Commit 3c967267 authored by Murali Paluru's avatar Murali Paluru Committed by Alena Prokharchyk

CIS changes for new report format and config

parent 120ad828
+1 −1
apiVersion: v1
apiVersion: v1
appVersion: "0.0.27"
appVersion: "0.1.0"
description: |
description: |
  Run CIS benhmark tests
  Run CIS benhmark tests
name: rancher-cis-benchmark
name: rancher-cis-benchmark
+31 −4
@@ -6,7 +6,7 @@ metadata:
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  name: sonobuoy-config-cm
  name: s-config-cm-{{ .Release.Name }}
data:
data:
  config.json: |
  config.json: |
    {
    {
@@ -21,6 +21,9 @@ data:
                "name": "rancher-kube-bench"
                "name": "rancher-kube-bench"
            }
            }
        ],
        ],
        "PluginSearchPath": [
          "/plugins.d"
        ],
        "Resources": [],
        "Resources": [],
        "ResultsDir": "/tmp/sonobuoy",
        "ResultsDir": "/tmp/sonobuoy",
        "Server": {
        "Server": {
@@ -29,7 +32,9 @@ data:
            "bindport": 443,
            "bindport": 443,
            "timeoutseconds": 5400
            "timeoutseconds": 5400
        },
        },
        "Version": "v0.13.0"
        "Namespace": "{{ .Release.Namespace }}",
        "WorkerImage": "sonobuoy/sonobuoy:v0.16.3",
        "Version": "v0.16.3"
    }
    }
---
---
apiVersion: v1
apiVersion: v1
@@ -40,18 +45,34 @@ metadata:
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  name: sonobuoy-plugins-cm
  name: s-plugins-cm-{{ .Release.Name }}
data:
data:
  rancher-kube-bench.yaml: |
  rancher-kube-bench.yaml: |
    podSpec:
      containers: []
      dnsPolicy: ClusterFirstWithHostNet
      hostIPC: true
      hostNetwork: true
      hostPID: true
      serviceAccountName: s-sa-{{ .Release.Name }}
      tolerations:
      - operator: Exists
      volumes:
      - hostPath:
          path: /
        name: root
    sonobuoy-config:
    sonobuoy-config:
      driver: DaemonSet
      driver: DaemonSet
      plugin-name: rancher-kube-bench
      plugin-name: rancher-kube-bench
      result-type: rancher-kube-bench
      result-type: rancher-kube-bench
      result-format: raw
    spec:
    spec:
      name: rancher-kube-bench
      name: rancher-kube-bench
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
      image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
      command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"]
      command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"]
      env:
      env:
      - name: SONOBUOY_NS
        value: {{ .Release.Namespace }}
      - name: NODE_NAME
      - name: NODE_NAME
        valueFrom:
        valueFrom:
          fieldRef:
          fieldRef:
@@ -60,6 +81,12 @@ data:
        value: /tmp/results
        value: /tmp/results
      - name: CHROOT_DIR
      - name: CHROOT_DIR
        value: /node
        value: /node
      {{- if .Values.debug }}
      - name: DEBUG
        value: "true"
      - name: DEBUG_TIME_IN_SEC
        value: {{ .Values.debugTime }}
      {{- end }}
      imagePullPolicy: Always
      imagePullPolicy: Always
      securityContext:
      securityContext:
        privileged: true
        privileged: true
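Review bot: `value: {{ .Values.debugTime }}` for DEBUG_TIME_IN_SEC is rendered unquoted, so the default `"infinity"` works but a numeric override such as `debugTime: 3600` renders `value: 3600`, which the API server rejects because an EnvVar value must be a string; write `value: "{{ .Values.debugTime }}"`. The same applies to `value: {{ .Release.Namespace }}` for SONOBUOY_NS in this section and, in the pod template, to the SKIP and SONOBUOY_NS values and to `name: {{ .Values.skipConfigMapName }}` — the owner annotation in that template already uses the quoted `"{{ … }}"` form. Separately, the new podSpec runs the DaemonSet plugin pods with hostPID/hostIPC/hostNetwork, the host root as a hostPath volume and `serviceAccountName: s-sa-{{ .Release.Name }}`, and the ClusterRole of that name in the rbac template opens with a wildcard apiGroups rule; if the kube-bench plugin only reads node files and reports back to the aggregator, `automountServiceAccountToken: false` in this podSpec would keep that token from being mounted on every node.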
+27 −10
apiVersion: v1
apiVersion: v1
kind: Pod
kind: Pod
metadata:
metadata:
  name: sonobuoy
  name: security-scan-runner-{{ .Release.Name }}
  {{- if ne .Values.owner "" }}
  {{- if ne .Values.owner "" }}
  annotations:
  annotations:
    field.cattle.io/clusterScanOwner: "{{ .Values.owner }}"
    field.cattle.io/clusterScanOwner: "{{ .Values.owner }}"
@@ -11,26 +11,39 @@ metadata:
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    run: sonobuoy-master
spec:
spec:
  # TODO: make the sa name configurable
  serviceAccountName: s-sa-{{ .Release.Name }}
  serviceAccountName: sonobuoy-serviceaccount
  volumes:
  volumes:
    - configMap:
    - configMap:
        name: sonobuoy-config-cm
        name: s-config-cm-{{ .Release.Name }}
      name: sonobuoy-config-volume
      name: s-config-volume
    - configMap:
    - configMap:
        name: sonobuoy-plugins-cm
        name: s-plugins-cm-{{ .Release.Name }}
      name: sonobuoy-plugins-volume
      name: s-plugins-volume
    - emptyDir: {}
    - emptyDir: {}
      name: output-volume
      name: output-volume
    {{- if ne .Values.skipConfigMapName "" }}
    - configMap:
        name: {{ .Values.skipConfigMapName }}
      name: s-skip-info-volume
    {{- end }}
  containers:
  containers:
    - name: {{ .Chart.Name }}
    - name: {{ .Chart.Name }}
      restartPolicy: Never
      restartPolicy: Never
      env:
      env:
        - name: SKIP
          value: {{ .Values.skip }}
        - name: SONOBUOY_NS
          value: {{ .Release.Namespace }}
        - name: SONOBUOY_POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        - name: SONOBUOY_ADVERTISE_IP
        - name: SONOBUOY_ADVERTISE_IP
          value: {{ include "rancher-cis-benchmark.fullname" . }}
          value: {{ include "rancher-cis-benchmark.fullname" . }}
        {{- if ne .Values.owner "" }}
        {{- if ne .Values.owner "" }}
        - name: CONFIGMAPNAME
        - name: OUTPUT_CONFIGMAPNAME
          value: {{ .Release.Name }}
          value: {{ .Release.Name }}
        {{- end }}
        {{- end }}
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -40,11 +53,15 @@ spec:
          protocol: TCP
          protocol: TCP
      volumeMounts:
      volumeMounts:
        - mountPath: /etc/sonobuoy
        - mountPath: /etc/sonobuoy
          name: sonobuoy-config-volume
          name: s-config-volume
        - mountPath: /plugins.d
        - mountPath: /plugins.d
          name: sonobuoy-plugins-volume
          name: s-plugins-volume
        - mountPath: /tmp/sonobuoy
        - mountPath: /tmp/sonobuoy
          name: output-volume
          name: output-volume
        {{- if ne .Values.skipConfigMapName "" }}
        - mountPath: /etc/kbs
          name: s-skip-info-volume
        {{- end }}
      resources:
      resources:
        {{- toYaml .Values.resources | nindent 12 }}
        {{- toYaml .Values.resources | nindent 12 }}
  {{- with .Values.nodeSelector }}
  {{- with .Values.nodeSelector }}
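Review bot: `restartPolicy: Never` sits inside the container entry under `containers:`, but Kubernetes has no container-level restartPolicy — it is a Pod spec field — and an API server that is not running strict field validation drops the unknown field silently, so this scan pod presumably runs with the default `Always` and is restarted after the scan finishes. Move it to pod level, next to the new `serviceAccountName: s-sa-{{ .Release.Name }}` line: `  restartPolicy: Never`. The defect predates this commit, but the commit rewrites the surrounding spec and is the natural place to fix it. The conditional `skipConfigMapName` configMap volume also has no `optional: true`, so a misspelled or not-yet-created map leaves the pod stuck in ContainerCreating instead of failing visibly — either set it or state in the values comment that the map must exist before install.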
+5 −5
@@ -8,7 +8,7 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  # TODO: make the sa name configurable
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  name: sonobuoy-serviceaccount
  name: s-sa-{{ .Release.Name }}
---
---
apiVersion: rbac.authorization.k8s.io/v1beta1
apiVersion: rbac.authorization.k8s.io/v1beta1
kind: ClusterRole
kind: ClusterRole
@@ -20,7 +20,7 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  # TODO: make the sa name configurable
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  name: sonobuoy-serviceaccount
  name: s-sa-{{ .Release.Name }}
rules:
rules:
- apiGroups:
- apiGroups:
  - '*'
  - '*'
@@ -39,16 +39,16 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  # TODO: make the sa name configurable
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  name: sonobuoy-serviceaccount
  name: s-sa-{{ .Release.Name }}
roleRef:
roleRef:
  apiGroup: rbac.authorization.k8s.io
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  kind: ClusterRole
  # TODO: make the sa name configurable
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  name: sonobuoy-serviceaccount
  name: s-sa-{{ .Release.Name }}
subjects:
subjects:
- kind: ServiceAccount
- kind: ServiceAccount
  # TODO: make the sa name configurable
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
  name: sonobuoy-serviceaccount
  name: s-sa-{{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
  namespace: {{ .Release.Namespace }}
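Review bot: Each renamed `name: s-sa-{{ .Release.Name }}` still carries the `# TODO: make the sa name configurable` and commented-out `# name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount` lines above it, which now describe a different naming scheme than the code uses. Either drop those two comment lines at all five places or reword the TODO so it matches the release-derived name. Unrelated to the rename, the ClusterRole's first rule uses a wildcard `apiGroups` (its resources and verbs are outside the hunk) for a service account that the new plugin podSpec now mounts on every node; scoping it to what the scanner actually reads is worth a follow-up. `rbac.authorization.k8s.io/v1beta1` is also the deprecated RBAC API version; `v1` has been available since Kubernetes 1.8.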
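--- a/VALUES_FILE_PATH_NOT_SHOWN
+++ b/VALUES_FILE_PATH_NOT_SHOWN
@@ -4,7 +4,17 @@
 
 replicaCount: 1
 
+# if owner is specified, it's used for the name of the configmap for results
 owner: ""
+# skip is used specify which tests to skip
+skip: ""
+# skipConfigMapName is used to specify the name of cm where the skip info is stored
+# skip has higher precedence than what's specified in the configmap
+skipConfigMapName: ""
+
+# when debug=true, the plugin pods sleep for the time specified
+debug: false
+debugTime: "infinity"
 
 image:
   repository: rancher/security-scan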
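Review bot: The new `debug` comment says the plugin pods "sleep for the time specified" but not what the value means or what keeps running: `debugTime` is rendered into the plugin's DEBUG_TIME_IN_SEC env var (so seconds, or the default `"infinity"`), and the pods that stay alive are the plugin pods the configmap template defines with hostPID/hostIPC/hostNetwork and the host root mounted. Suggest `# when debug=true, the plugin pods (privileged, host namespaces, host root mounted) stay alive for debugTime after the scan — troubleshooting only` and `# debugTime: seconds or "infinity"; keep it quoted, it becomes an env var value`. The `skip` comment is also missing a word: `# skip is used to specify which tests to skip`.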