Loading charts/rancher-cis-benchmark/v0.0.1/Chart.yaml +1 −1 Original line number Diff line number Diff line apiVersion: v1 appVersion: "0.0.27" appVersion: "0.1.0" description: | Run CIS benhmark tests name: rancher-cis-benchmark Loading charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml +44 −5 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} name: sonobuoy-config-cm name: s-config-cm-{{ .Release.Name }} data: config.json: | { Loading @@ -21,6 +21,9 @@ data: "name": "rancher-kube-bench" } ], "PluginSearchPath": [ "/plugins.d" ], "Resources": [], "ResultsDir": "/tmp/sonobuoy", "Server": { Loading @@ -29,7 +32,9 @@ data: "bindport": 443, "timeoutseconds": 5400 }, "Version": "v0.13.0" "Namespace": "{{ .Release.Namespace }}", "WorkerImage": "sonobuoy/sonobuoy:v0.16.3", "Version": "v0.16.3" } --- apiVersion: v1 Loading 
@@ -40,18 +45,40 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} name: sonobuoy-plugins-cm name: s-plugins-cm-{{ .Release.Name }} data: rancher-kube-bench.yaml: | podSpec: containers: [] dnsPolicy: ClusterFirstWithHostNet hostIPC: true hostNetwork: true hostPID: true serviceAccountName: s-sa-{{ .Release.Name }} tolerations: - operator: Exists volumes: - hostPath: path: / name: root - hostPath: path: /etc/passwd name: etc-passwd - hostPath: path: /etc/group name: etc-group sonobuoy-config: driver: DaemonSet plugin-name: rancher-kube-bench result-type: rancher-kube-bench result-format: raw spec: name: rancher-kube-bench image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: {{ .Values.image.repository }}:{{ .Values.image.tag }} command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"] env: - name: SONOBUOY_NS value: {{ .Release.Namespace }} - name: NODE_NAME valueFrom: fieldRef: Loading @@ -60,6 +87,12 @@ data: value: /tmp/results - name: CHROOT_DIR value: /node {{- if .Values.debug }} - name: DEBUG value: "true" - name: DEBUG_TIME_IN_SEC value: {{ .Values.debugTime }} {{- end }} imagePullPolicy: Always securityContext: privileged: true Loading @@ -69,4 +102,10 @@ data: readOnly: false - mountPath: /node name: root readOnly: false readOnly: true - mountPath: /etc/passwd name: etc-passwd readOnly: true - mountPath: /etc/group name: etc-group readOnly: true charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml +27 −10 Original line number Diff line number Diff line apiVersion: v1 kind: Pod metadata: name: sonobuoy name: security-scan-runner-{{ .Release.Name }} {{- if ne .Values.owner "" }} annotations: field.cattle.io/clusterScanOwner: "{{ .Values.owner }}" Loading 
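Review bot: The templated values placed into the plugin podSpec env in the `@@ -60,6 +87,12` hunk are unquoted, so an override such as `debugTime: 600` renders `value: 600`, which the API server rejects because EnvVar.value must be a string; write `value: "{{ .Values.debugTime }}"`, likewise `value: "{{ .Release.Namespace }}"` for `SONOBUOY_NS` in the `@@ -40,18 +45,40` hunk, and keep the quotes that hunk appears to drop from the `image:` line. The new podSpec also sets `hostIPC: true` next to `hostPID`, `hostNetwork` and `privileged: true`; host PID and network are what a node-level CIS check plausibly needs, but nothing visible here reads host IPC, so unless the benchmark scripts require it, dropping `hostIPC: true` narrows an already very privileged DaemonSet. Flipping the `/node` root mount to `readOnly: true` is a good change, and the two new `/etc` mounts correctly follow it. The plugin pods now run as `s-sa-{{ .Release.Name }}`; if `run_sonobuoy_plugin.sh` needs only the node filesystem and not the API, `automountServiceAccountToken: false` in this podSpec keeps that token out of privileged pods.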
@@ -11,26 +11,39 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} run: sonobuoy-master spec: # TODO: make the sa name configurable serviceAccountName: sonobuoy-serviceaccount serviceAccountName: s-sa-{{ .Release.Name }} volumes: - configMap: name: sonobuoy-config-cm name: sonobuoy-config-volume name: s-config-cm-{{ .Release.Name }} name: s-config-volume - configMap: name: sonobuoy-plugins-cm name: sonobuoy-plugins-volume name: s-plugins-cm-{{ .Release.Name }} name: s-plugins-volume - emptyDir: {} name: output-volume {{- if ne .Values.skipConfigMapName "" }} - configMap: name: {{ .Values.skipConfigMapName }} name: s-skip-info-volume {{- end }} containers: - name: {{ .Chart.Name }} restartPolicy: Never env: - name: SKIP value: {{ .Values.skip }} - name: SONOBUOY_NS value: {{ .Release.Namespace }} - name: SONOBUOY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: SONOBUOY_ADVERTISE_IP value: {{ include "rancher-cis-benchmark.fullname" . }} {{- if ne .Values.owner "" }} - name: CONFIGMAPNAME - name: OUTPUT_CONFIGMAPNAME value: {{ .Release.Name }} {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" Loading @@ -40,11 +53,15 @@ spec: protocol: TCP volumeMounts: - mountPath: /etc/sonobuoy name: sonobuoy-config-volume name: s-config-volume - mountPath: /plugins.d name: sonobuoy-plugins-volume name: s-plugins-volume - mountPath: /tmp/sonobuoy name: output-volume {{- if ne .Values.skipConfigMapName "" }} - mountPath: /etc/kbs name: s-skip-info-volume {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} Loading charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml +5 −15 Original line number Diff line number Diff line Loading 
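Review bot: `value: {{ .Values.skip }}` in the new `SKIP` env entry is unquoted, so the default `""` renders as an empty `value:` (null) and a numeric-looking list such as `1.1` renders as a float the API server rejects; use `value: "{{ .Values.skip }}"`, and quote the new `name: {{ .Values.skipConfigMapName }}` volume reference the same way. The optional `s-skip-info-volume` is mounted at `/etc/kbs` in the `@@ -40,11 +53,15` hunk without `readOnly: true`; ConfigMap volumes are typically read-only anyway, but stating it documents intent and matches the plugin mounts. The enclosing pod spec continues past the end of the hunk.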
@@ -6,9 +6,7 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole Loading @@ -18,9 +16,7 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} rules: - apiGroups: - '*' Loading @@ -37,18 +33,12 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} subjects: - kind: ServiceAccount # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} namespace: {{ .Release.Namespace }} charts/rancher-cis-benchmark/v0.0.1/values.yaml +11 −1 Original line number Diff line number Diff line Loading 
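Review bot: Renaming the ServiceAccount, ClusterRole and ClusterRoleBinding to `s-sa-{{ .Release.Name }}` fixes the per-release name collision, but the ClusterRole still starts with `apiGroups: - '*'` (context line in the `@@ -18,9 +16,7` hunk; the rest of the rules is outside the hunk), and the same identity is now assigned to the hostPID/privileged plugin DaemonSet pods by the configmap change. A wildcard cluster-wide role mounted into privileged node-level pods is about the highest-impact credential a compromised pod could hold; consider a separate minimal role for the plugin pods or, if they need no API access, disabling token automount on them. `rbac.authorization.k8s.io/v1beta1` is also deprecated in favour of `v1`, and a naming change across all three objects is a reasonable moment to switch.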
@@ -4,11 +4,21 @@ replicaCount: 1 # if owner is specified, it's used for the name of the configmap for results owner: "" # skip is used specify which tests to skip skip: "" # skipConfigMapName is used to specify the name of cm where the skip info is stored # skip has higher precedence than what's specified in the configmap skipConfigMapName: "" # when debug=true, the plugin pods sleep for the time specified debug: false debugTime: "infinity" image: repository: rancher/security-scan tag: v0.1.0 tag: v0.1.2 pullPolicy: Always nameOverride: "" Loading Loading
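Review bot: The new comments in values.yaml are the only documentation users get for these keys and need tightening: `# skip is used specify which tests to skip` is missing a word (`# skip is used to specify which tests to skip`), and the `debug` comment should name the variable the value is exported as and that it must remain a string, e.g. `# debugTime is exported as DEBUG_TIME_IN_SEC; keep it quoted ("600"), the template does not quote it`. The precedence sentence for `skip` over `skipConfigMapName` is useful; add that `skipConfigMapName` must refer to a ConfigMap in the release namespace, since the runner pod can only mount ConfigMaps from its own namespace.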
charts/rancher-cis-benchmark/v0.0.1/Chart.yaml +1 −1 Original line number Diff line number Diff line apiVersion: v1 appVersion: "0.0.27" appVersion: "0.1.0" description: | Run CIS benhmark tests name: rancher-cis-benchmark Loading
charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml +44 −5 Original line number Diff line number Diff line Loading @@ -6,7 +6,7 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} name: sonobuoy-config-cm name: s-config-cm-{{ .Release.Name }} data: config.json: | { Loading @@ -21,6 +21,9 @@ data: "name": "rancher-kube-bench" } ], "PluginSearchPath": [ "/plugins.d" ], "Resources": [], "ResultsDir": "/tmp/sonobuoy", "Server": { Loading @@ -29,7 +32,9 @@ data: "bindport": 443, "timeoutseconds": 5400 }, "Version": "v0.13.0" "Namespace": "{{ .Release.Namespace }}", "WorkerImage": "sonobuoy/sonobuoy:v0.16.3", "Version": "v0.16.3" } --- apiVersion: v1 Loading @@ -40,18 +45,40 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} name: sonobuoy-plugins-cm name: s-plugins-cm-{{ .Release.Name }} data: rancher-kube-bench.yaml: | podSpec: containers: [] dnsPolicy: ClusterFirstWithHostNet hostIPC: true hostNetwork: true hostPID: true serviceAccountName: s-sa-{{ .Release.Name }} tolerations: - operator: Exists volumes: - hostPath: path: / name: root - hostPath: path: /etc/passwd name: etc-passwd - hostPath: path: /etc/group name: etc-group sonobuoy-config: driver: DaemonSet plugin-name: rancher-kube-bench result-type: rancher-kube-bench result-format: raw spec: name: rancher-kube-bench image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" image: {{ .Values.image.repository }}:{{ .Values.image.tag }} command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"] env: - name: SONOBUOY_NS value: {{ .Release.Namespace }} - name: NODE_NAME valueFrom: fieldRef: Loading 
@@ -60,6 +87,12 @@ data: value: /tmp/results - name: CHROOT_DIR value: /node {{- if .Values.debug }} - name: DEBUG value: "true" - name: DEBUG_TIME_IN_SEC value: {{ .Values.debugTime }} {{- end }} imagePullPolicy: Always securityContext: privileged: true Loading @@ -69,4 +102,10 @@ data: readOnly: false - mountPath: /node name: root readOnly: false readOnly: true - mountPath: /etc/passwd name: etc-passwd readOnly: true - mountPath: /etc/group name: etc-group readOnly: true
charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml +27 −10 Original line number Diff line number Diff line apiVersion: v1 kind: Pod metadata: name: sonobuoy name: security-scan-runner-{{ .Release.Name }} {{- if ne .Values.owner "" }} annotations: field.cattle.io/clusterScanOwner: "{{ .Values.owner }}" Loading @@ -11,26 +11,39 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} run: sonobuoy-master spec: # TODO: make the sa name configurable serviceAccountName: sonobuoy-serviceaccount serviceAccountName: s-sa-{{ .Release.Name }} volumes: - configMap: name: sonobuoy-config-cm name: sonobuoy-config-volume name: s-config-cm-{{ .Release.Name }} name: s-config-volume - configMap: name: sonobuoy-plugins-cm name: sonobuoy-plugins-volume name: s-plugins-cm-{{ .Release.Name }} name: s-plugins-volume - emptyDir: {} name: output-volume {{- if ne .Values.skipConfigMapName "" }} - configMap: name: {{ .Values.skipConfigMapName }} name: s-skip-info-volume {{- end }} containers: - name: {{ .Chart.Name }} restartPolicy: Never env: - name: SKIP value: {{ .Values.skip }} - name: SONOBUOY_NS value: {{ .Release.Namespace }} - name: SONOBUOY_POD_NAME valueFrom: fieldRef: fieldPath: metadata.name - name: SONOBUOY_ADVERTISE_IP value: {{ include "rancher-cis-benchmark.fullname" . }} {{- if ne .Values.owner "" }} - name: CONFIGMAPNAME - name: OUTPUT_CONFIGMAPNAME value: {{ .Release.Name }} {{- end }} image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" Loading 
@@ -40,11 +53,15 @@ spec: protocol: TCP volumeMounts: - mountPath: /etc/sonobuoy name: sonobuoy-config-volume name: s-config-volume - mountPath: /plugins.d name: sonobuoy-plugins-volume name: s-plugins-volume - mountPath: /tmp/sonobuoy name: output-volume {{- if ne .Values.skipConfigMapName "" }} - mountPath: /etc/kbs name: s-skip-info-volume {{- end }} resources: {{- toYaml .Values.resources | nindent 12 }} {{- with .Values.nodeSelector }} Loading
charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml +5 −15 Original line number Diff line number Diff line Loading @@ -6,9 +6,7 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} --- apiVersion: rbac.authorization.k8s.io/v1beta1 kind: ClusterRole Loading @@ -18,9 +16,7 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} rules: - apiGroups: - '*' Loading @@ -37,18 +33,12 @@ metadata: helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }} app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/managed-by: {{ .Release.Service }} # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} roleRef: apiGroup: rbac.authorization.k8s.io kind: ClusterRole # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} subjects: - kind: ServiceAccount # TODO: make the sa name configurable # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount name: sonobuoy-serviceaccount name: s-sa-{{ .Release.Name }} namespace: {{ .Release.Namespace }}
charts/rancher-cis-benchmark/v0.0.1/values.yaml +11 −1 Original line number Diff line number Diff line Loading @@ -4,11 +4,21 @@ replicaCount: 1 # if owner is specified, it's used for the name of the configmap for results owner: "" # skip is used specify which tests to skip skip: "" # skipConfigMapName is used to specify the name of cm where the skip info is stored # skip has higher precedence than what's specified in the configmap skipConfigMapName: "" # when debug=true, the plugin pods sleep for the time specified debug: false debugTime: "infinity" image: repository: rancher/security-scan tag: v0.1.0 tag: v0.1.2 pullPolicy: Always nameOverride: "" Loading