From aff91b5a271d2152625fc4d84c380d3bbcf5d311 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:37:12 -0300
Subject: [PATCH 1/8] forward-port rancher-cis-benchmark 6.1.0

---
 .../rancher-cis-benchmark-6.1.0.tgz           | Bin 0 -> 6244 bytes
 charts/rancher-cis-benchmark/6.1.0/Chart.yaml |  22 ++
 charts/rancher-cis-benchmark/6.1.0/README.md  |   9 +
 .../rancher-cis-benchmark/6.1.0/app-readme.md |  37 ++++
 .../6.1.0/templates/_helpers.tpl              |  27 +++
 .../6.1.0/templates/alertingrule.yaml         |  14 ++
 .../6.1.0/templates/benchmark-aks-1.0.yaml    |   8 +
 .../6.1.0/templates/benchmark-cis-1.7.yaml    |   9 +
 .../6.1.0/templates/benchmark-cis-1.8.yaml    |   8 +
 .../6.1.0/templates/benchmark-eks-1.2.0.yaml  |   8 +
 .../6.1.0/templates/benchmark-gke-1.2.0.yaml  |   8 +
 .../benchmark-k3s-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-k3s-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-k3s-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-k3s-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-rke-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-rke-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-rke-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke2-cis-1.7-hardened.yaml      |   9 +
 .../benchmark-rke2-cis-1.7-permissive.yaml    |   9 +
 .../benchmark-rke2-cis-1.8-hardened.yaml      |   8 +
 .../benchmark-rke2-cis-1.8-permissive.yaml    |   8 +
 .../6.1.0/templates/cis-roles.yaml            |  49 ++++
 .../6.1.0/templates/configmap.yaml            |  18 ++
 .../6.1.0/templates/deployment.yaml           |  61 +++++
 .../templates/network_policy_allow_all.yaml   |  15 ++
 .../patch_default_serviceaccount.yaml         |  29 +++
 .../6.1.0/templates/rbac.yaml                 | 209 ++++++++++++++++++
 .../6.1.0/templates/scanprofile-cis-1.7.yaml  |   9 +
 .../6.1.0/templates/scanprofile-cis-1.8.yaml  |   9 +
 .../scanprofile-k3s-cis-1.7-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.7-permissive.yml    |   9 +
 .../scanprofile-k3s-cis-1.8-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.8-permissive.yml    |   9 +
 .../scanprofile-rke-1.7-hardened.yaml         |   9 +
 .../scanprofile-rke-1.7-permissive.yaml       |   9 +
 .../scanprofile-rke-1.8-hardened.yaml         |   9 +
 .../scanprofile-rke-1.8-permissive.yaml       |   9 +
 .../scanprofile-rke2-cis-1.7-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.7-permissive.yml   |   9 +
 .../scanprofile-rke2-cis-1.8-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.8-permissive.yml   |   9 +
 .../6.1.0/templates/scanprofileaks.yml        |   9 +
 .../6.1.0/templates/scanprofileeks.yml        |   9 +
 .../6.1.0/templates/scanprofilegke.yml        |   9 +
 .../6.1.0/templates/serviceaccount.yaml       |  14 ++
 .../6.1.0/templates/validate-install-crd.yaml |  17 ++
 .../rancher-cis-benchmark/6.1.0/values.yaml   |  53 +++++
 index.yaml                                    |  26 +++
 release.yaml                                  |   1 +
 51 files changed, 897 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-6.1.0.tgz
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/README.md
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/app-readme.md
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/_helpers.tpl
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/alertingrule.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-aks-1.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-eks-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-gke-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/cis-roles.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/configmap.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/deployment.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/network_policy_allow_all.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/patch_default_serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/rbac.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofileaks.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofileeks.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/scanprofilegke.yml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/templates/validate-install-crd.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.1.0/values.yaml

diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.1.0.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.1.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..8c3915666fe59a96da23087b4cefa02a2816f148
GIT binary patch
literal 6244
zcmYkBcRbba`^S%!vPVMV*fV>FV-yG385tQNB<B#aosfA#c6OAV5eFUXpll+tvscK<
zI5^||^ZEYuyZ^f%kNbMuulx1S^}Jp;7<v6B=)VPsfW(}1&7_=l4HXQ6l;xkwT1vS*
zlJ~HAq^w|UX{lgn_2Rh`%q7U&6t1T0`oatJHw^c3O<^2PR0~d!7%9l{Nz!`~W<B|=
zDldLCv%yy^q~5k-Hk~X@{Dv5nBWNrMbJT{j0_i3wTC+YpammX6^_aIyhwP6-0NI<d
zNGW(i_ffeY>|M}=GGoJ!T@l8?cA?|tTuzhb`8_WB*iCrzyf|@>GoPkon>IPwC@Cq~
zD5h`8F9aI(aSi^V6**{S%Fn{M<X32C^~DFl!28xm`{ss0k`0K<lz*9dnopnNkJ%zm
z$|{|!Sqe9sW=V@u!67D>dBadlIZ*f}=cAK}J~8Blc?=0UfGvCNy1j#47gmoVW5ewy
z?Y(AU{*4#plE5YB$!}u(yno9f>mPJf0r9;4pXrlmn)q10G1?U#s^YKS>+R-BwV`i@
z7|GMMF;<JTro$DfMm9T#Niu~?13Tl9OJ?8_Su~4IWRKc3HE)H9ZnD%Ydd~t<NTXGA
z6owu3na9CuTif<X$@rPpU^RC}2e*EOmA4KhYzhB}8hpy=uL_}8zF(U8MTmz0<-PQ(
z)$aB_I-S`=FJvZ<Gs~H8&h?3G#@u+9k_!@ui<2G{)Uh(#=l+Q#x4=4HGANOe+E|g_
zkA9}{g2U$5#P2fw=$F5?1LxND6f<YsJJQQtgqE2lRBS*WeM)()7L9CV+c0b0Ssydg
zEa!qh+fE$SCx*iQa8xz{&HQmD`-3E(>j1*a2L}|;w~*FLoYs_Fro59TY~t8=r`OKB
zs&+n@1YBlLnxV10)zA#jlV<fTzIiECO0q+${(+St!uuh4Be%sJ7=sqAAXxa(o&6ww
zjTKdzIIZm_8$TmK_cr>B8~vwNpa`BUb043=r<G~)6s7NYnZ2ODYvwtcxT9AypffKe
z^hBVx@ie(L^8q1!Ikawg!By;#^>77)-G>8y?FoA2aHtThc9Karh+j3G?;Kx3aY#yx
zXBdbh?^3&davqvAOxc^UFU?*I?ZYnjIj2Er-(0k4yk5VhxxK<2tfczm6EujQ))PKh
z5&KMd(%dSlyU`g+IuIda><;Gc%4OP|#b~idRqhGY+lngX@;zeOFVE4^Xbe+qdt^$d
zsk3Nq1!T%pdVQp3byjOx_WjCtcRF?0nX#eTLg%YAJ!v>}_PaN|@Pu|8aG;xm^L;{c
zpT2~Dl{kiSSkB9x;tNc<zQ3ZwFrnxiO=>UEa#_M5JNYBX1wt0+Bo}Gltdfiw^?}7S
zPOFDKToWYTDzd}IPa#<klW^Bb&|RIR!s`$Qk?rq(#S%X8YtgmVU-_8Ny^UX;uqmg-
zUCucDhC-jdE;vKvU)6|*Z4cV5bPK<Gb`hgb5lV9@D6DnrE<%?;dHc@wT0fO?jT;E#
zT{31tPB3cKOmIKS7=yC0p27FS{pK&ksWijz@5NOFBYx$WJk{uR9xQKZ{%1%Uem_#_
zlR1eE+bl?|NhwRI$ZR|5Mf1qQj5J18;+Ne7=SGF2^0hTmWtB0YA!Ph{3MiUWi$mg^
z`lrBRu~h0JW7p@M5z`wx1N3&~jCrq&F-+LDfXXwV!hhe+So*rDu2r;cENRsyB8phI
z3>X{5MD+sGnuY2C9nrpmd=c-AkSJu9`(6XTFFEadT&oDx8@P%?2MU6Cg@PB;6jg6Y
zZl`&9cerCqslR5us$A)KcmesuRsBTzsGfco+9>v`(3fRaYg#(ilQB2B=aC=HzWR&x
z=Oe~4k`;0)+s;KF3=)e72-mW97BU+CQir(>%bPa8E}Bk_Ra6Y_a{d0v4O+!{VA*_O
zcJbLpw>c!~ZCm<jui+&+@}#@xPL_P6sg;fd0#&K}Oy4cuBnWFT%a@B}z2BG-O)N!k
zv$3W-!RFUHX&M`U{77ibP)J!54!3mZJYrLmk33TeXPK^*Ec?QV8bu&=$Lt|f?9wiO
zv7c#zrqS;++?3T6ONqLuK_Z8u{_KMXBrp}QofFXdEzN$Bhz(iTuloY{n{>hE$_Enf
z3nGL22C8R<l_xaWT$!iWNYQ?3kb~c6HnM|w#?WP=t!=S9R6Dddj;?!fmzM{d|K2K8
z-98nESI+0mY(r9CIeL=!)MfRn60gEaq4n!f=cnEwB>x_I=0{(M81UTR$26`iDIedj
zA@dmNiWqwk#g*aX_ueKOxWm^#1t7KUWzv!gT;MQr%N2~nTi~)?6I<Se;52^_z$GJ6
z=`gRMZA`~n_0Ki5?_MgeToN2ILjiZ9`ZI9L6)ECj<KMb<mh>BjQ>U;&T(<!OEe}T3
zW+{ouL+1wp9QbL?)*i%XzM&(yrGI8O2EJVT<l^8VHGXj>_Q`nZx%vVU0H+@=d9DIB
z?%=EKZJ;j^SDQW6r=BxYgXy7hlqV)5&%s>syO_o?*iqq5|4ZuEBQ(pN#ivK=*-nY)
zU^$%n^P+`S^~sct^TOe}E@1lp?ixbj-N5bFvI5=E7-Dd#BMXsop_^DsT>f+QFmaSE
z-fFx5<s&H$)!S5ZRV4Cbug(>5`6Zv4J=>Y>5`oprrMiIe&%m@6?i-*5y-j_1I<9b~
z?F(=~k30Y<p?!pFfd5#>A)<v0So(Zzzp&{W03#p}kL>{PS?dT6W8;oEUy26ccRM>g
z!thA;DMdh?OX0jW`V|ro<+M%;KRP#aWF|~&%&#C0j)CxF91wg};?M^u-daX`T-hcC
zsKdem3;I23V0Rd>D#FAQvBp=Yfn#9JJ_@+^|1RLeW1DS3Gpa;z-bpUu%BCMj4pS-6
zl_mHp;8r4jgfRux-3EFHh;LnWL4XzY9wXp+4U|X`Xf#I!a7ch&Z~^p2mm|b0)$nr%
zUy@~?6U8H-!{Z_T;1__6g}MSue}Ss#vp69C9Oxzen`OD;;J~UHIPO#@cDQtqu?bva
zuKX}z1Xg1LCE|ajQ(vlY9!dth60LgCB|z^zVEj5>z3j6<F=#EyPgfTZ47^z?bgUF~
zpSkehecn7;7^Ot3Vqs+MuXr=mfb4UdRgkG;e{_8_%=C9ZW9ah`()jK(9@NLNWc3TS
z4}_ac8;0|-dpAT0r$54@Uul#)2kKGzJ$&`lUeU&0Ofln9kL?tpo7*87=WnUYUcv=U
zL+74Z1o$eHrYYZOAfzsaUF;2wJDI4MX4xhLAT+!#BqyRa@P+d+@+h_H6Chsn?<jz6
zDIp-9J=9nOJU`6n<eG**?0yQ1sqacM7WS_k*%s_O7YJpAj=4Q!2R|)fDArBZOJsJt
zZi3}$(ir8^Ib3GrJIyMXKR`dh(aB^A%To9R!!Vvy#M9Oc0b}ulaDii&$cY0>Rl6D<
zS#YIjqO5YH!Vj01wj3MrFsqPy24e^QQvQLgJld0<-%Yz_;w^Tn&-p_3VWoDm=*xpr
zi?gLZsb#FMi?J?cV>gjLw&WN*l2VsQsEw#Uv+pZJekH{Et!KU2%VsuLl*Ta#>DR4n
z+CWkJmz~oOI^P?Y`sYO68EVWX<$szpDh#WLbt~xOD_zXEHxf_HV9T9SD61`eKjlWR
zn9A=|!#q++->{C8_kIhwLiI8zAt!dhV2~vs#gU{VlwHlnJmp5{#XlLzfmq?|ki*x(
zSiY}pn6;fKjd+i>&b+eR?HPmlRI*n*B`C2M`Y~_ij@Wy$-_lxE-{ol)pZ4}AUX~3Z
zlhqv@+94qUVMk|w;al02tH(oyW60Tc_6wLDG<`SO4N-M-D@Fe=C>@PKV2QZGMW8KN
zp?AQ`vQbi~tHtnPprpstF0yL3L2)Y!TwAkLfM{zA4D%<f5H|W`wz8^D);FBnYJUJe
zHGP|=@y<<pOerj@1sD|^apZ!2*V}+@;RnB-6#K)uLl8#W&dJpR9^P^p7#>8}|LfJ`
z?bgay_>()$)77K44e$;RIy)k4oYHSC0p`+gCBgEHki`c<e5OjCZSQ<~t92C{ZfmG_
z0L05RoTAMb5_?d?#ajQ^Ss|>OOqlp_okpLxk1|{+OMh2DPq_ync+6e>BBf!Qgv}Kq
zL(xu*e8f{W>h@unnipaHk4*8~=FLHN$@;&4_lh;pO!Ow}8J^E1T1S~?UtaK7#+Utz
zvdNTCzm-f?Cixy^F7kTy*L@_fhfJ|$P-sGGrp_hWx&EGq1%A|I!AH84F3|xasM&dN
zg2^4eX4wvK-pM#a(B&R4?G~*@hN~{78|qVE9Q+mMSW&B&aq)Wqw7S~FzQdvI+(7Au
z<b&sXuhEe`)RyY%i?IU_-%#V;UWCHbAps7EL=+XUSz>jYcT-4wckZ>t0iv}%?cW7G
zEzz@xmk2)zl#~MaFclgtrc}_>TN*qFIgOBnuHP9GKhlq_L&$luL<hiO?ilTr2Mpk$
z9!^~S<QGR+a;IH-$`;S%A8<Eq5?Z6rPC?RB#I0hXe{`o1!VV`zd6CIQ+%^}rrVcDC
z(-*T+dV9}0VOoC9cEoZm$S9Bf<wdbhQC@yfQ&z2eI#~SXfDw}_q>!2RgYn+i$YDBC
z_pQ?rn5@*uI5^(~z+E_aF^NE?DQaF`;!;N65vn-18t_aQas|`c_wTVNI!|!TN%IwN
zffT>z9vz+2=0B2;v|r-|=G`*@MGn=1_mrX0fI9oFCE(2Hvi%tlAddPtqB<+@%M=5H
z7_K?%9aR-dk&sPHTysi`yO#sq*o|E`M2*Sxw8l~4p4{;SO=yRDZTJo;(V;N%*>}@8
zjnA~Q4JXrhu!gq{gc^4Trh6bc=aG6X*^(SMkoD*ANKpy*SF_(~_O8j}1QtI&!_25D
zf6+MewZ1GNvzxrTP^g%Gk#0DCb~iZqB0oc1WXM15x<mTP62A01%sSvrHdpyh4kzqM
z$ThDlE+@LQA(pmEoLRC%3Bt8;r1GhCHbo4{sR4AG+vt#6<4eKZVg?IS$J0c+npEq2
z6ji^q9yIHCGGJH`!{iXwC#1AxP|OJm5ecJg{dz0;eodbFgB2yJRAhF3ZZb8qh=dxG
zi9$u@z*{8UY}7lP-u7x;ZTTnEC-Wy3cEiI2Vas0($u>slg6oG+g_6?!p7V?xY0Q4=
ztj-iSa_jEx`Wim6ISSp(%e2J5XM@jI^QSzUO4n_D&xV<``R^Y8$q2k#<inCX`01-_
zP0_Ni`J=a=*wL!ayCVgE$~u}Y577%27T&iw{$vtE<DJEg$C1gXdJ2<Qy<%$`><f4f
zHP<>P@aSk!m2!G!ghJQqeqZ%pf+xoiXR;|Tp!3ZP>mHhTII#Nc{&d~Kb&1&N&9A|8
zpsDEjt%3-3$!Z&5;P1iWJ+i|=ET)72w6Cpg;tOrukC%X6mE$Zoz_2OPs-065c-}cO
z9mxDs!&D)%iHWgkB1@$L_Dnz?9aGp!3Cy6BiHf73HWp$o_NsmFA0ceSh{hav^>~FY
zg#Wcp&OAU-xDW^!&jX%N?=b=BzYbr1e2N9_O|zK`a)s`95ctNL&PTaGC+o*R%)%<M
z)~PuNu%+JP0MOvpDOVDi3`hVFzK7x@8e<QDE4t9abphMQ7r;a>0N0vdMJy39)9XNG
z^jRX{b_kRu0uF@=U6}VPw`PH<BS0HZA7e<w1iNRQj~0}r{fV<KUXuJLmPQ8&zz|K{
zIq>jIf?Mu6Vnz*i=s<l%Ea+p@4hocbuoS1z2b9hNO((#}g>j<^EfGK|oGAJNiT@$a
z>i?89o&)#9uNtjlG3}8<2Fc;}1%|Q&@6av?z|~OBcx<63nTG#n*Vg_*ZDCU{a7_|q
zxr%uF8&Fie_xuc)(hBKAcu9gXH?Dl(BDP#X3miq_C<ZJoV{Xkc6FrweCiy{!=n(8~
zS@jVH{vXQJMxP}CTZh1iXy+V?gg9VO(=cCaP<6PZE^-Oj*LES)P!I8LFDL%8@3xc{
z%zM=lT;@Q)S4lj5OAi*&Zl4A;bIl15zbN28b|EldK*puChw9nYU#6QAn!11w|3fS$
zAp4DfNH6fcEgp6V_}Rn*)kdMC6QX!9?G-_WM1^0GMUhs==%8#sg06%5#QaV}aKf1z
zRz|hYDgQzNf@M?JsX9bFB;8?-9$+LU2~90xv&N|K*lW-zQX($uN(AOsFk>0Xd*MJ9
z?kFpgtp?%Hb(g6hUbVD)!+LNp_g#RV?gRCYEXitC!L0GZUe%|Nw;g1K!J@wRi}hhm
z$e%hw%x<W?i!)o*i?AGUnCC5@cMWP$57VSO@NL{LB9}V^dC)~97B@>m&Q^Gv5HgQa
zlbrO|myRG62N|nY`X&k_SZ)a{f{J$|;SaayH~MVMNp8lD@pSB=5I$dD;Ph*csxMP}
z_tH3TsfV&2Iq{Zh1Oz3SW?U<Yc&9-gX`STC%nD)qc;ky2iM;mVR|etxupj7&<kyM<
zT0Ps4)Z)v695WAii_V^<g5>cAy6DWptdW3GRmZLDp;fQ}W_^|C@EOU^z*&sY!X^PO
zenKiyeXVmBDW)qf)HcQD*$8>=_pDp7PEYi|EQV|fS=EE5NhL>q5DH?tieiv|L`K$(
z-qSO?<dj?kRB6hS$~D+Nif9_flO{`j)jYi5yqXPv2G~}!dOLYVjNm6OPp2JhAJJ@9
z$XA%Vd8;hXglZ~0mL=g;`pl4>LoOS$<(sS@W}b*(ib>K~9ra;VSoXnVFZ-ZS3OqPp
z?gF!0BygT}`!c@DP_r<qIYJ$5OUXs1GA_Xd@vyA5=bOmtwd;%~emCi|7+!XCl3kaq
zE&X3W^m}0e&1ER+gMROKOB5}|mrvF_c?sBc{=P=(EV0?k<sKrt5%59j0aK!*GruTP
z;C0eI;S)}-8|Ul3l8@kTBb1$7BD*IQ7tV8bkAmC=5AO8j>pcid=UiQS?!2Lr@*u^|
zfL^(2sqsxV5m}vv;yvPC4rnPvZLHB`r+%~?iZHhJM7@J)P0F=MM}F7xucx5zj7ZHW
zVA|Xzq1OH0RzaJ`0NIA1glk=l!;!k<xP0wdGLt;YDPd%s9yd2%r3rlpmq+xy+v~%>
zoMa6Cs9;+@0`~O;iM+%{o5z&WrEdqfizbU+kTD&65EE05D<O78h<%%ikbOjALTF18
zav<cyk08|Q?u6cX6vMP%+K+lJtSOYncB6u9s1i$?@<)huZvw*aneCk!SJt<n!~u@;
z_$*P-?`#t_n80By`}w={M**!qZDjrYVRqs+fBnEL&GO0QCze=m#gawyhRG~e`y+*H
z-|vAx?X&Ab(v*{vDp=`1uX4M|kq^EY5g}u(G|%f~I~b>#vJeMJrY4NCx~<K-bPP{1
z7sJJj))fc}g&&RMyO-^ggFeM-9zAYnT`OtzW9+`WY3^+aJ4=NbfopgEgw~}=nc02g
zZ3?5F0i}4yYJLEAVn_7#ojz;v_TOQlVyB;fbQ!=CToLQvmq#I-e(OkPFF;6|DCx?B
z=X1*WOF?RG_H7oG`pHp>%8OTZ+wf;Hsj8eP|Eb?lsa$japw>d7?<+etGLnEdA`6JA
zE`DPX*y}`+c5Ss-IXfyAA*s~Z7{>cmjQuYBW3SfBwAU6(x7pvu=~<=Qy_SxeBbJq(
zH60KaHK(lk1HE<esE&YN%KfJ-84L-2Uko@vo3`^I@mxD+y1v_~P^uvbcjTon)nt$p
zthZqJ3zlveuOi}x8=zrIHvhdbP?vWBnGDrs_`RiKSsdx$wUT0OeLi`coIIDAF&q+t
z)8SL-ADKpja`zgfg5ZtzZBn9HM-0?^X{P109#y9xD;<j!9^0`pvm3$8*<6Ua%Xe&}
z!NNjD&!J!&dLx7FSSE2y1GKW{r0CSKw^L5nmbg<Io}f6Xemj-lCn`Sjo<8@h%?IBa
znVH}^f-^_GX-31_j{d;n*>9rh(T>i)f_;O<3Hc2*A|kn8?Ahet1*otxS#l=geDW>*
zQ=ed?qO|4|#o6cW&K}H7lzJttDOf)TLP!e=A*=r-u`OhKX##qQWema%ZB$=wjKCh$
ztcE)FSeMXy4z$kGNgS&^j%y$b3aIV0$ZH_r<icheNwY3);R3ST8Y1jsns+`r2XK4K
zuSGr1E57$a;DD~RIl=2W_!Zwl(qwavPYt3062uXN9mlYo1(dWY*$Tp2*z5lh?aOWQ
zLPML(7Xy#ah$VN;Z8~x?0_uN(%W_A~B;9Jp|4nY$--VSI#SlOKL6BX2C;(d4rOqHy
H643tvqxQDN

