ae04..34014f48c 100755 --- a/index.yaml +++ b/index.yaml @@ -7791,6 +7791,32 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.23.0-0 < 1.28.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v5.1.0-rc1 + created: "2023-10-25T18:25:40.040726603+05:30" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: bcd2acf99789ce92a65f82774505b7246092cf7680f3daaae0d91bb6b75ec605 + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-5.1.0-rc1.tgz + version: 5.1.0-rc1 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher @@ -8287,6 +8313,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2023-10-25T18:25:40.043927436+05:30" + description: Installs the CRDs for rancher-cis-benchmark. + digest: 55b154558288944259c0e3f5021c209e808c712591294d4614a8740d11b1e52d + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.1.0-rc1.tgz + version: 5.1.0-rc1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true" From 8ead4d51fd4ab3645578fa494e80481953f8dab2 Mon Sep 17 00:00:00 2001 From: Chirayu Kapoor Date: Mon, 18 Dec 2023 15:34:16 +0530 Subject: [PATCH 4/4] Add rancher-cis v5.1.0-rc1 --- release.yaml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/release.yaml b/release.yaml index 8bd818e8d..89cc678cf 100644 --- a/release.yaml +++ b/release.yaml @@ -16,6 +16,10 @@ neuvector-monitor: - 102.0.6+up2.6.6 prometheus-federator: - 103.0.1+up0.4.1 +rancher-cis-benchmark: + - 5.1.0-rc1 +rancher-cis-benchmark-crd: + - 5.1.0-rc1 rancher-monitoring: - 103.0.1+up45.31.1 - 103.0.2+up45.31.1