diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.3.0-rc.1.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.3.0-rc.1.tgz new file mode 100644 index 0000000000..707e370e48 Binary files /dev/null and b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.3.0-rc.1.tgz differ diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.3.0-rc.1.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.3.0-rc.1.tgz new file mode 100644 index 0000000000..0ba2450d54 Binary files /dev/null and b/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.3.0-rc.1.tgz differ diff --git a/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/Chart.yaml b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/Chart.yaml new file mode 100644 index 0000000000..888aab9846 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/Chart.yaml @@ -0,0 +1,10 @@ +annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd +apiVersion: v1 +description: Installs the CRDs for rancher-cis-benchmark. +name: rancher-cis-benchmark-crd +type: application +version: 6.3.0-rc.1 diff --git a/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/README.md b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/README.md new file mode 100644 index 0000000000..f6d9ef621f --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/README.md @@ -0,0 +1,2 @@ +# rancher-cis-benchmark-crd +A Rancher chart that installs the CRDs used by rancher-cis-benchmark. diff --git a/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscan.yaml new file mode 100644 index 0000000000..73cf1652b2 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscan.yaml @@ -0,0 +1,149 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscans.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScan + plural: clusterscans + singular: clusterscan + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .status.lastRunScanProfileName + name: ClusterScanProfile + type: string + - jsonPath: .status.summary.total + name: Total + type: string + - jsonPath: .status.summary.pass + name: Pass + type: string + - jsonPath: .status.summary.fail + name: Fail + type: string + - jsonPath: .status.summary.skip + name: Skip + type: string + - jsonPath: .status.summary.warn + name: Warn + type: string + - jsonPath: .status.summary.notApplicable + name: Not Applicable + type: string + - jsonPath: .status.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.scheduledScanConfig.cronSchedule + name: CronSchedule + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + scanProfileName: + nullable: true + type: string + scheduledScanConfig: + nullable: true + properties: + cronSchedule: + nullable: true + type: string + retentionCount: + type: integer + scanAlertRule: + nullable: true + properties: + alertOnComplete: + type: boolean + alertOnFailure: + type: boolean + type: object + type: object + scoreWarning: + enum: + - pass + - fail + nullable: true + type: string + type: object + status: + properties: + NextScanAt: + nullable: true + type: string + ScanAlertingRuleName: + nullable: true + type: string + conditions: + items: + properties: + lastTransitionTime: + nullable: true + type: string + lastUpdateTime: + nullable: true + type: string + message: + nullable: true + type: string + reason: + nullable: true + type: string + status: + nullable: true + type: string + type: + nullable: true + type: string + type: object + nullable: true + type: array + display: + nullable: true + properties: + error: + type: boolean + message: + nullable: true + type: string + state: + nullable: true + type: string + transitioning: + type: boolean + type: object + lastRunScanProfileName: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + observedGeneration: + type: integer + summary: + nullable: true + properties: + fail: + type: integer + notApplicable: + type: integer + pass: + type: integer + skip: + type: integer + total: + type: integer + warn: + type: integer + type: object + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanbenchmark.yaml new file mode 100644 index 0000000000..261a84efd4 --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanbenchmark.yaml @@ -0,0 +1,55 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanbenchmarks.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanBenchmark + plural: clusterscanbenchmarks + singular: clusterscanbenchmark + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.clusterProvider + name: ClusterProvider + type: string + - jsonPath: .spec.minKubernetesVersion + name: MinKubernetesVersion + type: string + - jsonPath: .spec.maxKubernetesVersion + name: MaxKubernetesVersion + type: string + - jsonPath: .spec.customBenchmarkConfigMapName + name: customBenchmarkConfigMapName + type: string + - jsonPath: .spec.customBenchmarkConfigMapNamespace + name: customBenchmarkConfigMapNamespace + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + clusterProvider: + nullable: true + type: string + customBenchmarkConfigMapName: + nullable: true + type: string + customBenchmarkConfigMapNamespace: + nullable: true + type: string + maxKubernetesVersion: + nullable: true + type: string + minKubernetesVersion: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanprofile.yaml new file mode 100644 index 0000000000..b63d842fae --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanprofile.yaml @@ -0,0 +1,37 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanprofiles.