Merge pull request #658 from vardhaman22/eks-1.5.0

[main] eks 1.5.0 and k8s 1.32 support

Author: vardhaman22

.github/renovate.json

@@ -6,7 +6,8 @@
     "main", 
     "release/v1.1", 
     "release/v1.2", 
-    "release/v1.3"
+    "release/v1.3",
+    "release/v1.4"
   ],
   "ignoreDeps":[
     "github.com/rancher/lasso"
@@ -16,6 +17,18 @@
     {
       "matchBaseBranches": [
         "main",
+        "release/v1.4"
+      ],
+      "matchDepNames": [
+        "k8s.io/api",
+        "k8s.io/apiextensions-apiserver",
+        "k8s.io/apimachinery",
+        "k8s.io/client-go"
+      ],
+      "allowedVersions": "<0.33.0"
+    },
+    {
+      "matchBaseBranches": [
         "release/v1.3"
       ],
       "matchDepNames": [
@@ -26,6 +39,15 @@
       ],
       "allowedVersions": "<0.32.0"
     },
+    {
+      "matchBaseBranches": [
+        "release/v1.4"
+      ],
+      "matchDepNames": [
+        "github.com/rancher/security-scan"
+      ],
+      "allowedVersions": "<v0.7.0"
+    },
     {
       "matchBaseBranches": [
         "release/v1.3"
@@ -72,7 +94,8 @@
     {
       "matchBaseBranches": ["release/v1.3"],
       "matchDepNames": [
-        "github.com/prometheus-operator/prometheus-operator"
+        "github.com/prometheus-operator/prometheus-operator/pkg/client",
+        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
       ],
       "allowedVersions": "<v0.79.0"
     },
@@ -82,7 +105,8 @@
         "release/v1.2"
       ],
       "matchDepNames": [
-        "github.com/prometheus-operator/prometheus-operator"
+        "github.com/prometheus-operator/prometheus-operator/pkg/client",
+        "github.com/prometheus-operator/prometheus-operator/pkg/apis/monitoring"
       ],
       "allowedVersions": "<v0.75.0"
     },

chart/Chart.yaml

@@ -2,12 +2,12 @@ annotations:
   catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
   catalog.cattle.io/certified: rancher
   catalog.cattle.io/display-name: CIS Benchmark
-  catalog.cattle.io/kube-version: '>= 1.28.0-0 < 1.32.0-0'
+  catalog.cattle.io/kube-version: '>= 1.30.0-0 < 1.33.0-0'
   catalog.cattle.io/namespace: cis-operator-system
   catalog.cattle.io/os: linux
   catalog.cattle.io/permits-os: linux,windows
   catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
-  catalog.cattle.io/rancher-version: '>= 2.10.0-0 < 2.11.0-0'
+  catalog.cattle.io/rancher-version: '>= 2.11.0-0 < 2.12.0-0'
   catalog.cattle.io/release-name: rancher-cis-benchmark
   catalog.cattle.io/type: cluster-tool
   catalog.cattle.io/ui-component: rancher-cis-benchmark

chart/app-readme.md

@@ -29,6 +29,7 @@ This chart installs the following components:
 | CIS    | k3s                     | [k3s-cis-1.9](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.9)                                               | k3s-v1.27+          |
 | CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-permissive)                        | k3s-v1.26           |
 | CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/release/v0.5/package/cfg/k3s-cis-1.8-hardened)                          | k3s-v1.26           |
+| CIS    | eks                     | [eks-1.5.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.5.0)                                                         | eks-1.27.0+                 |
 | CIS    | eks                     | [eks-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/eks-1.2.0)                                                         | eks                 |
 | CIS    | aks                     | [aks-1.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/aks-1.0)                                                         | aks                 |
 | CIS    | gke                     | [gke-1.2.0](https://github.com/aquasecurity/kube-bench/tree/main/cfg/gke-1.2.0)                                                         | gke-1.20            |

chart/templates/benchmark-eks-1.2.0.yaml

@@ -6,3 +6,4 @@ metadata:
 spec:
   clusterProvider: eks
   minKubernetesVersion: "1.15.0"
+  maxKubernetesVersion: "1.26.x"

chart/templates/benchmark-eks-1.5.0.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: eks-1.5.0
+spec:
+  clusterProvider: eks
+  minKubernetesVersion: "1.27.0"

chart/templates/configmap.yaml

@@ -11,7 +11,7 @@ data:
   rke2: |-
     <1.21.0: rke2-cis-1.20-profile-permissive
     >=1.21.0: rke2-cis-1.9-profile
-  eks: "eks-profile"
+  eks: "eks-profile-1.5.0"
   gke: "gke-profile-1.6.0"
   aks: "aks-profile"
   k3s: "k3s-cis-1.9-profile"

chart/templates/scanprofileeks-1.5.0.yml

@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: eks-profile-1.5.0
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: eks-1.5.0

chart/values.yaml

@@ -8,10 +8,10 @@ image:
     tag: v1.4.0-rc.1
   securityScan:
     repository: rancher/security-scan
-    tag: v0.5.4-rc.1
+    tag: v0.6.0-rc.2
   sonobuoy:
     repository: rancher/mirrored-sonobuoy-sonobuoy
-    tag: v0.57.2
+    tag: v0.57.3
 
 resources: {}
   # We usually recommend not to specify default resources and to leave this as a conscious

go.mod

@@ -1,8 +1,6 @@
 module github.com/rancher/cis-operator
 
-go 1.23.4
-
-toolchain go1.23.6
+go 1.23.6
 
 require (
 	github.com/blang/semver v3.5.1+incompatible
@@ -11,7 +9,7 @@ require (
 	github.com/prometheus/client_golang v1.21.0
 	github.com/rancher/kubernetes-provider-detector v0.1.5
 	github.com/rancher/lasso v0.0.0-20240924233157-8f384efc8813
-	github.com/rancher/security-scan v0.5.4-rc.1
+	github.com/rancher/security-scan v0.6.0-rc.2
 	github.com/rancher/wrangler/v3 v3.1.0
 	github.com/robfig/cron v1.2.0
 	github.com/sirupsen/logrus v1.9.3
@@ -24,10 +22,10 @@ require (
 )
 
 require (
-	github.com/aquasecurity/kube-bench v0.10.0 // indirect
-	github.com/aws/aws-sdk-go-v2 v1.32.8 // indirect
-	github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 // indirect
-	github.com/aws/smithy-go v1.22.1 // indirect
+	github.com/aquasecurity/kube-bench v0.10.2 // indirect
+	github.com/aws/aws-sdk-go-v2 v1.36.0 // indirect
+	github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.8 // indirect
+	github.com/aws/smithy-go v1.22.2 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect
 	github.com/cpuguy83/go-md2man/v2 v2.0.5 // indirect

