cis changes for new report format and config

3c967267 · Murali Paluru · Alena Prokharchyk · 120ad828 · 3c967267 · 3c967267
Commit 3c967267 authored Nov 21, 2019 by Murali Paluru Committed by Alena Prokharchyk Nov 21, 2019
5 changed files
--- a/charts/rancher-cis-benchmark/v0.0.1/Chart.yaml
+++ b/charts/rancher-cis-benchmark/v0.0.1/Chart.yaml
 apiVersion: v1
-appVersion: "0.0.27"
+appVersion: "0.1.0"
 description: |
  Run CIS benhmark tests
 name: rancher-cis-benchmark

--- a/charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/configmap.yaml
@@ -6,7 +6,7 @@ metadata:
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  name: sonobuoy-config-cm
+  name: s-config-cm-{{ .Release.Name }}
 data:
  config.json: |
    {
@@ -21,6 +21,9 @@ data:
                "name": "rancher-kube-bench"
            }
        ],
+        "PluginSearchPath": [
+          "/plugins.d"
+        ],
        "Resources": [],
        "ResultsDir": "/tmp/sonobuoy",
        "Server": {
@@ -29,7 +32,9 @@ data:
            "bindport": 443,
            "timeoutseconds": 5400
        },
-        "Version": "v0.13.0"
+        "Namespace": "{{ .Release.Namespace }}",
+        "WorkerImage": "sonobuoy/sonobuoy:v0.16.3",
+        "Version": "v0.16.3"
    }
 ---
 apiVersion: v1
@@ -40,18 +45,34 @@ metadata:
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
-  name: sonobuoy-plugins-cm
+  name: s-plugins-cm-{{ .Release.Name }}
 data:
  rancher-kube-bench.yaml: |
+    podSpec:
+      containers: []
+      dnsPolicy: ClusterFirstWithHostNet
+      hostIPC: true
+      hostNetwork: true
+      hostPID: true
+      serviceAccountName: s-sa-{{ .Release.Name }}
+      tolerations:
+      - operator: Exists
+      volumes:
+      - hostPath:
+          path: /
+        name: root
    sonobuoy-config:
      driver: DaemonSet
      plugin-name: rancher-kube-bench
      result-type: rancher-kube-bench
+      result-format: raw
    spec:
      name: rancher-kube-bench
-      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
+      image: {{ .Values.image.repository }}:{{ .Values.image.tag }}
      command: ["/bin/bash", "-c", "run_sonobuoy_plugin.sh && sleep 3600"]
      env:
+      - name: SONOBUOY_NS
+        value: {{ .Release.Namespace }}
      - name: NODE_NAME
        valueFrom:
          fieldRef:
@@ -60,6 +81,12 @@ data:
        value: /tmp/results
      - name: CHROOT_DIR
        value: /node
+      {{- if .Values.debug }}
+      - name: DEBUG
+        value: "true"
+      - name: DEBUG_TIME_IN_SEC
+        value: {{ .Values.debugTime }}
+      {{- end }}
      imagePullPolicy: Always
      securityContext:
        privileged: true

--- a/charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/pod.yaml
 apiVersion: v1
 kind: Pod
 metadata:
-  name: sonobuoy
+  name: security-scan-runner-{{ .Release.Name }}
  {{- if ne .Values.owner "" }}
  annotations:
    field.cattle.io/clusterScanOwner: "{{ .Values.owner }}"
@@ -11,26 +11,39 @@ metadata:
    helm.sh/chart: {{ include "rancher-cis-benchmark.chart" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
+    run: sonobuoy-master
 spec:
-  # TODO: make the sa name configurable
-  serviceAccountName: sonobuoy-serviceaccount
+  serviceAccountName: s-sa-{{ .Release.Name }}
  volumes:
    - configMap:
-        name: sonobuoy-config-cm
-      name: sonobuoy-config-volume
+        name: s-config-cm-{{ .Release.Name }}
+      name: s-config-volume
    - configMap:
-        name: sonobuoy-plugins-cm
-      name: sonobuoy-plugins-volume
+        name: s-plugins-cm-{{ .Release.Name }}
+      name: s-plugins-volume
    - emptyDir: {}
      name: output-volume
+    {{- if ne .Values.skipConfigMapName "" }}
+    - configMap:
+        name: {{ .Values.skipConfigMapName }}
+      name: s-skip-info-volume
+    {{- end }}
  containers:
    - name: {{ .Chart.Name }}
      restartPolicy: Never
      env:
+        - name: SKIP
+          value: {{ .Values.skip }}
+        - name: SONOBUOY_NS
+          value: {{ .Release.Namespace }}
+        - name: SONOBUOY_POD_NAME
+          valueFrom:
+            fieldRef:
+              fieldPath: metadata.name
        - name: SONOBUOY_ADVERTISE_IP
          value: {{ include "rancher-cis-benchmark.fullname" . }}
        {{- if ne .Values.owner "" }}
-        - name: CONFIGMAPNAME
+        - name: OUTPUT_CONFIGMAPNAME
          value: {{ .Release.Name }}
        {{- end }}
      image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
@@ -40,11 +53,15 @@ spec:
          protocol: TCP
      volumeMounts:
        - mountPath: /etc/sonobuoy
-          name: sonobuoy-config-volume
+          name: s-config-volume
        - mountPath: /plugins.d
-          name: sonobuoy-plugins-volume
+          name: s-plugins-volume
        - mountPath: /tmp/sonobuoy
          name: output-volume
+        {{- if ne .Values.skipConfigMapName "" }}
+        - mountPath: /etc/kbs
+          name: s-skip-info-volume
+        {{- end }}
      resources:
        {{- toYaml .Values.resources | nindent 12 }}
  {{- with .Values.nodeSelector }}

--- a/charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml
+++ b/charts/rancher-cis-benchmark/v0.0.1/templates/rbac.yaml
@@ -8,7 +8,7 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
-  name: sonobuoy-serviceaccount
+  name: s-sa-{{ .Release.Name }}
 ---
 apiVersion: rbac.authorization.k8s.io/v1beta1
 kind: ClusterRole
@@ -20,7 +20,7 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
-  name: sonobuoy-serviceaccount
+  name: s-sa-{{ .Release.Name }}
 rules:
 - apiGroups:
  - '*'
@@ -39,16 +39,16 @@ metadata:
    app.kubernetes.io/managed-by: {{ .Release.Service }}
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
-  name: sonobuoy-serviceaccount
+  name: s-sa-{{ .Release.Name }}
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
-  name: sonobuoy-serviceaccount
+  name: s-sa-{{ .Release.Name }}
 subjects:
 - kind: ServiceAccount
  # TODO: make the sa name configurable
  # name: {{ include "rancher-cis-benchmark.fullname" . }}-serviceaccount
-  name: sonobuoy-serviceaccount
+  name: s-sa-{{ .Release.Name }}
  namespace: {{ .Release.Namespace }}
--- a/charts/rancher-cis-benchmark/v0.0.1/values.yaml
+++ b/charts/rancher-cis-benchmark/v0.0.1/values.yaml
@@ -4,7 +4,17 @@

 replicaCount: 1

+# if owner is specified, it's used for the name of the configmap for results
 owner: ""
+# skip is used specify which tests to skip
+skip: ""
+# skipConfigMapName is used to specify the name of cm where the skip info is stored
+# skip has higher precedence than what's specified in the configmap
+skipConfigMapName: ""
+
+# when debug=true, the plugin pods sleep for the time specified
+debug: false
+debugTime: "infinity"

 image:
  repository: rancher/security-scan