diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 35409232..a9da590d 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -12,11 +12,11 @@ annotations: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: rancher-cis-benchmark apiVersion: v1 -appVersion: v6.4.0 +appVersion: v6.5.0 description: The cis-operator enables running CIS benchmark security scans on a kubernetes cluster icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg keywords: - security name: rancher-cis-benchmark -version: 6.4.0 +version: 6.5.0 diff --git a/chart/app-readme.md b/chart/app-readme.md index aea7514e..9e9d56b5 100644 --- a/chart/app-readme.md +++ b/chart/app-readme.md @@ -18,14 +18,16 @@ This chart installs the following components: | Source | Kubernetes distribution | scan profile | Kubernetes versions | |--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| -| CIS | any | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8) | v1.26+ | -| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | -| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | -| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+ | -| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ | -| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26+ | -| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ | -| CIS | eks | eks-1.2.0 | eks | -| CIS | aks | aks-1.0 | aks | -| CIS | gke | gke-1.2.0 | gke | -| CIS | gke | gke-1.6.0 | gke-1.29+ | +| CIS | any | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9) | v1.27+ | +| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26 | +| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | +| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+ | +| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ | +| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9) | k3s-v1.27+ | +| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 | +| CIS | eks | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks | +| CIS | aks | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks | +| CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 | +| CIS | gke | [gke-1.6.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.6.0) | gke-1.29+ | diff --git a/chart/templates/benchmark-cis-1.8.yaml b/chart/templates/benchmark-cis-1.8.yaml index ae19007b..e1bbc72d 100644 --- a/chart/templates/benchmark-cis-1.8.yaml +++ b/chart/templates/benchmark-cis-1.8.yaml @@ -6,3 +6,4 @@ metadata: spec: clusterProvider: "" minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/chart/templates/benchmark-cis-1.9.yaml b/chart/templates/benchmark-cis-1.9.yaml new file mode 100644 index 00000000..480aad29 --- /dev/null +++ b/chart/templates/benchmark-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: cis-1.9 +spec: + clusterProvider: "" + minKubernetesVersion: "1.27.0" diff --git a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml index 07b4300d..db52b9ba 100644 --- a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml +++ b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml @@ -6,3 +6,4 @@ metadata: spec: clusterProvider: k3s minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml index c30fa7f7..0afe6535 100644 --- a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml +++ b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml @@ -6,3 +6,4 @@ metadata: spec: clusterProvider: k3s minKubernetesVersion: "1.26.0" + maxKubernetesVersion: "1.26.x" diff --git a/chart/templates/benchmark-k3s-cis-1.9.yaml b/chart/templates/benchmark-k3s-cis-1.9.yaml new file mode 100644 index 00000000..7b6ef228 --- /dev/null +++ b/chart/templates/benchmark-k3s-cis-1.9.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanBenchmark +metadata: + name: k3s-cis-1.9 +spec: + clusterProvider: k3s + minKubernetesVersion: "1.27.0" diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml index 2988b183..dcdd2937 100644 --- a/chart/templates/configmap.yaml +++ b/chart/templates/configmap.yaml @@ -14,5 +14,5 @@ data: eks: "eks-profile" gke: "gke-profile-1.6.0" aks: "aks-profile" - k3s: "k3s-cis-1.8-profile-permissive" - default: "cis-1.8-profile" + k3s: "k3s-cis-1.9-profile" + default: "cis-1.9-profile" diff --git a/chart/templates/scanprofile-cis-1.9.yaml b/chart/templates/scanprofile-cis-1.9.yaml new file mode 100644 index 00000000..9f0c9f58 --- /dev/null +++ b/chart/templates/scanprofile-cis-1.9.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: cis-1.9-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: cis-1.9 diff --git a/chart/templates/scanprofile-k3s-cis-1.9.yaml b/chart/templates/scanprofile-k3s-cis-1.9.yaml new file mode 100644 index 00000000..3d9ea843 --- /dev/null +++ b/chart/templates/scanprofile-k3s-cis-1.9.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: cis.cattle.io/v1 +kind: ClusterScanProfile +metadata: + name: k3s-cis-1.9-profile + annotations: + clusterscanprofile.cis.cattle.io/builtin: "true" +spec: + benchmarkVersion: k3s-cis-1.9 diff --git a/chart/values.yaml b/chart/values.yaml index ee095083..50e4a475 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -5,10 +5,10 @@ image: cisoperator: repository: rancher/cis-operator - tag: v1.2.0 + tag: v1.2.1 securityScan: repository: rancher/security-scan - tag: v0.4.0 + tag: v0.4.1 sonobuoy: repository: rancher/mirrored-sonobuoy-sonobuoy tag: v0.57.2 @@ -45,7 +45,7 @@ global: clusterName: "" kubectl: repository: rancher/kubectl - tag: v1.29.7 + tag: v1.29.11 alerts: enabled: false diff --git a/hack/make/deps.mk b/hack/make/deps.mk index 1be87152..2d020a64 100644 --- a/hack/make/deps.mk +++ b/hack/make/deps.mk @@ -4,6 +4,6 @@ GOLANGCI_VERSION = v1.62.2 K3D_VERSION = v5.7.5 # TODO: Bump aligned with Rancher Manager release line -KUBECTL_VERSION = 1.28.12 +KUBECTL_VERSION = 1.29.11 # renovate: datasource=github-release-attachments depName=helm/helm HELM_VERSION = v3.16.3 diff --git a/tests/k3s-bench-test.yaml b/tests/k3s-bench-test.yaml index 74c37967..4fe5e7f2 100644 --- a/tests/k3s-bench-test.yaml +++ b/tests/k3s-bench-test.yaml @@ -4,5 +4,5 @@ metadata: name: k3s-e2e-scan namespace: cis-operator-system spec: - scanProfileName: k3s-cis-1.8-profile-permissive + scanProfileName: k3s-cis-1.9-profile scoreWarning: pass