@mddamato
Last active May 5, 2021 15:11
RKE2 CIS Scan without Rancher UI

Install cis-operator-system

Prereq:

  • need tar: yum install -y tar
  • need helm: curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash

Install CIS-Operator

Online?

helm repo add rancher-system-charts https://charts.rancher.io
kubectl create ns cis-operator-system
helm upgrade --install rancher-cis-benchmark-crd rancher-system-charts/rancher-cis-benchmark-crd --namespace cis-operator-system --version 1.0.301
helm upgrade --install rancher-cis-benchmark rancher-system-charts/rancher-cis-benchmark --namespace cis-operator-system --version 1.0.301

Offline?

Download the charts first, then move them to the offline environment:

helm fetch rancher-system-charts/rancher-cis-benchmark-crd --version 1.0.301
helm fetch rancher-system-charts/rancher-cis-benchmark --version 1.0.301

Grab images, move offline:

helm template rancher-cis-benchmark rancher-cis-benchmark-1.0.301.tgz --namespace cis-operator-system --version 1.0.301 | grep image:

You should see:

        image: 'rancher/cis-operator:v1.0.3'
        image: "rancher/kubectl:v1.18.6"

You will also need the security-scan and sonobuoy images that the operator launches for each scan; they are not in the rendered template, so take the tags from the chart's values (https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-cis-benchmark/rancher-cis-benchmark).

  • rancher/security-scan:v0.2.2
  • rancher/mirrored-sonobuoy-sonobuoy:v0.16.3

Then docker pull and docker save each image, move the archives to the offline side, and docker load (or push to the private registry) there.
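The image-collection step above, scripted as an added example (not part of the gist): it renders the chart, extracts every image: value, adds the two scanner images the operator pulls at scan time, and pulls/saves them into one archive. Chart filename, namespace and the image list are taken from the gist; the archive name and the sha256sum step are my own choices.

```bash
#!/usr/bin/env bash
# Added example: collect and save all images needed for an offline
# rancher-cis-benchmark install. Assumes the chart tarball from the gist
# (rancher-cis-benchmark-1.0.301.tgz) is in the working directory.
set -eu

CHART_TGZ="${CHART_TGZ:-rancher-cis-benchmark-1.0.301.tgz}"
NAMESPACE="cis-operator-system"
# Scanner images launched per scan; they do not appear in `helm template`
# output, so they are listed explicitly (tags from the gist).
EXTRA_IMAGES="rancher/security-scan:v0.2.2 rancher/mirrored-sonobuoy-sonobuoy:v0.16.3"

# Read rendered manifests on stdin and print each unique image reference:
# keep the text after "image:", strip surrounding single/double quotes, dedupe.
extract_images() {
  sed -n 's/^[[:space:]]*image:[[:space:]]*//p' \
    | sed "s/^['\"]//; s/['\"][[:space:]]*$//" \
    | sort -u
}

# Rendered-chart images plus the scanner images, deduplicated.
all_images() {
  {
    helm template rancher-cis-benchmark "$CHART_TGZ" --namespace "$NAMESPACE" | extract_images
    printf '%s\n' $EXTRA_IMAGES
  } | sort -u
}

# Pull every image and save them into a single tarball for transfer; print the
# archive digest so it can be verified after the copy to the offline side.
save_images() {
  out="${1:-cis-images.tar}"
  imgs=$(all_images)
  for img in $imgs; do
    docker pull "$img"
  done
  docker save -o "$out" $imgs
  sha256sum "$out"
}

# Offline side (run there, not here): docker load -i cis-images.tar, then
# retag and push to the private registry if the nodes do not share a docker daemon.
if [ "${1:-}" = "save" ]; then
  save_images "${2:-cis-images.tar}"
fi
```

Run it as ./collect-images.sh save on a connected host; extract_images is the only part that does not need helm or docker, which makes it easy to check against the two lines shown above.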

Install

kubectl create ns cis-operator-system
helm upgrade --install rancher-cis-benchmark-crd rancher-cis-benchmark-crd-1.0.301.tgz --namespace cis-operator-system --version 1.0.301
helm upgrade --install rancher-cis-benchmark rancher-cis-benchmark-1.0.301.tgz --namespace cis-operator-system --version 1.0.301

Known issues

If Sonobuoy fails to reach CoreDNS, try these workarounds individually (kubernetes/kubernetes#87852 and rancher/rancher#30029). Note that the ethtool change is not persistent across reboots.

  • ethtool --offload flannel.1 rx off tx off

  • kubectl patch IPPool default-ipv4-ippool -p '{"spec":{"cidr":"10.42.0.0/16"}}' --type=merge

Create a scan, setting your desired profile and scan name:

cat > scan.yml << EOF
apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: test-scan-0
spec:
  scanProfileName: rke2-cis-1.5-profile-permissive
  scoreWarning: pass
type: cis.cattle.io.clusterscan
EOF
kubectl create -f scan.yml -n cis-operator-system

Wait for the scan to complete:

kubectl -n cis-operator-system wait --for=condition=Complete clusterscan --timeout=600s test-scan-0

Check results:

kubectl -n cis-operator-system get clusterscan test-scan-0 -o jsonpath='{.status.summary}'
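The create/wait/check sequence above wrapped into one script that also fails the run when any check failed, as an added example (not part of the gist). Namespace, profile name and the jsonpath are from the gist; the summary key names (total, pass, fail, skip, warn, notApplicable) are an assumption about the ClusterScan status, and summary_field is a hypothetical helper written to avoid depending on jq.

```bash
#!/usr/bin/env bash
# Added example: create a ClusterScan, wait for it, read .status.summary and
# return non-zero if any check failed, so the scan can gate a pipeline.
set -eu

NAMESPACE="cis-operator-system"

# Emit a ClusterScan manifest for the given name and profile (mirrors the gist's scan.yml).
scan_manifest() {
  cat <<EOF
apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: $1
spec:
  scanProfileName: $2
  scoreWarning: pass
EOF
}

# Pull one integer field out of the summary JSON without jq.
# Assumption: keys are "total","pass","fail","skip","warn","notApplicable".
summary_field() {
  printf '%s' "$1" | sed -n "s/.*\"$2\":[[:space:]]*\([0-9][0-9]*\).*/\1/p"
}

# Return 0 only when the summary reports zero failures. A missing "fail" key
# is treated as a failure rather than a pass, so a malformed status cannot gate green.
gate_summary() {
  fail=$(summary_field "$1" fail)
  [ -n "$fail" ] && [ "$fail" -eq 0 ]
}

# Full flow against a live cluster (needs kubectl; not exercised offline).
run_scan() {
  name="$1"
  profile="${2:-rke2-cis-1.5-profile-permissive}"
  scan_manifest "$name" "$profile" | kubectl create -n "$NAMESPACE" -f -
  kubectl -n "$NAMESPACE" wait --for=condition=Complete clusterscan "$name" --timeout=600s
  summary=$(kubectl -n "$NAMESPACE" get clusterscan "$name" -o jsonpath='{.status.summary}')
  echo "summary: $summary"
  if gate_summary "$summary"; then
    echo "PASS: no failed checks"
  else
    echo "FAIL: $(summary_field "$summary" fail) failed checks"
    return 1
  fi
}

if [ "${1:-}" = "run" ]; then
  run_scan "${2:-cis-scan-$(date +%s)}" "${3:-}"
fi
```

Run as ./cis-scan.sh run my-scan [profile]; the exit status is 0 only when the completed scan has zero failed checks, which is what a CI job should key on rather than the mere presence of a Complete condition.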

apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: mike-scan
spec:
  scanProfileName: rke2-cis-1.5-profile-permissive
  scoreWarning: pass
type: cis.cattle.io.clusterscan

global:
  cattle:
    clusterId: local
    clusterName: local
    systemDefaultRegistry: ''
  systemDefaultRegistry: ''

affinity: {}
alerts:
  enabled: false
  metricsPort: 8080
  severity: warning
global:
  cattle:
    clusterName: local
    systemDefaultRegistry: ''
    clusterId: local
  kubectl:
    repository: rancher/kubectl
    tag: v1.18.6
  systemDefaultRegistry: ''
image:
  cisoperator:
    repository: rancher/cis-operator
    tag: v1.0.3
  securityScan:
    repository: rancher/security-scan
    tag: v0.2.2
  sonobuoy:
    repository: rancher/sonobuoy-sonobuoy
    tag: v0.16.3
nodeSelector: {}
resources: {}
tolerations: null