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark/6.1.0/Chart.yaml b/charts/rancher-cis-benchmark/6.1.0/Chart.yaml
new file mode 100644
index 0000000000..4c1573c4f1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+  catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: CIS Benchmark
+  catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+  catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+  catalog.cattle.io/release-name: rancher-cis-benchmark
+  catalog.cattle.io/type: cluster-tool
+  catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v6.1.0
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+  cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 6.1.0
diff --git a/charts/rancher-cis-benchmark/6.1.0/README.md b/charts/rancher-cis-benchmark/6.1.0/README.md
new file mode 100644
index 0000000000..50beab58ba
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/6.1.0/app-readme.md b/charts/rancher-cis-benchmark/6.1.0/app-readme.md
new file mode 100644
index 0000000000..d4834a4824
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/app-readme.md
@@ -0,0 +1,37 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+    - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+    - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
+
+## CIS Kubernetes Benchmark support
+
+| Source | Kubernetes distribution | scan profile                                                                                                       | Kubernetes versions |
+|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
+| CIS    | any                     | [cis-1.7](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.7)                                | v1.25               |
+| CIS    | any                     | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8)                                | v1.26+              |
+| CIS    | rke                     | [rke-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-permissive)  | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-hardened)      | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
+| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened)      | rke1-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-permissive)| rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-hardened)    | rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened)    | rke2-v1.26+         |
+| CIS    | k3s                     | [k3s-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-permissive)  | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-hardened)      | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26+          |
+| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened)      | k3s-v1.26+          |
+| CIS    | eks                     | eks-1.2.0                                                                                                          | eks                 |
+| CIS    | aks                     | aks-1.0                                                                                                            | aks                 |
+| CIS    | gke                     | gke-1.2.0                                                                                                          | gke                 |
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/_helpers.tpl b/charts/rancher-cis-benchmark/6.1.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..b7bb000422
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+  {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/alertingrule.yaml
new file mode 100644
index 0000000000..1787c88a07
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: rancher-cis-pod-monitor
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  podMetricsEndpoints:
+  - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-aks-1.0.yaml
new file mode 100644
index 0000000000..1ac866253f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-aks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: aks-1.0
+spec:
+  clusterProvider: aks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.7.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.7.yaml
new file mode 100644
index 0000000000..fa8dfd8eb9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.7
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.8.yaml
new file mode 100644
index 0000000000..ae19007b2e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-cis-1.8.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.8
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-eks-1.2.0.yaml
new file mode 100644
index 0000000000..c1bdd9ed5e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-eks-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: eks-1.2.0
+spec:
+  clusterProvider: eks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-gke-1.2.0.yaml
new file mode 100644
index 0000000000..c609e736fd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-gke-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: gke-1.2.0
+spec:
+  clusterProvider: gke
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6fb369360c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..b556d70fe5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..07b4300d20
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..c30fa7f725
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..39bac7833c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..2e2f09ac74
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..d3d357c023
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..208eb777cd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6306e9601a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..76236e11af
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..0237206a73
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..b5f9e4b50f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/cis-roles.yaml
new file mode 100644
index 0000000000..23c93dc659
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-admin
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-view
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/configmap.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/configmap.yaml
new file mode 100644
index 0000000000..094c9dfe0a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/configmap.yaml
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-clusterscanprofiles
+  namespace: {{ template "cis.namespace" . }}
+data:
+  # Default ClusterScanProfiles per cluster provider type
+  rke: |-
+    <1.21.0: rke-profile-permissive-1.20
+    >=1.21.0: rke-profile-permissive-1.8
+  rke2: |-
+    <1.21.0: rke2-cis-1.20-profile-permissive
+    >=1.21.0: rke2-cis-1.8-profile-permissive
+  eks: "eks-profile"
+  gke: "gke-profile"
+  aks: "aks-profile"
+  k3s: "k3s-cis-1.8-profile-permissive"
+  default: "cis-1.8-profile"
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/deployment.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/deployment.yaml
new file mode 100644
index 0000000000..8c9f72f5de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cis-operator
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    cis.cattle.io/operator: cis-operator
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  template:
+    metadata:
+      labels:
+        cis.cattle.io/operator: cis-operator
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      containers:
+      - name: cis-operator
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: cismetrics
+          containerPort: {{ .Values.alerts.metricsPort }}
+        env:
+        - name: SECURITY_SCAN_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+        - name: SECURITY_SCAN_IMAGE_TAG
+          value: {{ .Values.image.securityScan.tag }}
+        - name: SONOBUOY_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+        - name: SONOBUOY_IMAGE_TAG
+          value: {{ .Values.image.sonobuoy.tag }}
+        - name: CIS_ALERTS_METRICS_PORT
+          value: '{{ .Values.alerts.metricsPort }}'
+        - name: CIS_ALERTS_SEVERITY
+          value: {{ .Values.alerts.severity }}
+        - name: CIS_ALERTS_ENABLED
+          value: {{ .Values.alerts.enabled | default "false" | quote }}
+        - name: CLUSTER_NAME
+          value: '{{ .Values.global.cattle.clusterName }}'
+        - name: CIS_OPERATOR_DEBUG
+          value: '{{ .Values.image.cisoperator.debug }}'
+        {{- if .Values.securityScanJob.overrideTolerations }}
+        - name: SECURITY_SCAN_JOB_TOLERATIONS
+          value: '{{ .Values.securityScanJob.tolerations | toJson  }}'
+        {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ template "cis.namespace" . }}]
+
+  backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/rbac.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/rbac.yaml
new file mode 100644
index 0000000000..5fe075e34f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/rbac.yaml
@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrole
+rules:
+- apiGroups:
+  - "cis.cattle.io"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - "pods"
+  - "services"
+  - "configmaps"
+  - "nodes"
+  - "serviceaccounts"
+  verbs:
+  - "get"
+  - "list"
+  - "create"
+  - "update"
+  - "watch"
+  - "patch"
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "list"
+  - "create"
+  - "patch"
+  - "update"
+  - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-scan-ns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "nodes"
+  - "pods"
+  - "serviceaccounts"
+  - "services"
+  - "replicationcontrollers"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+- apiGroups: 
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+   - "batch"
+  resources:
+   - "jobs"
+   - "cronjobs"
+  verbs:
+   - "list"
+- apiGroups:
+    - "apps"
+  resources:
+    - "daemonsets"
+    - "deployments"
+    - "replicasets"
+    - "statefulsets"
+  verbs:
+    - "list"
+- apiGroups:
+    - "autoscaling"
+  resources:
+    - "horizontalpodautoscalers"
+  verbs:
+    - "list"
+- apiGroups:
+    - "networking.k8s.io"
+  resources:
+    - "networkpolicies"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cis-operator-role
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "patch"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "configmaps"
+  - "pods"
+  - "secrets"
+  verbs:
+  - "*"
+- apiGroups:
+  - "apps"
+  resources:
+  - "daemonsets"
+  verbs:
+  - "*"
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheusrules
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cis-scan-ns
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-rolebinding
+  namespace: {{ template "cis.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.7.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.7.yaml
new file mode 100644
index 0000000000..1a37aad835
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.7-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.7
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.8.yaml
new file mode 100644
index 0000000000..40be06c946
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-cis-1.8.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.8-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.8
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..22ae9e0d23
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-hardened
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..f79e9ed966
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-permissive
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..03f6695689
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..39932a4e5b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-hardened.yaml
new file mode 100644
index 0000000000..7b83f95bcd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-hardened
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-permissive.yaml
new file mode 100644
index 0000000000..52327c4af1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-permissive
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-hardened.yaml
new file mode 100644
index 0000000000..54aa08691e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-permissive.yaml
new file mode 100644
index 0000000000..f7d4fdd229
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke-1.8-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..193753a0bc
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-hardened
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..409645dc76
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-permissive
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..d0a1180f56
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..0aa72407c0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofileaks.yml
new file mode 100644
index 0000000000..ac9f47a8fb
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: aks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: aks-1.0
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofileeks.yml
new file mode 100644
index 0000000000..7cf7936cbf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: eks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: eks-1.2.0
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofilegke.yml
new file mode 100644
index 0000000000..42fa4f23a2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: gke-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: gke-1.2.0
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec48ec6224
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/6.1.0/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/6.1.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..562295791b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# 	{{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# 	{{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/6.1.0/values.yaml b/charts/rancher-cis-benchmark/6.1.0/values.yaml
new file mode 100644
index 0000000000..bce51b913b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.1.0/values.yaml
@@ -0,0 +1,53 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  cisoperator:
+    repository: rancher/cis-operator
+    tag: v1.0.14
+  securityScan:
+    repository: rancher/security-scan
+    tag: v0.2.16
+  sonobuoy:
+    repository: rancher/mirrored-sonobuoy-sonobuoy
+    tag: v0.57.1
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+  overrideTolerations: false
+  tolerations: []
+
+affinity: {}
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+    clusterName: ""
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.29.7
+
+alerts:
+  enabled: false
+  severity: warning
+  metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index c3e2442a47..7c7b8743f1 100755
--- a/index.yaml
+++ b/index.yaml
@@ -9684,6 +9684,32 @@ entries:
     urls:
     - assets/rancher-cis-benchmark/rancher-cis-benchmark-6.3.0.tgz
     version: 6.3.0
+  - annotations:
+      catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/display-name: CIS Benchmark
+      catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+      catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+      catalog.cattle.io/release-name: rancher-cis-benchmark
+      catalog.cattle.io/type: cluster-tool
+      catalog.cattle.io/ui-component: rancher-cis-benchmark
+    apiVersion: v1
+    appVersion: v6.1.0
+    created: "2024-11-12T15:36:48.966436254-03:00"
+    description: The cis-operator enables running CIS benchmark security scans on
+      a kubernetes cluster
+    digest: 88cbf1231d5e62e5d08363ff70694c1ddd6422eedabd7774b4b4a8bc4b352e18
+    icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+    keywords:
+    - security
+    name: rancher-cis-benchmark
+    urls:
+    - assets/rancher-cis-benchmark/rancher-cis-benchmark-6.1.0.tgz
+    version: 6.1.0
   - annotations:
       catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
       catalog.cattle.io/certified: rancher
diff --git a/release.yaml b/release.yaml
index 29d7749019..3af8f3a282 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,5 +1,6 @@
 rancher-cis-benchmark:
   - 105.0.0+up7.0.0
+  - 6.1.0
 rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
 rancher-vsphere-cpi:

From 9f6dcff29145495731f4cc4689d2f428192b7929 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:37:27 -0300
Subject: [PATCH 2/8] forward-port rancher-cis-benchmark-crd 6.1.0

---
 .../rancher-cis-benchmark-crd-6.1.0.tgz       | Bin 0 -> 1476 bytes
 .../6.1.0/Chart.yaml                          |  10 ++
 .../rancher-cis-benchmark-crd/6.1.0/README.md |   2 +
 .../6.1.0/templates/clusterscan.yaml          | 149 ++++++++++++++++++
 .../6.1.0/templates/clusterscanbenchmark.yaml |  55 +++++++
 .../6.1.0/templates/clusterscanprofile.yaml   |  37 +++++
 .../6.1.0/templates/clusterscanreport.yaml    |  40 +++++
 index.yaml                                    |  14 ++
 release.yaml                                  |   1 +
 9 files changed, 308 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.1.0.tgz
 create mode 100644 charts/rancher-cis-benchmark-crd/6.1.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.1.0/README.md
 create mode 100644 charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscan.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanbenchmark.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanprofile.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanreport.yaml

diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.1.0.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.1.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..3b53e1401211f2dabe18efa89d34ae21027cf8b3
GIT binary patch
literal 1476
zcmV;#1v~m5iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PI@PbK1BQ&NF|7roU%gn*jL@Zz=8F^zNEwNUrz1$Qw{&OBzYe
zmASe9{YJI{8)U#>XfyS`Flgm(W&7Jt>$MedI!D!|On0Zq={yGY+@&gfJD!6w-U8z2
z>O}K>-yin->96nmo4@{`=U)Z=;oxR49NhGWSAH-Ig6k{dpBnfOOSA!X<)0jD^W<KM
z0q4SiVS?*XhY$(|A~EwQ7!#q##9NBWuqTG$h~!*xPMfnZL_Q*Kj7sp0a|(wTwFHVI
zV%a7nDlkHI^+Fqrorfrl5Hxn}p{w}YT<w5lUr=c#_=vm&oe(uuOq%rnN3IP-ktSx2
zWITDV$&*lSEU&XKkXc9^5s)%sG`(t_mu1|c7kGZ>d*9ExR-OL_V;O-#{gy_FHmEcO
zev}^U&i}yg^{>nM-wXPF(B}Uote80<8GbX!?LX~3|6kh_d<i<wjE5sKPP7s61hq&M
z#rOEcI7>4iMgt)ju=<hZPk}JnqfD<ex}zmhJ8`B&B2ytKIJ4tZAtEG?nn68K;OVH0
z5(QB?MC#Ct&yomK$<-l5Q(;p!$LSD~Cu|y}OCSu>vw-McF>X+eMU=!mUqhFC)q>xH
znU9F44VXlG5oj|>xLwh`5>G6`JBTrzzC8cJqVp-aJChG>6yvkX06K|dPz%op15pY0
zu`p5#N`lrUr2F+iEubf0<t6>H9;gMRpP4KHJ*)?60sRe%mw^6S57YwU!rW%MK8?z^
z^G+DD<vIvE=gK3CQ5%TMXZ(lTxd&Jx^)#Jhm_!&_hK&V(Vl$5_!5{MRG8wlWTOqQU
zFF}?`bdE8M^0`7HzrFwX<@%vCOo&u=2RCe)ubD0Ldu{G{S)fu1ZMq5JNfg;jJ|ecN
z*m7^3MiF}J3e|?MUbwa5^>+F9!tXf)YYGi=t4?E)aN~}WL0IXUrSi6E_9EX#sLbS)
zh3>u<*1*R2%*P^@5t@of>jh7Rh!FU0Fe@&JIteSAA*NrEnhF9rotg@TR!SImFb8=O
zZ;y6KL1&A@1=U>JvE;5;bf!3mrrsTXGd4AD9jrP&>mHU|V|-@m)^t`=!L!}k!9r#*
zc9L@+b*)A}D&RUrwrX6(w*&HIZ%SwJ{*)mYJb$bhwT9W5gD3<o_<3Wv*xhuDbix@U
z?3AK|k^+>1#fC3rT1K#Fcy~jkgxa;?RBP@|&Yiv|S|*$g+^lrKDf?va>F>D5?&pRk
z<#DsxY!X{cHL4d3e?^We?R;#b?<z&|D!XBt+Ku(NvZz$;9|vJK`y*?zXXdy$ha8zc
z6CQV{eNZ~)$Vy5(9b1DLZ3=f+8=<T|6h@M%%G(O73z`c)`RCtP*HU{`R<r-NZk5((
z1n%koU;9C@(f_;d^>5n#-zDta{l67q8f*l<TVkeeM@MiSG}9MXYj9csX|P8qk$QQQ
zdnI02xKh+oYjDGNK+h*;{P$#vilafD-?9?&r|JoZz{9sa@YNFzfTt;WRyQu|$b161
z)jB<3;)&tXS5ODXEYAKx+GZQ{YV-kn$CbELoa_~0gTY+XZWP~<c+KIrRaR?fw3_vw
z%${89y$0S>{{@3#f202E-Q4(X{dWmFcm0<Wrorm3_(s)H`z-@jSAKE@&~V+i${$z#
z^v>=4L28Q4r8oL6?wQF))TU0;es3#pXCv>(X6nzl)z;L1g;Lc1DsZ3v-vq-={U7#w
zt^Qxa&aM9$VH%YGNeWn{{&~1+@mI^k8`l0aed*C|DHng!kul`AhtGFE!$VxP{!c#K
zzW?;Wi^G#OX5aVULBF^0{r8~XAGG>^3H#rUkDYJHB=ZqE2W5zvgCT6|bLvE6NT!Rb
ePpZH78MfA1Ypu2Bvi|}A0RR6SZ<E&mHUI#_{NKR<

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark-crd/6.1.0/Chart.yaml b/charts/rancher-cis-benchmark-crd/6.1.0/Chart.yaml
new file mode 100644
index 0000000000..8cb27e78cd
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.1.0/Chart.yaml
@@ -0,0 +1,10 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-cis-benchmark.
+name: rancher-cis-benchmark-crd
+type: application
+version: 6.1.0
diff --git a/charts/rancher-cis-benchmark-crd/6.1.0/README.md b/charts/rancher-cis-benchmark-crd/6.1.0/README.md
new file mode 100644
index 0000000000..f6d9ef621f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.1.0/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscan.yaml
new file mode 100644
index 0000000000..73cf1652b2
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscan.yaml
@@ -0,0 +1,149 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscans.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScan
+    plural: clusterscans
+    singular: clusterscan
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.lastRunScanProfileName
+      name: ClusterScanProfile
+      type: string
+    - jsonPath: .status.summary.total
+      name: Total
+      type: string
+    - jsonPath: .status.summary.pass
+      name: Pass
+      type: string
+    - jsonPath: .status.summary.fail
+      name: Fail
+      type: string
+    - jsonPath: .status.summary.skip
+      name: Skip
+      type: string
+    - jsonPath: .status.summary.warn
+      name: Warn
+      type: string
+    - jsonPath: .status.summary.notApplicable
+      name: Not Applicable
+      type: string
+    - jsonPath: .status.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.scheduledScanConfig.cronSchedule
+      name: CronSchedule
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              scanProfileName:
+                nullable: true
+                type: string
+              scheduledScanConfig:
+                nullable: true
+                properties:
+                  cronSchedule:
+                    nullable: true
+                    type: string
+                  retentionCount:
+                    type: integer
+                  scanAlertRule:
+                    nullable: true
+                    properties:
+                      alertOnComplete:
+                        type: boolean
+                      alertOnFailure:
+                        type: boolean
+                    type: object
+                type: object
+              scoreWarning:
+                enum:
+                - pass
+                - fail
+                nullable: true
+                type: string
+            type: object
+          status:
+            properties:
+              NextScanAt:
+                nullable: true
+                type: string
+              ScanAlertingRuleName:
+                nullable: true
+                type: string
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      nullable: true
+                      type: string
+                    lastUpdateTime:
+                      nullable: true
+                      type: string
+                    message:
+                      nullable: true
+                      type: string
+                    reason:
+                      nullable: true
+                      type: string
+                    status:
+                      nullable: true
+                      type: string
+                    type:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              display:
+                nullable: true
+                properties:
+                  error:
+                    type: boolean
+                  message:
+                    nullable: true
+                    type: string
+                  state:
+                    nullable: true
+                    type: string
+                  transitioning:
+                    type: boolean
+                type: object
+              lastRunScanProfileName:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              observedGeneration:
+                type: integer
+              summary:
+                nullable: true
+                properties:
+                  fail:
+                    type: integer
+                  notApplicable:
+                    type: integer
+                  pass:
+                    type: integer
+                  skip:
+                    type: integer
+                  total:
+                    type: integer
+                  warn:
+                    type: integer
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanbenchmark.yaml
new file mode 100644
index 0000000000..261a84efd4
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanbenchmark.yaml
@@ -0,0 +1,55 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanbenchmarks.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanBenchmark
+    plural: clusterscanbenchmarks
+    singular: clusterscanbenchmark
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clusterProvider
+      name: ClusterProvider
+      type: string
+    - jsonPath: .spec.minKubernetesVersion
+      name: MinKubernetesVersion
+      type: string
+    - jsonPath: .spec.maxKubernetesVersion
+      name: MaxKubernetesVersion
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapName
+      name: customBenchmarkConfigMapName
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapNamespace
+      name: customBenchmarkConfigMapNamespace
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              clusterProvider:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapName:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapNamespace:
+                nullable: true
+                type: string
+              maxKubernetesVersion:
+                nullable: true
+                type: string
+              minKubernetesVersion:
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanprofile.yaml
new file mode 100644
index 0000000000..b63d842fae
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanprofile.yaml
@@ -0,0 +1,37 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanprofiles.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanProfile
+    plural: clusterscanprofiles
+    singular: clusterscanprofile
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              skipTests:
+                items:
+                  nullable: true
+                  type: string
+                nullable: true
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanreport.yaml
new file mode 100644
index 0000000000..544d825f4b
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.1.0/templates/clusterscanreport.yaml
@@ -0,0 +1,40 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanreports.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanReport
+    plural: clusterscanreports
+    singular: clusterscanreport
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              reportJSON:
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/index.yaml b/index.yaml
index 7c7b8743f1..15a2c75185 100755
--- a/index.yaml
+++ b/index.yaml
@@ -10296,6 +10296,20 @@ entries:
     urls:
     - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.3.0.tgz
     version: 6.3.0
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+    apiVersion: v1
+    created: "2024-11-12T15:37:18.45360186-03:00"
+    description: Installs the CRDs for rancher-cis-benchmark.
+    digest: da65117220a96ea705fe9b691b3977b580d00177243f05dd0577c4928e038fe9
+    name: rancher-cis-benchmark-crd
+    type: application
+    urls:
+    - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.1.0.tgz
+    version: 6.1.0
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 3af8f3a282..9c12936505 100644
--- a/release.yaml
+++ b/release.yaml
@@ -3,6 +3,7 @@ rancher-cis-benchmark:
   - 6.1.0
 rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
+  - 6.1.0
 rancher-vsphere-cpi:
   - 104.0.1+up1.8.1
 rancher-vsphere-csi:

From 78057de5babb87573d92326842144a3c4e55aedb Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:37:49 -0300
Subject: [PATCH 3/8] forward-port rancher-cis-benchmark 6.2.0

---
 .../rancher-cis-benchmark-6.2.0.tgz           | Bin 0 -> 6244 bytes
 charts/rancher-cis-benchmark/6.2.0/Chart.yaml |  22 ++
 charts/rancher-cis-benchmark/6.2.0/README.md  |   9 +
 .../rancher-cis-benchmark/6.2.0/app-readme.md |  37 ++++
 .../6.2.0/templates/_helpers.tpl              |  27 +++
 .../6.2.0/templates/alertingrule.yaml         |  14 ++
 .../6.2.0/templates/benchmark-aks-1.0.yaml    |   8 +
 .../6.2.0/templates/benchmark-cis-1.7.yaml    |   9 +
 .../6.2.0/templates/benchmark-cis-1.8.yaml    |   8 +
 .../6.2.0/templates/benchmark-eks-1.2.0.yaml  |   8 +
 .../6.2.0/templates/benchmark-gke-1.2.0.yaml  |   8 +
 .../benchmark-k3s-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-k3s-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-k3s-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-k3s-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-rke-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-rke-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-rke-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke2-cis-1.7-hardened.yaml      |   9 +
 .../benchmark-rke2-cis-1.7-permissive.yaml    |   9 +
 .../benchmark-rke2-cis-1.8-hardened.yaml      |   8 +
 .../benchmark-rke2-cis-1.8-permissive.yaml    |   8 +
 .../6.2.0/templates/cis-roles.yaml            |  49 ++++
 .../6.2.0/templates/configmap.yaml            |  18 ++
 .../6.2.0/templates/deployment.yaml           |  61 +++++
 .../templates/network_policy_allow_all.yaml   |  15 ++
 .../patch_default_serviceaccount.yaml         |  29 +++
 .../6.2.0/templates/rbac.yaml                 | 209 ++++++++++++++++++
 .../6.2.0/templates/scanprofile-cis-1.7.yaml  |   9 +
 .../6.2.0/templates/scanprofile-cis-1.8.yaml  |   9 +
 .../scanprofile-k3s-cis-1.7-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.7-permissive.yml    |   9 +
 .../scanprofile-k3s-cis-1.8-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.8-permissive.yml    |   9 +
 .../scanprofile-rke-1.7-hardened.yaml         |   9 +
 .../scanprofile-rke-1.7-permissive.yaml       |   9 +
 .../scanprofile-rke-1.8-hardened.yaml         |   9 +
 .../scanprofile-rke-1.8-permissive.yaml       |   9 +
 .../scanprofile-rke2-cis-1.7-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.7-permissive.yml   |   9 +
 .../scanprofile-rke2-cis-1.8-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.8-permissive.yml   |   9 +
 .../6.2.0/templates/scanprofileaks.yml        |   9 +
 .../6.2.0/templates/scanprofileeks.yml        |   9 +
 .../6.2.0/templates/scanprofilegke.yml        |   9 +
 .../6.2.0/templates/serviceaccount.yaml       |  14 ++
 .../6.2.0/templates/validate-install-crd.yaml |  17 ++
 .../rancher-cis-benchmark/6.2.0/values.yaml   |  53 +++++
 index.yaml                                    |  26 +++
 release.yaml                                  |   1 +
 51 files changed, 897 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-6.2.0.tgz
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/README.md
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/app-readme.md
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/_helpers.tpl
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/alertingrule.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-aks-1.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-eks-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-gke-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/cis-roles.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/configmap.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/deployment.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/network_policy_allow_all.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/patch_default_serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/rbac.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofileaks.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofileeks.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/scanprofilegke.yml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/templates/validate-install-crd.yaml
 create mode 100644 charts/rancher-cis-benchmark/6.2.0/values.yaml

diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.2.0.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-6.2.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..ebb3d9953a5b732c8059b2d56c2a0b3c03657d53
GIT binary patch
literal 6244
zcmX|`cRbbKAIC4*k|J(p6|%R??38)!kkQQ^*|Nu#Eh1UTPIg?OY}dZFjF5F@%ib5)
zJwM-ne&>(#`RBaP>wRA5JkIBN&S8lqyAAoT0B#7cg{q#Al`2eJ(@#pwQq)k$T3^h;
zL|;l=+t5%PX5{2(;bQG)pzA8DYUAV#*$TSwSP~y~#moA?6Bx|?>>jUX9`xe3ZCPf_
zaB8(DZ$Oo4$)DtFN&Muz6t5t^;!*oe7e)}(cM>n48b{V?=K5AKL=059h&ig8N|fzQ
z+!W~i(R#&I*qZWyG_pvU>oj{H%+*_A&ZRa$hVe7%>Wi)Qc_V@?l#r3z$YP|@){1Z0
zIEg1w>2S?$jO{bhWv9D^d6Q#i^xYkClQqu$>FpKGcoPV-F8c!QB%3<%y59VQ#Kjvn
zdWrY%C>AtGX78agXjfpoQodZbne>mw(7dr{29X5yK6lcW$X>$D+D_GoQ&#LosHAJT
z*jJp01i?Ae(JVe@#;aiux?UfajmK6U=$c1dkBMUYMfLXq#g{s_<z@p(WMFvzEu!S7
zD5H5Q-GP#iS|<PY;ze>Wz5hl-F?uWoqV;soLc3%qDOpQ&R1<{$)NenR%ek&pu^)6g
z>^^hhf^2NsCcMT@v*c32INY~39#q`e|89+ID6G%&mY0kiwbYZs)bE@RE>&31osm!5
z-S&^Cwj1YC6Gmwt8LUpDxmP2}KO|;A9!5tC_i;Qk(%ZQ|5=->_^ws%I$!mlrMnq2{
zY!#dsOvcA%i_{}L#y5PYm(?Uvr|esji>)~qXayddK=R!SS&inkOhlVdOYLd-sY!;@
z{@+Z;_N(3px~wyl{sgt`(K<VQ1m7yb<=<R*4M5N3cjG4&1s6yelelzVp&7f)49bu*
z{sb&V281aJ3v1Q2u9?D6&o8&ng$fD&5z6O6Z@zWYAo_9tIit%>B`OXUE`7!wKX!$`
zGS{P(Hh!AC(c-XgqD~?2IW~g4eUN70?w(^=nj}VC_<@zyS!K3j=CPw9MHg>E<%-!y
zz4)Ircg4+XcTcn)F$`g0ox5q(pY$KpDPYvz6|#8X;<aXj%O2_+sQPlL?44;)E)e5r
zAAGz;9vX0SegBLxojQ(p&Pqf%A%3?l0nHI~kL=LvEu@z}bhJb9$jvuXE#W}*-o$*e
zKJ}nZX-Nf1#A|ds(Z_2x*}vozLM0v!R3jopNS@DVSl1f3iK`T{&+3Xrgg9Qf_!fO(
z42^3lslfBw7|c9_3UvFwX<KtsF|K%+j%KwrEsJxrVkW}HSH=8g)+vm=2{4I|PS+X;
zBbn9JIxq7aP_0rD<tlruw`M!u-!F9SrXX%IdvmNIVOyGY*b_*y*KSYL?Bc_W$XS}b
z{u+rmPwj@`_?7B+Xv?933rwfC2tC5y66^E?-Paq9*-$oLq(M`{tKC#M_WovXtqXf_
z+&cc=QI`<k36b3f(pNDi=c6h0?Gd{72M?%HD6n^qU^?OdM)VkOQ$Lct`EtWs=PeCB
zdxDfhQ(Dfxt3Y#>G$+{MM^)unB4+*Pq3P|=bF8qbw<ckUSYBsH96DLo%XKA#2p37@
zu3AD^BUD9T=;SWou2e9}^v5Nm@w-*9omp{x;p0C2HjnGw#2((c!0z<xZ&m_|$Km2;
zd(bZ$O;0V@o7qBN{LaXy8Bb!V(_xd`&JKRK<F{+D4fHo>>$5Fye)&*AQG0{fa1fAO
zTC{<j%<BQ~0WwSuu@gwSrumHUK^DCORB&Y4PHmO!p3td}{%tahcT1o{5Pr)ZqkLD%
zbQnI$IkONrvIB#<32qy71f?AWsmhu(S}xkKOe8oO70a*jR7F%+-I!z*XNfIZzcY)N
z>iPXS$NHt7gZC&}NiqH2lMB$N6~Ie!M^zJ5(_hY2Q+(*Wnd9yK$ylZ?UlG!II<_Oc
zI$K90n)OKhCG*cWi451V=7CaH;XgJ|OP2I*iyC{rx7WYiZ{|MN4dHOq(H9Wz|Ni_Q
z%yUdwfU9HnXYbp)j<2(_=w9<Wv!Zoz-&#VJg#8_fwta9s6>zwg)noe{K%bb~9QaMt
zvS(`d#odDnPhs9+4}TZU%S8K>O9_|cs+efPS#P<zcDzp%XLHl#?rFnZuoc+M4V|me
zO=5`Bq(6>NGX0+JSr{hN$5DYM_So<boUh;hVViu$hHbs9{i*yq{vB5N7E^f2<Wr@c
z$HGW#a1;CKnWyw)K0he*%Fzv}uAWYJcV(w``D(~ncjv+h;d0u9H07cGC#A?)#On@}
z=W3K0>FDRMYk4swvOG)cLO(=+)H7Q;JT$h+nuAHUcYc=aTRQ@E2OI~4?c}y0m<*JC
zm_@it;WG+PwQoSn4r~I^(jQqL#k<N)5xZJYtoPE}#Bw{Bcr~t_#Lv21$P=3&$V^y3
zgYvNKA5wfmKX#W%0*egujs?alsY{q||M(&hm{xe>0Va(e+x(rn@hfZ}(EtVVTuZ1J
z@H#JO0layQW0BZF*<N*HZ`p{a7Y+H1l^0k<_>O-A6H1L;h*GwGeu%he2r^~@4Xh)@
z77@R;Kyk#ChQXBvLZpKPz^Tg<z#j#U*N~xPGM2mNo9Us?u`F*WFHq-U`S~Q^$1j(C
zcmZ2Ktj%f9p6k~)l5vHZznCqb)Q|HO$69V;_}EQE$GloK9!|MU4Jer$_*y45X0CEW
z<5BW_Er5lQ$%g?qsd&*2Hg4b$)%WTU(>FllF}SpFzeG$uc9;jhl`cAf01jbAa01(0
zf)7--oPqr-OZjU|aYh?G9!Ih0G{TH^6v<U!Kn^&~z<|joS0U1P)OW}*Y-Rx!c?R4M
zFOdHBa4g&okD|DQ9ije{`LA_?*1iAa|F6LC7loQ5Y+c<43tur?pgh7m9#qB4P=H`s
zAkXU@1Ktx}*(kUJ7;Z!kUZ70u6R>bmh&^Ac=cpkT<3{l65Q}gdbv?OCJD>x6ri3Kq
zU(LrU%ybb^bTwodo(o_L;QTczxZO@5LH`O>Ljlek7TS_-gqgnu!N^Bo_oNYqgHzJ&
z3%W$FeN=_j=K`x6z{9Sns*m360Fs6y`h@lDGhw9=l2eTeKXMIKvG5m3NRoK8e-__c
zpB1YVJ65T`lKkA~NgMi6YhOSLlsM9iD`1np>pf#z(NE3~Tuv-Xk0~y(NeKkg+7EQ+
zYl5b-b4TI3TSoSz2Bjy08Z$3sSQ~#CV#hfwxTwOqygaS5Ta03c>)d!wZE3oSoDIDs
z?5w2IlZ0jjH|EkXEqqKQKWM$`3w%#W$5Vlbtnm=2cQ$@9Go}u5ireuxl++e-9gzNK
z7uU}b+hokg%1;@2PL)fv>RFDS4ZXs_<e08oN9ixRqdswlbB$W*Ep^@{91n`-|5Y7z
zOGdI=^|D~?B*0~|B`oe?pQd7F_RQ|*P{gH+O|O1`BfM88ec`B)jymmi&p=eE`jTdR
z?t9Vn*@<U<UuJ%1^L36vW4P509@<?C60Y5DFo+d^CQSEaH)e28YF6MI9a1h&g|A~T
z8UN6ZDwbD*4vP&OdS|chJNTh9F~5oRyj2T6#N$3z%6f+W<FI8}R3;anHQS7yFlWJj
zCcAUkTcf4_!Kz+dKSWvc@NO6X@!r6pZ|8WUUXheLfh8sTfoCC^4VOrpuT7L`RgC_E
zO~r5;b5cbBI9xj_h96dDsMRkD(D1dU3FfQB@`$_@guh&Ucy^Pxjg(nuH<$>z<YN|e
zlS|l{@zdcOQKk$BQ;$}GugTsKu-*@e9CG=RN#EN_QyyB^uH35_f`d1H`}=E~Ws`Qh
z6@v5Gm)kP>&jW+cX#IsVWY{q8H={i+_qSYA7G?Bem_kHOPj}}LVC*92bfjCdez5dp
zh26N;fqeJjpns6NSJ25S?qKQn@yuaD8Wf4FkZ(faj8}0UDcMbdai_n}<cE%@WO&>M
z#MM}<lx7co>@X-PV8ImMn>UlrPR?Pa#=yK#8_oOe+rL3=BbH%7Bqpo5{LYS(&$8$}
zYmaii?UYlNA;Dp}7E}}dFYY3TCvtx!pQ9a}!R5+MVfP*?GE_&mVQYA89es*{BLcxQ
zO8<TQ-0vkN`qu-6+P;u3L~^F0+A_9vcUjM&nVq``J8aGTHHF_pTo#f)pi-DS33uaJ
zK03Re?5DUas1dwiJC&&<we&PKtJ(ZEm(e1@yC#pp0h`kotfm6;ojm&n!8-k;E9gbt
zzemJLsXW9wnf~^=?67C!JPF#mqob<wKAMJ{<?q1V(#Ha}lX?4_lk8;JEIcCVPiyHZ
zDlC5#KWyQN50Eu5`;~yss8Vxy0J55G*qT%fBje)NL9OQIO%M6B&FdjmF$#B4OhQJL
zzHR^3&=*2}F>V$)!a2j+=(U|qWTN3;Ow*D2lTO@M8*_%rf0wScK6>YuDq+CCI2tg>
z&QlJ69#@_ZF3IhQU$2;mh3Z$frI61`jp$0?1hZmKf%<_8%e1Sm<gHG$hda8($&2sP
z44V+tX4x-V?mWsZ%u3*waN1zMN#6@ciG%9%BJJ)Bi1Q2tmP?YNK0!FYQ8L;`cOzdb
zb<ykniDC6`-)vgDNVAq=T`oJj?Clladn+oGPpguM5{B25udVApuDD+v2ATE?s-C&7
zS$(9!ISvqbqYUMD!(MO8GV#I7qSn9>ea46C6nqOC=jB+HE$^6);=SA!ET?a!+P4jq
z34XF>@IH64t_O&ltbjq11kP0g_+OwM*>#F)P6|f;0p^t3_M+O}gPGxZ8QNo5V?EqI
zPR-WVqZ-92_Al|Px@YGP{Al@WH1`F*v<E}c_gdfFf}5Vrio{>rc7<{DTceYjb!_#I
zt$Tu!NXFE*{SUmpCvdd9`slLS-z}#=UzU^mj`Fj)xbTxk#lhg1)8apZ-r8DxA1=*O
zgEt^XVj8DwR5o%pNj0*u*)N0bY&7~j=GfbzHdqN1_jl6?CW}JS(gxco)5&bbnF5th
z9m^iX$bT*4OGX>;7tYnC#)h_UEfi$Obfu$dWyo~C75((Fi3mp;v!#_;Uo9v?55v)s
zmB3@B>Rx205oVu!NGi#mwDqMrrcI!tYv}_oC!MZjeCV>J?b_;6yYf4Y1fpbEsg20e
zmnSFpmxJ{hB)52ZxcRxC8__{UJ>}ogiFM|u>Q`_Q;u2vcB>}?01-1joM(dx6Vm*se
zv60_4dqTVkJ{I7u*&3UxKKm9Oe=g@fo5++sRK7*tFXR7^S;O9}t5Ag7CH*xQmhty(
zHiu^d!&Cm%oaZIG<#d5AKF{egyGR-e<l&3P{YgiQY~@Y_$yxh-k~+^Mz%%W;PE+VZ
z&vnNe1va^`%DM}8-T*M&?SZyR?m>-Ij?3PIvjtYw{rM&4BoW&G_lHzPws?rw-;;W~
zg<*}d353W+W9<;6>EP1U0U&m<byA>+ej0a*+8@HL{6Qp@uRM2+>O<XgI~1E&ex#H9
zKDS&seEVoct2E<<8m!{)+D@CixN|%h6ot4(fYnP^{+a+>&cr(~Mgp|I!1mx-1a72j
zfU0i|WIb9#Oe!^YA_OjszKL!;P`D5yNr@rNX><i-HT?K$Qi$vs4rNhW2VPG(&tC!4
zMK@vxUE%d2M6+Oc4h4Vg90kTMFTj5c6ugHx55$9-eUS0%Cl=EPTn`Xe*wPI|v0$tl
zAhk0V-~(>4TZm08V8xSmZ~(Y$jRwwccueh0C*Q~}^ejc~N*NBgYN+rM{rGAaPJWA7
z42z67i2$>HCSE2X-KVa~8B2(<ErjVgSj82Y6q5ji3B!3tJ?Op)dc6;>syq`MB8xtE
zA25tWVv&6i>=6zVriVwqOaisc)57?R;U5IK(uWJ4r#q9{rb~!0D1>)kp6?1~n3=>b
z5U=x^mry^UkbVzpIUj1oT+Ktg#5ANb1-R~A;Tt*l;R-1plEKb4UmTB3U@^7e3Uelv
z0?@z{3vB6LIZs1?HOJ(iZKJ~H*xj7lmk8wK0*ZP1AzrlJ;Uvz>Tz`05d@5MPIRr5a
z#goo0UZ7qgdx0tSHVrUlz>h4TFvcOAV<gy|fr+V2)2CPDhG_z25#BLCv%Nuf31K;}
zEP+Kxmv;g~&XzR?I()*_9s!yaQTtc_>IWFRmGs9?zan!soR43~KE0?8xSPFHITXl{
z6A;Ie{~U{YNN^m}zD$Nd)4txl(6A@Q2ZZG-5`as^t0dr*&Cz2J&D%{BAKJ=74qx1s
z^ALHx_H#1Qd-ZFrc+D{??Am(h;fls)L~p@Sk#NE%>ipf-qU^re55*rdwk>N$dOPnr
z2ee$$YX|47s$f1pWn6X|UKq8G6O<Pu%eY^MR8w`aSD<^kksVYQy`3|V{MG6c&6!V=
z_P>AvYzj>>tW`F;|1u|3wVqWvx^M5vs^Fz<!TH$n0~|S`NKZ}HMR+(<8M#+m6YXH4
zMe`Q*)F797yMK9Xv!8|i=G#}PR)0DpsJrczoU|2Sw`2r}`aWcM?i{f#z+!aV8xp=2
zw-gl`OlMT+Hl_^r2l}}b2c;M|1Hs|pVBdh9q06lC?>u;h6Ut3g^Ix@EKVVAP9HLQ1
zuy?*lq1R826zeuAPq>$rzDMQsQJtLCav<b*(NS1FjJ=I@T`ikvD5RCuU;VI-cC~{j
z-L|Anp88rT8_&&ddvzWCFRg6XU2X;jqY1SFkLC<FiOq~nUx|X6;LGF5iQ8d*jxe6z
zcV}-%io-upO=yOY-QZO&<Y<fgdp4V|$MSqBCp?es1J-jkg36Z>G~@S2bP0e8Ck(&q
zZ%>XdhzwqI)c>`%;Jh%5o_LFHjjxG~(*FFrY_jL5Kp5(lCogQ^Mkgw1Jazr7zpO+r
zkI_ro$H%8aB}v^(fFmnHU0^_Ut=0JlULGn`+t&6ew*EWm^t|R76W5JIWwxn1G4F_&
zLtBL@f}&Ii<<4gN#~G|%Y28WBbvuShw5(noD$@@htGL_I=(5;EVQZ(2&$QTe*`Z@k
z;<tVHEee6<CVRQ6%oQT+a5|q!J}F!-{_U}#KXH%$Yle>4dzZNT-*vK_+OE0fS{D?B
zpZT{E(g?dcUgHecZlLDx<NcF_Vf}a%Y^QqyxxMyQtdG@_hO8%=XFLq4Vv-k6A|>ke
z={oKCQ1i|@D$NN+X=hbVKcN`Mo$ujq@5MC}()oD3PyL2v3BqlmuhMH_zyM+(k6h|C
zLfKj#!m0U4S<uOO;f>rP<@eNo^|C)x`qx_ZFX##TdGFJU8tPsXj?9OP8}1TA-K3WH
z%3?VWK279SEq0Gx=XD>jkNM?3@?}dr(AG*i#>qqcnq-ieL)U{@Sc$}Mr{k3fqbArY
zqwvcbBaW?k>!EzBe_hwgBzx{sy%jO_>}!qSq2m<lZhREx^_;Rb_Uqzd*B`8Sx?uHj
z`1;H{+IkpjaBW@xi%{L974wFLj*Q`Mm+yvvdALxl6kTRYM)TK<F?5-<G|Luy-0jKA
zXlD$exB~mE#m#lpxkdFyy*p(e$V5~kl)5`klJVxzFaKH03EL4+6g+LxyqHsq0~#;L
zfa)iXfVYs8aX0aDcJ4cIN*QF@{`yDx5bF07YO-@x+=Kj8RXRRPnM}}bg;pjD_0t?L
zp<exW46m#dTy=*ZP^Bq#k;g6PS#<t#BoetxUc+?eFj80R;7`J4IZF2s`f4EeCnzat
z-fl$seDI<tXJ(|4FW+VIy5SM@^kF!wIo}vb$l1in%P&z4vZH1V%Zcq(l+$1EnMz(S
zKV^L9^xSH`CJMCr{sfDJb+Xa<_=)h@wP=g6&=8%T#itZ67@7K78`1~=AR%a5RSwS?
zo^Kh6rt&!S5@@x(;M1Hpy}J8~>$8#RRJyRf?f7KcQMNTj_qlHm{ZWZQ=)7_vn&q1u
zdv`T+Urf^UNYq3at^RqQa{umDVkvKsz3eApA*#_-R6|M5BJ4OJl3i`~)tB6On&>R4
z5x4E|&WuEI@235)w4Tz&bEsO`T7*GULt<0W<D}C!Fuw$VVLN#D;)jP^Ytg?YO7Hu@
zVoPDhnc4d5%g)QNpC-G;)8X5SdK)gwvU5ftTVNX#r{~1B`||wsC=nl|JdgMAD+~6k
zW=JfPWHEL(+~_bl*!daOA4pBVxTP>Z$LmJ7<^<$mEZ*g<HZ5IvbB<l7`)Pm6&)27z
z$jk<@_vwp@Z<zKrcI=c}W=u!T^)y-?m)mA;V!mn5Kbvnpa*en&=N24F?agqB{MLkm
zmeO;w<nX6R%r`Y7xG7Uok+v&Ye8=bw+v>~y^s<`3<9cW;gJW?X;5x_r_n-h|{NsEf
IganZP0WV+bJpcdz

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark/6.2.0/Chart.yaml b/charts/rancher-cis-benchmark/6.2.0/Chart.yaml
new file mode 100644
index 0000000000..4cac499669
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+  catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: CIS Benchmark
+  catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+  catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+  catalog.cattle.io/release-name: rancher-cis-benchmark
+  catalog.cattle.io/type: cluster-tool
+  catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v6.2.0
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+  cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 6.2.0
diff --git a/charts/rancher-cis-benchmark/6.2.0/README.md b/charts/rancher-cis-benchmark/6.2.0/README.md
new file mode 100644
index 0000000000..50beab58ba
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/6.2.0/app-readme.md b/charts/rancher-cis-benchmark/6.2.0/app-readme.md
new file mode 100644
index 0000000000..d4834a4824
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/app-readme.md
@@ -0,0 +1,37 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+    - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+    - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
+
+## CIS Kubernetes Benchmark support
+
+| Source | Kubernetes distribution | scan profile                                                                                                       | Kubernetes versions |
+|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
+| CIS    | any                     | [cis-1.7](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.7)                                | v1.25               |
+| CIS    | any                     | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8)                                | v1.26+              |
+| CIS    | rke                     | [rke-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-permissive)  | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-hardened)      | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
+| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened)      | rke1-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-permissive)| rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-hardened)    | rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened)    | rke2-v1.26+         |
+| CIS    | k3s                     | [k3s-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-permissive)  | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-hardened)      | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26+          |
+| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened)      | k3s-v1.26+          |
+| CIS    | eks                     | eks-1.2.0                                                                                                          | eks                 |
+| CIS    | aks                     | aks-1.0                                                                                                            | aks                 |
+| CIS    | gke                     | gke-1.2.0                                                                                                          | gke                 |
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/_helpers.tpl b/charts/rancher-cis-benchmark/6.2.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..b7bb000422
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+  {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/alertingrule.yaml
new file mode 100644
index 0000000000..1787c88a07
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: rancher-cis-pod-monitor
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  podMetricsEndpoints:
+  - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-aks-1.0.yaml
new file mode 100644
index 0000000000..1ac866253f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-aks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: aks-1.0
+spec:
+  clusterProvider: aks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.7.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.7.yaml
new file mode 100644
index 0000000000..fa8dfd8eb9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.7
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.8.yaml
new file mode 100644
index 0000000000..ae19007b2e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-cis-1.8.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.8
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-eks-1.2.0.yaml
new file mode 100644
index 0000000000..c1bdd9ed5e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-eks-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: eks-1.2.0
+spec:
+  clusterProvider: eks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-gke-1.2.0.yaml
new file mode 100644
index 0000000000..c609e736fd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-gke-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: gke-1.2.0
+spec:
+  clusterProvider: gke
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6fb369360c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..b556d70fe5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..07b4300d20
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..c30fa7f725
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..39bac7833c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..2e2f09ac74
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..d3d357c023
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..208eb777cd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6306e9601a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..76236e11af
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..0237206a73
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..b5f9e4b50f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/cis-roles.yaml
new file mode 100644
index 0000000000..23c93dc659
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-admin
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-view
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/configmap.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/configmap.yaml
new file mode 100644
index 0000000000..094c9dfe0a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/configmap.yaml
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-clusterscanprofiles
+  namespace: {{ template "cis.namespace" . }}
+data:
+  # Default ClusterScanProfiles per cluster provider type
+  rke: |-
+    <1.21.0: rke-profile-permissive-1.20
+    >=1.21.0: rke-profile-permissive-1.8
+  rke2: |-
+    <1.21.0: rke2-cis-1.20-profile-permissive
+    >=1.21.0: rke2-cis-1.8-profile-permissive
+  eks: "eks-profile"
+  gke: "gke-profile"
+  aks: "aks-profile"
+  k3s: "k3s-cis-1.8-profile-permissive"
+  default: "cis-1.8-profile"
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/deployment.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/deployment.yaml
new file mode 100644
index 0000000000..8c9f72f5de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cis-operator
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    cis.cattle.io/operator: cis-operator
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  template:
+    metadata:
+      labels:
+        cis.cattle.io/operator: cis-operator
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      containers:
+      - name: cis-operator
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: cismetrics
+          containerPort: {{ .Values.alerts.metricsPort }}
+        env:
+        - name: SECURITY_SCAN_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+        - name: SECURITY_SCAN_IMAGE_TAG
+          value: {{ .Values.image.securityScan.tag }}
+        - name: SONOBUOY_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+        - name: SONOBUOY_IMAGE_TAG
+          value: {{ .Values.image.sonobuoy.tag }}
+        - name: CIS_ALERTS_METRICS_PORT
+          value: '{{ .Values.alerts.metricsPort }}'
+        - name: CIS_ALERTS_SEVERITY
+          value: {{ .Values.alerts.severity }}
+        - name: CIS_ALERTS_ENABLED
+          value: {{ .Values.alerts.enabled | default "false" | quote }}
+        - name: CLUSTER_NAME
+          value: '{{ .Values.global.cattle.clusterName }}'
+        - name: CIS_OPERATOR_DEBUG
+          value: '{{ .Values.image.cisoperator.debug }}'
+        {{- if .Values.securityScanJob.overrideTolerations }}
+        - name: SECURITY_SCAN_JOB_TOLERATIONS
+          value: '{{ .Values.securityScanJob.tolerations | toJson  }}'
+        {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ template "cis.namespace" . }}]
+
+  backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/rbac.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/rbac.yaml
new file mode 100644
index 0000000000..5fe075e34f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/rbac.yaml
@@ -0,0 +1,209 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrole
+rules:
+- apiGroups:
+  - "cis.cattle.io"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - "pods"
+  - "services"
+  - "configmaps"
+  - "nodes"
+  - "serviceaccounts"
+  verbs:
+  - "get"
+  - "list"
+  - "create"
+  - "update"
+  - "watch"
+  - "patch"
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "list"
+  - "create"
+  - "patch"
+  - "update"
+  - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-scan-ns
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "nodes"
+  - "pods"
+  - "serviceaccounts"
+  - "services"
+  - "replicationcontrollers"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+- apiGroups: 
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+   - "batch"
+  resources:
+   - "jobs"
+   - "cronjobs"
+  verbs:
+   - "list"
+- apiGroups:
+    - "apps"
+  resources:
+    - "daemonsets"
+    - "deployments"
+    - "replicasets"
+    - "statefulsets"
+  verbs:
+    - "list"
+- apiGroups:
+    - "autoscaling"
+  resources:
+    - "horizontalpodautoscalers"
+  verbs:
+    - "list"
+- apiGroups:
+    - "networking.k8s.io"
+  resources:
+    - "networkpolicies"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cis-operator-role
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "patch"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "configmaps"
+  - "pods"
+  - "secrets"
+  verbs:
+  - "*"
+- apiGroups:
+  - "apps"
+  resources:
+  - "daemonsets"
+  verbs:
+  - "*"
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheusrules
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cis-scan-ns
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-rolebinding
+  namespace: {{ template "cis.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.7.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.7.yaml
new file mode 100644
index 0000000000..1a37aad835
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.7-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.7
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.8.yaml
new file mode 100644
index 0000000000..40be06c946
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-cis-1.8.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.8-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.8
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..22ae9e0d23
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-hardened
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..f79e9ed966
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-permissive
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..03f6695689
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..39932a4e5b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-hardened.yaml
new file mode 100644
index 0000000000..7b83f95bcd
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-hardened
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-permissive.yaml
new file mode 100644
index 0000000000..52327c4af1
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-permissive
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-hardened.yaml
new file mode 100644
index 0000000000..54aa08691e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-permissive.yaml
new file mode 100644
index 0000000000..f7d4fdd229
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke-1.8-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..193753a0bc
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-hardened
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..409645dc76
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-permissive
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..d0a1180f56
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-hardened
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..0aa72407c0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-permissive
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofileaks.yml
new file mode 100644
index 0000000000..ac9f47a8fb
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: aks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: aks-1.0
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofileeks.yml
new file mode 100644
index 0000000000..7cf7936cbf
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: eks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: eks-1.2.0
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofilegke.yml
new file mode 100644
index 0000000000..42fa4f23a2
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: gke-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: gke-1.2.0
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec48ec6224
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/6.2.0/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/6.2.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..562295791b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# 	{{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# 	{{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/6.2.0/values.yaml b/charts/rancher-cis-benchmark/6.2.0/values.yaml
new file mode 100644
index 0000000000..24a766cdef
--- /dev/null
+++ b/charts/rancher-cis-benchmark/6.2.0/values.yaml
@@ -0,0 +1,53 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  cisoperator:
+    repository: rancher/cis-operator
+    tag: v1.0.15
+  securityScan:
+    repository: rancher/security-scan
+    tag: v0.2.17
+  sonobuoy:
+    repository: rancher/mirrored-sonobuoy-sonobuoy
+    tag: v0.57.2
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+  overrideTolerations: false
+  tolerations: []
+
+affinity: {}
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+    clusterName: ""
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.29.7
+
+alerts:
+  enabled: false
+  severity: warning
+  metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 15a2c75185..360f580194 100755
--- a/index.yaml
+++ b/index.yaml
@@ -9684,6 +9684,32 @@ entries:
     urls:
     - assets/rancher-cis-benchmark/rancher-cis-benchmark-6.3.0.tgz
     version: 6.3.0
+  - annotations:
+      catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/display-name: CIS Benchmark
+      catalog.cattle.io/kube-version: '>= 1.27.0-0 < 1.31.0-0'
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+      catalog.cattle.io/rancher-version: '>= 2.9.0-0 < 2.10.0-0'
+      catalog.cattle.io/release-name: rancher-cis-benchmark
+      catalog.cattle.io/type: cluster-tool
+      catalog.cattle.io/ui-component: rancher-cis-benchmark
+    apiVersion: v1
+    appVersion: v6.2.0
+    created: "2024-11-12T15:37:38.715399574-03:00"
+    description: The cis-operator enables running CIS benchmark security scans on
+      a kubernetes cluster
+    digest: 7647e9738c8af72afe76b92d36bfda08b34133ce2891bc53e331e105f9174461
+    icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+    keywords:
+    - security
+    name: rancher-cis-benchmark
+    urls:
+    - assets/rancher-cis-benchmark/rancher-cis-benchmark-6.2.0.tgz
+    version: 6.2.0
   - annotations:
       catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
       catalog.cattle.io/certified: rancher
diff --git a/release.yaml b/release.yaml
index 9c12936505..8b23f6757a 100644
--- a/release.yaml
+++ b/release.yaml
@@ -1,6 +1,7 @@
 rancher-cis-benchmark:
   - 105.0.0+up7.0.0
   - 6.1.0
+  - 6.2.0
 rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
   - 6.1.0

