From 3b52b9e8d46a12893708546532e7d1dfb0e1776f Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Tue, 3 Dec 2024 16:05:58 +0530
Subject: [PATCH 1/4] added cis 1.9 generic and k3s profile templates
---
 chart/app-readme.md | 24 ++++++++++---------
 chart/templates/benchmark-cis-1.8.yaml | 1 +
 chart/templates/benchmark-cis-1.9.yaml | 8 +++++++
 .../benchmark-k3s-cis-1.8-hardened.yaml | 1 +
 .../benchmark-k3s-cis-1.8-permissive.yaml | 1 +
 chart/templates/benchmark-k3s-cis-1.9.yaml | 8 +++++++
 chart/templates/configmap.yaml | 4 ++--
 chart/templates/scanprofile-cis-1.9.yaml | 9 +++++++
 chart/templates/scanprofile-k3s-cis-1.9.yaml | 9 +++++++
 tests/k3s-bench-test.yaml | 2 +-
 10 files changed, 53 insertions(+), 14 deletions(-)
 create mode 100644 chart/templates/benchmark-cis-1.9.yaml
 create mode 100644 chart/templates/benchmark-k3s-cis-1.9.yaml
 create mode 100644 chart/templates/scanprofile-cis-1.9.yaml
 create mode 100644 chart/templates/scanprofile-k3s-cis-1.9.yaml
diff --git a/chart/app-readme.md b/chart/app-readme.md
index aea7514e..bb8aed4c 100644
--- a/chart/app-readme.md
+++ b/chart/app-readme.md
@@ -18,14 +18,16 @@ This chart installs the following components:

 | Source | Kubernetes distribution | scan profile | Kubernetes versions |
 |--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
-| CIS | any | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8) | v1.26+ |
-| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ |
-| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ |
-| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+ |
-| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ |
-| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26+ |
-| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26+ |
-| CIS | eks | eks-1.2.0 | eks |
-| CIS | aks | aks-1.0 | aks |
-| CIS | gke | gke-1.2.0 | gke |
-| CIS | gke | gke-1.6.0 | gke-1.29+ |
+| CIS | any | cis-1.9 | v1.27+ |
+| CIS | any | cis-1.8 | v1.26 |
+| CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ |
+| CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ |
+| CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+ |
+| CIS | rke2 | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-hardened) | rke2-v1.26+ |
+| CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9) | k3s-v1.27+ |
+| CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 |
+| CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 |
+| CIS | eks | eks-1.2.0 | eks |
+| CIS | aks | aks-1.0 | aks |
+| CIS | gke | gke-1.2.0 | gke |
+| CIS | gke | gke-1.6.0 | gke-1.29+ |
\ No newline at end of file
diff --git a/chart/templates/benchmark-cis-1.8.yaml b/chart/templates/benchmark-cis-1.8.yaml
index ae19007b..e1bbc72d 100644
--- a/chart/templates/benchmark-cis-1.8.yaml
+++ b/chart/templates/benchmark-cis-1.8.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
 clusterProvider: ""
 minKubernetesVersion: "1.26.0"
+ maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-cis-1.9.yaml b/chart/templates/benchmark-cis-1.9.yaml
new file mode 100644
index 00000000..480aad29
--- /dev/null
+++ b/chart/templates/benchmark-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: cis-1.9
+spec:
+ clusterProvider: ""
+ minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
index 07b4300d..db52b9ba 100644
--- a/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
+++ b/chart/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
 clusterProvider: k3s
 minKubernetesVersion: "1.26.0"
+ maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
index c30fa7f7..0afe6535 100644
--- a/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
+++ b/chart/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -6,3 +6,4 @@ metadata:
 spec:
 clusterProvider: k3s
 minKubernetesVersion: "1.26.0"
+ maxKubernetesVersion: "1.26.x"
diff --git a/chart/templates/benchmark-k3s-cis-1.9.yaml b/chart/templates/benchmark-k3s-cis-1.9.yaml
new file mode 100644
index 00000000..7b6ef228
--- /dev/null
+++ b/chart/templates/benchmark-k3s-cis-1.9.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+ name: k3s-cis-1.9
+spec:
+ clusterProvider: k3s
+ minKubernetesVersion: "1.27.0"
diff --git a/chart/templates/configmap.yaml b/chart/templates/configmap.yaml
index 2988b183..dcdd2937 100644
--- a/chart/templates/configmap.yaml
+++ b/chart/templates/configmap.yaml
@@ -14,5 +14,5 @@ data:
 eks: "eks-profile"
 gke: "gke-profile-1.6.0"
 aks: "aks-profile"
- k3s: "k3s-cis-1.8-profile-permissive"
- default: "cis-1.8-profile"
+ k3s: "k3s-cis-1.9-profile"
+ default: "cis-1.9-profile"
diff --git a/chart/templates/scanprofile-cis-1.9.yaml b/chart/templates/scanprofile-cis-1.9.yaml
new file mode 100644
index 00000000..9f0c9f58
--- /dev/null
+++ b/chart/templates/scanprofile-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: cis-1.9-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: cis-1.9
diff --git a/chart/templates/scanprofile-k3s-cis-1.9.yaml b/chart/templates/scanprofile-k3s-cis-1.9.yaml
new file mode 100644
index 00000000..3d9ea843
--- /dev/null
+++ b/chart/templates/scanprofile-k3s-cis-1.9.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+ name: k3s-cis-1.9-profile
+ annotations:
+ clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+ benchmarkVersion: k3s-cis-1.9
diff --git a/tests/k3s-bench-test.yaml b/tests/k3s-bench-test.yaml
index 74c37967..4fe5e7f2 100644
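Review bot: The default-profile map in the configmap.yaml hunk now points `k3s` and `default` at `k3s-cis-1.9-profile` and `cis-1.9-profile`, whose benchmarks in this same patch set `minKubernetesVersion: "1.27.0"`, while the 1.8 benchmarks are capped at `maxKubernetesVersion: "1.26.x"`; nothing in this map is keyed on cluster version, so a 1.26 cluster that relies on the default is pointed at a benchmark that excludes it. If the operator reconciles that mismatch elsewhere it is not visible here; otherwise a 1.26 cluster must select a `*-cis-1.8` profile explicitly, which deserves a comment next to the map, e.g. `# defaults target Kubernetes >= 1.27; clusters on 1.26 must select a *-cis-1.8 profile explicitly`. The same version boundary applies to the `tests/k3s-bench-test.yaml` hunk, which now runs the e2e scan against the 1.9 profile only.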
--- a/tests/k3s-bench-test.yaml
+++ b/tests/k3s-bench-test.yaml
@@ -4,5 +4,5 @@ metadata:
 name: k3s-e2e-scan
 namespace: cis-operator-system
 spec:
- scanProfileName: k3s-cis-1.8-profile-permissive
+ scanProfileName: k3s-cis-1.9-profile
 scoreWarning: pass
From 93bbc5bce62d9721130c460a1a47a3aa20e6519c Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Tue, 3 Dec 2024 16:53:44 +0530
Subject: [PATCH 2/4] bump security-scan and kubectl
---
 chart/values.yaml | 4 ++--
 hack/make/deps.mk | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/chart/values.yaml b/chart/values.yaml
index ee095083..9ce755eb 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -8,7 +8,7 @@ image:
 tag: v1.2.0
 securityScan:
 repository: rancher/security-scan
- tag: v0.4.0
+ tag: v0.4.1
 sonobuoy:
 repository: rancher/mirrored-sonobuoy-sonobuoy
 tag: v0.57.2
@@ -45,7 +45,7 @@ global: clusterName: "" kubectl: repository: rancher/kubectl - tag: v1.29.7 + tag: v1.29.11 alerts: enabled: false
diff --git a/hack/make/deps.mk b/hack/make/deps.mk
index 1be87152..2d020a64 100644
--- a/hack/make/deps.mk
+++ b/hack/make/deps.mk
@@ -4,6 +4,6 @@ GOLANGCI_VERSION = v1.62.2 K3D_VERSION = v5.7.5 # TODO: Bump aligned with Rancher Manager release line -KUBECTL_VERSION = 1.28.12 +KUBECTL_VERSION = 1.29.11 # renovate: datasource=github-release-attachments depName=helm/helm HELM_VERSION = v3.16.3
From d137f30f5f9b6ccdb46af88d256bd9a61b3660f1 Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Tue, 3 Dec 2024 16:54:17 +0530
Subject: [PATCH 3/4] bump cis-operator and chart version
---
 chart/Chart.yaml | 4 ++--
 chart/values.yaml | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/chart/Chart.yaml b/chart/Chart.yaml
index 35409232..a9da590d 100644
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
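Review bot: The e2e scan moves from `k3s-cis-1.8-profile-permissive` to `k3s-cis-1.9-profile`, and this patch adds no permissive variant of the 1.9 profile, so the test now exercises whatever checks the permissive variant relaxed, with `scoreWarning: pass` still deciding how warnings count. Nothing in this hunk pins the k3s version of the test cluster, and the `k3s-cis-1.9` benchmark added in the same patch carries `minKubernetesVersion: "1.27.0"`; if the test cluster is provisioned at an older version elsewhere, the benchmark will exclude it. A comment on the scan spec would make the requirement visible, e.g. `# requires a k3s cluster on Kubernetes 1.27+ (minimum for the k3s-cis-1.9 benchmark)`.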
@@ -12,11 +12,11 @@ annotations: catalog.cattle.io/type: cluster-tool catalog.cattle.io/ui-component: rancher-cis-benchmark apiVersion: v1 -appVersion: v6.4.0 +appVersion: v6.5.0 description: The cis-operator enables running CIS benchmark security scans on a kubernetes cluster icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg keywords: - security name: rancher-cis-benchmark -version: 6.4.0 +version: 6.5.0
diff --git a/chart/values.yaml b/chart/values.yaml
index 9ce755eb..50e4a475 100644
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -5,7 +5,7 @@ image: cisoperator: repository: rancher/cis-operator - tag: v1.2.0 + tag: v1.2.1 securityScan: repository: rancher/security-scan tag: v0.4.1
From 6dceea21c23e147d2d3b78669674a103fe2355d8 Mon Sep 17 00:00:00 2001
From: vardhaman22
Date: Tue, 3 Dec 2024 19:59:22 +0530
Subject: [PATCH 4/4] updated app readme with correct profile links
---
 chart/app-readme.md | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/chart/app-readme.md b/chart/app-readme.md
index bb8aed4c..9e9d56b5 100644
--- a/chart/app-readme.md
+++ b/chart/app-readme.md
@@ -18,8 +18,8 @@ This chart installs the following components:

 | Source | Kubernetes distribution | scan profile | Kubernetes versions |
 |--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
-| CIS | any | cis-1.9 | v1.27+ |
-| CIS | any | cis-1.8 | v1.26 |
+| CIS | any | [cis-1.9](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.9) | v1.27+ |
+| CIS | any | [cis-1.8](https://github.com/aquasecurity/kube-bench/tree/main/cfg/cis-1.8) | v1.26 |
 | CIS | rke | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-permissive) | rke1-v1.26+ |
 | CIS | rke | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke-cis-1.8-hardened) | rke1-v1.26+ |
 | CIS | rke2 | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/rke2-cis-1.8-permissive) | rke2-v1.26+ |
@@ -27,7 +27,7 @@ This chart installs the following components:
 | CIS | k3s | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.9) | k3s-v1.27+ |
 | CIS | k3s | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-permissive) | k3s-v1.26 |
 | CIS | k3s | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.4/package/cfg/k3s-cis-1.8-hardened) | k3s-v1.26 |
-| CIS | eks | eks-1.2.0 | eks |
-| CIS | aks | aks-1.0 | aks |
-| CIS | gke | gke-1.2.0 | gke |
-| CIS | gke | gke-1.6.0 | gke-1.29+ |
\ No newline at end of file
+| CIS | eks | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0) | eks |
+| CIS | aks | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0) | aks |
+| CIS | gke | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0) | gke-1.20 |
+| CIS | gke | [gke-1.6.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.6.0) | gke-1.29+ |