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanProfile + plural: clusterscanprofiles + singular: clusterscanprofile + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + skipTests: + items: + nullable: true + type: string + nullable: true + type: array + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanreport.yaml new file mode 100644 index 0000000000..544d825f4b --- /dev/null +++ b/charts/rancher-cis-benchmark-crd/6.3.0-rc.1/templates/clusterscanreport.yaml @@ -0,0 +1,40 @@ +apiVersion: apiextensions.k8s.io/v1 +kind: CustomResourceDefinition +metadata: + name: clusterscanreports.cis.cattle.io +spec: + group: cis.cattle.io + names: + kind: ClusterScanReport + plural: clusterscanreports + singular: clusterscanreport + scope: Cluster + versions: + - additionalPrinterColumns: + - jsonPath: .spec.lastRunTimestamp + name: LastRunTimestamp + type: string + - jsonPath: .spec.benchmarkVersion + name: BenchmarkVersion + type: string + name: v1 + schema: + openAPIV3Schema: + properties: + spec: + properties: + benchmarkVersion: + nullable: true + type: string + lastRunTimestamp: + nullable: true + type: string + reportJSON: + nullable: true + type: string + type: object + type: object + served: true + storage: true + subresources: + status: {} diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/Chart.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/Chart.yaml new file mode 100644 index 0000000000..62d062e13e --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/Chart.yaml @@ -0,0 +1,22 @@ +annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark +apiVersion: v1 +appVersion: v6.3.0-rc.1 +description: The cis-operator enables running CIS benchmark security scans on a kubernetes + cluster +icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg +keywords: +- security +name: rancher-cis-benchmark +version: 6.3.0-rc.1 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/README.md b/charts/rancher-cis-benchmark/6.3.0-rc.1/README.md new file mode 100644 index 0000000000..50beab58ba --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/README.md @@ -0,0 +1,9 @@ +# Rancher CIS Benchmark Chart + +The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded. + +# Installation + +``` +helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system +``` diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/app-readme.md b/charts/rancher-cis-benchmark/6.3.0-rc.1/app-readme.md new file mode 100644 index 0000000000..d4834a4824 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/app-readme.md @@ -0,0 +1,37 @@ +# Rancher CIS Benchmarks + +This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/). + +For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides). + +This chart installs the following components: + +- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded. +- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed. +- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans. +- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources. +- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish. + - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts. + - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart. + +## CIS Kubernetes Benchmark support + +| Source | Kubernetes distribution | scan profile | Kubernetes versions | +|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| +| CIS | any | [cis-1.7](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.7) | v1.25 | +| CIS | any | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8) | v1.26+ | +| CIS | rke | [rke-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-permissive) | rke1-v1.25 | +| CIS | rke | [rke-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-hardened) | rke1-v1.25 | +| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | +| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | +| CIS | rke2 | [rke2-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-permissive)| rke2-v1.25 | +| CIS | rke2 | [rke2-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-hardened) | rke2-v1.25 | +| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ | +| CIS | k3s | [k3s-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-permissive) | k3s-v1.25 | +| CIS | k3s | [k3s-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-hardened) | k3s-v1.25 | +| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26+ | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ | +| CIS | eks | eks-1.2.0 | eks | +| CIS | aks | aks-1.0 | aks | +| CIS | gke | gke-1.2.0 | gke | \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/_helpers.tpl new file mode 100644 index 0000000000..b7bb000422 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/_helpers.tpl @@ -0,0 +1,27 @@ +{{/* Ensure namespace is set the same everywhere */}} +{{- define "cis.namespace" -}} + {{- .Release.Namespace | default "cis-operator-system" -}} +{{- end -}} + +{{- define "system_default_registry" -}} +{{- if .Values.global.cattle.systemDefaultRegistry -}} +{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}} +{{- else -}} +{{- "" -}} +{{- end -}} +{{- end -}} + +{{/* +Windows cluster will add default taint for linux nodes, +add below linux tolerations to workloads could be scheduled to those linux nodes +*/}} +{{- define "linux-node-tolerations" -}} +- key: "cattle.io/os" + value: "linux" + effect: "NoSchedule" + operator: "Equal" +{{- end -}} + +{{- define "linux-node-selector" -}} +kubernetes.io/os: linux +{{- end -}} diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/alertingrule.yaml new file mode 100644 index 0000000000..1787c88a07 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/alertingrule.yaml @@ -0,0 +1,14 @@ +{{- if .Values.alerts.enabled -}} +--- +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: rancher-cis-pod-monitor + namespace: {{ template "cis.namespace" . }} +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + podMetricsEndpoints: + - port: cismetrics +{{- end }} diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-aks-1.0.yaml new file mode 100644 index 0000000000..1ac866253f --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-aks-1.