From 5c84bacafa93a1aa6941289113672cd5a398c4d1 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:38:07 -0300
Subject: [PATCH 4/8] forward-port rancher-cis-benchmark-crd 6.2.0

---
 .../rancher-cis-benchmark-crd-6.2.0.tgz       | Bin 0 -> 1476 bytes
 .../6.2.0/Chart.yaml                          |  10 ++
 .../rancher-cis-benchmark-crd/6.2.0/README.md |   2 +
 .../6.2.0/templates/clusterscan.yaml          | 149 ++++++++++++++++++
 .../6.2.0/templates/clusterscanbenchmark.yaml |  55 +++++++
 .../6.2.0/templates/clusterscanprofile.yaml   |  37 +++++
 .../6.2.0/templates/clusterscanreport.yaml    |  40 +++++
 index.yaml                                    |  14 ++
 release.yaml                                  |   1 +
 9 files changed, 308 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.2.0.tgz
 create mode 100644 charts/rancher-cis-benchmark-crd/6.2.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.2.0/README.md
 create mode 100644 charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscan.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanbenchmark.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanprofile.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanreport.yaml

diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.2.0.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.2.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..2370473f579dd2cd92a98c6c91c12681189f3e31
GIT binary patch
literal 1476
zcmV;#1v~m5iwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PI@PbK1BQ&NF|7roU%gn-KU7Zz=8F^zNEwNUrz1$Qw{&OBzYe
zmASe9{YJI{8)U#>XfyS`Flgm(W&7Jt>$MedI!D!|On0Zq={yGY+@&gfJD!6w-U8z2
z>O}K>-yih*>96nmo4@`|&%X-#gJCed=?{lDSAH-Eg5Zkyrv^U65^X?T`6tKPJh@k5
zz_~DBnBaQUA%uc~NX$G6#zg2b@s^@8?1^DGA~{!_)8;G;k&nn5qY`}MoWdbSErH^Q
zShfj?3XD))z0d|@=OGFs1dUyL=qmm;S34lt7gU-FJ|ZtcCqzvZlP3NDk!u4{q=}g$
z8BgA8@+6cS%j@h5WEK)f1f+}@O|M$#Wf^zi^*q1xz3*pTtImIev5df=eoLc78&sMC
zKS~dF=YQb$`q$<B?*-SxVVnP#uwv$bWcbY>xBs;F{C{mz@FnOxGain}IMGJL6VxJ6
z6yM_$<1Ed97!8DA!0JbqKLx^Qk21Z^=#G|1?ZlZ9iA;r{;LMIsg@}+mY6kT{fv2M~
zN)$xp5UE2mK1(7{C0B<KO@&R_9H&D_p0H_@E`cyi&jO-*#kfH=7Eu!Od<|XlRSSL(
zW<DaGHeeF%MWD?j;dVv$N<6U$?;yr>`ttk>i_WLy?o2+kQH;+j1L!1<K`lHZ3`8Z|
z$HGW0C<$7ZknYz5wSb<0m6!C(dY~4NerB=+^spYN1@t#4UIO}SJx~jX3v-+4`ZOxv
z&O2eqmg^wwoGXtkMr|N2pYb1V=N@2*)YEj1VG?0z88#ODiOoE!1b@iK%VgYkY=y{X
zz64n&(K*I2%I6A+{PzCim+ObpFd<Ue9o(>GzGk+}@3pz-Wr0d5wCN^<CsAZC`H0x6
zV#~dC8b#=>D^wf4dg0cJ*W2aa3%}<KtSL0etvZcG!i_sh24SUZmde|v*^7J|p)!+G
z7P|XdSOXj5GarjsMrbM`trt8MB0}K1!K}C>>LjdehM0auYAOiibZROTS}9@N!5rjC
zygk|_1)VJp7gTd?$CA5Z(V5~LntFHm&Dhkqb+GFAtb15;jq#bKThm!h1<!VC2Md|O
z*h$WP)U_J@sDSGf*{X3B-ww!=y(yi=`%{Ks@cgl2)EZ`I4x$jW;OC9uVt3Oq(g|mb
zuv3Z-N(xX478|~hX&J$y;oS|D5^C3mQ?0o>Id}S=Xqj*}aI?|@r|grxr@!MKyPq4H
zl*i3#vq@|*)u>)D{1rK>wDYlzzN-|;tL%npYB$#7%A!)We;kC}?2oL;o|)t39CBp(
zOnBU(_Ce{GBP%KGbZiY~v?<(OZG^J=P#8(3DsL;SE@&?J<ez_ET}$m%S<U|6x>Z`E
z5xA%Sf9(gsM*r`+*S~4|f0wXx_y1OeX|NIaZi$(?9UZ}S&`e)kt-)ylq`@AcMC#>H
z?v;39;Yv|Ut-%f70X?6X@!yjvDvkzqe#=V8pQ<Mu0uSHzz*kQ=0G_7gS>3p-Bl8L5
zR_pYDi6@3jUqKxlvpD+)X`5}(tI-GS9arK~ak5v04F+>jyHR{c;x&igR#~l`(Q4Lz
zGJA5Z_ZoOl{TJK}`Wy9MZ#WpV_1`7z-1T2hm<FrA;u}>*?Y9hAUHQosK*M$4Dt}z{
z(>u5G2dODGm)_{RxMwCGQJXqV`@OBaosGOBo2ftJR$Ej56-rV2tH6EwKMV$&`akIV
zt^Qxa&aM9$VH%YGNeWn{{&~1+@mI^k8`l0aed*C|DHng!kul`AhtGFE!$VxP{!c#K
zzW?;Wi^G#OX5aVULBF^0{r643f8FZ;CG3AYK6bt(lgvlx9F!qu4u-I;&#4oQA(<|!
eKB@lRXV_Y6t+m#g%l-=h0RR7qP5BJ~HUI#up5@*E

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark-crd/6.2.0/Chart.yaml b/charts/rancher-cis-benchmark-crd/6.2.0/Chart.yaml
new file mode 100644
index 0000000000..985c0b0d7a
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.2.0/Chart.yaml
@@ -0,0 +1,10 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-cis-benchmark.
+name: rancher-cis-benchmark-crd
+type: application
+version: 6.2.0
diff --git a/charts/rancher-cis-benchmark-crd/6.2.0/README.md b/charts/rancher-cis-benchmark-crd/6.2.0/README.md
new file mode 100644
index 0000000000..f6d9ef621f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.2.0/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscan.yaml
new file mode 100644
index 0000000000..73cf1652b2
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscan.yaml
@@ -0,0 +1,149 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscans.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScan
+    plural: clusterscans
+    singular: clusterscan
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .status.lastRunScanProfileName
+      name: ClusterScanProfile
+      type: string
+    - jsonPath: .status.summary.total
+      name: Total
+      type: string
+    - jsonPath: .status.summary.pass
+      name: Pass
+      type: string
+    - jsonPath: .status.summary.fail
+      name: Fail
+      type: string
+    - jsonPath: .status.summary.skip
+      name: Skip
+      type: string
+    - jsonPath: .status.summary.warn
+      name: Warn
+      type: string
+    - jsonPath: .status.summary.notApplicable
+      name: Not Applicable
+      type: string
+    - jsonPath: .status.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.scheduledScanConfig.cronSchedule
+      name: CronSchedule
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              scanProfileName:
+                nullable: true
+                type: string
+              scheduledScanConfig:
+                nullable: true
+                properties:
+                  cronSchedule:
+                    nullable: true
+                    type: string
+                  retentionCount:
+                    type: integer
+                  scanAlertRule:
+                    nullable: true
+                    properties:
+                      alertOnComplete:
+                        type: boolean
+                      alertOnFailure:
+                        type: boolean
+                    type: object
+                type: object
+              scoreWarning:
+                enum:
+                - pass
+                - fail
+                nullable: true
+                type: string
+            type: object
+          status:
+            properties:
+              NextScanAt:
+                nullable: true
+                type: string
+              ScanAlertingRuleName:
+                nullable: true
+                type: string
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      nullable: true
+                      type: string
+                    lastUpdateTime:
+                      nullable: true
+                      type: string
+                    message:
+                      nullable: true
+                      type: string
+                    reason:
+                      nullable: true
+                      type: string
+                    status:
+                      nullable: true
+                      type: string
+                    type:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              display:
+                nullable: true
+                properties:
+                  error:
+                    type: boolean
+                  message:
+                    nullable: true
+                    type: string
+                  state:
+                    nullable: true
+                    type: string
+                  transitioning:
+                    type: boolean
+                type: object
+              lastRunScanProfileName:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              observedGeneration:
+                type: integer
+              summary:
+                nullable: true
+                properties:
+                  fail:
+                    type: integer
+                  notApplicable:
+                    type: integer
+                  pass:
+                    type: integer
+                  skip:
+                    type: integer
+                  total:
+                    type: integer
+                  warn:
+                    type: integer
+                type: object
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanbenchmark.yaml
new file mode 100644
index 0000000000..261a84efd4
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanbenchmark.yaml
@@ -0,0 +1,55 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanbenchmarks.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanBenchmark
+    plural: clusterscanbenchmarks
+    singular: clusterscanbenchmark
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.clusterProvider
+      name: ClusterProvider
+      type: string
+    - jsonPath: .spec.minKubernetesVersion
+      name: MinKubernetesVersion
+      type: string
+    - jsonPath: .spec.maxKubernetesVersion
+      name: MaxKubernetesVersion
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapName
+      name: customBenchmarkConfigMapName
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapNamespace
+      name: customBenchmarkConfigMapNamespace
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              clusterProvider:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapName:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapNamespace:
+                nullable: true
+                type: string
+              maxKubernetesVersion:
+                nullable: true
+                type: string
+              minKubernetesVersion:
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanprofile.yaml
new file mode 100644
index 0000000000..b63d842fae
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanprofile.yaml
@@ -0,0 +1,37 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanprofiles.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanProfile
+    plural: clusterscanprofiles
+    singular: clusterscanprofile
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              skipTests:
+                items:
+                  nullable: true
+                  type: string
+                nullable: true
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanreport.yaml
new file mode 100644
index 0000000000..544d825f4b
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/6.2.0/templates/clusterscanreport.yaml
@@ -0,0 +1,40 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanreports.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanReport
+    plural: clusterscanreports
+    singular: clusterscanreport
+  scope: Cluster
+  versions:
+  - additionalPrinterColumns:
+    - jsonPath: .spec.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
+    name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              reportJSON:
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
diff --git a/index.yaml b/index.yaml
index 360f580194..34cc354e24 100755
--- a/index.yaml
+++ b/index.yaml
@@ -10322,6 +10322,20 @@ entries:
     urls:
     - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.3.0.tgz
     version: 6.3.0
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+    apiVersion: v1
+    created: "2024-11-12T15:37:55.944170999-03:00"
+    description: Installs the CRDs for rancher-cis-benchmark.
+    digest: 03447cacc5937b5c533a0aacf844157e4eb33e5b16077e6877dc338284fbfc17
+    name: rancher-cis-benchmark-crd
+    type: application
+    urls:
+    - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-6.2.0.tgz
+    version: 6.2.0
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 8b23f6757a..d788b18d1e 100644
--- a/release.yaml
+++ b/release.yaml
@@ -5,6 +5,7 @@ rancher-cis-benchmark:
 rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
   - 6.1.0
+  - 6.2.0
 rancher-vsphere-cpi:
   - 104.0.1+up1.8.1
 rancher-vsphere-csi:

From 07f724aa7e4f1dc6fc7a357fdabdf1f2f21e0ca1 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:39:25 -0300
Subject: [PATCH 5/8] forward-port rancher-cis-benchmark 5.3.0

---
 .../rancher-cis-benchmark-5.3.0.tgz           | Bin 0 -> 7257 bytes
 charts/rancher-cis-benchmark/5.3.0/Chart.yaml |  22 ++
 charts/rancher-cis-benchmark/5.3.0/README.md  |   9 +
 .../rancher-cis-benchmark/5.3.0/app-readme.md |  55 +++++
 .../5.3.0/templates/_helpers.tpl              |  27 +++
 .../5.3.0/templates/alertingrule.yaml         |  14 ++
 .../5.3.0/templates/benchmark-aks-1.0.yaml    |   8 +
 .../5.3.0/templates/benchmark-cis-1.7.yaml    |   9 +
 .../5.3.0/templates/benchmark-cis-1.8.yaml    |   8 +
 .../5.3.0/templates/benchmark-eks-1.2.0.yaml  |   8 +
 .../5.3.0/templates/benchmark-gke-1.2.0.yaml  |   8 +
 .../benchmark-k3s-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-k3s-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-k3s-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-k3s-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-rke-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-rke-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-rke-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke2-cis-1.7-hardened.yaml      |   9 +
 .../benchmark-rke2-cis-1.7-permissive.yaml    |   9 +
 .../benchmark-rke2-cis-1.8-hardened.yaml      |   8 +
 .../benchmark-rke2-cis-1.8-permissive.yaml    |   8 +
 .../5.3.0/templates/cis-roles.yaml            |  49 ++++
 .../5.3.0/templates/configmap.yaml            |  18 ++
 .../5.3.0/templates/deployment.yaml           |  61 +++++
 .../templates/network_policy_allow_all.yaml   |  15 ++
 .../patch_default_serviceaccount.yaml         |  29 +++
 .../5.3.0/templates/psp.yaml                  |  59 +++++
 .../5.3.0/templates/rbac.yaml                 | 219 ++++++++++++++++++
 .../5.3.0/templates/scanprofile-cis-1.7.yaml  |   9 +
 .../5.3.0/templates/scanprofile-cis-1.8.yaml  |   9 +
 .../scanprofile-k3s-cis-1.7-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.7-permissive.yml    |   9 +
 .../scanprofile-k3s-cis-1.8-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.8-permissive.yml    |   9 +
 .../scanprofile-rke-1.7-hardened.yaml         |   9 +
 .../scanprofile-rke-1.7-permissive.yaml       |   9 +
 .../scanprofile-rke-1.8-hardened.yaml         |   9 +
 .../scanprofile-rke-1.8-permissive.yaml       |   9 +
 .../scanprofile-rke2-cis-1.7-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.7-permissive.yml   |   9 +
 .../scanprofile-rke2-cis-1.8-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.8-permissive.yml   |   9 +
 .../5.3.0/templates/scanprofileaks.yml        |   9 +
 .../5.3.0/templates/scanprofileeks.yml        |   9 +
 .../5.3.0/templates/scanprofilegke.yml        |   9 +
 .../5.3.0/templates/serviceaccount.yaml       |  14 ++
 .../5.3.0/templates/validate-install-crd.yaml |  17 ++
 .../5.3.0/templates/validate-psp-install.yaml |   7 +
 .../rancher-cis-benchmark/5.3.0/values.yaml   |  55 +++++
 index.yaml                                    |  26 +++
 release.yaml                                  |   1 +
 53 files changed, 993 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-5.3.0.tgz
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/README.md
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/app-readme.md
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/_helpers.tpl
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/alertingrule.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-aks-1.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-eks-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-gke-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/cis-roles.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/configmap.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/deployment.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/network_policy_allow_all.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/patch_default_serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/psp.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/rbac.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofileaks.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofileeks.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/scanprofilegke.yml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/validate-install-crd.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/templates/validate-psp-install.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.3.0/values.yaml

diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-5.3.0.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-5.3.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..0f42b8ab0fa8a5733d503dbe4b5bfb453fc5452f
GIT binary patch
literal 7257
zcmX9@cRbbq_rH|N%1C6ZNXRY{?v1Qu?-1GBMOimod+)vX$cVDn$F=tsLLz%_?!NDz
zzQ5O>uh;9G=Xsphc|0G_b6)IGcj!R>7Qh4IGgHzMvQSbLQ}LE~VJ@mCWU2ka&QM!I
zOkGb;OjX~}-ptw3TSpTrtz_ls1Um4=x-Gq&KE{1P(R~=sRnDF$6zE`^Z8F*%LLF=`
z8ykCABQl58xP%rGzZZh;f|S>jHa?8kWphiC_!oO6x&M&kmON1Iqa`JdQ2<(}ID+Ye
zy)EdR;)btSMW9k#=F{FUp2)T!EtzoNZ|r%rEzhi5oHs2U(gRm&;~2<Ath)NRnwom-
zgqq*Zm0GM?EZqM{fXP%oK}QZZ>HFEJZ`_w#?!kKG)8P!3mmoGx&eg~BkCjPwwEjFy
zSaTXKek3F0uk3F3r5iX;ehM{y9~34#^-vz-+g_WlZuKA@EB08MrL(fq2qkQnUyI{x
z?YW`|DbA)`MVk^Rq?_Pt9!nok>iARmZrlVP`>g6<yw^+6G7VcHM`ToEdm33;N}P*?
zzklrxa=7hbB#&-wPU@>{?XB~cDgk~}H0J42QHBu9v!fOh>bD`Xu;8KbDt)w%$eosP
z<nnp*u`e>9nw%nDDZ0d1B0FWG9INqe#BE+L`*up-qs1%K^9_m&Lp^EIT?p;CjdWP>
z-?jaSFB=}L>?Pc`Uq>5|7Naq=9FIMTl&NVfl4GJPiW`FD1Zj1agJ>SQ+`3s`aVL~)
z%<C8U<<FUhxD>L@{F&4Gz9i?-ADTWqnnP-xipCz#Zz%j#c~hMolTG?(qUB_>)2=M$
z6;;FwR)M9VGKG#3do1L!Ot72&-H##oWA?nu$Sa_J-r)ewdO_jW{V;-<#ADQKP`-iC
zIxgx3DW&~-lNe##?!C<BCd{Q=K=p<xU*O~(jELrr=%cUl<!dfs)b`KOuQS$MCLR-!
zm6^S!Q=WI-NsgZMV&}b=yk7$%ej`x6wgx8A<#r%fc_^>27~lM%$@AcKWS>#o_ss^*
zlEp<8%ZlAr-zLwB%D>So@;E>5``WxW8FreI3U|YdeYtI%CtPnTvyoD5g1~ThP;M9e
zv7E>w85b&IX>iV?^8nWpt|xCUc23xEUXIgc0Yat>cj8B>liBVThV`tgz>*cGbq-@B
zE+;8UnD(tTnmrDbI3zT-NDpsvdRcT!VfCL{Xf|}oi4_Ib@rZDlsm(qhuApo$m$cfX
zw%mwuKZiaoT722+^5SO^IXFzhtR>fyEh_!+o5(1oH}#2x)nn~1uQLQ>ad7$R-+6nt
z9>AV*(ICT00phaX7i?WoaxPS!fe#ia?vr_SP+xu$uhx;=4nR|^hD?EA%SX=%;J$Lk
zITHX!8PkR`3U*uO&bFCY<ww#GyM+aiXbk#tXiX>36biTo^@P;DM?Drj{hNERBWxe{
zXwM?dm3@i!#zp;&gO?Mz5}4_4E!`oS93M6vc<-M)+{wznGh0;h@+q6G3rG7TKA)Hi
zC+$Qv`h54IGvZx_H@gpN*0uIKni(<UyDdr=h(UpkJd}vbUliyNG2Z1V+WT`RPKIJ7
zUE?Vso9rG``)(ffDd;h83cY2e)lq*g`rB#2X@f@Sm1a1;1MyKNYD&AyEx4b=O|KAs
zbcKn1Lrmup{BBk`yFiFF<6c*lwVEdB-jIX9PtbVV_DUqy@3}4(`1#5c94mZBQ%OI>
zNS#El53Yz`4+J2Rl1JhM#9a)o<(yU^Bl@N+6TKaS;MAhc+tNEsG{|#dvf#9w8q=JK
zyro5P&Cto|({~t4@<r2zFEb>+nVB7$p))W<G21s?8n1=0%c8~mdlN08js<b9l<e}3
zV0!hbht0ruQGEx$#LnXBgW|Z5K#>>0b3k&=oZkJ99K!f%US#29(fGS<gwyAA1F7^G
z4$vC5+$&l_yt+3yslR{ZjUq!!kN?E_2;<`_RUkX+ZD)jF*ScnYRNzJbjv`U!`yi%I
z5erN?)3%vePV0dpDNEo6v%p0|n<8_klCe=&YDlHvs!Mn-)9ZbHM9k8B+Dr>;y#PE)
zY0?lp$0%lbfP6;fJ>L>OT=zoyMQI1Op%oC5SM11H2x^MCt^W&f<{|7OTbGOa3G*@}
zZFXhy&Qjd9U!hH(-ic|CUp$YhP1tu0Fm7eb^RSk-k<EbkI~*Z?aAouGuHBQrcvjgi
zMC*oNoxi^lm$m_hs}=Pmdb<AI*H;{%yCJF>Wz%aNXhY9onkC^SVlm49&7FR$j9NDI
zH{4>|Gi{WrC0A*mX^}c}H&@Y03jglgC?YQ5eF)I^NHAlt@oufSIC164ir_ea`LD>i
zj$lfDe<~+TC2~*Sqp&cjr?0|?apgyB@tv4$@p+Ffqjcg|nT3utiKVJdFz4gm!$!h~
z{L2rM7}Pu$>}Uae0ypf3A6Iq3S?i5(1FvdX0Bc<v9vt=-VKD{hsP8<E@%_c+6bYRF
zhXVW<fia9ae?1j04;lk#H!Z>JBXB=#eQ`w@OP5XIAiZ^<J{(w2x&<^$I-ln44Z4y0
ztKK}}pTeNnRb8Mc2+v<&r}+P&%KkwWkyiHt+T@#5a{KFWH_oIN{#WUD*cmbV8G*Ve
z$R7PRpvcW#MoHMuUtU8fE2d@z4owAV2Ux$zzqNQ5utwA+e{P(U?3zUhRs*ca@ytuW
z&=!s|-BGe2>iDpD3)q&t0`Tk3LqMJfGj3i6+YO-a;^1{m&G2jUw#)0YH5}0FIX4P8
z6yX2D83>3UAZ+R7so)a>Qyd)jvmK}j@rVL=S>MO{ot|iY6vfsAH1+_0)&auXe~CY&
z0`^frKe5ycryzi74VYQqLasDScAOy8a0oK|*Z~}<XC)xn0Hk^*8qQx2!5w!4;`AR^
z>S+krC4P`27=XOm7e@e<As(?nZLHKCz)uu_Yc0|O%&OPvL^K0P)YlAP{>_(OAoHI8
zH4>Lo2tdgI63YYFb1t(k5r(!<l<6m;RkI86bHH~d6}3_h9J8m*0dcWe{~#4{$G!g`
z5%pvMrggQe=x)%50Kl(?4)DY-TmLJbQ^BL~?L?)RmV97<g|MkMZk58{{Fg`oO)7L+
zmMrmzObDzL7JN|?sAvWgQI~|;uH9ov`XtE^LSJT9Hq29b6dFin=bwV)6(pl*(YTtU
z=*wa03`^yXf9l98%SVPsCB+dfsz22H)9n6>sbJc4`--ogm{)gyz6Ad)H{rt$pO0;V
zP;zNtpZh1v+z$PSiDs8!q%}()w}W0pR^3BZ)wk&>?_fyu$aYCjzDJ>eXyo~^h7sW-
z?0Y+*tkI0pNu3W5FC@dB1OGWUc@a#TRt|v5Fmq-n1vDjT)DYwFElF@e{RbyCafyDx
za!=QrzE6gmWA}rp<zXuJ*)QMtw^B_Ju}V{{zFT@w4ji=LbC(*9IV@sD9xAnMU$vF4
zniAS;H(I{6nZEa?UA<_#PnBjg*!xDe#P!kb$?gahXNMxGX}o<5{lRWjZ!#x3G3l|d
zaMNMy&qx7=xW&%gwk)3coBD9aYliWqxZwwpzY71X!FK?hy6)lzj!xg7V`~hbIvii(
zJ_$ns9#%Bh%+)AqMOM0R_&u&)yIY2e^+%Y_`QWbRT$SVJBrUx2)pQ(YGd>E!MQkQs
zY;ox@BU(dAf!B@!!SHdq0t$I+5fdJlcVez&QWHZyyTZGMm^?_CB0e*0S!MXXXM!wI
zhaanyfldOA4<2)U#hvcvyj1=lJg7Pp+R{q@RQQl3{rt0N;MfJf#771#WqGqt0+!7Y
z6HmvBEx+4akuFsI?mpbC%!5|{0nSdZX8V@n^q~R-ScV-h7=feF8htV`80E^U2kt<i
z9JnN@o}1s!H^#O#9sA+X%YxV)i|pUlx_}!?)lx(85!W)z-5q<ncDXr*U5bMWtgIOS
z*NXSTA8q-zY;9LwY@pw`ub2?lwc^HtSO#XFyqDGc{sn!tHZY$C`KE2*w&U^SZQ$Ft
z(}98~M!om-#4a)0OUN{F_7#)%@&`v%FV7e$MOySyl{c5K5&E#6;_UEN-060tnGYd9
z;^b6dm^q^R{d!2WsIz=)#w-Z4)W#0!fFlh>VV6gThdnCvMx&+bDB?&!)$JBn>iP{t
z(z}w&#NzBVM7&+RSmWTr1<3;|un5V2gu+r;wY-Vf84PlS+Kt=JrJ0|e+O!Yq*+3Z>
zhf`3*eXVZGqgKfG-9`eCUfwGmKaG*!n*(byTNflrsk|f_*)Us8PF01C<bkq5JG<gM
zn3^8<w@g4(=aaw__BZSEkVKBvPk7+TRA&Vep~zi=&l?y+A75&?%0Sql!wMxKxTdSr
zoWIiFMJzwd0SGI@uy|~Xu?;9W=H@W!(7z?Hk6aJ3vJy7*E|?D+jrOsFfE%h1@`fSs
z^J%`EM_WOu?oR()FaLSJi)6oM+=54h;|niAAwb+uKj3o_ozq(ue_4X9|J;M1a=w8a
z;q9b3kgR}iA_Oz(7uB7>0Zxr-Ivkm6B>Ch3+A55eqMA|!sE=F*NgBtj&TCWMQWs-<
zbO6-H_KbWdNtt_JWl9no{F`3s7`Akq{T$M2ubx`uHH=x$eu-Q^laG;=VD@fIt+7pJ
z=cgOGMaq_^7IAAbOz-z=>)S;2XBg`y#&qZ1xI+y9K<Dw(@_=VaoIhc(x$5!wy8GN!
zI3~nRu{slBkz>21D);8;6~f+2kY{h!$={O~Ia)9LP1YX)w)NA%$Ur-~q23LcU$7Gf
zY-;9FfZ<M8dj{+zNw>Vl^wasx{X)sQKdiioLwFBn!5`0JXjS&a8B0x;<jCg($8G%|
zw<oiahO6Rg<bvN4U6>}s|DN*a%^W?+L--tlC`uOQX}O7FiCH>Tdj&Q~+B`x1#ub(O
z`gT^BFDwHa)gMgp$v|$EPLr9kAA9HS(9l$buhHuTQ0uETC9kU)?ht2`O@ukAIIXF}
zar=QYT_}-S0uQYvaxa-|+>2VZPV1Ms{@jhFAF_;@{CUiw(9>Jh-FihHRXl30>Ph#Y
z`y#^{2D&p;=ppkQ@7&B~lHJgHF*(|%!>hPtbaIT|1wlZdp@7=UU;O3sNY<#oL>(;t
zqqaJ+0ntZ<kX(_#2CMU=fZy6Bb_Y+YYBYf}^w|?iyo~;0hpOQw5OV}}BmUkE<mJ#$
zz;|;lv8seLLtDix@4DmBw+~v;&&M`5YRW74y}O@15OPurR(<qm&RvJO2&J1UoHmlJ
z!H1+p=z6^TmiDbZXo_KYR!6$rS9ioO`q2E${YRWw$HzqH?U8;l9r`Txf=Ker4~?!N
z9zm^m+GEWo(}UdK=?}3jqxfl}>OH-F(o+0;B^Wv<MVjZ_Jx$1T<F6^MT4!0rHJFi9
zC&D_+Xg=@tQi-BL){tD6ct&H|Cf+TBiJ{b(e5&V$GUJH&`rLev>MOyovWkp4@AH!j
zo(NHVwF#YCS0QD)`E>5aY&!)5D)h9LMd*F6ftQP(?Bp5jlJ)#vu-1Q=Sap}-3^_^A
zl~(H;M^}EfFk^}G@NP3YP6kl~pLcqOk}E5fmRQBsP&E1csn#IA__OOT{pVV+zq-ph
z##PbL#jmC8B{pHjXm1XMcR8jkUuW$T*qCYb41=EK*4YleYNW7b;CR1xD0arnmlXlO
z-DnL}&V|@aNNLJ-*P<1;*xuP1>#AA}6C(4CPIxMW6{e$&JIwbT*mvbCWsjkjd+EJc
zBZZTN^6ugHdkQjm=fI=oI3sUottEpauV`9=gR#TH^6;#7_xA4m(3#)Kipvkjl~bVN
zGH>*_Eiov^BNsUTdVxj!*|n=9Xp=kn5fpJF?VAfgQeLX=;awiUesZkIi(%@urkH;!
zEluO}yj;1nwZ!Z<=>`zu(;^G7eYuK|0LthWr3n)beE?dU{6w-$^~5xX$m{ktz{Z*~
z4mg~_=iapS!UeE4Rie8O{jo1@=~keB7UBhLjc_(pAfF2~La_wDGB8G{f!VI0CRjZ*
z(?|@SV}7pTx9lWwdB-b&_%<*ni|qo?GiczvAArg(t-+58h^}k-1I0lC00<NZVCqQ;
zeK(s132nCsSa}>fE4w)ATHHkd2i~xVSlf^V(X-0LyO0J01oO3U%(4QOtO@Yn(spOS
zyezgGek3*aivRUGR=jZR6k&I@!jFds0ft|10dNy$Ox7>B#kElb3fRIO8-Aq+Ov^}Y
zaezYoLqeqp2=WR*PEEa~0seae*htq~;E;LtH(r-GgBx5BHx`)y=5~-l1hBqFK&&Sv
zSp!i1dQaT^74gRi4{(D&!u6jPbOQYv2L8o+6$~tjgLL+`w8@c@`QJ_vP~ckaT<^yM
zWhcNGZ|7n?5n)KKx^AgP<+?|J@L>Rxnl89>{X3kE+sq;3erriCcKHsPxs>uG4%-7i
z#hcc6E>;1vvTePPxls6X)Ui1I>eRIp#iSQk7`-Vm6!Z$1{r5mm%nox;AtKO1W*j6}
zZw+1<E$D3+0wk@Q6UzQ*BG7nKew{(&2k#11n%#XH*au%GwJE|uZdlpND$$jJGPd<F
z+xr9?&U~<Ddhv<f7xP13IO(@e`0-A0Gf)Qq>9BR(G}NIu7ZL&)h(x?-T)+|Cx5vSU
zqcDD3t8py{nRkHXOMiiSgr9qEhH)gE=`0*Agc3#l)Xre0)pe`W&35`Mavq&J2CeH$
zf;@q>``$n0w84@&3vI}z<S_)tQ2%xmBS)@bcpKp&+KG3~R5n&l!FI<XYfZ`;V#G)e
z0VIU%*=FR<Tb)v{C1DzxS_$!$3WoeW*5NH5;I9@Pm?FpV^P9J(uFI`LY3}d5*?)q*
z*xTYJmE%a?G!S$9yZAsg{E+mkaNt15Yeu(EiP?TP+l6U()sQK4v&f(6%3o$)*f-UF
z$q-bhY=9=tH39_`_t?K%U{|CMJ>FdbUn2nf0^eVN>RoPiGSTYQKCQYP0z<;&@HWd{
zaxG=U-D#$<;9HY0h=PV(v<6ofH;Sdi&QZnMHd?)$skymBIj&#zFh#w@nyDIE!=;h>
zLoOnNj08#DK>EqZd;Pp~yNnI6$E_Hf;4ZeNbB?wsF}yf-WE2_^JJC9Z%`@C#{B1z#
zudm+}Kc2msGUqrjb!Rvf`mumdMlPDs#@D^gATNM30HhQrM4C+$Ab*h@7%#-GF!(uT
z5v|_izZXsxobmjvhDBlLV~QhcAFvG(HyBgBE)~SLALzKHzCBZ>KK>xc?p4-T9UB+P
z$wsuS(|2oPIomo}OM6<C%vX6ZoxLJ^T#}F@IVXY6)9eP@bz8boWf~5^xNXYDjv@91
zT&OfAOnK0|*Lgur0TA{@QXh%~CH2$4LDhSGe3qE$c=G1yya&8WEQej))`O;|(f^y>
zWlU^WD<&xz3n=7-C<}}#ZFjn717jpAPA)<l=Jp2xjp7#I+kFoc=US)|zACLgyu(sB
z>FLF}8Z_~rN}KSl(%=LdGX0g$>kiceWjVrmP4}VKbD^RGYItc(%1SI}<c2vcx*1<B
zF*+#Ns5V{O8{|LHkX^sIPLYv#W5BK_tm=iKi+G_u%QB;adFiW#z}u6di79ONw)Tn0
zm3rHSt%?97+<k_<o|=D@Z=V|>&q)Kf(YylDZ3i?AKQgDiGZ@bMv#2J_u;A`(3DITI
zx5gJaU-)+sY0(IBhBx0B=H5{76uJ4>raWB=>XqK<S7tLW53=p~R^CX-P)d}K@n+TN
zKqZroLs)+?`LJk((r#H;8j2_97im(2{0y?X#KtOJBt>1>u_vZ6x+HuryZy(DnLT{B
zN+9>d0v0q}%UmOB5W60kD#Xgbf9AYyBUW5AXl)}FKBJ#x!qV-d^52hYJyVnBzW22|
z)Hf8`th$d>_Z(jpn@D|+49cFIRD(qr>a5D9#NK<b#<J$quQ7Y$<WV{5bAli7mQGB-
zf`{ydQxEBig7XXyCiyAF(Pg?K>;YZe<riTS!{R83QFBcaf#GG7M_U)CyfWK1l5gcB
z9SnN=p+w9av|A5uVru+;1y6_kAdBG8)_H0v<rtT69C(=+-0)F=m`=IQD{1(@90Opx
zRtR`(mZ?rktfSSlaFJO2QHac`)N7i#h@HgCR!3=XGIXck+|sJxsNc@DIy%5#!c2K&
z0+znP(?|JTIA4@*XUUL^l3OS-tn^W+-sAWorTqIFVe;F5iWxO1q9UFugFDk@4nbN*
zlKX84&v<uw37thwKf@KtU6u_?d9L6`ANc2Q`J=5bAiwj&S|QWMt$!1`YpE6s@!7K1
zY?k$d&td7yZEGR{9-B?eTM>%9^xh)R7&_G5r8(~$od>3TT}|S5JYV*!y+za&iar_X
z%bI8UA>-T?Oa6VAKwjw?dw!6i*%BRQV4D{$>!ifGP5zrnH$-qD5S*es**2(zi<%AV
z^_qJl;h`mo=|fM)^58WJH$AVEW@G$ZJJN-PSf^7Ft(EL+rn6Enx!-P4S~LCBB>o}F
z#Z;XW?{!b4J64><eJ%5@-iYViCoFegCG+W*4pF~}`3>X+gl$z{r6T2=+~+G8VR`#N
zU*CtiZpMKjxSbL)1m*V_b<#SNnci_mNw1{&Or#Bq7tt-9v@xJ_Asj2WQHO%tO?zdY
zZDuVMTQ^3=d3_C{R+h<{jgPwmb68K>zK~Q`Nbs!;?DkaOZ#IT%c8s8MSca^;D#4Pl
z+Z6wU($)$4hFUK0s;p2w>~Tgd|G?<!XD31DxS>7ACL2a(aQ(BWBr9BLTLItkaY)6&
z(8NUQ88ZO00F3FG_)W*oBn|iCW|m8_+oJQf=!%F;Ka*Z<DTYwn&xEk`-@NAQKEujQ
zRDXM3AZOeSnq$uw1nMOb3uD2BY&LA6%BA*yNLyCa+`)eQUp|_a|9L1v{c=<E!t5#P
zXKy$oSfIMbc%UWz_3Qj-V)r|Oru{V<MPaR1XI$;8-PJECNQPZ8b76b$xZZN^liUuY
zetXZ8{3cFXPJJO>Oip;ioGh5g>QIQoq?>3l<nZ%pUzNJAA?6V_DI)fMn7Xz4D0lvw
ze6oHyL)Tzpn`A|iW_9w+JB#kwh|ZBTXiIn3NZPpRDlgJR;*Y79t!z&5-3M9}K5d=C
z+_d4zzl*HDO}Uhhn5>xC(9aL|$TCt4sf@VYxyfl&1nRmP*MoR{t+T2=G*o-^s_rDK
zYF4M*_N@E&_oCZN?b>;o#5chi^WLtyd8;Jj@pi6z*EA`AU8`N>@j~I<^4wJQw3^Zy
zG9aQS$5+5Refp>=`=OlGdzK%yw3q{?aAY;n?LY1x3DMd|ch8y4m#D@=Gd~)4Wk->=
zhcjCL5b%5T?DJo04ez6XO0JY)<zF<ZLb4=U@_#s&wLZR-44ynYa4mgkZlGfF(^kdW
z#J#v%=yD6jV#DOYy1gAQ`t3`<fK>5d<dW})(?p*tybSfeS_o|6*{a9;Y~F9D7PJ%$
zlj`&MF>~woJ2}rxpFCUWn;6~GaAc==S~i%>Q*c>q+a=($ekt)Kn)LBouACe37HlMb
zwZqv*fWa%;o(<LHxX4Kk@#jN{M%JS<UGIw#^YSqwjG(Nvr!T|yOcv!aLKH{mB+mEE
gz%(77f!BgH%=TXk6sG{H>t9450b;`kq9X$RAN)q-RR910

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark/5.3.0/Chart.yaml b/charts/rancher-cis-benchmark/5.3.0/Chart.yaml
new file mode 100644
index 0000000000..0fee66ebe6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+  catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: CIS Benchmark
+  catalog.cattle.io/kube-version: '>= 1.25.0-0 < 1.29.0-0'
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+  catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+  catalog.cattle.io/release-name: rancher-cis-benchmark
+  catalog.cattle.io/type: cluster-tool
+  catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v5.3.0
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+  cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 5.3.0
diff --git a/charts/rancher-cis-benchmark/5.3.0/README.md b/charts/rancher-cis-benchmark/5.3.0/README.md
new file mode 100644
index 0000000000..50beab58ba
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/5.3.0/app-readme.md b/charts/rancher-cis-benchmark/5.3.0/app-readme.md
new file mode 100644
index 0000000000..d240859273
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/app-readme.md
@@ -0,0 +1,55 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+    - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+    - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
+
+## CIS Kubernetes Benchmark support
+
+| Source | Kubernetes distribution | scan profile                                                                                                       | Kubernetes versions |
+|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
+| CIS    | any                     | [cis-1.7](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.7)                                | v1.25               |
+| CIS    | any                     | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8)                                | v1.26+              |
+| CIS    | rke                     | [rke-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-permissive)  | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-hardened)      | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
+| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened)      | rke1-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-permissive)| rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-hardened)    | rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened)    | rke2-v1.26+         |
+| CIS    | k3s                     | [k3s-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-permissive)  | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-hardened)      | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26+          |
+| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened)      | k3s-v1.26+          |
+| CIS    | eks                     | eks-1.2.0                                                                                                          | eks                 |
+| CIS    | aks                     | aks-1.0                                                                                                            | aks                 |
+| CIS    | gke                     | gke-1.2.0                                                                                                          | gke                 |
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/_helpers.tpl b/charts/rancher-cis-benchmark/5.3.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..b7bb000422
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+  {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/alertingrule.yaml
new file mode 100644
index 0000000000..1787c88a07
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: rancher-cis-pod-monitor
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  podMetricsEndpoints:
+  - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-aks-1.0.yaml
new file mode 100644
index 0000000000..1ac866253f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-aks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: aks-1.0
+spec:
+  clusterProvider: aks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.7.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.7.yaml
new file mode 100644
index 0000000000..fa8dfd8eb9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.7
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.8.yaml
new file mode 100644
index 0000000000..f9fa2853e9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-cis-1.8.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.8
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-eks-1.2.0.yaml
new file mode 100644
index 0000000000..c1bdd9ed5e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-eks-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: eks-1.2.0
+spec:
+  clusterProvider: eks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-gke-1.2.0.yaml
new file mode 100644
index 0000000000..106ff7b0de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-gke-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: gke-1.2.0
+spec:
+  clusterProvider: gke
+  minKubernetesVersion: "1.15.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6fb369360c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..b556d70fe5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..3f6ac5c159
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..26f1cdba98
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..39bac7833c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..2e2f09ac74
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..4dbf8b4522
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..2aa0c85ac4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6306e9601a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..76236e11af
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..bf8ee31f7b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..bd396f9df5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/cis-roles.yaml
new file mode 100644
index 0000000000..23c93dc659
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-admin
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-view
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/configmap.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/configmap.yaml
new file mode 100644
index 0000000000..32e6d6e550
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/configmap.yaml
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-clusterscanprofiles
+  namespace: {{ template "cis.namespace" . }}
+data:
+  # Default ClusterScanProfiles per cluster provider type
+  rke: |-
+    <1.21.0: rke-profile-permissive-1.20
+    >=1.21.0: rke-profile-permissive-1.8
+  rke2: |-
+    <1.21.0: rke2-cis-1.20-profile-permissive
+    >=1.21.0: rke2-cis-1.8-profile-permissive
+  eks: "eks-profile"
+  gke: "gke-profile"
+  aks: "aks-profile"
+  k3s: "k3s-cis-1.8-profile-permissive"
+  default: "cis-1.8-profile"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/deployment.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/deployment.yaml
new file mode 100644
index 0000000000..8c9f72f5de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cis-operator
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    cis.cattle.io/operator: cis-operator
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  template:
+    metadata:
+      labels:
+        cis.cattle.io/operator: cis-operator
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      containers:
+      - name: cis-operator
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: cismetrics
+          containerPort: {{ .Values.alerts.metricsPort }}
+        env:
+        - name: SECURITY_SCAN_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+        - name: SECURITY_SCAN_IMAGE_TAG
+          value: {{ .Values.image.securityScan.tag }}
+        - name: SONOBUOY_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+        - name: SONOBUOY_IMAGE_TAG
+          value: {{ .Values.image.sonobuoy.tag }}
+        - name: CIS_ALERTS_METRICS_PORT
+          value: '{{ .Values.alerts.metricsPort }}'
+        - name: CIS_ALERTS_SEVERITY
+          value: {{ .Values.alerts.severity }}
+        - name: CIS_ALERTS_ENABLED
+          value: {{ .Values.alerts.enabled | default "false" | quote }}
+        - name: CLUSTER_NAME
+          value: '{{ .Values.global.cattle.clusterName }}'
+        - name: CIS_OPERATOR_DEBUG
+          value: '{{ .Values.image.cisoperator.debug }}'
+        {{- if .Values.securityScanJob.overrideTolerations }}
+        - name: SECURITY_SCAN_JOB_TOLERATIONS
+          value: '{{ .Values.securityScanJob.tolerations | toJson  }}'
+        {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ template "cis.namespace" . }}]
+
+  backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/psp.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/psp.yaml
new file mode 100644
index 0000000000..9b8a5995ee
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/psp.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cis-psp
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: true
+  hostNetwork: true
+  hostPID: true
+  hostPorts:
+  - max: 65535
+    min: 0
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cis-psp-role
+  namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - cis-psp
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cis-psp-rolebinding
+  namespace: {{ template "cis.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cis-psp-role
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/rbac.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/rbac.yaml
new file mode 100644
index 0000000000..33fb93f04c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/rbac.yaml
@@ -0,0 +1,219 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrole
+rules:
+- apiGroups:
+  - "cis.cattle.io"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - "pods"
+  - "services"
+  - "configmaps"
+  - "nodes"
+  - "serviceaccounts"
+  verbs:
+  - "get"
+  - "list"
+  - "create"
+  - "update"
+  - "watch"
+  - "patch"
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "list"
+  - "create"
+  - "patch"
+  - "update"
+  - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-scan-ns
+rules:
+{{- if .Values.global.cattle.psp.enabled }}
+- apiGroups:
+  - "*"
+  resources:
+  - "podsecuritypolicies"
+  verbs: 
+  - "get"
+  - "list"
+  - "watch"
+{{- end }}
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "nodes"
+  - "pods"
+  - "serviceaccounts"
+  - "services"
+  - "replicationcontrollers"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+- apiGroups: 
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+   - "batch"
+  resources:
+   - "jobs"
+   - "cronjobs"
+  verbs:
+   - "list"
+- apiGroups:
+    - "apps"
+  resources:
+    - "daemonsets"
+    - "deployments"
+    - "replicasets"
+    - "statefulsets"
+  verbs:
+    - "list"
+- apiGroups:
+    - "autoscaling"
+  resources:
+    - "horizontalpodautoscalers"
+  verbs:
+    - "list"
+- apiGroups:
+    - "networking.k8s.io"
+  resources:
+    - "networkpolicies"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cis-operator-role
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "patch"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "configmaps"
+  - "pods"
+  - "secrets"
+  verbs:
+  - "*"
+- apiGroups:
+  - "apps"
+  resources:
+  - "daemonsets"
+  verbs:
+  - "*"
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheusrules
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cis-scan-ns
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-rolebinding
+  namespace: {{ template "cis.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.7.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.7.yaml
new file mode 100644
index 0000000000..edac79e2a3
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.7-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.7
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.8.yaml
new file mode 100644
index 0000000000..bf68d6ec17
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-cis-1.8.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.8-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.8
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..51fd6baf00
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..0c1baf774a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..8a78b2a964
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..3bbf94335c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-hardened.yaml
new file mode 100644
index 0000000000..e488eaedf0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-permissive.yaml
new file mode 100644
index 0000000000..8e6df750d6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-hardened.yaml
new file mode 100644
index 0000000000..24a1250c06
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-permissive.yaml
new file mode 100644
index 0000000000..4472913c64
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke-1.8-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..9e90d769ac
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..4363d3afab
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..05fc5d8d33
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..a83409c02e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofileaks.yml
new file mode 100644
index 0000000000..ea7b25b404
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: aks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: aks-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofileeks.yml
new file mode 100644
index 0000000000..de4500acd9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: eks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: eks-1.2.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofilegke.yml
new file mode 100644
index 0000000000..3e5e2439ac
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: gke-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: gke-1.2.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec48ec6224
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..562295791b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# 	{{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# 	{{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.3.0/templates/validate-psp-install.yaml b/charts/rancher-cis-benchmark/5.3.0/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-cis-benchmark/5.3.0/values.yaml b/charts/rancher-cis-benchmark/5.3.0/values.yaml
new file mode 100644
index 0000000000..40c98949c4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.3.0/values.yaml
@@ -0,0 +1,55 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  cisoperator:
+    repository: rancher/cis-operator
+    tag: v1.0.14
+  securityScan:
+    repository: rancher/security-scan
+    tag: v0.2.16
+  sonobuoy:
+    repository: rancher/mirrored-sonobuoy-sonobuoy
+    tag: v0.57.1
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+  overrideTolerations: false
+  tolerations: []
+
+affinity: {}
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+    clusterName: ""
+    psp:
+      enabled: false
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.28.12
+
+alerts:
+  enabled: false
+  severity: warning
+  metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 34cc354e24..70cdb526c2 100755
--- a/index.yaml
+++ b/index.yaml
@@ -9814,6 +9814,32 @@ entries:
     urls:
     - assets/rancher-cis-benchmark/rancher-cis-benchmark-5.5.0.tgz
     version: 5.5.0
+  - annotations:
+      catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/display-name: CIS Benchmark
+      catalog.cattle.io/kube-version: '>= 1.25.0-0 < 1.29.0-0'
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+      catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+      catalog.cattle.io/release-name: rancher-cis-benchmark
+      catalog.cattle.io/type: cluster-tool
+      catalog.cattle.io/ui-component: rancher-cis-benchmark
+    apiVersion: v1
+    appVersion: v5.3.0
+    created: "2024-11-12T15:39:09.511482567-03:00"
+    description: The cis-operator enables running CIS benchmark security scans on
+      a kubernetes cluster
+    digest: 7dab16f454ca6462ad17e2e4aa782bedb8c36a3163add4abff3023aadb2ea22e
+    icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+    keywords:
+    - security
+    name: rancher-cis-benchmark
+    urls:
+    - assets/rancher-cis-benchmark/rancher-cis-benchmark-5.3.0.tgz
+    version: 5.3.0
   - annotations:
       catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
       catalog.cattle.io/certified: rancher
diff --git a/release.yaml b/release.yaml
index d788b18d1e..875818ab1a 100644
--- a/release.yaml
+++ b/release.yaml
@@ -2,6 +2,7 @@ rancher-cis-benchmark:
   - 105.0.0+up7.0.0
   - 6.1.0
   - 6.2.0
+  - 5.3.0
 rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
   - 6.1.0

From 3c447a7ae90ba14c53da9ad59691a08ee34fb9bd Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:39:40 -0300
Subject: [PATCH 6/8] forward-port rancher-cis-benchmark-crd 5.3.0

