non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center Rd., Ste. 460 Herndon, VA 20171 corsec.com +1 703.276.6050 FIPS 140-2 Security Policy Rancher Kubernetes Cryptographic Specification Name Date [140] FIPS 140-2, Security Requirements for Cryptographic Modules 12/3/2002 [140AA] FIPS 140-2 Annex A: Approved Security Functions 6/10/2019 [140AC] FIPS 140-2 Annex

e kube-api s e c t i on u n d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true 8 audit_log: e kube-api s e c t i on u n d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true audit_log: are using calico on AWS # # network: # plugin: calico # calico_network_provider: # cloud_provider: aws # # # To specify flannel interface # # network: # plugin: flannel # flannel_network_provider:

against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production production installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install audit compliance in Rancher-created clusters. This document is to be used by Rancher operators, security teams, auditors and decision makers. For more detail about each audit, including rationales and

admission control plugin EventRateLimit is set (Automated) 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) 1.2.12 Ensure that the admission control plugin AlwaysPullImages 2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated) 1.2.15 admission control plugin NamespaceLifecycle is set (Automated) 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated) 1.2.17 Ensure that the admission control plugin NodeRestriction

configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, requires a private IP to be provided when registering the custom nodes. When setting the default_pod_security_policy_template_id: to restricted Rancher creates RoleBindings and ClusterRoleBindings on the

configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information

profile intend to: offer practical advice appropriate for the environment; deliver an obvious security benefit; and not alter the functionality or utility of the environment beyond an acceptable margin more of the following characteristics: are intended for use in environments or use cases where security is paramount act as a defense in depth measure may negatively impact the utility or performance the control plane nodes in the cluster. Rationale Set up the EventRateLimit admission control plugin to prevent clients from overwhelming the API server. The settings below are intended as an initial

Contents CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies download a PDF version of this document Overview This document is a companion to the Rancher v2.4 security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation

Contents CIS v1.5 Kubernetes Benchmark - Rancher v2.5 with Kubernetes v1.15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark download a PDF version of this document Overview This document is a companion to the Rancher v2.5 security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation

CNI plug-in, CN2 is a networking platform that provides dynamic end-to-end virtual networking and security for cloud-native containerized and virtual machine (VM) workloads, across multi-cluster compute clusters to multi-cluster deployments, including: • Full overlay networking including load balancing, security and multi-tenancy, elastic and resilient VPNs, and gateway services in single-cluster and multi-cluster not only easier to configure and manage, but also easier to apply consistent network policy and security. Figure 5 on page 14 provides more detail on this setup. The Contrail controller sits in the Kubernetes