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: aks-1.0 +spec: + clusterProvider: aks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-cis-1.7.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-cis-1.7.yaml new file mode 100644 index 0000000000..fa8dfd8eb9 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-cis-1.7.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.7 +spec: + clusterProvider: "" + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-cis-1.8.yaml new file mode 100644 index 0000000000..ae19007b2e --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-cis-1.8.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.8 +spec: + clusterProvider: "" + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-eks-1.2.0.yaml new file mode 100644 index 0000000000..c1bdd9ed5e --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-eks-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: eks-1.2.0 +spec: + clusterProvider: eks + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-gke-1.2.0.yaml new file mode 100644 index 0000000000..c609e736fd --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-gke-1.2.0.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: gke-1.2.0 +spec: + clusterProvider: gke + minKubernetesVersion: "1.15.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.7-hardened.yaml new file mode 100644 index 0000000000..6fb369360c --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.7-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.7-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.7-permissive.yaml new file mode 100644 index 0000000000..b556d70fe5 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.7-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.7-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..07b4300d20 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-hardened +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..c30fa7f725 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-k3s-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.8-permissive +spec: + clusterProvider: k3s + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.7-hardened.yaml new file mode 100644 index 0000000000..39bac7833c --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.7-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.7-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.7-permissive.yaml new file mode 100644 index 0000000000..2e2f09ac74 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.7-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.7-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..d3d357c023 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-hardened +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..208eb777cd --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke-cis-1.8-permissive +spec: + clusterProvider: rke + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.7-hardened.yaml new file mode 100644 index 0000000000..6306e9601a --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.7-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.7-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.7-permissive.yaml new file mode 100644 index 0000000000..76236e11af --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.7-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.7-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.25.0" + maxKubernetesVersion: "1.25.x" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.8-hardened.yaml new file mode 100644 index 0000000000..0237206a73 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.8-hardened.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-hardened +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.8-permissive.yaml new file mode 100644 index 0000000000..b5f9e4b50f --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/benchmark-rke2-cis-1.8-permissive.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: rke2-cis-1.8-permissive +spec: + clusterProvider: rke2 + minKubernetesVersion: "1.26.0" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/cis-roles.yaml new file mode 100644 index 0000000000..23c93dc659 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/cis-roles.yaml @@ -0,0 +1,49 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-admin +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["create", "update", "delete", "patch","get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: + - '*' +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: cis-view +rules: + - apiGroups: + - cis.cattle.io + resources: + - clusterscanbenchmarks + - clusterscanprofiles + - clusterscans + - clusterscanreports + verbs: ["get", "watch", "list"] + - apiGroups: + - catalog.cattle.io + resources: ["apps"] + resourceNames: ["rancher-cis-benchmark"] + verbs: ["get", "watch", "list"] + - apiGroups: + - "" + resources: + - configmaps + verbs: ["get", "watch", "list"] diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/configmap.