Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Rancher v2.2.x. Version 1.1.0 - August 2019. Authors: Taylor Price. Overview: The following document scores a Kubernetes 1.13.x RKE cluster provisioned against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install
0 码力 | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Contents: CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15; Controls; 1 Master Node Security Configuration; 1.1 Master Node Configuration Files; 1.2 API Server; 1.3 Controller Manager; 1.4 Scheduler; 2 Etcd Node ... 3.2 Logging; 4 Worker Node Security Configuration; 4.1 Worker Node Configuration Files; 4.2 Kubelet; 5 Kubernetes Policies; 5.1 RBAC and Service Accounts; 5.2 Pod Security Policies; 5.3 Network Policies
0 码力 | 54 pages | 447.77 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
conf file permissions are set to 644 or more restrictive (Automated) ... --audit-log-maxage argument is set to 30 or as appropriate (Automated)
0 码力 | 132 pages | 1.12 MB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Contents: CIS v1.5 Kubernetes Benchmark - Rancher v2.5 with Kubernetes v1.15; Controls; 1 Master Node Security Configuration; 1.1 Master Node Configuration Files; 1.2 API Server; 1.3 Controller Manager; 1.4 Scheduler ... Node Security Configuration; 4.1 Worker Node Configuration Files; 4.2 Kubelet; 5 Kubernetes Policies; 5.1 RBAC and Service Accounts; 5.2 Pod Security Policies
0 码力 | 54 pages | 447.97 KB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy ... CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center Rd., Ste. 460 Herndon, VA 20171 corsec.com +1 703.276.6050 ... FIPS 140-2 Security Policy Rancher Kubernetes Cryptographic ... Specification Name Date [140] FIPS 140-2, Security Requirements for Cryptographic Modules 12/3/2002 [140AA] FIPS 140-2 Annex A: Approved Security Functions 6/10/2019 [140AC] FIPS 140-2 Annex
0 码力 | 16 pages | 551.69 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
solutions to help them build applications quickly without compromising reliability, agility and security. Relying on upstream Kubernetes isn't enough for teams deploying Kubernetes into production. Basic Kubernetes installations are plagued by a lack of central visibility, inconsistent security practices and complex management processes. Therefore, Kubernetes management platforms need to confidently ... DevOps efficiencies with simplified cluster operations • Consistent Security Policy and User Management: best-practice security policy enforcement and advanced user management on any infrastructure
0 码力 | 39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide v2.4
configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended ... Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.4. ... requires a private IP to be provided when registering the custom nodes. When setting the default_pod_security_policy_template_id: to restricted Rancher creates RoleBindings and ClusterRoleBindings on the
0 码力 | 22 pages | 197.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended ... Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.3.5 ... enable_network_policy: true default_pod_security_policy_template_id: "restricted" services: etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config:
0 码力 | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
and controls required to address CIS-Kubernetes benchmark controls. Rancher CIS-Kubernetes self assessment using RKE. This document has been created by the Engineering team at Rancher Labs. Profile Definitions ... profile intend to: offer practical advice appropriate for the environment; deliver an obvious security benefit; and not alter the functionality or utility of the environment beyond an acceptable margin ... more of the following characteristics: are intended for use in environments or use cases where security is paramount; act as a defense in depth measure; may negatively impact the utility or performance
0 码力 | 24 pages | 336.27 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
supporting customer tickets. Vishal's roles spanned from consulting Fortune 500 customers on DevOps assessment to hands down platform building for internet scale companies. Vishal is a DevOps practitioner with focus on TDD. Vishal's interests span continuous delivery, enterprise DevOps, containers and security. When not typing, Vishal can be found cycling, photographing or flipping pages. infraCloud technologies
0 码力 | 66 pages | 6.10 MB | 1 year ago
16 results in total