---
 .../rancher-cis-benchmark-crd-5.3.0.tgz       | Bin 0 -> 1464 bytes
 .../5.3.0/Chart.yaml                          |  10 ++
 .../rancher-cis-benchmark-crd/5.3.0/README.md |   2 +
 .../5.3.0/templates/clusterscan.yaml          | 148 ++++++++++++++++++
 .../5.3.0/templates/clusterscanbenchmark.yaml |  54 +++++++
 .../5.3.0/templates/clusterscanprofile.yaml   |  36 +++++
 .../5.3.0/templates/clusterscanreport.yaml    |  39 +++++
 index.yaml                                    |  14 ++
 release.yaml                                  |   1 +
 9 files changed, 304 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.3.0.tgz
 create mode 100644 charts/rancher-cis-benchmark-crd/5.3.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.3.0/README.md
 create mode 100644 charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscan.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanbenchmark.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanprofile.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanreport.yaml

diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.3.0.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.3.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..2ceed732d3a921a67afd13513040009ebf5833c9
GIT binary patch
literal 1464
zcmV;p1xNZHiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PI>(bK*7-&NIJ4bA85V6CfSla@@6ZZ7-K0>GgS$H=v6xd8BoE
zOsD_7BijkKu`vciu5;`QgCu_|+24LEt*t@wCF(vGrawo?mm%oKKG*)+=@K+KD+q&&
z1I=|^cRU;>zpm?+f8Ei*z3_(P(bZ@?8eWYqTyN}ogA3*!>UbB64S~LJ5B61F-2cQt
zN<~0INi*p&#(^ME3x@+yfR0daIcgFQ0{scgxKcT6DSRL0guNjh<D1GM5<)Z)aGWs9
zHWi@;Qo3(ehA^zWL}P$pux~GY@xRH{9z@~`Y9o}KuqUtQqv2Xal>GlF4M7kXMoVPV
z*?Yqtl&;2ddQFaK72$+I6a|7OcdhsI?04i`I&SZ^pJ!XEkAK223V_hO<w0x+wc#N5
z(u3{s@3{ldE5`r8yS%zQ$NwoTA2|>S{6;A4KjS?9Y-|WVdA&y={Rx}KhEzC1qhihR
zJw6C2k_ZTqzy|`WA8GvL2xA;B%sQfbCPHopF0_iHL<n-7>Gg>aF_w8vq3$@yq%{g+
z4MEXGk1@lQ4a{tGkFhK)6RdtVttT&mFsPrboLQwx8%SwbV6FvxKUo_Dw^~R-Jyk&*
z%4}wR_SGnP3$&at#}H6#oB#~XVrl1jtJQ-D@CL#Z?D?+bmXZz0x>Hdxq=j76Ixuk<
zf?heK2!aCceXgYyR0PHpkZ#uvt$-dt6sPpdx}g=2c@$9r=x*K63g~apvH<kgx}g=2
zRCJxH{X8f>&KpH+qiZMZj4SsdL_-i3SNunHX9IAA+%bHKejK2088%h&K`b1umAuQ^
zi)7sF*l=Ouxz55pW4?_QyMzh*=ihV)Ut$Q)ohm|kef#mt<z1nfu}Ir&PhyReT%2ja
z+N#H;jtYTQ?q*EJL0}(5E{gNEvA8_+#(irIUq5kc`KM6T-w5BZ0&5xxrPZvdiX~Nh
zNg=GDEfSF|o4v``0cx5ZGSTh#!Wvi~pXF4AQGitAX+7b&QUQY84rV1M)(2swBh>sW
za;hOvWvAgvqZJq-E0}{a4mVr-ET_Kt=A4$UZC`TNOganV9YgO1zmW}%>k3xwA9Z)n
zToZC(>DF~rb0yOpUco{^7*>+AiMm#~?=?u1AX|;D<J%5#(iqaIzds`%2#@b8L}TnO
z=%`LKf>H9gKC0N=wU1=L5j|{`qMd>Qw1!ow&le^NVAXMUL#>tGmT>AdcPr-(&xw`^
zM+2u99jKIj*0}sF&$#+D(WN|=_n=*3t9g3F`V}SWq)M`hzHKX#?Y%pusZFf=ZHo$L
zfc+qBvfp!0_9!YI&MsFbC&m3Pwa2G@uB@eWWk;d$wF@CXsI{#BtxKgX3V{vv|H0L8
zT&n+F4#vZC{qGcZ?E2peVLB`XzI(<@x+^MzYp1VU8jO%T*|cu8dJ_JNWELudrM?|X
zJ)w}l$8*#Y2~GC=3do=82kZh5-x}cS2kZdP6DGYp#kAz|38IaP=?()AbeFu3+SzA*
z^mkn?E0M0#bM=<{b1FaSTf`2XRS~{Z{EBew4*!tNRm=PzrKgd0uK^qKzc(6Omh%7L
zYJ7hGe-b-({?7>0VfN3zJFCe3&knoK{NIznzl7=$#LAvH@6k}3!f9hUWot2I&w^I7
z?y)^KY~@>9*d4s9?kueCwL`j<wbXx&k!t-_Sd;#bN29X-kB8^)KTcxD*8h|+9m@YK
z0jyL1%-!oB`;PRE|6p-qKTsk&W{o=~+HZHCZ%(+6KSKQ1>;LS-_4`jBoX|hmN7MJe
z-f&R*{&zGSp6h=nv7fel?0U^+X&>WD(8Op7#Kgwuw6Q^-%~y4w)V}r#&vv%6o$YK@
S_Fn)10RR8|Te4*UGynkPV9as=

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark-crd/5.3.0/Chart.yaml b/charts/rancher-cis-benchmark-crd/5.3.0/Chart.yaml
new file mode 100644
index 0000000000..2cabb5fe6f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.3.0/Chart.yaml
@@ -0,0 +1,10 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-cis-benchmark.
+name: rancher-cis-benchmark-crd
+type: application
+version: 5.3.0
diff --git a/charts/rancher-cis-benchmark-crd/5.3.0/README.md b/charts/rancher-cis-benchmark-crd/5.3.0/README.md
new file mode 100644
index 0000000000..f6d9ef621f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.3.0/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscan.yaml
new file mode 100644
index 0000000000..3cbb0ffcd3
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscan.yaml
@@ -0,0 +1,148 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscans.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScan
+    plural: clusterscans
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    additionalPrinterColumns:
+    - jsonPath: .status.lastRunScanProfileName
+      name: ClusterScanProfile
+      type: string
+    - jsonPath: .status.summary.total
+      name: Total
+      type: string
+    - jsonPath: .status.summary.pass
+      name: Pass
+      type: string
+    - jsonPath: .status.summary.fail
+      name: Fail
+      type: string
+    - jsonPath: .status.summary.skip
+      name: Skip
+      type: string
+    - jsonPath: .status.summary.warn
+      name: Warn
+      type: string
+    - jsonPath: .status.summary.notApplicable
+      name: Not Applicable
+      type: string
+    - jsonPath: .status.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.scheduledScanConfig.cronSchedule
+      name: CronSchedule
+      type: string
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              scanProfileName:
+                nullable: true
+                type: string
+              scheduledScanConfig:
+                nullable: true
+                properties:
+                  cronSchedule:
+                    nullable: true
+                    type: string
+                  retentionCount:
+                    type: integer
+                  scanAlertRule:
+                    nullable: true
+                    properties:
+                      alertOnComplete:
+                        type: boolean
+                      alertOnFailure:
+                        type: boolean
+                    type: object
+                type: object
+              scoreWarning:
+                enum:
+                - pass
+                - fail
+                nullable: true
+                type: string
+            type: object
+          status:
+            properties:
+              NextScanAt:
+                nullable: true
+                type: string
+              ScanAlertingRuleName:
+                nullable: true
+                type: string
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      nullable: true
+                      type: string
+                    lastUpdateTime:
+                      nullable: true
+                      type: string
+                    message:
+                      nullable: true
+                      type: string
+                    reason:
+                      nullable: true
+                      type: string
+                    status:
+                      nullable: true
+                      type: string
+                    type:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              display:
+                nullable: true
+                properties:
+                  error:
+                    type: boolean
+                  message:
+                    nullable: true
+                    type: string
+                  state:
+                    nullable: true
+                    type: string
+                  transitioning:
+                    type: boolean
+                type: object
+              lastRunScanProfileName:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              observedGeneration:
+                type: integer
+              summary:
+                nullable: true
+                properties:
+                  fail:
+                    type: integer
+                  notApplicable:
+                    type: integer
+                  pass:
+                    type: integer
+                  skip:
+                    type: integer
+                  total:
+                    type: integer
+                  warn:
+                    type: integer
+                type: object
+            type: object
+        type: object
diff --git a/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanbenchmark.yaml
new file mode 100644
index 0000000000..fd291f8c33
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanbenchmark.yaml
@@ -0,0 +1,54 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanbenchmarks.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanBenchmark
+    plural: clusterscanbenchmarks
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    additionalPrinterColumns:
+    - jsonPath: .spec.clusterProvider
+      name: ClusterProvider
+      type: string
+    - jsonPath: .spec.minKubernetesVersion
+      name: MinKubernetesVersion
+      type: string
+    - jsonPath: .spec.maxKubernetesVersion
+      name: MaxKubernetesVersion
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapName
+      name: customBenchmarkConfigMapName
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapNamespace
+      name: customBenchmarkConfigMapNamespace
+      type: string
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              clusterProvider:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapName:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapNamespace:
+                nullable: true
+                type: string
+              maxKubernetesVersion:
+                nullable: true
+                type: string
+              minKubernetesVersion:
+                nullable: true
+                type: string
+            type: object
+        type: object
diff --git a/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanprofile.yaml
new file mode 100644
index 0000000000..1e75501b7c
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanprofile.yaml
@@ -0,0 +1,36 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanprofiles.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanProfile
+    plural: clusterscanprofiles
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              skipTests:
+                items:
+                  nullable: true
+                  type: string
+                nullable: true
+                type: array
+            type: object
+        type: object
+    additionalPrinterColumns:
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
diff --git a/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanreport.yaml
new file mode 100644
index 0000000000..6e8c0b7de5
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.3.0/templates/clusterscanreport.yaml
@@ -0,0 +1,39 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanreports.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanReport
+    plural: clusterscanreports
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    additionalPrinterColumns:
+    - jsonPath: .spec.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              reportJSON:
+                nullable: true
+                type: string
+            type: object
+        type: object
\ No newline at end of file
diff --git a/index.yaml b/index.yaml
index 70cdb526c2..9c530f312e 100755
--- a/index.yaml
+++ b/index.yaml
@@ -10418,6 +10418,20 @@ entries:
     urls:
     - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.5.0.tgz
     version: 5.5.0
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+    apiVersion: v1
+    created: "2024-11-12T15:39:31.93838705-03:00"
+    description: Installs the CRDs for rancher-cis-benchmark.
+    digest: 3f0c978371100b717f66ea1f4ef31cedf869291fc4ebbb47b25d5cdd8255cafa
+    name: rancher-cis-benchmark-crd
+    type: application
+    urls:
+    - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.3.0.tgz
+    version: 5.3.0
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 875818ab1a..08a3c79fd7 100644
--- a/release.yaml
+++ b/release.yaml
@@ -7,6 +7,7 @@ rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
   - 6.1.0
   - 6.2.0
+  - 5.3.0
 rancher-vsphere-cpi:
   - 104.0.1+up1.8.1
 rancher-vsphere-csi:

From 032a2f2940a5196b24beacb9c24d383f18ce59c4 Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:40:04 -0300
Subject: [PATCH 7/8] forward-port rancher-cis-benchmark 5.4.0

---
 .../rancher-cis-benchmark-5.4.0.tgz           | Bin 0 -> 7260 bytes
 charts/rancher-cis-benchmark/5.4.0/Chart.yaml |  22 ++
 charts/rancher-cis-benchmark/5.4.0/README.md  |   9 +
 .../rancher-cis-benchmark/5.4.0/app-readme.md |  55 +++++
 .../5.4.0/templates/_helpers.tpl              |  27 +++
 .../5.4.0/templates/alertingrule.yaml         |  14 ++
 .../5.4.0/templates/benchmark-aks-1.0.yaml    |   8 +
 .../5.4.0/templates/benchmark-cis-1.7.yaml    |   9 +
 .../5.4.0/templates/benchmark-cis-1.8.yaml    |   8 +
 .../5.4.0/templates/benchmark-eks-1.2.0.yaml  |   8 +
 .../5.4.0/templates/benchmark-gke-1.2.0.yaml  |   8 +
 .../benchmark-k3s-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-k3s-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-k3s-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-k3s-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke-cis-1.7-hardened.yaml       |   9 +
 .../benchmark-rke-cis-1.7-permissive.yaml     |   9 +
 .../benchmark-rke-cis-1.8-hardened.yaml       |   8 +
 .../benchmark-rke-cis-1.8-permissive.yaml     |   8 +
 .../benchmark-rke2-cis-1.7-hardened.yaml      |   9 +
 .../benchmark-rke2-cis-1.7-permissive.yaml    |   9 +
 .../benchmark-rke2-cis-1.8-hardened.yaml      |   8 +
 .../benchmark-rke2-cis-1.8-permissive.yaml    |   8 +
 .../5.4.0/templates/cis-roles.yaml            |  49 ++++
 .../5.4.0/templates/configmap.yaml            |  18 ++
 .../5.4.0/templates/deployment.yaml           |  61 +++++
 .../templates/network_policy_allow_all.yaml   |  15 ++
 .../patch_default_serviceaccount.yaml         |  29 +++
 .../5.4.0/templates/psp.yaml                  |  59 +++++
 .../5.4.0/templates/rbac.yaml                 | 219 ++++++++++++++++++
 .../5.4.0/templates/scanprofile-cis-1.7.yaml  |   9 +
 .../5.4.0/templates/scanprofile-cis-1.8.yaml  |   9 +
 .../scanprofile-k3s-cis-1.7-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.7-permissive.yml    |   9 +
 .../scanprofile-k3s-cis-1.8-hardened.yml      |   9 +
 .../scanprofile-k3s-cis-1.8-permissive.yml    |   9 +
 .../scanprofile-rke-1.7-hardened.yaml         |   9 +
 .../scanprofile-rke-1.7-permissive.yaml       |   9 +
 .../scanprofile-rke-1.8-hardened.yaml         |   9 +
 .../scanprofile-rke-1.8-permissive.yaml       |   9 +
 .../scanprofile-rke2-cis-1.7-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.7-permissive.yml   |   9 +
 .../scanprofile-rke2-cis-1.8-hardened.yml     |   9 +
 .../scanprofile-rke2-cis-1.8-permissive.yml   |   9 +
 .../5.4.0/templates/scanprofileaks.yml        |   9 +
 .../5.4.0/templates/scanprofileeks.yml        |   9 +
 .../5.4.0/templates/scanprofilegke.yml        |   9 +
 .../5.4.0/templates/serviceaccount.yaml       |  14 ++
 .../5.4.0/templates/validate-install-crd.yaml |  17 ++
 .../5.4.0/templates/validate-psp-install.yaml |   7 +
 .../rancher-cis-benchmark/5.4.0/values.yaml   |  55 +++++
 index.yaml                                    |  26 +++
 release.yaml                                  |   1 +
 53 files changed, 993 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark/rancher-cis-benchmark-5.4.0.tgz
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/README.md
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/app-readme.md
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/_helpers.tpl
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/alertingrule.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-aks-1.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-eks-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-gke-1.2.0.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/cis-roles.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/configmap.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/deployment.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/network_policy_allow_all.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/patch_default_serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/psp.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/rbac.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.7.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.8.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-hardened.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-permissive.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofileaks.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofileeks.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/scanprofilegke.yml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/serviceaccount.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/validate-install-crd.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/templates/validate-psp-install.yaml
 create mode 100644 charts/rancher-cis-benchmark/5.4.0/values.yaml

diff --git a/assets/rancher-cis-benchmark/rancher-cis-benchmark-5.4.0.tgz b/assets/rancher-cis-benchmark/rancher-cis-benchmark-5.4.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..7efc795bb219a8d186f27312776f9e049a355504
GIT binary patch
literal 7260
zcmXAucQoA3*T+}y5hX+kAp{XUL|=pi(Fr1=_b4HHTfO%hz4u<CL|MH?527ws@7=O%
zKacP4nLp>uz3)5c%z2;Jy~7xZPYL>O0URJsV|fi;Q+Z_}B@Yon69H{rGfhEjJxviI
zRc&n{WgS}^V|z0XEp-P8d2?Gk(4h~~X-Rnc1m%UG{5q1Ym^qQp-N`W9{AFtxak#Uh
zukUIBO&?KV<y}aq%?CXKDZ&#szm7L#vWemN6}l(7)XB1m9V+&d6JSQa2YydI526b4
zFr~DM9l3tS?;y@<GVLMwQl|CBj22akweQ-tG6OfgXkI#^0<KlY@4%NasuP};mL)3%
z$D}K(!&6fWq?0Rh@Cx>Xh%m<AvGx`JT2F%TP4&s-L=v&^x?V(JdvAKmmVv&Gh_Pt2
zE2n9(;Nz;5aoedPAlc+w(VX8-)!0P~cS~Y*s4mKgv7BHQW)WEKE-pmimn2##IkIm5
zvh(7S8Zg9x(VV=UYt?1@HX@)5jOMvN^Vll*O+Z6VikB<a^Nv#1aVq6TW4-a5j2rK<
z8r8jl$6HyxBE_Z|jnE$>-jb=aML0R?jOJc%C_)1JCFY5k%hcp!c^A^IUgfCbGR@z1
zdNJH|oJdZ(_+yZV*Cla=Hk^yNFxpsuK3<Ht$gS6vU1G=y$z;+TEoWo8|Il+=xf92$
z?=9gNyHX7=xWpz&ZoT%6YE{QH+vJuaU^a=Wk5^A_bdB4U3n=&EWyT)&^V5FPt(Hea
zx`Y?%`TM#~Bahx$G`q=tI$A_1f`|3h0s$gyG{&NfJ=1z9xglPl8!1BFNiTfVsJ_Eg
zSKMnZcKdgzS<4QvWC>F{9>J)r1@7Su22<#q%x7<}p^rRq!Rv9d{+MFhyqo!Ykgq#5
z?TnfPTA2QZ+^g;Oq^&>6izY*vNYtni1RZ|(K{RB4^R*mX-r)<Td*>=Sw(P`%f@gT2
z6BZo^J1f4oY9~!57`f5``7@<zIXdP9lqdeeDUM@)VJE*_y(H%NynmzW!@qOA1Pwd8
zm;AHNE1gSXGqc|ZPMCe6?GYSL0*Ee`6s9iURd*%|G@l4#vc?95I)QSaqM(U2C>b+N
z{PPw(e}){D_}i|QY4SuSPiJ>hUvZ(m8L6K&MA-5c_===>Q@!hsFC|7^SeIW9WO`bK
zXhgdRu<MJtvc%D|Uj(^glDG32XWw%s)s-$9F=wcEFHoi>@RryRW6a{N{>`d)!skC9
z_<j2}N!^bAYYXlE6i!ZWX05&|f2`b}Yi*kC5OI7&W_^5_M6MDw6B^2FeXQz&MJ$n&
z5Qcm=1M%0i_l#YWV{Qo*la8_tA;b|k47+Qk(<#ro=<>!r?Xd!N*t^j}ayI@Ff2)C@
zLk7O0xMW(7DaIQtPg9Wi7_GfsnCzR9k2&^+@YPdWy4QOaUZdjE5Z_f@FQ5MUKz3Ev
z+Y)ORj^Vk8;hJeVLGQCSr@!9A9#?%Xm`sRxe5tG!v_GXmPf7Yl__4vRubMwOI=cza
zBHh_@t*_`$JE<gUU-<JsR5Wa_^MZy@+Q&PGON_<;Z@OB!A8}}sx{Jdt9S$l6`z%QV
z$I94@O}DPUwVNzik*I!_-_3LaHHVl)=&`>;viJGI3~O`ycgu`KWZ;-0oKs*oFP}js
z3_`J<A{*9mwVyG6!i}^AN=mV>HU+6|KszfJ4*fph^zwU%O_mtr;L{-X!it`%63mJX
zXaU->8_3DJQl$k9@qEzB9t5dM?=hK3A{!%9t&SR4G_j+@khf29dPc|RYsPmb?2a<n
z-&yS;Sbgeoj%pS=_Arm5qXn0ntvd`gV&}^7+Yfv1)Q<?ScJ$vhO%Aq%#4-ypMwaY8
zUWWWjs}KY$7-?9$P7lgRr_stBKt@!)RS@#V{q(g?_EO(f-zmC)35hDbX82?M7<6{8
zB|eZzr(@EiU<%*LD~Mb+?%FxqiXxjUhK%>Kto5a?ov}~KNqd@J7J$YorK4N>Y@=1I
z-;9klIZCIE*ySwpO50U6sMj@3TWkx5<;+rl7nW5e$-PQ}4ICYe?kzvkONGj@SaC5P
z5YzErd!>Z7ALz?&Eu?4DYQiY0>VW}O4Iy%Mzomgd&O=BuC2-YdSyB>xUlT~^I-?S~
z?5<*_4zu4$u`SNrv!*hCF%QRVb(WAk`r|ns#18?@FGEZ}3TtZhu|@2D*7h)F+4L2w
z=ImtT8TLVEz7J(R+31<CiHYIBwaBNM2phwmcrDc_^yAcQ;O7^;gV%plnSzL0fr0T8
z?leXxiTF9eMy5A260sxhcd2@55XKh`gg~U60e`&RGcyN!Z0&WZVJ2|pbw6Wq52bpQ
zFGiY1Ia_lmD~A^v`RSIw)AX4F8SR8a^-(}GFOKsYxdmnx<qZ3)<<;;dyZbh&gSOnO
zvzm{W%MCtjKw}V4U=QtvJZt=d8WgRk2P{5Wa-fj7=*489v$5+W+UFmuT?BB^fdG7m
zfgHgD@UKb9Q%I*ET6M+#pp5l=F#qZ-*1~=s#*C>O4a_j3V`FJi^D=Gykn$I!Tp%H`
zu4dT-IOI)t$2w3L1o$@pzgEeAS_K5veSjv>7U_Q{oLCYC{jPuFGt%50qy>CJ%y;`T
z03X-}J8%J)N&7Ryq8Fpe-J84JWl{~aYFKumkOtUiMbR$@S!*^Z>Uki>i*4)<!qo^y
z@i-UOfneNrfxyKxB!G5oJ_P<NNgCM$+&)4<8faS}i;sY|s|Ro1Kmjdoi+_M`dH3rO
zYBaPCge<-~<9VrTh=MFStOEbLM{>;T4^Ve^j@q>Qd8ws!$jKS>5y3-3DP%7o`d^Hy
z^3obK1OYU{Q0O+QMQZeXIG~dUO}jtIY3c=5;Sis)ZV1UkWhXtrTPh=1BN-aG#09dI
z1i+#PLQtS0*fj>Ij}gZQd<6iA#v(aDrwr1DLtB6wL}?l@|IVuqNT=`{z!Yb-3kFE2
zK|(nIW7bvr6;#j40b%$9W6k*T?FHa7lY)Si0Vj;9b3p9f7z#?Y_yX;=0nicE8tMf@
ze7>HpsfTt~cR`>!5kOnVj0M_|=*bz+aoA3Rd~|CrFi4NyQW-Z-=4x5T;Jzi`Ju68P
zVJ762ln)KMtO@vF?8&bx=3uo!L7(_Tj5?UA#JFUHqvALufYjPA`Q{Z5A#tnP^&D}3
z7JXM}3R@hz?K2rp!h1wwEXJZLllp3l%Rkz@X~Ugs&PL2vpAP1W?q6ref8FKuwu<LX
zDh}v(`C*pbsS`fY@_ppSg1(>an|63c1Jg5Qg`deEJ#TJDcZzy*UGupGA}&tUzMzdf
zYunK!O~xd4s+{+bd_v>}&|%-~j5dTW06L`oLW@!7bmUZt0!bvU-ZIv0i<$OLQHB~P
z8~ArhNsiCv378@-fBqGA3<0??=3|L^KJ7|v;?n>Yejp{9zrmyj=*?x~Tqlm)l)IrQ
z5A)$4U)-Se=PX@&Zk!C<&2izO<%)3GN4dciY0Go(JqnStv|RsYsKYrF&RN+$+?m)f
zxs*Nm%FXc0U&8IJW;H=I`d{M+8u=6#<r{HGwwJ5@4}im`Z(~>BiQ6}ZztrYd4{mo%
zR?(WG=O2rY(kQgv@*y9yDb~)6{fe<#x$>_e2y~Q4TeT*1`c(auL#n6vHp=9^MEj{Y
z1K(8>OQWm4-#<(OAd^FeCgP7-yT)3I?FOZLcH-@{>GZElFhnKxPLQ-MEs67(IT+LX
zUevv|l=%hX?#d%O@qit_+C!=XiJ?ydb8_KQGg%bj-PyCi&e;3n)Wuzx6w$M-KlGg<
zM?F(v*l2cyy#8}*@Y1Lb7^dF=Y{8EzBAXd&R`pR={4-kKzPB$5e=29kQ^Q3oy}co4
z^NOwvR(+48TCd$4VE2fNHpA<wLE+Z1a`cw4Zu2*Vm5;x#_V=&h{Rg8NH_ePN{Z44B
zrwj7zZe<MVG&Z5LH+&Jg-`Rm0EMmyO6N#x%t`Dj-x;a1UkFDW>=#>m?P97;GU?(ON
z;ux+qhjCWg?q5wbpYS+Hc6PXH@-2UM+!UZSbE<lsJks`{5P5TAFNt=(g-<-`MWCc9
z*5O~1-jWA53=q*+E=M>ERA5{-yMcYZf#Y8mm-{PAOQC76n|><ioZ?Ud8Jon4uLtpb
z*-{k`SQSM2AxtyR?QG*4_K0{#yv+zb@8y((GbMBU`FX-n=EJ1RN`gCT<L>cQ<Ez~K
zNt|am5iVQ5(?*XQf|~Vx!#*9Bp>k7NM`QZ~|LhUH<oZOID||JXFP|PY#1X3+KQk>4
zzRIjr(GvtLOSkovBtr&jAS}{dJ9mI`zW=8aNUVw?5*(X;0XxXs2=EnOO^Q||x^+0>
z66^IcG9TIvLqkRzA2HqhXdMT!(-9<{En)n?iKMRd?SzshrsC^d(_Gw6`+D1ahD0_J
z0^3D8qH=%mxDFQm9#Xe;G@Rd(lAyokF{4i|-FbL{x4t_5&IOcq3iN(5Xe+<Dr-5ah
zgIRn#iE|(s?oSEeyGh^3p7`gIDUr=bqjOC-KfZys^P|K`r#=9WkG~J$G>w^G)TcP5
zEJk~40SKe^v|KweX^K+mqJ&?5&7xX*tv$wnhc()(rxsu7MZ+_NZ{X*0(J~@*9!)7V
zR!NLpl*70L4+t8LI~l6IEM<X*(RhAm(M<ExelPY&4FGO)xX3vqXL0O*+#$17<L(=t
zuvMaHq1ZwV27LS{)=QNxEz>aczA(tGFXMFmR4_|J(9ZzQ3|KWz1EYiOx4#;lfcXV$
zKEU#(@(lPj8R#K!wZ>MVVF=ycCYY0Rv*-}hVo5|E2^pAtre*#4*MVQDqbZ!K8YgQC
z^ue7&g8Xp?!Y~{^5px&H%+y+d@##(4Iv8@hjPX>lp@vljlO9LdFC*;h5RvN%D5_OU
zXTD~7<nl&1X83Dc=N$(i@wv>tHwh)_H<OrHK!I%XtH*G5>5D%-EKwy~Ih`QyC%0$m
zoLlu+SYao|%4F7L89JWjc#?VcJl&$Gw!gX(ugNr+|IHW4x5Tgw68+$+_eZ*#nH$+J
z*;ePwlk#fIiy6-o`$aFr1>1<GNv!R{SnQXM7&$ID=&E+_zv|n(V>$&ne7B+$qw2--
z76GMAmC|F;tlSexm}7q%-DbmTEm55Lr>tvOfZn>;Ql`BNtZwwlXdD6PR(v+Gje-HN
z7*{qhEq36Rf#Uf!86$LI0ZU8db-u7pA00N-{Pg8K=rga;VkUluY<tx~snGkgir1#x
zsUmsW$E>~;hu`&hzIfmj@FZ1~d1@fbQ|_NG^=}@SFxq){v#gA#M%$IX76QvWp?=e5
z3nx6nbwRSOK7h(UiB`UM*FVybMOgZ?RZ$d5$cDJfb1_aYjqL+&<IbU8DB^3`Z}Sa&
z0rFDvu}96-VE?9%v9&^p;Q<c(c08lVEq+06rB<r^P`o7m6o-MTn$Qeq1GV57{?d9W
zj(5sNPt_)f3kK83#qrfD@yb1DxKByo<|0P*VRff#l|i{%SNmeyZ1_c<SI=_Rk_5tC
zL5D@oq5n4Y#2>XfX^;i?vdeQ@`0AYV3dC=SG8EcsjV01hSHp|qkP3SnwKZ0Smpv7~
z%UX14XcYY2|2mCa$zNPZMWu*Bh1Du%nI(jnD;se?i(5{`x!BT7a!b|!U9#K!q%A}N
zJhB~IO%jKUXM5y_1({z&D~hK~wv?xjB;7xeZeG*WGL0&vY4z@(o0pu9)DB*S4gKW{
zziEzIYtRf%ZulD=aJPcJ(#F_)zFgQ;w|w@L6*b>7SKpRgQ4%yUQ<J!LzXn}5S?GiV
zpANujFgI2_u_JL{M}6-G(lG<KxG$kvM4@64sUD*Z02`RAV)2;<dNw!1;fy=qKi?L_
z#ma13R1>bT^2e$Ci<b?C?@pr#dg7oP@&m2P)#!!FnSUV25~?*fm5ep0DAwttaX>=!
zRTeP62~>u<h6DQ76S|hu??5--h|9Gu%H)t=Cz}ux3?Rhr1teAx35`v^H@uqcJj)R~
z%;zSmwYn_pM~=<7BEYaV0Bko7R0Ur@z+TA(uoDfyf|~k)?0dlR0W`T99Z+C@0PKJQ
z?ivZu{n*Vz=r&w5QVzxVj8PC#6a1ik=;0Y2V->t0a9)w{2>eSIO1Fp$WS9d>7HG(_
zg#Gyg10s7M$Kqq6TvBl4+x)RJsP#3B>mCva=#}CE5CgiqjDHZ*hoD~wU>kL!S4ssK
zmf%>SfcK3|=n8%iSQNOKno`(9mAnKjB^pgpH#s&~QbqQXzrI7U7HI*xc93p30N+4E
z;fVznfCE>f8*2U<(<t0k@|Pdf@jn{01N|ET-agcO9Rw`C1!?VXYZBdv<yM_R9RS!N
z@UR~Pl$-)%ueuf+G0?-Z)eTEEN)@LtFy|d$P}2>OX#9w>becJ$Irv?aja<RMr7I>m
zjYalC&h8Cs+?FeWS(&yz@LUMw4dUc2)!NiUk`IZ3*LT`eLI{UzVD?>GALOO+QT7>_
z-yxq41<uyqfK){Bc<2QKiEtBi$*Owu?Y$wF*3ivYk8)+Qy#q_nuRgRYQ|QC&&=TQF
z0oY&(13c8~3EGk+S5p0F;i<Kk$&n9)psEXUvRl{!l)%8>wjcbr0l~5mA3%-4?@snz
zGQ0<G{J;K+%gTIQ<D2wHKup+=yAkT^lAWd>0iit)yX8d)ApUBm(UE_0YWS3C=gfZ*
zl``hg(4Po?>Dlh{<c!4<NodczDU+N-9Tfd|*;a_?X5;Qv6NFzg;gPY@ChSbo`XqRx
zSy4?0^X57C4VdutR>ZD?R<WcRdfFkS0_-Cm1YSSUdQ~>aRV^?$MTFwwGWneXmtAup
zd$RlP;N|V*{x%zd?DL;nx<XFti%*rqjtENm0tSPnXq<i|Wcp&a^O3z$xk;v+z4`l7
z(Q8J~rn%lLjYpN_mqWr_6Oczt!B}gGgh?E^MqUG@us+B`Yjp^`3{7MUrqMYyDf{dU
zM9N!j{dnY}xDcX;XC3`c2Ft30@dZ2c`_hCp3h$WdH$pE3-VBszk?89i7JYyhUyqb%
z2$0M-&y%x{>gM+;1qXPAEe5q#wV!#cU1-Ka1kn!MJieYk_Eg+1aDASjW0CzR!@-i0
zF=US3F3qwoiJy*6bKH35TJoIj;1vEyh=Wlcr?hMojirxEn{JLji$CaL9!HRg;V*ZY
z6cESD_<qPadGS`Y*Ka?JFevSff|_Z5*9+p~$KH~b7;KVv)o}4Z&VvBkZPlHb64mji
zf!3lKrCOHX#U`6>W$bD#FlDV8WXx>HmC{9XJhk=<Y*2~3wnQvwN;hLHh5^XQW~E^m
z;K^pmHg*EG$zw&N(%zK?ew4}yZ1x8;E)sYXAIhtqtp`@`_j8)vO~(<nOy@j(B~O3U
z-D5FiXc(1DxRpDTHnCIvA@RLF_xr41MeaZHJ6$fBz!;8_-FMzi6PrW-rnjb&c>PQX
zbFHNDrSfY``1JXcZtg5=ffF4{ZG5=JLGfgSIxuJWx9Y)?EWVuPCl0a9`vr%OA;r<j
zuo#wzO%u<kmiuavKSMlCD%16SfqoOeG8?zx#AyjwgVw#Fm4bTT-{#xUuh6_VDHdG_
zz?%$7NM@keKENQ7?`!8XF92>JE;EdckGcME9<V*kD99j|>enF39sge=%qHacLt(G}
z7Sx35<vqd^5m*sW(7(*`;@X3zMnQ?F-&Il1y(8u*aPqcFW?u^Ilh_?lWH2cUwCb%Y
zYa*d8#>l<%c&65gNFo>qKl?}PO|KC`zHMrz_ckfFK%F@FZ=m@VGDiL~G4k4)F(H-a
zdwgvP-l{ttW7u9LclN2NXW&RZU5$Wl3_K!*_Zc<Uxjo!csIXwj!cr(~MkmpLzQ<ds
zqpn)p(4eLNbN%jPtoLo^J;%!XwxWdw;<XWhnUj+$p5c00Yck0(6i+wkH@pYbX0cA0
z%Mi}-zL?uu(f$jrGM9F}1hDt^GaPqG?8L`cKR<XrrHsAu;xo`Ij1>7}qK?BovSPrz
zeR=juddE^sK`!E(Zr^|d2HkV=?WfpxHNO9Xri1GU!=Gzvv73q8#>SrnTqOkkGUCRh
zRBUih9O=l?1$OFrffvT<ssxx?8odjb357<ygm%U5({u%lIPO+j^81q^y8|X>=6S~h
z){fOt{(d6HilY;rKQ}r0Nox6W1t@oy^ax4VcoRa4nM1T+#0|^mKG_VF+gUB7Q6r8F
zXIGT$`YC+`()c2F&<1sjbD<K^T4eFngNg0YZ<@)m1~Gr-n#c9KwYUT?=Z5|UPwW3)
zkMF4`UCh7FlzFhTj5^M5OI~;u7~C9|TV}Z7A6`*;@V}<+RCSSH!9TtTNG@GV<g&e3
z@vX<j=nlC(9qrGUr>&E=?~Wm=-9r;qxW!x?rm43^h3Z=6M9J96KieT%ru`Jmvk)Me
ztT@>=B#(-m4efKEdne+mA$He)I~~Juua>{%b}c^}?d#b2laKe=bPDu$1>=U{thg|n
z!ZwKo?O%1wIssPN>Z~|-3jUs$xAZO>>5sHW-R6EE+4?K!&b&GWd?)5NZ!W<MYdT8h
z$rnW4rIJuHyh9xw@5c=@->8GyNua|HT&{oYG>)XFckK}puvG7f)RDIZluM^=)VJB-
z=P*3P5zkKZeu-O~aclWD*68>vAKggU3So=>Nq0cjv(q*&oa%BBPT1gHZ}pQFeFyc<
zQA8H~u(^AMq?jij@&BYWwL+^9D|zk}<;q9B_K20bJ8hlJM29&xhu#x|%`e6fo%6^<
zb5wC#9_PtPaQVXU#6-$D9pGsS=u^>h8IGNc>FvkPtP~@61m>-7%fr)s4f-_2sY9%s
z(V_6=S0-@p5yfWG^<Kf785iA_n2QDOMltBZSWrHLB}0f}vCS$$D@?^j(wEE2$gpgc
ziT|<imcXSkJK}F&7>y)%b&dXDYn+r+ZWN{qK9Au*jaotI@9T5c_O+gBVPc#S$Gf@E
z{g12)EC)Dvp^p_P+=#GI60)ibaYC|un<j)o80JU3&kcGo7K4wR&-yD>ee~{_k%{3k
zPeN5KRR6H$zRM*XkkxYx!n92Kz~7=ul#ajXk_qh^O?7DP=^jlTH(YylV<56>=x!yG
zRru(s2C;Wr7atpWSkiKVMb*^zvQYz=fhE=aNUsbH@vzdU6FxSJc>$>VdR!aqUfN(@
zeWa(tEZT6IQ8}wsW_8}PTw8#*)UKJMj)^UqHt*s1DQ695JkHv2|G_5Z9^Ps<Q5<hr
zj~p9mBe}YSnluRG<;gYhQHLsW%4Rrgjl#@GLxawL3Po5G)n51Hn3vops%Or4zDPOF
zA>By7J2R4?J&eYpj@wuCwe$L8HIHNe3fANi#eZZeyfQc%a;q#W8b-omL6hf)j>SwS
zx=IFrt&}VbTnc-5ueLquEooh!?d-$}RCx_>ix&<>EctvrOYp9|mwtSp670F~dd>B7
z=BuhRQ*vVJN!9uLF%ye+{H)i8FJCY8PyE?evt=Y^FBwYW$h#`E>gM)_Ux|1{5xh`f
z&BBT^Wx(;RAIUrhbVbQ~H<goOBPO4}eKVZ!#p2IQ_vb?Byj(Ot4Jad(T{v{#U{UUl
om-zSs$Nq`2Bw433AjMNdXH%N@VG1C9_(%kVcMZuwlo+7@1E7HDLjV8(