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/configmap.yaml new file mode 100644 index 0000000000..094c9dfe0a --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/configmap.yaml @@ -0,0 +1,18 @@ +kind: ConfigMap +apiVersion: v1 +metadata: + name: default-clusterscanprofiles + namespace: {{ template "cis.namespace" . }} +data: + # Default ClusterScanProfiles per cluster provider type + rke: |- + <1.21.0: rke-profile-permissive-1.20 + >=1.21.0: rke-profile-permissive-1.8 + rke2: |- + <1.21.0: rke2-cis-1.20-profile-permissive + >=1.21.0: rke2-cis-1.8-profile-permissive + eks: "eks-profile" + gke: "gke-profile" + aks: "aks-profile" + k3s: "k3s-cis-1.8-profile-permissive" + default: "cis-1.8-profile" diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/deployment.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/deployment.yaml new file mode 100644 index 0000000000..8c9f72f5de --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/deployment.yaml @@ -0,0 +1,61 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: cis-operator + namespace: {{ template "cis.namespace" . }} + labels: + cis.cattle.io/operator: cis-operator +spec: + selector: + matchLabels: + cis.cattle.io/operator: cis-operator + template: + metadata: + labels: + cis.cattle.io/operator: cis-operator + spec: + serviceAccountName: cis-operator-serviceaccount + containers: + - name: cis-operator + image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}' + imagePullPolicy: IfNotPresent + ports: + - name: cismetrics + containerPort: {{ .Values.alerts.metricsPort }} + env: + - name: SECURITY_SCAN_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }} + - name: SECURITY_SCAN_IMAGE_TAG + value: {{ .Values.image.securityScan.tag }} + - name: SONOBUOY_IMAGE + value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }} + - name: SONOBUOY_IMAGE_TAG + value: {{ .Values.image.sonobuoy.tag }} + - name: CIS_ALERTS_METRICS_PORT + value: '{{ .Values.alerts.metricsPort }}' + - name: CIS_ALERTS_SEVERITY + value: {{ .Values.alerts.severity }} + - name: CIS_ALERTS_ENABLED + value: {{ .Values.alerts.enabled | default "false" | quote }} + - name: CLUSTER_NAME + value: '{{ .Values.global.cattle.clusterName }}' + - name: CIS_OPERATOR_DEBUG + value: '{{ .Values.image.cisoperator.debug }}' + {{- if .Values.securityScanJob.overrideTolerations }} + - name: SECURITY_SCAN_JOB_TOLERATIONS + value: '{{ .Values.securityScanJob.tolerations | toJson }}' + {{- end }} + resources: + {{- toYaml .Values.resources | nindent 12 }} + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/network_policy_allow_all.yaml new file mode 100644 index 0000000000..6ed5d645ea --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/network_policy_allow_all.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-allow-all + namespace: {{ template "cis.namespace" . }} +spec: + podSelector: {} + ingress: + - {} + egress: + - {} + policyTypes: + - Ingress + - Egress diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/patch_default_serviceaccount.yaml new file mode 100644 index 0000000000..e78a6bd08a --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/patch_default_serviceaccount.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: patch-sa + annotations: + "helm.sh/hook": post-install, post-upgrade + "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation +spec: + template: + spec: + serviceAccountName: cis-operator-serviceaccount + nodeSelector: {{ include "linux-node-selector" . | nindent 8 }} +{{- if .Values.nodeSelector }} +{{ toYaml .Values.nodeSelector | indent 8 }} +{{- end }} + tolerations: {{ include "linux-node-tolerations" . | nindent 8 }} +{{- if .Values.tolerations }} +{{ toYaml .Values.tolerations | indent 8 }} +{{- end }} + restartPolicy: Never + containers: + - name: sa + image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}" + imagePullPolicy: {{ .Values.global.imagePullPolicy }} + command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"] + args: ["-n", {{ template "cis.namespace" . }}] + + backoffLimit: 1 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/rbac.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/rbac.yaml new file mode 100644 index 0000000000..5fe075e34f --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/rbac.yaml @@ -0,0 +1,209 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-clusterrole +rules: +- apiGroups: + - "cis.cattle.io" + resources: + - "*" + verbs: + - "*" +- apiGroups: + - "" + resources: + - "pods" + - "services" + - "configmaps" + - "nodes" + - "serviceaccounts" + verbs: + - "get" + - "list" + - "create" + - "update" + - "watch" + - "patch" +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - "rolebindings" + - "clusterrolebindings" + - "clusterroles" + verbs: + - "get" + - "list" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - "list" + - "create" + - "patch" + - "update" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-scan-ns +rules: +- apiGroups: + - "" + resources: + - "namespaces" + - "nodes" + - "pods" + - "serviceaccounts" + - "services" + - "replicationcontrollers" + verbs: + - "get" + - "list" + - "watch" +- apiGroups: + - "rbac.authorization.k8s.io" + resources: + - "rolebindings" + - "clusterrolebindings" + - "clusterroles" + verbs: + - "get" + - "list" +- apiGroups: + - "batch" + resources: + - "jobs" + - "cronjobs" + verbs: + - "list" +- apiGroups: + - "apps" + resources: + - "daemonsets" + - "deployments" + - "replicasets" + - "statefulsets" + verbs: + - "list" +- apiGroups: + - "autoscaling" + resources: + - "horizontalpodautoscalers" + verbs: + - "list" +- apiGroups: + - "networking.k8s.io" + resources: + - "networkpolicies" + verbs: + - "get" + - "list" + - "watch" +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: cis-operator-role + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + namespace: {{ template "cis.namespace" . }} +rules: +- apiGroups: + - "" + resources: + - "services" + verbs: + - "watch" + - "list" + - "get" + - "patch" +- apiGroups: + - "batch" + resources: + - "jobs" + verbs: + - "watch" + - "list" + - "get" + - "delete" +- apiGroups: + - "" + resources: + - "configmaps" + - "pods" + - "secrets" + verbs: + - "*" +- apiGroups: + - "apps" + resources: + - "daemonsets" + verbs: + - "*" +- apiGroups: + - monitoring.coreos.com + resources: + - prometheusrules + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-operator-clusterrole +subjects: +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: cis-scan-ns + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: cis-scan-ns +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-operator-rolebinding + namespace: {{ template "cis.namespace" . }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: cis-operator-role +subjects: +- kind: ServiceAccount + name: cis-serviceaccount + namespace: {{ template "cis.namespace" . }} +- kind: ServiceAccount + name: cis-operator-serviceaccount + namespace: {{ template "cis.namespace" . }} diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-cis-1.7.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-cis-1.7.yaml new file mode 100644 index 0000000000..1a37aad835 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-cis-1.7.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.7-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.7 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-cis-1.8.yaml new file mode 100644 index 0000000000..40be06c946 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-cis-1.8.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.8-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.8 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.7-hardened.yml new file mode 100644 index 0000000000..22ae9e0d23 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.7-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.7-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.7-hardened diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.7-permissive.yml new file mode 100644 index 0000000000..f79e9ed966 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.7-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.7-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.7-permissive diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.8-hardened.yml new file mode 100644 index 0000000000..03f6695689 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.8-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.8-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.8-permissive.yml new file mode 100644 index 0000000000..39932a4e5b --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-k3s-cis-1.8-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.8-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.7-hardened.yaml new file mode 100644 index 0000000000..7b83f95bcd --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.7-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.7 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.7-hardened diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.7-permissive.yaml new file mode 100644 index 0000000000..52327c4af1 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.7-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.7 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.7-permissive diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.8-hardened.yaml new file mode 100644 index 0000000000..54aa08691e --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.8-hardened.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-hardened-1.8 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.8-permissive.yaml new file mode 100644 index 0000000000..f7d4fdd229 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke-1.8-permissive.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke-profile-permissive-1.8 + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.7-hardened.yml new file mode 100644 index 0000000000..193753a0bc --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.7-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.7-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.7-hardened diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.7-permissive.yml new file mode 100644 index 0000000000..409645dc76 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.7-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.7-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.7-permissive diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.8-hardened.yml new file mode 100644 index 0000000000..d0a1180f56 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.8-hardened.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.8-profile-hardened + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.8-hardened diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.8-permissive.yml new file mode 100644 index 0000000000..0aa72407c0 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofile-rke2-cis-1.8-permissive.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: rke2-cis-1.8-profile-permissive + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: rke2-cis-1.8-permissive diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofileaks.yml new file mode 100644 index 0000000000..ac9f47a8fb --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofileaks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: aks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: aks-1.0 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofileeks.yml new file mode 100644 index 0000000000..7cf7936cbf --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofileeks.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: eks-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: eks-1.2.0 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofilegke.yml new file mode 100644 index 0000000000..42fa4f23a2 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/scanprofilegke.yml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: gke-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: gke-1.2.0 diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/serviceaccount.yaml new file mode 100644 index 0000000000..ec48ec6224 --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/serviceaccount.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + name: cis-operator-serviceaccount +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + namespace: {{ template "cis.namespace" . }} + labels: + app.kubernetes.io/name: rancher-cis-benchmark + app.kubernetes.io/instance: release-name + name: cis-serviceaccount diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/validate-install-crd.yaml new file mode 100644 index 0000000000..562295791b --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/templates/validate-install-crd.yaml @@ -0,0 +1,17 @@ +#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}} +# {{- $found := dict -}} +# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}} +# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}} +# {{- range .Capabilities.APIVersions -}} +# {{- if hasKey $found (toString .) -}} +# {{- set $found (toString .) true -}} +# {{- end -}} +# {{- end -}} +# {{- range $_, $exists := $found -}} +# {{- if (eq $exists false) -}} +# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}} +# {{- end -}} +# {{- end -}} +#{{- end -}} \ No newline at end of file diff --git a/charts/rancher-cis-benchmark/6.3.0-rc.1/values.yaml b/charts/rancher-cis-benchmark/6.3.0-rc.1/values.yaml new file mode 100644 index 0000000000..c1499c8a5d --- /dev/null +++ b/charts/rancher-cis-benchmark/6.3.0-rc.1/values.yaml @@ -0,0 +1,53 @@ +# Default values for rancher-cis-benchmark. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. + +image: + cisoperator: + repository: rancher/cis-operator + tag: v1.0.16-rc.1 + securityScan: + repository: rancher/security-scan + tag: v0.2.18-rc.1 + sonobuoy: + repository: rancher/mirrored-sonobuoy-sonobuoy + tag: v0.57.2 + +resources: {} + # We usually recommend not to specify default resources and to leave this as a conscious + # choice for the user. This also increases chances charts run on environments with little + # resources, such as Minikube. If you do want to specify resources, uncomment the following + # lines, adjust them as necessary, and remove the curly braces after 'resources:'. + # limits: + # cpu: 100m + # memory: 128Mi + # requests: + # cpu: 100m + # memory: 128Mi + +## Node labels for pod assignment +## Ref: https://kubernetes.io/docs/user-guide/node-selection/ +## +nodeSelector: {} + +## List of node taints to tolerate (requires Kubernetes >= 1.6) +tolerations: [] + +securityScanJob: + overrideTolerations: false + tolerations: [] + +affinity: {} + +global: + cattle: + systemDefaultRegistry: "" + clusterName: "" + kubectl: + repository: rancher/kubectl + tag: v1.29.7 + +alerts: + enabled: false + severity: warning + metricsPort: 8080 diff --git a/index.yaml b/index.yaml index 135f560ec2..97fa67c434 100755 --- a/index.yaml +++ b/index.yaml @@ -11950,6 +11950,32 @@ entries: - assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz version: 1.0.200 rancher-cis-benchmark: + - annotations: + catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match + catalog.cattle.io/certified: rancher + catalog.cattle.io/display-name: CIS Benchmark + catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0' + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/os: linux + catalog.cattle.io/permits-os: linux,windows + catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1 + catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0' + catalog.cattle.io/release-name: rancher-cis-benchmark + catalog.cattle.io/type: cluster-tool + catalog.cattle.io/ui-component: rancher-cis-benchmark + apiVersion: v1 + appVersion: v6.3.0-rc.1 + created: "2024-10-09T15:41:56.717171867-03:00" + description: The cis-operator enables running CIS benchmark security scans on + a kubernetes cluster + digest: caad6199ece80e35d827f54b8d6747f4623d1367d478b175dbbcdf1e07ba21bb + icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg + keywords: + - security + name: rancher-cis-benchmark + urls: + - assets/rancher-cis-benchmark/rancher-cis-benchmark-6.3.0-rc.1.tgz + version: 6.3.0-rc.1 - annotations: catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match catalog.cattle.io/certified: rancher @@ -12706,6 +12732,20 @@ entries: - assets/rancher-cis-benchmark/rancher-cis-benchmark-1.0.100.tgz version: 1.0.100 rancher-cis-benchmark-crd: + - annotations: + catalog.cattle.io/certified: rancher + catalog.cattle.io/hidden: "true" + catalog.cattle.io/namespace: cis-operator-system + catalog.cattle.io/release-name: rancher-cis-benchmark-crd + apiVersion: v1 + created: "2024-10-09T15:41:56.719770012-03:00" + description: Installs the CRDs for rancher-cis-benchmark. + digest: a4dfc7b4332dd1c4fa8af649bad2bec64e1ecd5976486384b706a2648970ef3f + name: rancher-cis-benchmark-crd + type: application + urls: + - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.3.0-rc.1.tgz + version: 6.3.0-rc.1 - annotations: catalog.cattle.io/certified: rancher catalog.cattle.io/hidden: "true"