- need tar:
# tar is not always present on minimal images; install it non-interactively.
yum -y install tar
- need helm:
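# Install Helm 3. Do not pipe an unpinned remote script straight into bash:
# fetch it to a file first (-f so an HTTP error page is never executed, -S so
# failures are reported), read it, then run it. If this is repeated on other
# hosts, pin the script revision you reviewed rather than `master`.
curl -fsSL -o get-helm-3 https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3
less get-helm-3   # review before running
bash get-helm-3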
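# Add the Rancher chart repo and install the CIS benchmark operator online
# (CRD chart first, then the operator), both pinned to chart version 1.0.301.
helm repo add rancher-system-charts https://charts.rancher.io
# Idempotent: a bare `kubectl create ns` errors if the namespace already exists.
kubectl get ns cis-operator-system >/dev/null 2>&1 || kubectl create ns cis-operator-system
helm upgrade --install rancher-cis-benchmark-crd rancher-system-charts/rancher-cis-benchmark-crd \
  --namespace cis-operator-system --version 1.0.301
helm upgrade --install rancher-cis-benchmark rancher-system-charts/rancher-cis-benchmark \
  --namespace cis-operator-system --version 1.0.301
# Fetch the same chart versions as tarballs for the offline install, then render
# the operator chart locally and list the container images it references so
# they can be pulled and mirrored ahead of time.
helm fetch rancher-system-charts/rancher-cis-benchmark-crd --version 1.0.301
helm fetch rancher-system-charts/rancher-cis-benchmark --version 1.0.301
helm template rancher-cis-benchmark rancher-cis-benchmark-1.0.301.tgz \
  --namespace cis-operator-system --version 1.0.301 | grep image: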
You should see the operator and kubectl images:
image: 'rancher/cis-operator:v1.0.3'
image: "rancher/kubectl:v1.18.6"
You will also need the corresponding security-scan and sonobuoy images, which are not visible in the rendered output above (see the chart source at https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-cis-benchmark/rancher-cis-benchmark):
rancher/security-scan:v0.2.2
rancher/mirrored-sonobuoy-sonobuoy:v0.16.3
Then `docker pull` each of the four images above and `docker save` them so they can be transferred to the target environment's nodes or registry. Record the image digests at pull time so the transferred images can be verified against them before loading.
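# Offline install from the fetched chart tarballs (CRD chart first). The images
# listed above must already be loaded on the nodes or pushed to a registry the
# cluster can reach; if they live under a different registry/repository than
# the chart defaults, override the chart's image values
# (see `helm show values rancher-cis-benchmark-1.0.301.tgz`).
kubectl get ns cis-operator-system >/dev/null 2>&1 || kubectl create ns cis-operator-system
helm upgrade --install rancher-cis-benchmark-crd rancher-cis-benchmark-crd-1.0.301.tgz \
  --namespace cis-operator-system --version 1.0.301
helm upgrade --install rancher-cis-benchmark rancher-cis-benchmark-1.0.301.tgz \
  --namespace cis-operator-system --version 1.0.301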
If Sonobuoy fails to reach CoreDNS, try the following workarounds one at a time, re-running the scan after each (see kubernetes/kubernetes#87852 and rancher/rancher#30029):
-
# Workaround 1: turn off rx/tx checksum offload on the flannel VXLAN interface
# (-K is the short form of --offload). This is not persistent across reboots.
ethtool -K flannel.1 rx off tx off
-
# Workaround 2: reset the default IPPool's CIDR. 10.42.0.0/16 is assumed to be
# this cluster's pod CIDR — confirm it against the cluster-cidr setting before
# patching, since a pool that does not match breaks pod networking.
kubectl patch IPPool default-ipv4-ippool --type=merge -p '{"spec":{"cidr":"10.42.0.0/16"}}'
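# Create a ClusterScan and wait for it. The heredoc delimiter is quoted so
# nothing in the YAML is shell-expanded, and the nested keys are indented
# (an unindented `name:`/`scanProfileName:` is not a child of metadata/spec).
cat > scan.yml << 'EOF'
apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: test-scan-0
spec:
  # "permissive" skips checks that do not apply to a default RKE2 install;
  # list the profiles this operator version ships before choosing one
  # (`kubectl api-resources | grep cis.cattle.io` shows the resource names).
  scanProfileName: rke2-cis-1.5-profile-permissive
  # Counts WARN results as passes in the summary. Use a stricter value if a
  # warning should gate a release (confirm accepted values in the ClusterScan CRD).
  scoreWarning: pass
  type: cis.cattle.io.clusterscan
EOF
kubectl create -f scan.yml -n cis-operator-system
# Block until the scan reports Complete (10 minute cap); a timeout exits non-zero.
kubectl -n cis-operator-system wait --for=condition=Complete clusterscan --timeout=600s test-scan-0
# The summary holds only the aggregate counts; the per-check results are in the
# report object the operator creates (see `kubectl api-resources | grep cis.cattle.io`).
kubectl -n cis-operator-system get clusterscan test-scan-0 -o jsonpath='{.status.summary}'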