From 2dcc3b2d7b7579dd205a86d50d92994d1c99e09b Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Thu, 9 Jan 2025 22:50:21 +0530
Subject: [PATCH 1/4] Revert "revert cis-1.9 chart templates"
This reverts commit a3d9e3c9d66c9d97bfe35e2816b42c956feb58b6.
---
 chart/app-readme.md | 8 +++++---
 chart/templates/benchmark-cis-1.8.yaml | 1 +
 chart/templates/benchmark-cis-1.9.yaml | 8 ++++++++
 chart/templates/benchmark-k3s-cis-1.8-hardened.yaml | 1 +
 chart/templates/benchmark-k3s-cis-1.8-permissive.yaml | 1 +
 chart/templates/benchmark-k3s-cis-1.9.yaml | 8 ++++++++
 chart/templates/configmap.yaml | 4 ++--
 chart/templates/scanprofile-cis-1.9.yaml | 9 +++++++++
 chart/templates/scanprofile-k3s-cis-1.9.yaml | 9 +++++++++
 tests/k3s-bench-test.yaml | 2 +-
 10 files changed, 45 insertions(+), 6 deletions(-)
 create mode 100644 chart/templates/benchmark-cis-1.9.yaml
 create mode 100644 chart/templates/benchmark-k3s-cis-1.9.yaml
 create mode 100644 chart/templates/scanprofile-cis-1.9.yaml
 create mode 100644 chart/templates/scanprofile-k3s-cis-1.9.yaml
diff --git a/chart/app-readme.md b/chart/app-readme.md
index 60f34c72..9e9d56b5 100644
--- a/chart/app-readme.md
+++ b/chart/app-readme.md
@@ -18,13 +18,15 @@ This chart installs the following components: | Source | Kubernetes distribution | scan profile | Kubernetes versions | |--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------| -| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26+ | +| CIS | any | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9) | v1.27+ | +| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26 | | CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ | | CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ | | CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+ | | CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ | -| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26+ | -| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ | +| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9) | k3s-v1.27+ | +| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 | +| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 | | CIS | eks | 
[eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks |
 | CIS | aks | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks |
 | CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 |
diff --git a/chart/templates/benchmark-cis-1.8.yaml b/chart/templates/benchmark-cis-1.8.yaml
index ae19007b..e1bbc72d 100644
--- a/chart/templates/benchmark-cis-1.8.yaml
+++ b/chart/templates/benchmark-cis-1.8.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: ""
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-cis-1.9.yaml b/chart/templates/benchmark-cis-1.9.yaml
new file mode 100644
index 00000000..480aad29
--- /dev/null
+++ b/chart/templates/benchmark-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.9
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
index 07b4300d..db52b9ba 100644
--- a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
+++ b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: k3s
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
index c30fa7f7..0afe6535 100644
--- a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
+++ b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: k3s
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-k3s-cis-1.9.yaml b/chart/templates/benchmark-k3s-cis-1.9.yaml
new file mode 100644
index 00000000..7b6ef228
--- /dev/null
+++ b/chart/templates/benchmark-k3s-cis-1.9.yaml
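Review bot: `maxKubernetesVersion: "1.26.x"` introduces an `x` wildcard suffix, and nothing in the chart shows how ClusterScanBenchmark compares versions, so confirm that the operator's matcher accepts that form; a strict semver parse of `1.26.x` fails, and depending on how a parse failure is handled the cap may simply not apply, leaving cis-1.8 selectable on v1.27+ clusters next to cis-1.9. The same line is added to benchmark-k3s-cis-1.8-hardened.yaml and benchmark-k3s-cis-1.8-permissive.yaml here and to both benchmark-rke2-cis-1.8-*.yaml files in patch 2, so one format decision covers all five. Because the cap encodes a hand-off between two benchmarks, a comment above it would spare the next maintainer a search, e.g. `# superseded by cis-1.9 (minKubernetesVersion "1.27.0") on newer clusters`.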
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.9
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml
index 2988b183..dcdd2937 100644
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -14,5 +14,5 @@ data:
   eks: "eks-profile"
   gke: "gke-profile-1.6.0"
   aks: "aks-profile"
-  k3s: "k3s-cis-1.8-profile-permissive"
-  default: "cis-1.8-profile"
+  k3s: "k3s-cis-1.9-profile"
+  default: "cis-1.9-profile"
diff --git a/chart/templates/scanprofile-cis-1.9.yaml b/chart/templates/scanprofile-cis-1.9.yaml
new file mode 100644
index 00000000..9f0c9f58
--- /dev/null
+++ b/chart/templates/scanprofile-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.9-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.9
diff --git a/chart/templates/scanprofile-k3s-cis-1.9.yaml b/chart/templates/scanprofile-k3s-cis-1.9.yaml
new file mode 100644
index 00000000..3d9ea843
--- /dev/null
+++ b/chart/templates/scanprofile-k3s-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.9-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.9
diff --git a/tests/k3s-bench-test.yaml b/tests/k3s-bench-test.yaml
index 74c37967..4fe5e7f2 100644
--- a/tests/k3s-bench-test.yaml
+++ b/tests/k3s-bench-test.yaml
@@ -4,5 +4,5 @@ metadata:
   name: k3s-e2e-scan
   namespace: cis-operator-system
 spec:
-  scanProfileName: k3s-cis-1.8-profile-permissive
+  scanProfileName: k3s-cis-1.9-profile
   scoreWarning: pass
From 1ce153e8b95cc03abbebec066835394114ca9d30 Mon Sep 17 00:00:00 2001
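Review bot: `k3s: "k3s-cis-1.9-profile"` and `default: "cis-1.9-profile"` are plain strings, so a k3s or generic cluster still on v1.26 now defaults to a profile whose benchmark requires `minKubernetesVersion: "1.27.0"`, even though this same patch keeps the cis-1.8 benchmarks alive for exactly that version (`maxKubernetesVersion: "1.26.x"`). The rke and rke2 entries in the same ConfigMap use a version-keyed block scalar (`>=1.21.0: …`); if the operator accepts that form for the k3s and default keys as well — the rest of the ConfigMap and its consumer are outside this hunk — a ranged mapping would keep v1.26 clusters on the 1.8 profile, as sketched below. Patch 2's rke2 entry `>=1.21.0: rke2-cis-1.9-profile` has the same gap for rke2 v1.21 through v1.26 and should be split at 1.27.0 in the same way. Note also that the old defaults were the `-permissive` variants while cis-1.9 ships a single profile, so the default scan becomes stricter for existing users; presumably intended, but it deserves a sentence in the chart README.
```yaml
  k3s: |-
    <1.27.0: k3s-cis-1.8-profile-permissive
    >=1.27.0: k3s-cis-1.9-profile
  default: |-
    <1.27.0: cis-1.8-profile
    >=1.27.0: cis-1.9-profile
```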
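Review bot: `scanProfileName: k3s-cis-1.9-profile` moves the only k3s end-to-end scan onto the 1.9 profile, so the two k3s-cis-1.8 profiles this patch keeps no longer have any e2e coverage, and the scan is only valid if the CI cluster runs v1.27 or later (the new benchmark's `minKubernetesVersion: "1.27.0"`); the cluster version this test runs against is not visible here, so please confirm it. If the 1.8 profiles are meant to stay supported for v1.26 clusters, a second scan object pinned to `scanProfileName: k3s-cis-1.8-profile-permissive` and run on a v1.26 cluster would keep them exercised. The object's `kind` and `apiVersion` start above this hunk.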
From: vardhaman22
Date: Fri, 10 Jan 2025 17:15:40 +0530
Subject: [PATCH 2/4] added rke2 cis 1.9 templates
---
 chart/app-readme.md | 15 ++++++++-------
 .../benchmark-rke2-cis-1.8-hardened.yaml | 1 +
 .../benchmark-rke2-cis-1.8-permissive.yaml | 1 +
 chart/templates/benchmark-rke2-cis-1.9.yaml | 8 ++++++++
 chart/templates/configmap.yaml | 2 +-
 chart/templates/scanprofile-rke2-cis-1.9.yaml | 9 +++++++++
 6 files changed, 28 insertions(+), 8 deletions(-)
 create mode 100644 chart/templates/benchmark-rke2-cis-1.9.yaml
 create mode 100644 chart/templates/scanprofile-rke2-cis-1.9.yaml
diff --git a/chart/app-readme.md b/chart/app-readme.md
index 9e9d56b5..06e56290 100644
--- a/chart/app-readme.md
+++ b/chart/app-readme.md
@@ -20,13 +20,14 @@ This chart installs the following components:
 |--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
 | CIS | any | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9) | v1.27+ |
 | CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26 |
-| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ |
-| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ |
-| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+ |
-| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ |
-| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9) | k3s-v1.27+ |
-| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 |
-| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 |
+| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ |
+| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ |
+| CIS | rke2 | [rke2-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.9) | rke2-v1.27+ |
+| CIS | rke2 |
[rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26 |
+| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26 |
+| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9) | k3s-v1.27+ |
+| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 |
+| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 |
 | CIS | eks | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks |
 | CIS | aks | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks |
 | CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 |
diff --git a/chart/templates/benchmark-rke2-cis-1.8-hardened.yaml b/chart/templates/benchmark-rke2-cis-1.8-hardened.yaml
index 0237206a..1bbb5404 100644
--- a/chart/templates/benchmark-rke2-cis-1.8-hardened.yaml
+++ b/chart/templates/benchmark-rke2-cis-1.8-hardened.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: rke2
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-rke2-cis-1.8-permissive.yaml b/chart/templates/benchmark-rke2-cis-1.8-permissive.yaml
index b5f9e4b5..39470566 100644
--- a/chart/templates/benchmark-rke2-cis-1.8-permissive.yaml
+++ b/chart/templates/benchmark-rke2-cis-1.8-permissive.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: rke2
   minKubernetesVersion: "1.26.0"
+  maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-rke2-cis-1.9.yaml b/chart/templates/benchmark-rke2-cis-1.9.yaml
new file mode 100644
index 00000000..57ce01b4
--- /dev/null
+++ b/chart/templates/benchmark-rke2-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.9
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml
index dcdd2937..ab915498 100644
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -10,7 +10,7 @@ data:
     >=1.21.0: rke-profile-permissive-1.8
   rke2: |-
     <1.21.0: rke2-cis-1.20-profile-permissive
-    >=1.21.0: rke2-cis-1.8-profile-permissive
+    >=1.21.0: rke2-cis-1.9-profile
   eks: "eks-profile"
   gke: "gke-profile-1.6.0"
   aks: "aks-profile"
diff --git a/chart/templates/scanprofile-rke2-cis-1.9.yaml b/chart/templates/scanprofile-rke2-cis-1.9.yaml
new file mode 100644
index 00000000..047d5e86
--- /dev/null
+++ b/chart/templates/scanprofile-rke2-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.9-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.9
From 3ad18cc1f1eca124c0ef81ba5f6dbabd5d55e6da Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Fri, 10 Jan 2025 20:41:57 +0530
Subject: [PATCH 3/4] added roles permission required by 5.1.3 check in cis 1.9
---
 chart/templates/rbac.yaml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/chart/templates/rbac.yaml b/chart/templates/rbac.yaml
index 5fe075e3..cba20d18 100644
--- a/chart/templates/rbac.yaml
+++ b/chart/templates/rbac.yaml
@@ -33,6 +33,7 @@ rules:
   - "rolebindings"
   - "clusterrolebindings"
   - "clusterroles"
+  - "roles"
   verbs:
   - "get"
   - "list"
@@ -74,6 +75,7 @@ rules:
   - "rolebindings"
   - "clusterrolebindings"
   - "clusterroles"
+  - "roles"
   verbs:
   - "get"
   - "list"
From 5415589d9ffc2515380da8b84cccbf4f90dc8d99 Mon Sep 17 00:00:00 2001
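Review bot: The two added `- "roles"` entries (hunks at -33 and -74 of rbac.yaml) carry no comment tying them to CIS 1.9 check 5.1.3, which is the first thing an RBAC audit of this ClusterRole will ask about, and the commit message is not visible from the rendered manifest; add `# read-only access to namespaced Roles, needed by CIS 1.9 check 5.1.3 (wildcard use in Roles/ClusterRoles)` above each. Only `get` and `list` are visible in the hunks, which keeps the grant read-only and in line with the sibling `clusterroles` entry; both rule bodies start above the hunk, so confirm the new entries sit under the `rbac.authorization.k8s.io` apiGroup the neighbouring resources imply. The second hunk appears to be a separate rule or role, and it is not clear from here which subject binds to it, so confirm that both subjects actually run the 5.1.3 check; otherwise the second grant is surplus permission.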
From: vardhaman22 Date: Thu, 9 Jan 2025 22:51:53 +0530 Subject: [PATCH 4/4] update Chart.yaml and values.yaml --- chart/Chart.yaml | 4 ++-- chart/values.yaml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/chart/Chart.yaml b/chart/Chart.yaml index 206ddeec..29564f16 100644 --- a/chart/Chart.yaml +++ b/chart/Chart.yaml @@ -12,11 +12,11 @@ annotations: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: rancher-cis-benchmark apiVersion: v1 -appVersion: v6.5.1 +appVersion: v6.6.0-rc.1 description: The cis-operator enables running CIS benchmark security scans on a kubernetes cluster icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg keywords: - security name: rancher-cis-benchmark -version: 6.5.1 +version: 6.6.0-rc.1 diff --git a/chart/values.yaml b/chart/values.yaml index 36f63461..2bb6c003 100644 --- a/chart/values.yaml +++ b/chart/values.yaml @@ -5,10 +5,10 @@ image: cisoperator: repository: rancher/cis-operator - tag: v1.2.3 + tag: v1.2.4-rc.1 securityScan: repository: rancher/security-scan - tag: v0.4.1 + tag: v0.4.2-rc.1 sonobuoy: repository: rancher/mirrored-sonobuoy-sonobuoy tag: v0.57.2