To configure the custom resources, go to the Cluster Explorer in the Rancher UI. In the dropdown menu in the top left corner, click Cluster Explorer > CIS Benchmark.
A scan is created to trigger a CIS scan on the cluster based on the defined profile. A report is created after the scan is completed.
When configuring a scan, you need to define the name of the scan profile that will be used with the scanProfileName directive.
An example ClusterScan custom resource is below:
Users can clone the ClusterScanProfiles to create custom profiles.
Skipped tests are listed under the skipTests directive.
When you create a new profile, you will also need to give it a name.
A benchmark version is the name of the benchmark to run using kube-bench, as well as the valid configuration parameters for that benchmark.
A ClusterScanBenchmark defines the CIS BenchmarkVersion name and test configurations. The BenchmarkVersion name is a parameter provided to the kube-bench tool.
By default, a few names and test configurations are packaged as part of the CIS scan application. When this feature is enabled, these default BenchmarkVersions will be automatically installed and available for users to create a ClusterScanProfile.
If the default BenchmarkVersions are edited, the next chart update will reset them. Therefore we don’t recommend editing the default ClusterScanBenchmarks.
ClusterProvider: This is the cluster provider name for which this benchmark is applicable. For example: RKE, EKS, GKE, etc. Leave it empty if this benchmark can be run on any cluster type.
MaxKubernetesVersion: Specifies the cluster’s maximum Kubernetes version necessary to run this benchmark. Leave it empty if there is no dependency on a particular k8s version.
An example ClusterScanBenchmark is below:
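As an added example that is not part of the original page, the following manifests show how the three custom resources reference each other: the ClusterScan names a ClusterScanProfile through scanProfileName, the profile selects a ClusterScanBenchmark and skips two tests, and the benchmark restricts the cluster provider and Kubernetes version. The apiVersion cis.cattle.io/v1, the benchmarkVersion field, the lowercase provider value and all resource names and test IDs are assumptions.

```yaml
# Added example, not from the original page. The apiVersion, the
# benchmarkVersion field, resource names and test IDs are assumptions.
apiVersion: cis.cattle.io/v1
kind: ClusterScanBenchmark
metadata:
  name: example-benchmark            # assumed name; passed to kube-bench as the BenchmarkVersion
spec:
  clusterProvider: rke               # assumed spelling; only applicable to RKE clusters, omit for any provider
  maxKubernetesVersion: "1.20"       # not run on clusters newer than this; omit if no dependency
---
apiVersion: cis.cattle.io/v1
kind: ClusterScanProfile
metadata:
  name: example-profile-hardened     # assumed name; a clone of a default profile
spec:
  benchmarkVersion: example-benchmark   # assumed field name; selects the ClusterScanBenchmark above
  skipTests:                         # constructed test IDs excluded from the scan report
  - "1.1.20"
  - "1.1.21"
---
apiVersion: cis.cattle.io/v1
kind: ClusterScan
metadata:
  name: example-scan                 # assumed name
spec:
  scanProfileName: example-profile-hardened   # the ClusterScanProfile above; triggers one scan
```

Because the profile and scan only reference the benchmark and profile by name, a typo in scanProfileName or benchmarkVersion leaves the scan without a valid configuration, so check that the referenced objects exist before creating the ClusterScan.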