diff --git a/README.md b/README.md
index d9c0cfaa49cd53418187572929d9c862cd70d940..6848f38456da66577375c7dc8d234d59274dd670 100644
--- a/README.md
+++ b/README.md
@@ -1,10 +1,10 @@
 system-charts ============
-Rancher 2.0 system library charts.
+Rancher 2.x system library charts.
 ## License
-Copyright (c) 2018 [Rancher Labs, Inc.](http://rancher.com)
+Copyright (c) 2019 [Rancher Labs, Inc.](http://rancher.com)
 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License.
diff --git a/charts/rancher-cis-benchmark/v0.0.1/.helmignore b/charts/rancher-cis-benchmark/v0.0.1/.helmignore
new file mode 100644
index 0000000000000000000000000000000000000000..50af0317254197a5a019f4ac2f8ecc223f93f5a7
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/.helmignore
@@ -0,0 +1,22 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/charts/rancher-cis-benchmark/v0.0.1/Chart.yaml b/charts/rancher-cis-benchmark/v0.0.1/Chart.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..936171eec956e57d5a57a075af59df572b112af8
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/Chart.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+appVersion: "0.0.27"
+description: |
+ Run CIS benhmark tests
+name: rancher-cis-benchmark
+version: 0.1.0
+home: https://github.com/rancher/system-charts/charts/rancher-cis-benchmark
+sources:
+ - "https://github.com/rancher/system-charts/charts/rancher-cis-benchmark"
+maintainers:
+ - name: Murali Paluru
+ email: leodotcloud@gmail.com
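Review bot: `description` carries a typo, `Run CIS benhmark tests` should read `Run CIS benchmark tests`, and `version: 0.1.0` disagrees with the directory the chart ships in, `charts/rancher-cis-benchmark/v0.0.1/`, so the packaged chart version and the repository layout will not match. One of the two should change so that the version users see in `helm search` is the one the path promises. The `home` and `sources` URLs point at `https://github.com/rancher/system-charts/charts/rancher-cis-benchmark`, which, judging by its shape, lacks the `tree/<branch>/` segment a GitHub subdirectory link needs to resolve; worth checking in a browser before release.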
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/NOTES.txt b/charts/rancher-cis-benchmark/v0.0.1/templates/NOTES.txt
new file mode 100644
index 0000000000000000000000000000000000000000..e7e7bdf63ded42feafe189f8a095a2bc11a22c68
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/NOTES.txt
@@ -0,0 +1,21 @@
+1. Get the application URL by running these commands:
+{{- if .Values.ingress.enabled }}
+{{- range $host := .Values.ingress.hosts }}
+ {{- range .paths }}
+ http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }}
+ {{- end }}
+{{- end }}
+{{- else if contains "NodePort" .Values.service.type }}
+ export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "rancher-cis-benchmark.fullname" . }})
+ export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
+ echo http://$NODE_IP:$NODE_PORT
+{{- else if contains "LoadBalancer" .Values.service.type }}
+ NOTE: It may take a few minutes for the LoadBalancer IP to be available.
+ You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "rancher-cis-benchmark.fullname" . }}'
+ export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "rancher-cis-benchmark.fullname" . }} -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
+ echo http://$SERVICE_IP:{{ .Values.service.port }}
+{{- else if contains "ClusterIP" .Values.service.type }}
+ export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "rancher-cis-benchmark.name" . }},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}")
+ echo "Visit http://127.0.0.1:8080 to use your application"
+ kubectl port-forward $POD_NAME 8080:80
+{{- end }}
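Review bot: The ClusterIP branch, which is the default `service.type` in values.yaml, forwards to a port nothing in this chart listens on: `kubectl port-forward $POD_NAME 8080:80` targets container port 80, while pod.yaml declares `containerPort: 8080` and service.yaml targets 443. The printed URLs also use `http://` even though the aggregator binds port 443 in configmap.yaml, which suggests TLS. Either forward to the port the aggregator really serves, e.g. `kubectl port-forward $POD_NAME 8080:443` with a matching `https://` in the `echo`, or drop the scaffold branches (NodePort, LoadBalancer, ingress) that this chart does not actually support so the notes do not send users to a dead endpoint.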
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/_helpers.tpl b/charts/rancher-cis-benchmark/v0.0.1/templates/_helpers.tpl
new file mode 100644
index 0000000000000000000000000000000000000000..4bf31193c3471b7be7ab4c2f398f3fd33c7cdb14
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/_helpers.tpl
@@ -0,0 +1,32 @@
+{{/* vim: set filetype=mustache: */}}
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "rancher-cis-benchmark.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "rancher-cis-benchmark.fullname" -}}
+{{- if .Values.fullnameOverride -}}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- $name := default .Chart.Name .Values.nameOverride -}}
+{{- if contains $name .Release.Name -}}
+{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
+{{- else -}}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "rancher-cis-benchmark.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml b/charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a5ed0962b983036ab733b755ecde8975d8716e85
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml
@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ name: sonobuoy-config-cm
+data:
+ config.json: |
+ {
+ "Description": "kube-bench plugin for CIS benchmarks",
+ "Filters": {
+ "LabelSelector": "",
+ "Namespaces": "[^\\w-.]+"
+ },
+ "PluginNamespace": "{{ .Release.Namespace }}",
+ "Plugins": [
+ {
+ "name": "rancher-kube-bench"
+ }
+ ],
+ "Resources": [],
+ "ResultsDir": "/tmp/sonobuoy",
+ "Server": {
+ "advertiseaddress": "{{ include "rancher-cis-benchmark.fullname" . }}",
+ "bindaddress": "0.0.0.0",
+ "bindport": 443,
+ "timeoutseconds": 5400
+ },
+ "Version": "v0.13.0"
+ }
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ name: sonobuoy-plugins-cm
+data:
+ rancher-kube-bench.yaml: |
+ sonobuoy-config:
+ driver: DaemonSet
+ plugin-name: rancher-kube-bench
+ result-type: rancher-kube-bench
+ spec:
+ name: rancher-kube-bench
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"]
+ env:
+ - name: NODE_NAME
+ valueFrom:
+ fieldRef:
+ fieldPath: spec.nodeName
+ - name: RESULTS_DIR
+ value: /tmp/results
+ - name: CHROOT_DIR
+ value: /node
+ imagePullPolicy: Always
+ securityContext:
+ privileged: true
+ volumeMounts:
+ - mountPath: /tmp/results
+ name: results
+ readOnly: false
+ - mountPath: /node
+ name: root
+ readOnly: false
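Review bot: The plugin spec mounts the node's root filesystem writable (`- mountPath: /node` with `readOnly: false`) inside a `privileged: true` DaemonSet container; a CIS benchmark is an inspection of host configuration under `CHROOT_DIR`, so as far as I can tell nothing here needs to write to it and the mount should be `readOnly: true` to keep a buggy or compromised scanner image from modifying node files. The `command`, `run_sonobuoy_plugin.sh && sleep 3600`, then keeps every one of those privileged, root-mounted pods alive for an hour after the scan finishes; if the sleep only exists so the aggregator can collect results, a shorter wait or exiting once results are submitted shrinks the window in which that host access is present on every node. The `results` and `root` volumes referenced by the mounts are not defined in this hunk, so I assume the sonobuoy DaemonSet driver injects them; a comment saying so above `volumeMounts:` would save the next reader the search. `imagePullPolicy: Always` here is hard-coded while pod.yaml reads `.Values.image.pullPolicy`; the two should agree.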
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/ingress.yaml b/charts/rancher-cis-benchmark/v0.0.1/templates/ingress.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a63a59e5a8b6750352af05409377aa52116f055c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/ingress.yaml
@@ -0,0 +1,39 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "rancher-cis-benchmark.fullname" . -}}
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+ name: {{ $fullName }}
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ {{- with .Values.ingress.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+{{- if .Values.ingress.tls }}
+ tls:
+ {{- range .Values.ingress.tls }}
+ - hosts:
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ secretName: {{ .secretName }}
+ {{- end }}
+{{- end }}
+ rules:
+ {{- range .Values.ingress.hosts }}
+ - host: {{ .host | quote }}
+ http:
+ paths:
+ {{- range .paths }}
+ - path: {{ . }}
+ backend:
+ serviceName: {{ $fullName }}
+ servicePort: http
+ {{- end }}
+ {{- end }}
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml b/charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..adb36a2d776f6933ab58902129fe807ce7117a40
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml
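Review bot: The backend references `servicePort: http`, but the Service in service.yaml declares its single port without a `name`, so an enabled ingress could not resolve that port; either add `name: http` to the Service port or reference the numeric port here. Given that service.yaml targets 443 and configmap.yaml binds the aggregator on 443, the upstream likely speaks TLS, in which case a plain-HTTP backend would fail unless the ingress controller is configured for an HTTPS upstream — worth confirming before `ingress.enabled: true` is documented as supported. Exposing the aggregator through an ingress also publishes the scan-result endpoint outside the cluster, so if this path is kept the `tls` block should be required rather than optional. `extensions/v1beta1` Ingress is deprecated; `networking.k8s.io/v1beta1` is available from Kubernetes 1.14.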
@@ -0,0 +1,61 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: sonobuoy
+ {{- if ne .Values.owner "" }}
+ annotations:
+ field.cattle.io/clusterScanOwner: "{{ .Values.owner }}"
+ {{- end }}
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ # TODO: make the sa name configurable
+ serviceAccountName: sonobuoy-serviceaccount
+ volumes:
+ - configMap:
+ name: sonobuoy-config-cm
+ name: sonobuoy-config-volume
+ - configMap:
+ name: sonobuoy-plugins-cm
+ name: sonobuoy-plugins-volume
+ - emptyDir: {}
+ name: output-volume
+ containers:
+ - name: {{ .Chart.Name }}
+ restartPolicy: Never
+ env:
+ - name: SONOBUOY_ADVERTISE_IP
+ value: {{ include "rancher-cis-benchmark.fullname" . }}
+ {{- if ne .Values.owner "" }}
+ - name: CONFIGMAPNAME
+ value: {{ .Release.Name }}
+ {{- end }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ volumeMounts:
+ - mountPath: /etc/sonobuoy
+ name: sonobuoy-config-volume
+ - mountPath: /plugins.d
+ name: sonobuoy-plugins-volume
+ - mountPath: /tmp/sonobuoy
+ name: output-volume
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+{{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+{{- end }}
+{{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml b/charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..d8652608c1982b5a246d00ed9b8b31efb9b7f83e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml
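Review bot: `restartPolicy: Never` sits inside the container entry under `containers:`, but it is a field of the pod `spec`, not of a container, so as written it is an unknown field that kubectl validation rejects and the API server otherwise drops — the pod would then run with the default `Always` policy and a finished scan would be restarted. Move the line up to `spec:` next to `serviceAccountName`. The container declares `containerPort: 8080` while service.yaml targets 443 and the aggregator config in configmap.yaml binds 443, so one of the two port declarations is wrong and the Service will either not reach the aggregator or the declared port is misleading. The pod name is the fixed string `sonobuoy`, and the ConfigMaps it mounts are `sonobuoy-config-cm` and `sonobuoy-plugins-cm`, so two releases in one namespace collide; the existing TODO covers the service account but the same applies to these names.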
@@ -0,0 +1,54 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ # TODO: make the sa name configurable
+ # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
+ name: sonobuoy-serviceaccount
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRole
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ # TODO: make the sa name configurable
+ # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
+ name: sonobuoy-serviceaccount
+rules:
+- apiGroups:
+ - '*'
+ resources:
+ - '*'
+ verbs:
+ - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1beta1
+kind: ClusterRoleBinding
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ # TODO: make the sa name configurable
+ # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
+ name: sonobuoy-serviceaccount
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ # TODO: make the sa name configurable
+ # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
+ name: sonobuoy-serviceaccount
+subjects:
+- kind: ServiceAccount
+ # TODO: make the sa name configurable
+ # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
+ name: sonobuoy-serviceaccount
+ namespace: {{ .Release.Namespace }}
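Review bot: The ClusterRole grants `apiGroups: '*'`, `resources: '*'`, `verbs: '*'` to `sonobuoy-serviceaccount`, which is cluster-admin in all but name; that account is mounted into the aggregator pod in pod.yaml and, presumably, into the privileged per-node plugin pods the DaemonSet driver creates, so a compromise of either image yields full control of the cluster rather than of a scanner. The aggregator needs to read the cluster state it reports on and to create and delete its own plugin DaemonSet and pods in the release namespace; that is expressible as explicit read verbs plus a namespaced Role for the plugin lifecycle, and the rule should be narrowed to what the aggregator and plugin actually call rather than left at `*`. Because the ClusterRole and ClusterRoleBinding are also named with the fixed string `sonobuoy-serviceaccount`, a second release in another namespace overwrites the binding's `subjects` and silently strips the first release's permissions; the commented `fullname`-based name should be used at least for these two cluster-scoped objects. `rbac.authorization.k8s.io/v1beta1` is deprecated in favour of `rbac.authorization.k8s.io/v1`, available since Kubernetes 1.8.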
diff --git a/charts/rancher-cis-benchmark/v0.0.1/templates/service.yaml b/charts/rancher-cis-benchmark/v0.0.1/templates/service.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0882f4abd86e49eb241f35987692482b6dfd7610
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/service.yaml
@@ -0,0 +1,18 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "rancher-cis-benchmark.fullname" . }}
+ labels:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: 443
+ protocol: TCP
+ selector:
+ app.kubernetes.io/name: {{ include "rancher-cis-benchmark.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
diff --git a/charts/rancher-cis-benchmark/v0.0.1/values.yaml b/charts/rancher-cis-benchmark/v0.0.1/values.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..af433fa81aabf60c611b83c943a33adda4334d41
--- /dev/null
+++ b/charts/rancher-cis-benchmark/v0.0.1/values.yaml
@@ -0,0 +1,51 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+owner: ""
+
+image:
+ repository: rancher/security-scan
+ tag: v0.1.0
+ pullPolicy: Always
+
+nameOverride: ""
+fullnameOverride: ""
+
+service:
+ type: ClusterIP
+ port: 443
+
+ingress:
+ enabled: false
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: chart-example.local
+ paths: []
+
+ tls: []
+ # - secretName: chart-example-tls
+ # hosts:
+ # - chart-example.local
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
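Review bot: `replicaCount: 1` is not referenced by any template in this commit — pod.yaml creates a single bare Pod — so it is dead configuration that advertises a scaling knob the chart does not have; drop it or add a comment saying it is unused. The service account name is hard-coded as `sonobuoy-serviceaccount` in rbac.yaml and pod.yaml with a TODO in both, yet no value exists here for it; a value would let the name follow the release as the commented `fullname`-based name in rbac.yaml intends. `owner: ""` is consumed by pod.yaml as the `field.cattle.io/clusterScanOwner` annotation and the `CONFIGMAPNAME` env var, but nothing documents what a caller should put in it; a one-line comment above `owner:` naming the expected value would help.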