Merge pull request #5 from prachidamle/benchmarkcrd_change

Adding clusterscanbenchmark CRD and validation of profile

crds/clusterscan.yaml

@@ -38,8 +38,6 @@ spec:
                 type: object
               nullable: true
               type: array
-            enabled:
-              type: boolean
             lastRunTimestamp:
               type: string
             observedGeneration:

crds/clusterscanbenchmark.yaml

@@ -0,0 +1,34 @@
+apiVersion: apiextensions.k8s.io/v1beta1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanbenchmarks.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanBenchmark
+    plural: clusterscanbenchmarks
+  scope: Cluster
+  subresources:
+    status: {}
+  validation:
+    openAPIV3Schema:
+      properties:
+        spec:
+          properties:
+            clusterProvider:
+              type: string
+            customBenchmarkConfigMapName:
+              type: string
+            customBenchmarkConfigMapNameSpace:
+              type: string
+            maxKubernetesVersion:
+              type: string
+            minKubernetesVersion:
+              type: string
+          type: object
+      type: object
+  version: v1
+  versions:
+  - name: v1
+    served: true
+    storage: true

crds/clusterscanprofile.yaml

@@ -17,16 +17,6 @@ spec:
           properties:
             benchmarkVersion:
               type: string
-            clusterProvider:
-              type: string
-            configMap:
-              type: string
-            configMapNamespace:
-              type: string
-            maxKubernetesVersion:
-              type: string
-            minKubernetesVersion:
-              type: string
             skipTests:
               items:
                 type: string

examples/benchmark-cis-1.5.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.5
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.15"

examples/benchmark-eks-1.0.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: eks-1.0
+spec:
+  clusterProvider: eks
+  minKubernetesVersion: "1.15"

examples/benchmark-gke-1.0.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: gke-1.0
+spec:
+  clusterProvider: gke
+  minKubernetesVersion: "1.15"

examples/benchmark-rke-cis-1.5-permissive.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.5-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.15.0"

examples/benchmark-rke-cis-1.5.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.5
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.15.0"

examples/clusterscaneks.yml

@@ -4,7 +4,4 @@ kind: ClusterScan
 metadata:
   name: run-eks-1.0
 spec:
-  clusterProvider: eks
-  runType: manual
-  scanConfig:
-    profileName: eks-1.0
+  scanProfileName: eks-profile

examples/clusterscangke.yml

@@ -4,7 +4,4 @@ kind: ClusterScan
 metadata:
   name: run-gke-scan
 spec:
-  clusterProvider: gke
-  runType: manual
-  scanConfig:
-    profileName: gke-1.0
+  scanProfileName: gke-profile

examples/scanprofile-cis-1.5.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.5-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.5

examples/scanprofile-rke-custom.yml

@@ -4,7 +4,6 @@ kind: ClusterScanProfile
 metadata:
   name: rke-profile-custom
 spec:
-  clusterProvider: rke
   benchmarkVersion: rke-cis-1.5-permissive
   skipTests:
     - "1.1.20"

examples/scanprofile-rke-hardened.yml

@@ -3,6 +3,7 @@ apiVersion: cis.cattle.io/v1
 kind: ClusterScanProfile
 metadata:
   name: rke-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
 spec:
-  clusterProvider: rke
   benchmarkVersion: rke-cis-1.5

examples/scanprofile-rke-permissive.yml

@@ -3,6 +3,7 @@ apiVersion: cis.cattle.io/v1
 kind: ClusterScanProfile
 metadata:
   name: rke-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
 spec:
-  clusterProvider: rke
   benchmarkVersion: rke-cis-1.5-permissive

examples/scanprofileeks.yml

@@ -3,6 +3,7 @@ apiVersion: cis.cattle.io/v1
 kind: ClusterScanProfile
 metadata:
   name: eks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
 spec:
-  clusterProvider: eks
   benchmarkVersion: eks-1.0