go.sum

@@ -17,16 +17,16 @@ github.com/PuerkitoBio/purell v1.0.0/go.mod h1:c11w/QuzBsJSee3cPx9rAFu61PvFxuPbt
 github.com/PuerkitoBio/urlesc v0.0.0-20160726150825-5bd2802263f2/go.mod h1:uGdkoq3SwY9Y+13GIhn11/XLaGBb4BfwItxLd5jeuXE=
 github.com/antlr4-go/antlr/v4 v4.13.0 h1:lxCg3LAv+EUK6t1i0y1V6/SLeUi0eKEKdhQAlS8TVTI=
 github.com/antlr4-go/antlr/v4 v4.13.0/go.mod h1:pfChB/xh/Unjila75QW7+VU4TSnWnnk9UTnmpPaOR2g=
-github.com/aquasecurity/kube-bench v0.10.0 h1:n73bFWxLnEe0uwVj3vTWFiQgNjktC/RcZOVWIrUD+10=
-github.com/aquasecurity/kube-bench v0.10.0/go.mod h1:PWWG09U9N70QG/BsUqltrB8gj1fhkWu8mCKjz77p79g=
+github.com/aquasecurity/kube-bench v0.10.2 h1:wVU6K/g3LJD/BAlDrphLYxs9f5PNRcon+ozZ6S/fMVU=
+github.com/aquasecurity/kube-bench v0.10.2/go.mod h1:TYImH07Qr2XA09VCBUiQDs6vilbTyourr0B+qq/AtN8=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
 github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
-github.com/aws/aws-sdk-go-v2 v1.32.8 h1:cZV+NUS/eGxKXMtmyhtYPJ7Z4YLoI/V8bkTdRZfYhGo=
-github.com/aws/aws-sdk-go-v2 v1.32.8/go.mod h1:P5WJBrYqqbWVaOxgH0X/FYYD47/nooaPOZPlQdmiN2U=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3 h1:TQ0sua3BwzGqHgEao1IwvJ8PAJ+OZPgJ5ByVU7vm314=
-github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.3/go.mod h1:6qzlBXc2heuoYIo9eU7/6klKvZKqhADl7Ceh0gp5jCg=
-github.com/aws/smithy-go v1.22.1 h1:/HPHZQ0g7f4eUeK6HKglFz8uwVfZKgoI25rb/J+dnro=
-github.com/aws/smithy-go v1.22.1/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
+github.com/aws/aws-sdk-go-v2 v1.36.0 h1:b1wM5CcE65Ujwn565qcwgtOTT1aT4ADOHHgglKjG7fk=
+github.com/aws/aws-sdk-go-v2 v1.36.0/go.mod h1:5PMILGVKiW32oDzjj6RU52yrNrDPUHcbZQYr1sM7qmM=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.8 h1:+0McIKnas9knQ+22C0fS5j1j4J4wlCvnjMPzvdgVrvQ=
+github.com/aws/aws-sdk-go-v2/service/securityhub v1.55.8/go.mod h1:Fab1AoG6jUpxrpAmv9EXzBg19EoJcvnwSIc/oDrEE2o=
+github.com/aws/smithy-go v1.22.2 h1:6D9hW43xKFrRx/tXXfAlIZc4JI+yQe6snnWcQyxSyLQ=
+github.com/aws/smithy-go v1.22.2/go.mod h1:irrKGvNn1InZwb2d7fkIRNucdfwR8R+Ts3wxYa/cJHg=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver v3.5.1+incompatible h1:cQNTCjp13qL8KC3Nbxr/y2Bqb63oX6wdnnjpJbkM4JQ=
@@ -227,8 +227,8 @@ github.com/rancher/kubernetes-provider-detector v0.1.5 h1:hWRAsWuJOemzGjz/XrbTlM
 github.com/rancher/kubernetes-provider-detector v0.1.5/go.mod h1:ypuJS7kP7rUiAn330xG46mj+Nhvym05GM8NqMVekpH0=
 github.com/rancher/lasso v0.0.0-20240924233157-8f384efc8813 h1:V/LY8pUHZG9Kc+xEDWDOryOnCU6/Q+Lsr9QQEQnshpU=
 github.com/rancher/lasso v0.0.0-20240924233157-8f384efc8813/go.mod h1:IxgTBO55lziYhTEETyVKiT8/B5Rg92qYiRmcIIYoPgI=
-github.com/rancher/security-scan v0.5.4-rc.1 h1:ZXonAI5++1ns9o64foRkObqkivt/a7mVtTKrXkVW6uM=
-github.com/rancher/security-scan v0.5.4-rc.1/go.mod h1:HDHaXT6LJKVSEvxC2NW8dm5RsvLP5nAb32739vPdjCc=
+github.com/rancher/security-scan v0.6.0-rc.2 h1:2aqWuaALFV/W9p96hm0UWurTyKnlxScaMIp7UA8nJQA=
+github.com/rancher/security-scan v0.6.0-rc.2/go.mod h1:1Q3NK94YVfW0/83+wmi/YsC6z0R7guWBq78Cd3B/f1c=
 github.com/rancher/wrangler/v3 v3.1.0 h1:8ETBnQOEcZaR6WBmUSysWW7WnERBOiNTMJr4Dj3UG/s=
 github.com/rancher/wrangler/v3 v3.1.0/go.mod h1:gUPHS1ANs2NyByfeERHwkGiQ1rlIa8BpTJZtNSgMlZw=
 github.com/robfig/cron v1.2.0 h1:ZjScXvvxeQ63Dbyxy76Fj3AT3Ut0aKsyd2/tl3DTMuQ=