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark/5.4.0/Chart.yaml b/charts/rancher-cis-benchmark/5.4.0/Chart.yaml
new file mode 100644
index 0000000000..37f4f494a6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/Chart.yaml
@@ -0,0 +1,22 @@
+annotations:
+  catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/display-name: CIS Benchmark
+  catalog.cattle.io/kube-version: '>= 1.25.0-0 < 1.29.0-0'
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/os: linux
+  catalog.cattle.io/permits-os: linux,windows
+  catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+  catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+  catalog.cattle.io/release-name: rancher-cis-benchmark
+  catalog.cattle.io/type: cluster-tool
+  catalog.cattle.io/ui-component: rancher-cis-benchmark
+apiVersion: v1
+appVersion: v5.4.0
+description: The cis-operator enables running CIS benchmark security scans on a kubernetes
+  cluster
+icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+keywords:
+- security
+name: rancher-cis-benchmark
+version: 5.4.0
diff --git a/charts/rancher-cis-benchmark/5.4.0/README.md b/charts/rancher-cis-benchmark/5.4.0/README.md
new file mode 100644
index 0000000000..50beab58ba
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/README.md
@@ -0,0 +1,9 @@
+# Rancher CIS Benchmark Chart
+
+The cis-operator enables running CIS benchmark security scans on a kubernetes cluster and generate compliance reports that can be downloaded.
+
+# Installation
+
+```
+helm install rancher-cis-benchmark ./ --create-namespace -n cis-operator-system
+```
diff --git a/charts/rancher-cis-benchmark/5.4.0/app-readme.md b/charts/rancher-cis-benchmark/5.4.0/app-readme.md
new file mode 100644
index 0000000000..d240859273
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/app-readme.md
@@ -0,0 +1,55 @@
+# Rancher CIS Benchmarks
+
+This chart enables security scanning of the cluster using [CIS (Center for Internet Security) benchmarks](https://www.cisecurity.org/benchmark/kubernetes/).
+
+For more information on how to use the feature, refer to our [docs](https://ranchermanager.docs.rancher.com/how-to-guides/advanced-user-guides/cis-scan-guides).
+
+This chart installs the following components:
+
+- [cis-operator](https://github.com/rancher/cis-operator) - The cis-operator handles launching the [kube-bench](https://github.com/aquasecurity/kube-bench) tool that runs a suite of CIS tests on the nodes of your Kubernetes cluster. After scans finish, the cis-operator generates a compliance report that can be downloaded.
+- Scans - A scan is a CRD (`ClusterScan`) that defines when to trigger CIS scans on the cluster based on the defined profile. A report is created after the scan is completed.
+- Profiles - A profile is a CRD (`ClusterScanProfile`) that defines the configuration for the CIS scan, which is the benchmark versions to use and any specific tests to skip in that benchmark. This chart installs a few default `ClusterScanProfile` custom resources with no skipped tests, which can immediately be used to launch CIS scans.
+- Benchmark Versions - A benchmark version is a CRD (`ClusterScanBenchmark`) that defines the CIS benchmark version to run using kube-bench as well as the valid configuration parameters for that benchmark. This chart installs a few default `ClusterScanBenchmark` custom resources.
+- Alerting Resources - Rancher's CIS Benchmark application lets you run a cluster scan on a schedule, and send alerts when scans finish.
+    - If you want to enable alerts to be delivered when a cluster scan completes, you need to ensure that [Rancher's Monitoring and Alerting](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/) application is pre-installed and the [Receivers and Routes](https://rancher.com/docs/rancher/v2.x/en/monitoring-alerting/v2.5/configuration/#alertmanager-config) are configured to send out alerts.
+    - Additionally, you need to set `alerts: true` in the Values YAML while installing or upgrading this chart.
+
+## CIS Kubernetes Benchmark support
+
+| Source | Kubernetes distribution | scan profile                                                                                                       | Kubernetes versions |
+|--------|-------------------------|--------------------------------------------------------------------------------------------------------------------|---------------------|
+| CIS    | any                     | [cis-1.7](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.7)                                | v1.25               |
+| CIS    | any                     | [cis-1.8](https://github.com/rancher/security-scan/tree/master/package/cfg/cis-1.8)                                | v1.26+              |
+| CIS    | rke                     | [rke-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-permissive)  | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.7-hardened)      | rke1-v1.25          |
+| CIS    | rke                     | [rke-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-permissive)  | rke1-v1.26+         |
+| CIS    | rke                     | [rke-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke-cis-1.8-hardened)      | rke1-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-permissive)| rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.7-hardened)    | rke2-v1.25          |
+| CIS    | rke2                    | [rke2-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-permissive)| rke2-v1.26+         |
+| CIS    | rke2                    | [rke2-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/rke2-cis-1.8-hardened)    | rke2-v1.26+         |
+| CIS    | k3s                     | [k3s-cis-1.7-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-permissive)  | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.7-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.7-hardened)      | k3s-v1.25           |
+| CIS    | k3s                     | [k3s-cis-1.8-permissive](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-permissive)  | k3s-v1.26+          |
+| CIS    | k3s                     | [k3s-cis-1.8-hardened](https://github.com/rancher/security-scan/tree/master/package/cfg/k3s-cis-1.8-hardened)      | k3s-v1.26+          |
+| CIS    | eks                     | eks-1.2.0                                                                                                          | eks                 |
+| CIS    | aks                     | aks-1.0                                                                                                            | aks                 |
+| CIS    | gke                     | gke-1.2.0                                                                                                          | gke                 |
+
+## Upgrading to Kubernetes v1.25+
+
+Starting in Kubernetes v1.25, [Pod Security Policies](https://kubernetes.io/docs/concepts/security/pod-security-policy/) have been removed from the Kubernetes API.
+
+As a result, **before upgrading to Kubernetes v1.25** (or on a fresh install in a Kubernetes v1.25+ cluster), users are expected to perform an in-place upgrade of this chart with `global.cattle.psp.enabled` set to `false` if it has been previously set to `true`.
+
+> **Note:**
+> In this chart release, any previous field that was associated with any PSP resources have been removed in favor of a single global field: `global.cattle.psp.enabled`.
+
+> **Note:**
+> If you upgrade your cluster to Kubernetes v1.25+ before removing PSPs via a `helm upgrade` (even if you manually clean up resources), **it will leave the Helm release in a broken state within the cluster such that further Helm operations will not work (`helm uninstall`, `helm upgrade`, etc.).**
+>
+> If your charts get stuck in this state, please consult the Rancher docs on how to clean up your Helm release secrets.
+
+Upon setting `global.cattle.psp.enabled` to false, the chart will remove any PSP resources deployed on its behalf from the cluster. This is the default setting for this chart.
+
+As a replacement for PSPs, [Pod Security Admission](https://kubernetes.io/docs/concepts/security/pod-security-admission/) should be used. Please consult the Rancher docs for more details on how to configure your chart release namespaces to work with the new Pod Security Admission and apply Pod Security Standards.
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/_helpers.tpl b/charts/rancher-cis-benchmark/5.4.0/templates/_helpers.tpl
new file mode 100644
index 0000000000..b7bb000422
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/_helpers.tpl
@@ -0,0 +1,27 @@
+{{/* Ensure namespace is set the same everywhere */}}
+{{- define "cis.namespace" -}}
+  {{- .Release.Namespace | default "cis-operator-system" -}}
+{{- end -}}
+
+{{- define "system_default_registry" -}}
+{{- if .Values.global.cattle.systemDefaultRegistry -}}
+{{- printf "%s/" .Values.global.cattle.systemDefaultRegistry -}}
+{{- else -}}
+{{- "" -}}
+{{- end -}}
+{{- end -}}
+
+{{/*
+Windows cluster will add default taint for linux nodes,
+add below linux tolerations to workloads could be scheduled to those linux nodes
+*/}}
+{{- define "linux-node-tolerations" -}}
+- key: "cattle.io/os"
+  value: "linux"
+  effect: "NoSchedule"
+  operator: "Equal"
+{{- end -}}
+
+{{- define "linux-node-selector" -}}
+kubernetes.io/os: linux
+{{- end -}}
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/alertingrule.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/alertingrule.yaml
new file mode 100644
index 0000000000..1787c88a07
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/alertingrule.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.alerts.enabled -}}
+---
+apiVersion: monitoring.coreos.com/v1
+kind: PodMonitor
+metadata:
+  name: rancher-cis-pod-monitor
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  podMetricsEndpoints:
+  - port: cismetrics
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-aks-1.0.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-aks-1.0.yaml
new file mode 100644
index 0000000000..1ac866253f
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-aks-1.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: aks-1.0
+spec:
+  clusterProvider: aks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.7.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.7.yaml
new file mode 100644
index 0000000000..fa8dfd8eb9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.7
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.8.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.8.yaml
new file mode 100644
index 0000000000..f9fa2853e9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-cis-1.8.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: cis-1.8
+spec:
+  clusterProvider: ""
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-eks-1.2.0.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-eks-1.2.0.yaml
new file mode 100644
index 0000000000..c1bdd9ed5e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-eks-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: eks-1.2.0
+spec:
+  clusterProvider: eks
+  minKubernetesVersion: "1.15.0"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-gke-1.2.0.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-gke-1.2.0.yaml
new file mode 100644
index 0000000000..106ff7b0de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-gke-1.2.0.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: gke-1.2.0
+spec:
+  clusterProvider: gke
+  minKubernetesVersion: "1.15.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6fb369360c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..b556d70fe5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.7-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..3f6ac5c159
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-hardened
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..26f1cdba98
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-k3s-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: k3s-cis-1.8-permissive
+spec:
+  clusterProvider: k3s
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..39bac7833c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..2e2f09ac74
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.7-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..4dbf8b4522
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-hardened
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..2aa0c85ac4
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke-cis-1.8-permissive
+spec:
+  clusterProvider: rke
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
new file mode 100644
index 0000000000..6306e9601a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
new file mode 100644
index 0000000000..76236e11af
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.7-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.25.0"
+  maxKubernetesVersion: "1.25.x"
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
new file mode 100644
index 0000000000..bf8ee31f7b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-hardened.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-hardened
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
new file mode 100644
index 0000000000..bd396f9df5
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/benchmark-rke2-cis-1.8-permissive.yaml
@@ -0,0 +1,8 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanBenchmark
+metadata:
+  name: rke2-cis-1.8-permissive
+spec:
+  clusterProvider: rke2
+  minKubernetesVersion: "1.26.0"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/cis-roles.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/cis-roles.yaml
new file mode 100644
index 0000000000..23c93dc659
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/cis-roles.yaml
@@ -0,0 +1,49 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-admin
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["create", "update", "delete", "patch","get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs:
+      - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: cis-view
+rules:
+  - apiGroups:
+      - cis.cattle.io
+    resources:
+      - clusterscanbenchmarks
+      - clusterscanprofiles
+      - clusterscans
+      - clusterscanreports
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - catalog.cattle.io
+    resources: ["apps"]
+    resourceNames: ["rancher-cis-benchmark"]
+    verbs: ["get", "watch", "list"]
+  - apiGroups:
+      - ""
+    resources:
+      - configmaps
+    verbs: ["get", "watch", "list"]
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/configmap.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/configmap.yaml
new file mode 100644
index 0000000000..32e6d6e550
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/configmap.yaml
@@ -0,0 +1,18 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: default-clusterscanprofiles
+  namespace: {{ template "cis.namespace" . }}
+data:
+  # Default ClusterScanProfiles per cluster provider type
+  rke: |-
+    <1.21.0: rke-profile-permissive-1.20
+    >=1.21.0: rke-profile-permissive-1.8
+  rke2: |-
+    <1.21.0: rke2-cis-1.20-profile-permissive
+    >=1.21.0: rke2-cis-1.8-profile-permissive
+  eks: "eks-profile"
+  gke: "gke-profile"
+  aks: "aks-profile"
+  k3s: "k3s-cis-1.8-profile-permissive"
+  default: "cis-1.8-profile"
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/deployment.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/deployment.yaml
new file mode 100644
index 0000000000..8c9f72f5de
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/deployment.yaml
@@ -0,0 +1,61 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: cis-operator
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    cis.cattle.io/operator: cis-operator
+spec:
+  selector:
+    matchLabels:
+      cis.cattle.io/operator: cis-operator
+  template:
+    metadata:
+      labels:
+        cis.cattle.io/operator: cis-operator
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      containers:
+      - name: cis-operator
+        image: '{{ template "system_default_registry" . }}{{ .Values.image.cisoperator.repository }}:{{ .Values.image.cisoperator.tag }}'
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: cismetrics
+          containerPort: {{ .Values.alerts.metricsPort }}
+        env:
+        - name: SECURITY_SCAN_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.securityScan.repository }}
+        - name: SECURITY_SCAN_IMAGE_TAG
+          value: {{ .Values.image.securityScan.tag }}
+        - name: SONOBUOY_IMAGE
+          value: {{ template "system_default_registry" . }}{{ .Values.image.sonobuoy.repository }}
+        - name: SONOBUOY_IMAGE_TAG
+          value: {{ .Values.image.sonobuoy.tag }}
+        - name: CIS_ALERTS_METRICS_PORT
+          value: '{{ .Values.alerts.metricsPort }}'
+        - name: CIS_ALERTS_SEVERITY
+          value: {{ .Values.alerts.severity }}
+        - name: CIS_ALERTS_ENABLED
+          value: {{ .Values.alerts.enabled | default "false" | quote }}
+        - name: CLUSTER_NAME
+          value: '{{ .Values.global.cattle.clusterName }}'
+        - name: CIS_OPERATOR_DEBUG
+          value: '{{ .Values.image.cisoperator.debug }}'
+        {{- if .Values.securityScanJob.overrideTolerations }}
+        - name: SECURITY_SCAN_JOB_TOLERATIONS
+          value: '{{ .Values.securityScanJob.tolerations | toJson  }}'
+        {{- end }}
+        resources:
+          {{- toYaml .Values.resources | nindent 12 }}
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+      {{- toYaml . | nindent 8 }}
+      {{- end }}
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/network_policy_allow_all.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/network_policy_allow_all.yaml
new file mode 100644
index 0000000000..6ed5d645ea
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/network_policy_allow_all.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-allow-all
+  namespace: {{ template "cis.namespace" . }}
+spec:
+  podSelector: {}
+  ingress:
+  - {}
+  egress:
+  - {}
+  policyTypes:
+  - Ingress
+  - Egress
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/patch_default_serviceaccount.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/patch_default_serviceaccount.yaml
new file mode 100644
index 0000000000..e78a6bd08a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/patch_default_serviceaccount.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: patch-sa
+  annotations:
+    "helm.sh/hook": post-install, post-upgrade
+    "helm.sh/hook-delete-policy": hook-succeeded, before-hook-creation
+spec:
+  template:
+    spec:
+      serviceAccountName: cis-operator-serviceaccount
+      nodeSelector: {{ include "linux-node-selector" . | nindent 8 }}
+{{- if .Values.nodeSelector }}
+{{ toYaml .Values.nodeSelector | indent 8 }}
+{{- end }}
+      tolerations: {{ include "linux-node-tolerations" . | nindent 8 }}
+{{- if .Values.tolerations }}
+{{ toYaml .Values.tolerations | indent 8 }}
+{{- end }}
+      restartPolicy: Never
+      containers:
+      - name: sa
+        image: "{{ template "system_default_registry" . }}{{ .Values.global.kubectl.repository }}:{{ .Values.global.kubectl.tag }}"
+        imagePullPolicy: {{ .Values.global.imagePullPolicy }}
+        command: ["kubectl", "patch", "serviceaccount", "default", "-p", "{\"automountServiceAccountToken\": false}"]
+        args: ["-n", {{ template "cis.namespace" . }}]
+
+  backoffLimit: 1
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/psp.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/psp.yaml
new file mode 100644
index 0000000000..9b8a5995ee
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/psp.yaml
@@ -0,0 +1,59 @@
+{{- if .Values.global.cattle.psp.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+  name: cis-psp
+spec:
+  allowPrivilegeEscalation: true
+  allowedCapabilities:
+  - '*'
+  fsGroup:
+    rule: RunAsAny
+  hostIPC: true
+  hostNetwork: true
+  hostPID: true
+  hostPorts:
+  - max: 65535
+    min: 0
+  privileged: true
+  runAsUser:
+    rule: RunAsAny
+  seLinux:
+    rule: RunAsAny
+  supplementalGroups:
+    rule: RunAsAny
+  volumes:
+  - '*'
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cis-psp-role
+  namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+  - policy
+  resourceNames:
+  - cis-psp
+  resources:
+  - podsecuritypolicies
+  verbs:
+  - use
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: cis-psp-rolebinding
+  namespace: {{ template "cis.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cis-psp-role
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+{{- end }}
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/rbac.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/rbac.yaml
new file mode 100644
index 0000000000..33fb93f04c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/rbac.yaml
@@ -0,0 +1,219 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrole
+rules:
+- apiGroups:
+  - "cis.cattle.io"
+  resources:
+  - "*"
+  verbs:
+  - "*"
+- apiGroups:
+  - ""
+  resources:
+  - "pods"
+  - "services"
+  - "configmaps"
+  - "nodes"
+  - "serviceaccounts"
+  verbs:
+  - "get"
+  - "list"
+  - "create"
+  - "update"
+  - "watch"
+  - "patch"
+- apiGroups:
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "list"
+  - "create"
+  - "patch"
+  - "update"
+  - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-scan-ns
+rules:
+{{- if .Values.global.cattle.psp.enabled }}
+- apiGroups:
+  - "*"
+  resources:
+  - "podsecuritypolicies"
+  verbs: 
+  - "get"
+  - "list"
+  - "watch"
+{{- end }}
+- apiGroups:
+  - ""
+  resources:
+  - "namespaces"
+  - "nodes"
+  - "pods"
+  - "serviceaccounts"
+  - "services"
+  - "replicationcontrollers"
+  verbs:
+  - "get"
+  - "list"
+  - "watch"
+- apiGroups: 
+  - "rbac.authorization.k8s.io"
+  resources:
+  - "rolebindings"
+  - "clusterrolebindings"
+  - "clusterroles"
+  verbs:
+  - "get"
+  - "list"
+- apiGroups:
+   - "batch"
+  resources:
+   - "jobs"
+   - "cronjobs"
+  verbs:
+   - "list"
+- apiGroups:
+    - "apps"
+  resources:
+    - "daemonsets"
+    - "deployments"
+    - "replicasets"
+    - "statefulsets"
+  verbs:
+    - "list"
+- apiGroups:
+    - "autoscaling"
+  resources:
+    - "horizontalpodautoscalers"
+  verbs:
+    - "list"
+- apiGroups:
+    - "networking.k8s.io"
+  resources:
+    - "networkpolicies"
+  verbs:
+    - "get"
+    - "list"
+    - "watch"
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: cis-operator-role
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  namespace: {{ template "cis.namespace" . }}
+rules:
+- apiGroups:
+  - ""
+  resources:
+  - "services"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "patch"
+- apiGroups:
+  - "batch"
+  resources:
+  - "jobs"
+  verbs:
+  - "watch"
+  - "list"
+  - "get"
+  - "delete"
+- apiGroups:
+  - ""
+  resources:
+  - "configmaps"
+  - "pods"
+  - "secrets"
+  verbs:
+  - "*"
+- apiGroups:
+  - "apps"
+  resources:
+  - "daemonsets"
+  verbs:
+  - "*"
+- apiGroups:
+  - monitoring.coreos.com
+  resources:
+  - prometheusrules
+  verbs:
+  - create
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-clusterrolebinding
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-operator-clusterrole
+subjects:
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: cis-scan-ns
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cis-scan-ns
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-operator-rolebinding
+  namespace: {{ template "cis.namespace" . }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: cis-operator-role
+subjects:
+- kind: ServiceAccount
+  name: cis-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
+- kind: ServiceAccount
+  name: cis-operator-serviceaccount
+  namespace: {{ template "cis.namespace" . }}
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.7.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.7.yaml
new file mode 100644
index 0000000000..edac79e2a3
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.7.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.7-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.7
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.8.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.8.yaml
new file mode 100644
index 0000000000..bf68d6ec17
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-cis-1.8.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: cis-1.8-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: cis-1.8
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..51fd6baf00
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..0c1baf774a
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.7-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..8a78b2a964
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..3bbf94335c
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-k3s-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: k3s-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: k3s-cis-1.8-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-hardened.yaml
new file mode 100644
index 0000000000..e488eaedf0
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-permissive.yaml
new file mode 100644
index 0000000000..8e6df750d6
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.7-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.7
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.7-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-hardened.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-hardened.yaml
new file mode 100644
index 0000000000..24a1250c06
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-hardened.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-hardened-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-permissive.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-permissive.yaml
new file mode 100644
index 0000000000..4472913c64
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke-1.8-permissive.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke-profile-permissive-1.8
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke-cis-1.8-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-hardened.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
new file mode 100644
index 0000000000..9e90d769ac
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-permissive.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
new file mode 100644
index 0000000000..4363d3afab
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.7-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.7-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.7-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-hardened.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
new file mode 100644
index 0000000000..05fc5d8d33
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-hardened.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-hardened
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-hardened
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-permissive.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
new file mode 100644
index 0000000000..a83409c02e
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofile-rke2-cis-1.8-permissive.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: rke2-cis-1.8-profile-permissive
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: rke2-cis-1.8-permissive
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofileaks.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofileaks.yml
new file mode 100644
index 0000000000..ea7b25b404
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofileaks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: aks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: aks-1.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofileeks.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofileeks.yml
new file mode 100644
index 0000000000..de4500acd9
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofileeks.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: eks-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: eks-1.2.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/scanprofilegke.yml b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofilegke.yml
new file mode 100644
index 0000000000..3e5e2439ac
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/scanprofilegke.yml
@@ -0,0 +1,9 @@
+---
+apiVersion: cis.cattle.io/v1
+kind: ClusterScanProfile
+metadata:
+  name: gke-profile
+  annotations:
+    clusterscanprofile.cis.cattle.io/builtin: "true"
+spec:
+  benchmarkVersion: gke-1.2.0
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/serviceaccount.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/serviceaccount.yaml
new file mode 100644
index 0000000000..ec48ec6224
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/serviceaccount.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  name: cis-operator-serviceaccount
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  namespace: {{ template "cis.namespace" . }}
+  labels:
+    app.kubernetes.io/name: rancher-cis-benchmark
+    app.kubernetes.io/instance: release-name
+  name: cis-serviceaccount
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/validate-install-crd.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/validate-install-crd.yaml
new file mode 100644
index 0000000000..562295791b
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/validate-install-crd.yaml
@@ -0,0 +1,17 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+# {{- $found := dict -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScan" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanBenchmark" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanProfile" false -}}
+# {{- set $found "cis.cattle.io/v1/ClusterScanReport" false -}}
+# {{- range .Capabilities.APIVersions -}}
+# {{- if hasKey $found (toString .) -}}
+# 	{{- set $found (toString .) true -}}
+# {{- end -}}
+# {{- end -}}
+# {{- range $_, $exists := $found -}}
+# {{- if (eq $exists false) -}}
+# 	{{- required "Required CRDs are missing. Please install the corresponding CRD chart before installing this chart." "" -}}
+# {{- end -}}
+# {{- end -}}
+#{{- end -}}
\ No newline at end of file
diff --git a/charts/rancher-cis-benchmark/5.4.0/templates/validate-psp-install.yaml b/charts/rancher-cis-benchmark/5.4.0/templates/validate-psp-install.yaml
new file mode 100644
index 0000000000..a30c59d3b7
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/templates/validate-psp-install.yaml
@@ -0,0 +1,7 @@
+#{{- if gt (len (lookup "rbac.authorization.k8s.io/v1" "ClusterRole" "" "")) 0 -}}
+#{{- if .Values.global.cattle.psp.enabled }}
+#{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}
+#{{- fail "The target cluster does not have the PodSecurityPolicy API resource. Please disable PSPs in this chart before proceeding." -}}
+#{{- end }}
+#{{- end }}
+#{{- end }}
diff --git a/charts/rancher-cis-benchmark/5.4.0/values.yaml b/charts/rancher-cis-benchmark/5.4.0/values.yaml
new file mode 100644
index 0000000000..3f6791d824
--- /dev/null
+++ b/charts/rancher-cis-benchmark/5.4.0/values.yaml
@@ -0,0 +1,55 @@
+# Default values for rancher-cis-benchmark.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+image:
+  cisoperator:
+    repository: rancher/cis-operator
+    tag: v1.0.15
+  securityScan:
+    repository: rancher/security-scan
+    tag: v0.2.17
+  sonobuoy:
+    repository: rancher/mirrored-sonobuoy-sonobuoy
+    tag: v0.57.2
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+## Node labels for pod assignment
+## Ref: https://kubernetes.io/docs/user-guide/node-selection/
+##
+nodeSelector: {}
+
+## List of node taints to tolerate (requires Kubernetes >= 1.6)
+tolerations: []
+
+securityScanJob:
+  overrideTolerations: false
+  tolerations: []
+
+affinity: {}
+
+global:
+  cattle:
+    systemDefaultRegistry: ""
+    clusterName: ""
+    psp:
+      enabled: false
+  kubectl:
+    repository: rancher/kubectl
+    tag: v1.28.12
+
+alerts:
+  enabled: false
+  severity: warning
+  metricsPort: 8080
diff --git a/index.yaml b/index.yaml
index 9c530f312e..7b3e8d0f3b 100755
--- a/index.yaml
+++ b/index.yaml
@@ -9814,6 +9814,32 @@ entries:
     urls:
     - assets/rancher-cis-benchmark/rancher-cis-benchmark-5.5.0.tgz
     version: 5.5.0
+  - annotations:
+      catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/display-name: CIS Benchmark
+      catalog.cattle.io/kube-version: '>= 1.25.0-0 < 1.29.0-0'
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/os: linux
+      catalog.cattle.io/permits-os: linux,windows
+      catalog.cattle.io/provides-gvr: cis.cattle.io.clusterscans/v1
+      catalog.cattle.io/rancher-version: '>= 2.8.0-0 < 2.9.0-0'
+      catalog.cattle.io/release-name: rancher-cis-benchmark
+      catalog.cattle.io/type: cluster-tool
+      catalog.cattle.io/ui-component: rancher-cis-benchmark
+    apiVersion: v1
+    appVersion: v5.4.0
+    created: "2024-11-12T15:39:55.687201916-03:00"
+    description: The cis-operator enables running CIS benchmark security scans on
+      a kubernetes cluster
+    digest: ede7f087f82bc28445c186fcaf2238ac3f34a1cdd6bd0845f0904ae013072ef7
+    icon: https://charts.rancher.io/assets/logos/cis-kube-bench.svg
+    keywords:
+    - security
+    name: rancher-cis-benchmark
+    urls:
+    - assets/rancher-cis-benchmark/rancher-cis-benchmark-5.4.0.tgz
+    version: 5.4.0
   - annotations:
       catalog.cattle.io/auto-install: rancher-cis-benchmark-crd=match
       catalog.cattle.io/certified: rancher
diff --git a/release.yaml b/release.yaml
index 08a3c79fd7..95566790e7 100644
--- a/release.yaml
+++ b/release.yaml
@@ -3,6 +3,7 @@ rancher-cis-benchmark:
   - 6.1.0
   - 6.2.0
   - 5.3.0
+  - 5.4.0
 rancher-cis-benchmark-crd:
   - 105.0.0+up7.0.0
   - 6.1.0