examples/scanprofilegke.yml

@@ -3,6 +3,7 @@ apiVersion: cis.cattle.io/v1
 kind: ClusterScanProfile
 metadata:
   name: gke-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
 spec:
-  clusterProvider: gke
   benchmarkVersion: gke-1.0

go.mod

@@ -5,6 +5,7 @@ go 1.13
 replace k8s.io/client-go => k8s.io/client-go v0.18.0
 
 require (
+	github.com/blang/semver v3.5.0+incompatible
 	github.com/rancher/kubernetes-provider-detector v0.0.0-20200807181951-690274ab1fb3
 	github.com/rancher/lasso v0.0.0-20200515155337-a34e1e26ad91
 	github.com/rancher/security-scan v0.1.14

pkg/apis/cis.cattle.io/v1/types.go

@@ -10,7 +10,10 @@ const (
 	ClusterProviderRKE = "rke"
 	ClusterProviderEKS = "eks"
 	ClusterProviderGKE = "gke"
+	ClusterProviderAKS = "aks"
+	ClusterProviderK3s = "k3s"
 
+	CISV1NS                      = "security-scan"
 	ClusterScanNS                = "cis-operator-system"
 	ClusterScanSA                = "cis-serviceaccount"
 	ClusterScanConfigMap         = "cis-s-config-cm"
@@ -46,7 +49,6 @@ type ClusterScanSpec struct {
 }
 
 type ClusterScanStatus struct {
-	Enabled            bool                                `yaml:"enabled" json:"enabled,omitempty"`
 	LastRunTimestamp   string                              `yaml:"last_run_timestamp" json:"lastRunTimestamp"`
 	Summary            *ClusterScanSummary                 `json:"summary,omitempty"`
 	ObservedGeneration int64                               `json:"observedGeneration"`
@@ -65,28 +67,36 @@ type ClusterScanSummary struct {
 // +genclient:nonNamespaced
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-type ClusterScanProfile struct {
+type ClusterScanBenchmark struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	Spec ClusterScanProfileSpec `json:"spec"`
+	Spec ClusterScanBenchmarkSpec `json:"spec"`
 }
 
-type ClusterScanProfileSpec struct {
-	ClusterProvider string `json:"clusterProvider,omitempty"`
+type ClusterScanBenchmarkSpec struct {
+	ClusterProvider      string `json:"clusterProvider,omitempty"`
+	MinKubernetesVersion string `json:"minKubernetesVersion,omitempty"`
+	MaxKubernetesVersion string `json:"maxKubernetesVersion,omitempty"`
 
-	BenchmarkVersion string `json:"benchmarkVersion,omitempty"`
+	CustomBenchmarkConfigMapName      string `json:"customBenchmarkConfigMapName,omitempty"`
+	CustomBenchmarkConfigMapNameSpace string `json:"customBenchmarkConfigMapNameSpace,omitempty"`
+}
 
-	SkipTests []string `json:"skipTests,omitempty"`
+// +genclient
+// +genclient:nonNamespaced
+// +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 
-	MinKubernetesVersion string `json:"minKubernetesVersion,omitempty"`
+type ClusterScanProfile struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
 
-	MaxKubernetesVersion string `json:"maxKubernetesVersion,omitempty"`
+	Spec ClusterScanProfileSpec `json:"spec"`
+}
 
-	//RENAME
-	ConfigMap string `json:"configMap,omitempty"`
-	//RENAME
-	ConfigMapNamespace string `json:"configMapNamespace,omitempty"`
+type ClusterScanProfileSpec struct {
+	BenchmarkVersion string   `json:"benchmarkVersion,omitempty"`
+	SkipTests        []string `json:"skipTests,omitempty"`
 }
 
 // +genclient

pkg/codegen/main.go

@@ -21,6 +21,7 @@ func main() {
 					v1.ClusterScan{},
 					v1.ClusterScanProfile{},
 					v1.ClusterScanReport{},
+					v1.ClusterScanBenchmark{},
 					v1.ScheduledScan{},
 				},
 				GenerateTypes: true,