diff --git a/templates/rancher-bench-security/0/README.md b/templates/rancher-bench-security/0/README.md
new file mode 100644
index 0000000..acc689d
--- /dev/null
+++ b/templates/rancher-bench-security/0/README.md
@@ -0,0 +1,20 @@
+# rancher-security-bench
+
+### Info:
+
+This template provides information about security issues in your rancher environment. It follow the recomendations of of https://dockerbench.com/
+
+It has a logic to run in every docker host of your rancher enironment and a web interface to see the results
+
+
+### Usage:
+
+The web interface runs on the port 80 of "web-server" service.
+
+You can access to it by adding a rancher load balancer or using traefik proxy.
+
+If you want to use traefik proxy just configure the domain parameter. The web will be accesible at http://rancher-security-bench.
+
+If you do not want to use traefik proxy just ignore the domain parameter
+
+You can customize the time interval in wich the automatic tests will be run. Just tune the "Refresh Interval" option.
diff --git a/templates/rancher-bench-security/0/docker-compose.yml b/templates/rancher-bench-security/0/docker-compose.yml
new file mode 100644
index 0000000..d26a40a
--- /dev/null
+++ b/templates/rancher-bench-security/0/docker-compose.yml
@@ -0,0 +1,34 @@
+rancher-bench-security:
+ image: germanramos/rancher-bench-security:1.11.0
+ labels:
+ io.rancher.container.pull_image: always
+ io.rancher.scheduler.global: 'true'
+ io.rancher.scheduler.affinity:container_label_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
+ io.rancher.container.hostname_override: container_name
+ net: host
+ pid: host
+ stdin_open: true
+ tty: true
+ volumes:
+ - /var/lib:/var/lib
+ - /var/run/docker.sock:/var/run/docker.sock
+ - /usr/lib/systemd:/usr/lib/systemd
+ - /etc:/etc
+ - /tmp:/tmp
+ environment:
+ - INTERVAL=${INTERVAL}
+
+web-server:
+ image: germanramos/nginx-php-fpm:v5.6.21
+ stdin_open: true
+ tty: true
+ labels:
+ traefik.enable: stack
+ traefik.domain: ${TRAEFIK_DOMAIN}
+ traefik.port: 80
+ io.rancher.container.pull_image: always
+ io.rancher.scheduler.global: 'true'
+ io.rancher.scheduler.affinity:container_label_ne: io.rancher.stack_service.name=$${stack_name}/$${service_name}
+ io.rancher.container.hostname_override: container_name
+ volumes:
+ - /tmp/cis:/var/www/html
diff --git a/templates/rancher-bench-security/0/rancher-compose.yml b/templates/rancher-bench-security/0/rancher-compose.yml
new file mode 100644
index 0000000..1ff5851
--- /dev/null
+++ b/templates/rancher-bench-security/0/rancher-compose.yml
@@ -0,0 +1,27 @@
+.catalog:
+ name: "rancher-bench-security"
+ version: "1.11.0"
+ minimum_rancher_version: "v0.46.0"
+ questions:
+ # Traefik parameters
+ - variable: "TRAEFIK_DOMAIN"
+ description: "Domain name to route rule. Ignore if you do not use traefik proxy"
+ label: "Traefik domain:"
+ required: true
+ default: "ml.innotechapp.com"
+ type: string
+ # Service parameters
+ - variable: "INTERVAL"
+ description: "Interval to repeat all the tests"
+ label: "Refresh Interval:"
+ required: true
+ default: 600
+ type: int
+
+web-server:
+ health_check:
+ port: 80
+ interval: 2000
+ unhealthy_threshold: 3
+ healthy_threshold: 1
+ response_timeout: 2000
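Review bot: Every host path in the `rancher-bench-security` volumes list is mounted read-write — `/var/lib`, `/usr/lib/systemd`, `/etc` and the Docker socket — although a benchmark that only produces a report needs to read them, so a defect in this `net: host` / `pid: host` container can alter host configuration under `/etc` or `/var/lib`. Append `:ro` to those four mounts; `/tmp` presumably has to stay writable because `web-server` serves `/tmp/cis` from it, and the socket mount grants daemon control regardless of `:ro`, which is inherent to the tool and worth stating in the README. Separately, `traefik.port: 80` is an unquoted integer beside the quoted `'true'` scheduler label; writing it `'80'` keeps label values consistently strings.
```yaml
# … unchanged: image, labels, net, pid, stdin_open, tty …
  volumes:
    - /var/lib:/var/lib:ro
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /usr/lib/systemd:/usr/lib/systemd:ro
    - /etc:/etc:ro
    - /tmp:/tmp
# … unchanged: environment, web-server service …
```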
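Review bot: `TRAEFIK_DOMAIN` is declared `required: true` with the concrete default `"ml.innotechapp.com"`, while its own description and the README say to ignore it when Traefik is not in use; every stack that keeps the default therefore carries a `traefik.domain` label naming a hostname that is not the deployer's, and `traefik.enable: stack` on `web-server` is set unconditionally in docker-compose.yml. Make the question optional with `required: false` and a neutral value such as `default: ""` so the label is only populated deliberately. The `INTERVAL` question states no unit; if the value is seconds, `description: "Interval in seconds to repeat all the tests"` would tell the user what `600` means — the compose file only passes it through as `INTERVAL=${INTERVAL}`, so confirm the unit against the image.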
diff --git a/templates/rancher-bench-security/catalogIcon.png b/templates/rancher-bench-security/catalogIcon.png
new file mode 100644
index 0000000..e0772bc
Binary files /dev/null and b/templates/rancher-bench-security/catalogIcon.png differ
diff --git a/templates/rancher-bench-security/config.yml b/templates/rancher-bench-security/config.yml
new file mode 100644
index 0000000..6ab5304
--- /dev/null
+++ b/templates/rancher-bench-security/config.yml
@@ -0,0 +1,5 @@
+name: rancher-bench-security
+description: |
+ Generate report about docker specific security recommendations.
+version: 1.11.0
+maintainer: "German Ramos Garcia "
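Review bot: The `maintainer` value `"German Ramos Garcia "` ends in a trailing space, which suggests an angle-bracketed address was stripped when the file was authored or rendered; either restore the address or trim the space so the field is a clean name. `description: |` keeps a trailing newline in the value; `description: |-` drops it, which is what a one-line description normally wants.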