Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Rancher cis benchmark mod upstream test #4560

Draft
wants to merge 3 commits into
base: dev-v2.10
Choose a base branch
from
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file not shown.
Binary file not shown.
10 changes: 10 additions & 0 deletions charts/rancher-cis-benchmark-crd/105.0.0+up6.3.0-rc.1/Chart.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,10 @@
annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/release-name: rancher-cis-benchmark-crd
apiVersion: v1
description: Installs the CRDs for rancher-cis-benchmark.
name: rancher-cis-benchmark-crd
type: application
version: 105.0.0+up6.3.0-rc.1
Original file line number Diff line number Diff line change
@@ -0,0 +1,2 @@
# rancher-cis-benchmark-crd
A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
File renamed without changes.
File renamed without changes.
File renamed without changes.
File renamed without changes.
Original file line number Diff line number Diff line change
Expand Up @@ -12,11 +12,11 @@ annotations:
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-cis-benchmark
apiVersion: v1
appVersion: v6.1.0-rc1
appVersion: v6.3.0-rc.1
description: The cis-operator enables running CIS benchmark security scans on a kubernetes
cluster
icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
keywords:
- security
name: rancher-cis-benchmark
version: 6.1.0-rc1
version: 105.0.0+up6.3.0-rc.1
Original file line number Diff line number Diff line change
Expand Up @@ -34,4 +34,4 @@ This chart installs the following components:
| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ |
| CIS | eks | eks-1.2.0 | eks |
| CIS | aks | aks-1.0 | aks |
| CIS | gke | gke-1.2.0 | gke |
| CIS | gke | gke-1.2.0 | gke |
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: cis-1.5
spec:
clusterProvider: ""
minKubernetesVersion: "1.15.0"
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: eks-1.0
spec:
clusterProvider: eks
minKubernetesVersion: "1.15.0"
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: gke-1.0
spec:
clusterProvider: gke
minKubernetesVersion: "1.15.0"
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-hardened
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"
Original file line number Diff line number Diff line change
@@ -0,0 +1,8 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
name: rke-cis-1.5-permissive
spec:
clusterProvider: rke
minKubernetesVersion: "1.15.0"
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: cis-1.5-profile
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: cis-1.5
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-custom
spec:
benchmarkVersion: rke-cis-1.5-permissive
skipTests:
- "1.1.20"
- "1.1.21"

Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-hardened
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.5-hardened
Original file line number Diff line number Diff line change
@@ -0,0 +1,9 @@
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
name: rke-profile-permissive
annotations:
clusterscanprofile.cis.cattle.io/builtin: "true"
spec:
benchmarkVersion: rke-cis-1.5-permissive
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
# {{- $found := dict -}}
# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
# {{- range .Capabilities.APIVersions -}}
# {{- if hasKey $found (toString .) -}}
# {{- set $found (toString .) true -}}
# {{- end -}}
# {{- end -}}
# {{- range $_, $exists := $found -}}
# {{- if (eq $exists false) -}}
# {{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
# {{- end -}}
# {{- end -}}
#{{- end -}}
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,13 @@
image:
cisoperator:
repository: rancher/cis-operator
tag: v1.0.14-rc4
tag: v1.0.16-rc.1
securityScan:
repository: rancher/security-scan
tag: v0.2.17-rc8
tag: v0.2.18-rc.1
sonobuoy:
repository: rancher/mirrored-sonobuoy-sonobuoy
tag: v0.57.1
tag: v0.57.2

resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious
Expand Down
40 changes: 40 additions & 0 deletions index.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -7465,6 +7465,32 @@ entries:
- assets/rancher-backup-crd/rancher-backup-crd-1.0.200.tgz
version: 1.0.200
rancher-cis-benchmark:
- annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher
catalog.cattle.io/display-name: CIS Benchmark
catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/os: linux
catalog.cattle.io/permits-os: linux,windows
catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
catalog.cattle.io/release-name: rancher-cis-benchmark
catalog.cattle.io/type: cluster-tool
catalog.cattle.io/ui-component: rancher-cis-benchmark
apiVersion: v1
appVersion: v6.3.0-rc.1
created: "2024-10-10T22:14:45.318344671-03:00"
description: The cis-operator enables running CIS benchmark security scans on
a kubernetes cluster
digest: 3eb026b2bf0f6d550ad162f8c426453a97b11fb17054d9f3ad88945c9c2a8989
icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
keywords:
- security
name: rancher-cis-benchmark
urls:
- assets/rancher-cis-benchmark/rancher-cis-benchmark-105.0.0+up6.3.0-rc.1.tgz
version: 105.0.0+up6.3.0-rc.1
- annotations:
catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
catalog.cattle.io/certified: rancher
Expand Down Expand Up @@ -8087,6 +8113,20 @@ entries:
- assets/rancher-cis-benchmark/rancher-cis-benchmark-2.0.0.tgz
version: 2.0.0
rancher-cis-benchmark-crd:
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
catalog.cattle.io/namespace: cis-operator-system
catalog.cattle.io/release-name: rancher-cis-benchmark-crd
apiVersion: v1
created: "2024-10-10T22:14:45.342735912-03:00"
description: Installs the CRDs for rancher-cis-benchmark.
digest: 62251d61465ca3d24a26307121393c5420055dd9677bd70e7f9c0324d949c807
name: rancher-cis-benchmark-crd
type: application
urls:
- assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-105.0.0+up6.3.0-rc.1.tgz
version: 105.0.0+up6.3.0-rc.1
- annotations:
catalog.cattle.io/certified: rancher
catalog.cattle.io/hidden: "true"
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,149 @@
apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
metadata:
name: clusterscans.cis.cattle.io
spec:
group: cis.cattle.io
names:
kind: ClusterScan
plural: clusterscans
singular: clusterscan
scope: Cluster
versions:
- additionalPrinterColumns:
- jsonPath: .status.lastRunScanProfileName
name: ClusterScanProfile
type: string
- jsonPath: .status.summary.total
name: Total
type: string
- jsonPath: .status.summary.pass
name: Pass
type: string
- jsonPath: .status.summary.fail
name: Fail
type: string
- jsonPath: .status.summary.skip
name: Skip
type: string
- jsonPath: .status.summary.warn
name: Warn
type: string
- jsonPath: .status.summary.notApplicable
name: Not Applicable
type: string
- jsonPath: .status.lastRunTimestamp
name: LastRunTimestamp
type: string
- jsonPath: .spec.scheduledScanConfig.cronSchedule
name: CronSchedule
type: string
name: v1
schema:
openAPIV3Schema:
properties:
spec:
properties:
scanProfileName:
nullable: true
type: string
scheduledScanConfig:
nullable: true
properties:
cronSchedule:
nullable: true
type: string
retentionCount:
type: integer
scanAlertRule:
nullable: true
properties:
alertOnComplete:
type: boolean
alertOnFailure:
type: boolean
type: object
type: object
scoreWarning:
enum:
- pass
- fail
nullable: true
type: string
type: object
status:
properties:
NextScanAt:
nullable: true
type: string
ScanAlertingRuleName:
nullable: true
type: string
conditions:
items:
properties:
lastTransitionTime:
nullable: true
type: string
lastUpdateTime:
nullable: true
type: string
message:
nullable: true
type: string
reason:
nullable: true
type: string
status:
nullable: true
type: string
type:
nullable: true
type: string
type: object
nullable: true
type: array
display:
nullable: true
properties:
error:
type: boolean
message:
nullable: true
type: string
state:
nullable: true
type: string
transitioning:
type: boolean
type: object
lastRunScanProfileName:
nullable: true
type: string
lastRunTimestamp:
nullable: true
type: string
observedGeneration:
type: integer
summary:
nullable: true
properties:
fail:
type: integer
notApplicable:
type: integer
pass:
type: integer
skip:
type: integer
total:
type: integer
warn:
type: integer
type: object
type: object
type: object
served: true
storage: true
subresources:
status: {}
Loading
Loading