Merge pull request #57991 from rakshitgondwal/feat/pkg/cis-op

rakshitgondwal · web-flow · commit 2d618c233f0c · 2025-07-02T19:08:51.000+05:30
feat(pkg): cis-operator
diff --git a/cis-operator.yaml b/cis-operator.yaml
@@ -0,0 +1,71 @@
+package:
+  name: cis-operator
+  version: "1.4.1"
+  epoch: 0
+  description: Helps to enable running CIS benchmark security scans on a Kubernetes cluster and generate compliance reports that can be downloaded
+  copyright:
+    - license: Apache-2.0
+
+pipeline:
+  - uses: git-checkout
+    with:
+      repository: https://github.com/rancher/cis-operator
+      tag: v${{package.version}}
+      expected-commit: cae64d5d3766e725a29825d4fb7b2c63b62741f1
+
+  - uses: go/bump
+    with:
+      deps: |-
+        github.com/go-viper/mapstructure/v2@v2.3.0
+        golang.org/x/net@v0.38.0
+
+  - uses: go/build
+    with:
+      packages: .
+      ldflags: |
+        -X github.com/rancher/cis-operator.Version=${{package.version}}
+        -X github.com/rancher/cis-operator.GitCommit=$(git rev-parse --short HEAD)
+      output: cis-operator
+
+update:
+  enabled: true
+  github:
+    identifier: rancher/cis-operator
+    strip-prefix: v
+
+test:
+  environment:
+    contents:
+      packages:
+        - curl
+  pipeline:
+    - name: basic test
+      runs: |
+        cis-operator --help
+    - uses: test/kwok/cluster
+    - name: Test operator
+      uses: test/daemon-check-output
+      with:
+        setup: |
+          # grab the node name
+          NODE=$(kubectl get nodes --no-headers \
+                -o custom-columns=NAME:.metadata.name | head -n1)
+          # we will have to label the node so that the operator recognizes our cluster as an aks cluster
+          # kwok is not recognized as a provider, https://github.com/rancher/kubernetes-provider-detector/tree/master/providers
+          kubectl label node "$NODE" kubernetes.azure.com/cluster=""
+          kubectl apply -f https://raw.githubusercontent.com/rancher/cis-operator/refs/heads/main/crds/clusterscan.yaml
+          kubectl apply -f https://raw.githubusercontent.com/rancher/cis-operator/refs/heads/main/crds/clusterscanbenchmark.yaml
+          kubectl apply -f https://raw.githubusercontent.com/rancher/cis-operator/refs/heads/main/crds/clusterscanprofile.yaml
+          kubectl apply -f https://raw.githubusercontent.com/rancher/cis-operator/refs/heads/main/crds/clusterscanreport.yaml
+        start: |
+          cis-operator
+        timeout: 10
+        expected_output: |
+          Starting CIS-Operator
+          Starting cis.cattle.io/v1
+          Starting /v1, Kind=Service controller
+          Starting /v1, Kind=Pod controller
+          Starting /v1, Kind=ConfigMap controller
+          Starting batch/v1, Kind=Job controller
+        post: |
+          curl -sfSL http://localhost:8080/metrics | grep go_gc_duration_seconds