From 2ad3732bb43a253e39e2e54e7e56777bbf2e9a0d Mon Sep 17 00:00:00 2001
From: nicholasSSUSE <nicholas.paolillo@suse.com>
Date: Tue, 12 Nov 2024 15:40:22 -0300
Subject: [PATCH 8/8] forward-port rancher-cis-benchmark-crd 5.4.0

---
 .../rancher-cis-benchmark-crd-5.4.0.tgz       | Bin 0 -> 1463 bytes
 .../5.4.0/Chart.yaml                          |  10 ++
 .../rancher-cis-benchmark-crd/5.4.0/README.md |   2 +
 .../5.4.0/templates/clusterscan.yaml          | 148 ++++++++++++++++++
 .../5.4.0/templates/clusterscanbenchmark.yaml |  54 +++++++
 .../5.4.0/templates/clusterscanprofile.yaml   |  36 +++++
 .../5.4.0/templates/clusterscanreport.yaml    |  39 +++++
 index.yaml                                    |  14 ++
 release.yaml                                  |   1 +
 9 files changed, 304 insertions(+)
 create mode 100644 assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.4.0.tgz
 create mode 100644 charts/rancher-cis-benchmark-crd/5.4.0/Chart.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.4.0/README.md
 create mode 100644 charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscan.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanbenchmark.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanprofile.yaml
 create mode 100644 charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanreport.yaml

diff --git a/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.4.0.tgz b/assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.4.0.tgz
new file mode 100644
index 0000000000000000000000000000000000000000..43e26fd44d1841e93f196c5448329b077f30e861
GIT binary patch
literal 1463
zcmV;o1xWfIiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc
zVQyr3R8em|NM&qo0PI@dliD^AzGwalP5O*uIDT|^yO6Y#wz=GJ*YtUj_dq#Y@<{7z
zm`?xqj%?py8yjOVkWSba21))_vcLUST3dtUOVnL1Om~iwF9Xm|U9P>i(<NwfRuK4C
z2b$};?r1QGe_hut{<_1yd(|6^#=Y@)<X*d1Zg1p{hgZx!)bTDB83KLf9_*{Qxc`ZP
zl!}0al4jCjj01tM77hm@A046Ia?~Uq1$q;fa;0?GQg|N934232!Z)QuBm`(e;5cEH
zZ7M_!q;%J;3}H}uiAEp6VAo#y>VK1~9SFr2)J7;dVb8sehlXnrQvCm;Gz7kH7%h=a
zXYUPrRJt6?>C`!*RfrP?Vdx7U-?h&3i{GI$aNN$hpJ!96j(@@+^nuX4<$h!cwc#N5
z(u3{s-*fxDUOxW&z3buV691>LY~(;F@Ef7D|BUnWv#}xg-0M6E=}p))GNghT8Wm}d
z@9|Mc5l29P1RfAr{Yc^`Lm1<5Vb&4dF(Gn0aG_Nc#zK(kOs<cGh_Tdb0(H+p#;u_r
zY4GzdI*b{vY+$CNJB+1a8Dn+RX+8I12!s0B%9&NFq=A%%1!h{n^WwFEf2V~c)Kle0
zflO!CWnYbwcR<Sta|{7R#__?>ERuGfcUnCPA8#Q@z+Uc3W+~~Av^x<MLt4m1r2`WM
z0qB)Oionm|K4e-NL4{yU4(V>)&<N-eM1D%YtQ#5unI{qEfbQ1~je!0JEptGBts5Ev
zNkun_+Ry#`<GfYGHoA7gPPy_R0yG3ce#L*3ch&%h$Q{F%=tVwymSIyRAH~AqTFLvg
zJx|8Xjtv(kn(H*&Q|8-Pu}he+fBsE|@FfQD(y2m}H+LVuT;J!K84I<|_9WIg@x`eY
ztgU=p;wTqb#csxA<ootPWTH508;i?AZ``-W@YNHymVF9k{k8BlE3l@KP+HBJsz_3~
zmjuEJ+9DRoqS>2#<D;h8ArswxFRX#}@mWq)5c)_Jp4JndE9E1|?O;}NB7G26GD6M2
zBBu%hm3A7gG+KcXvV=J(qhPbO%QEVlZO&-v+V&-P#iY|9-ZAuU@f+FDxG7=P{!w@T
z!ZjfmmTqlFHCHmp;Uz2-gh44e>!@p$`$2;=F|yU@D!%OyC$%A+`1>>TfbjUf0yM_%
zf{yA$BN!!*>!Xa_ZTpA^9MQv8DcUJ0Kx<eP`aEGmA66}AH`H3`Z3(AZbGLHt@SJFw
za5Qjw)qzskXSK`U@{G$*6K%?4aSz%iwwfnLtY1;0j;kb_=-aj;>E63#n%cy=-?k`s
z2G|e6Ci^}2WKW{x;p}o{d{W%+QhR*b=gLY-mv-bD&s_-lL9Jo^Z(S;FPzbE4|M$m(
zQK9~K-5-oE^}kctvFm@YglVx5`0fQW?k=eauAQE@G#Dax(rMjk^(?$s$;?#*3w=A3
zdIBMTkLIW)5}Ne+<&ZyB57-4BzSY2257+^o$4q*Cib=`k6NDQT(;WsL=q`RAwX@Ic
z=<m8(Rv=xg=jtu@=Tv@@w}>q|D<gcX_$A@k9{wSltA_bMOim-sUIW(T|K6~FUC96a
z@!<0Q|0H(o{GSr0#q6JbcUF@7UmUid`M)QDe+|_mh?PBYKA@o{h11${%GP4ao&~LX
z-D7)f*owC{w>x-O-kDq7xkI{<HPnBNp=$h9Se^clhQp%%kNTJIKTcxD*8hYsEz18a
z2CP#5)ZO`yeMfr7f3P^QA1IL>v&Nke?YH~Sw<p}kA0hs$^?&x^=KZG+PT(Evqwf3P
z-k@Lj{&zU&U+RA+v7fel?0UmyNgv}&(8Op7#Kgwuw2?uN%~w^Q)Si2V7rWTSE_Sgp
R`!4_h|NoFc10eu3003Lq=c@n!

literal 0
HcmV?d00001

diff --git a/charts/rancher-cis-benchmark-crd/5.4.0/Chart.yaml b/charts/rancher-cis-benchmark-crd/5.4.0/Chart.yaml
new file mode 100644
index 0000000000..a1cab135cd
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.4.0/Chart.yaml
@@ -0,0 +1,10 @@
+annotations:
+  catalog.cattle.io/certified: rancher
+  catalog.cattle.io/hidden: "true"
+  catalog.cattle.io/namespace: cis-operator-system
+  catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+apiVersion: v1
+description: Installs the CRDs for rancher-cis-benchmark.
+name: rancher-cis-benchmark-crd
+type: application
+version: 5.4.0
diff --git a/charts/rancher-cis-benchmark-crd/5.4.0/README.md b/charts/rancher-cis-benchmark-crd/5.4.0/README.md
new file mode 100644
index 0000000000..f6d9ef621f
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.4.0/README.md
@@ -0,0 +1,2 @@
+# rancher-cis-benchmark-crd
+A Rancher chart that installs the CRDs used by rancher-cis-benchmark.
diff --git a/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscan.yaml b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscan.yaml
new file mode 100644
index 0000000000..3cbb0ffcd3
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscan.yaml
@@ -0,0 +1,148 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscans.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScan
+    plural: clusterscans
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    additionalPrinterColumns:
+    - jsonPath: .status.lastRunScanProfileName
+      name: ClusterScanProfile
+      type: string
+    - jsonPath: .status.summary.total
+      name: Total
+      type: string
+    - jsonPath: .status.summary.pass
+      name: Pass
+      type: string
+    - jsonPath: .status.summary.fail
+      name: Fail
+      type: string
+    - jsonPath: .status.summary.skip
+      name: Skip
+      type: string
+    - jsonPath: .status.summary.warn
+      name: Warn
+      type: string
+    - jsonPath: .status.summary.notApplicable
+      name: Not Applicable
+      type: string
+    - jsonPath: .status.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.scheduledScanConfig.cronSchedule
+      name: CronSchedule
+      type: string
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              scanProfileName:
+                nullable: true
+                type: string
+              scheduledScanConfig:
+                nullable: true
+                properties:
+                  cronSchedule:
+                    nullable: true
+                    type: string
+                  retentionCount:
+                    type: integer
+                  scanAlertRule:
+                    nullable: true
+                    properties:
+                      alertOnComplete:
+                        type: boolean
+                      alertOnFailure:
+                        type: boolean
+                    type: object
+                type: object
+              scoreWarning:
+                enum:
+                - pass
+                - fail
+                nullable: true
+                type: string
+            type: object
+          status:
+            properties:
+              NextScanAt:
+                nullable: true
+                type: string
+              ScanAlertingRuleName:
+                nullable: true
+                type: string
+              conditions:
+                items:
+                  properties:
+                    lastTransitionTime:
+                      nullable: true
+                      type: string
+                    lastUpdateTime:
+                      nullable: true
+                      type: string
+                    message:
+                      nullable: true
+                      type: string
+                    reason:
+                      nullable: true
+                      type: string
+                    status:
+                      nullable: true
+                      type: string
+                    type:
+                      nullable: true
+                      type: string
+                  type: object
+                nullable: true
+                type: array
+              display:
+                nullable: true
+                properties:
+                  error:
+                    type: boolean
+                  message:
+                    nullable: true
+                    type: string
+                  state:
+                    nullable: true
+                    type: string
+                  transitioning:
+                    type: boolean
+                type: object
+              lastRunScanProfileName:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              observedGeneration:
+                type: integer
+              summary:
+                nullable: true
+                properties:
+                  fail:
+                    type: integer
+                  notApplicable:
+                    type: integer
+                  pass:
+                    type: integer
+                  skip:
+                    type: integer
+                  total:
+                    type: integer
+                  warn:
+                    type: integer
+                type: object
+            type: object
+        type: object
diff --git a/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanbenchmark.yaml b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanbenchmark.yaml
new file mode 100644
index 0000000000..fd291f8c33
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanbenchmark.yaml
@@ -0,0 +1,54 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanbenchmarks.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanBenchmark
+    plural: clusterscanbenchmarks
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    additionalPrinterColumns:
+    - jsonPath: .spec.clusterProvider
+      name: ClusterProvider
+      type: string
+    - jsonPath: .spec.minKubernetesVersion
+      name: MinKubernetesVersion
+      type: string
+    - jsonPath: .spec.maxKubernetesVersion
+      name: MaxKubernetesVersion
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapName
+      name: customBenchmarkConfigMapName
+      type: string
+    - jsonPath: .spec.customBenchmarkConfigMapNamespace
+      name: customBenchmarkConfigMapNamespace
+      type: string
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              clusterProvider:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapName:
+                nullable: true
+                type: string
+              customBenchmarkConfigMapNamespace:
+                nullable: true
+                type: string
+              maxKubernetesVersion:
+                nullable: true
+                type: string
+              minKubernetesVersion:
+                nullable: true
+                type: string
+            type: object
+        type: object
diff --git a/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanprofile.yaml b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanprofile.yaml
new file mode 100644
index 0000000000..1e75501b7c
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanprofile.yaml
@@ -0,0 +1,36 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanprofiles.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanProfile
+    plural: clusterscanprofiles
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              skipTests:
+                items:
+                  nullable: true
+                  type: string
+                nullable: true
+                type: array
+            type: object
+        type: object
+    additionalPrinterColumns:
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
diff --git a/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanreport.yaml b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanreport.yaml
new file mode 100644
index 0000000000..6e8c0b7de5
--- /dev/null
+++ b/charts/rancher-cis-benchmark-crd/5.4.0/templates/clusterscanreport.yaml
@@ -0,0 +1,39 @@
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  name: clusterscanreports.cis.cattle.io
+spec:
+  group: cis.cattle.io
+  names:
+    kind: ClusterScanReport
+    plural: clusterscanreports
+  scope: Cluster
+  versions:
+  - name: v1
+    served: true
+    storage: true
+    additionalPrinterColumns:
+    - jsonPath: .spec.lastRunTimestamp
+      name: LastRunTimestamp
+      type: string
+    - jsonPath: .spec.benchmarkVersion
+      name: BenchmarkVersion
+      type: string
+    subresources:
+      status: {}
+    schema:
+      openAPIV3Schema:
+        properties:
+          spec:
+            properties:
+              benchmarkVersion:
+                nullable: true
+                type: string
+              lastRunTimestamp:
+                nullable: true
+                type: string
+              reportJSON:
+                nullable: true
+                type: string
+            type: object
+        type: object
\ No newline at end of file
diff --git a/index.yaml b/index.yaml
index 7b3e8d0f3b..fea0dd3917 100755
--- a/index.yaml
+++ b/index.yaml
@@ -10444,6 +10444,20 @@ entries:
     urls:
     - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.5.0.tgz
     version: 5.5.0
+  - annotations:
+      catalog.cattle.io/certified: rancher
+      catalog.cattle.io/hidden: "true"
+      catalog.cattle.io/namespace: cis-operator-system
+      catalog.cattle.io/release-name: rancher-cis-benchmark-crd
+    apiVersion: v1
+    created: "2024-11-12T15:40:15.679996867-03:00"
+    description: Installs the CRDs for rancher-cis-benchmark.
+    digest: af35b45bbadc8963defe591fe1d833ba3bb7de4d336f806019a9637e5628f1b2
+    name: rancher-cis-benchmark-crd
+    type: application
+    urls:
+    - assets/rancher-cis-benchmark-crd/rancher-cis-benchmark-crd-5.4.0.tgz
+    version: 5.4.0
   - annotations:
       catalog.cattle.io/certified: rancher
       catalog.cattle.io/hidden: "true"
diff --git a/release.yaml b/release.yaml
index 95566790e7..b2721a5afa 100644
--- a/release.yaml
+++ b/release.yaml
@@ -9,6 +9,7 @@ rancher-cis-benchmark-crd:
   - 6.1.0
   - 6.2.0
   - 5.3.0
+  - 5.4.0
 rancher-vsphere-cpi:
   - 104.0.1+up1.8.1
 rancher-vsphere-csi: