Rancher Hardening Guide - Rancher v2.1.x (24 pages | 336.27 KB | 1 year ago)
Engineering team at Rancher Labs. Profile Definitions: The following profile definitions agree with the CIS Benchmarks for Kubernetes. Level 1: Items in this profile intend to: offer practical advice … utility of the environment beyond an acceptable margin. Level 2: Items in this profile extend the "Level 1" profile and exhibit one or more of the following characteristics: … are intended for use in … HA Kubernetes cluster host configuration. 1.1.1 - Configure default sysctl settings on all hosts. Profile Applicability: Level 1. Description: [Rancher_Hardening_Guide.md, 11/30/2018, p. 2/24] Configure sysctl …
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 (132 pages | 1.12 MB | 1 year ago)
… administrative boundaries between resources using namespaces (Manual). 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual). 5.7.3 Apply Security Context to Your Pods … when using '!': set -H; USER_INPUT=$1; if [[ "${USER_INPUT}" == "" ]]; then echo "false"; exit; fi; if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*"; else PATTERN="${USER_INPUT}"; fi; PERMISSION=""; if [[ "$2" != "" ]]; then PERMISSION=$2; fi; FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}); while read -r fileInfo; do …
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment (47 pages | 302.56 KB | 1 year ago)
… directory ownership is set to etcd:etcd (Scored). Notes: The etcd container runs as the root user. The data directory and files are owned by root. Audit: stat -c %U:%G /var/lib/etcd. Returned Value: … does not store the Kubernetes default kubeconfig credentials file on the nodes. It is presented to the user where RKE is run. We recommend that this kube_config_cluster.yml file be kept in a secure store. Result: … config credentials file on the nodes. It presents credentials to the user when rke is first run, and only on the device where the user ran the command. Rancher Labs recommends that this kube_config_cluster…
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos (39 pages | 488.95 KB | 1 year ago)
… simplified cluster operations. • Consistent Security Policy and User Management: best-practice security policy enforcement and advanced user management on any infrastructure. • Access to Shared Tools and … Rancher 2.6 is a showcase of the acquisition's success and includes a new user experience designed for the enterprise user, full lifecycle management across the three major hyperscalers, and a strengthened … 3 Security Policy and User Management: A key benefit of deploying a Kubernetes Management Platform is implementing best-practice security policy enforcement and advanced user management on any infrastructure …
Rancher Kubernetes Cryptographic Library - FIPS 140-2 Non-Proprietary Security Policy (16 pages | 551.69 KB | 1 year ago)
… library which provides FIPS 140-2 approved cryptographic algorithms to serve BoringSSL and other user-space applications. The Module is classified by FIPS 140-2 as a software module, multi-chip standalone … approved operating system manages processes and threads in a logically separated manner. The module's user is considered the owner of the calling application that instantiates the module. The Module conforms … Services: The cryptographic module implements both User and Crypto Officer (CO) roles. The module does not support user authentication. The User and CO roles are implicitly assumed by the entity accessing …
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex (45 pages | 3.07 MB | 1 year ago)
… alerting, and centralized audit. Security, policy, and user management: SUSE Rancher lets you automate processes and applies a consistent set of user access and security policies to all your clusters, no … on the node. 3. Run the following commands to create a Linux user account on every node: $ useradd -m -G docker <user_name>; $ su - <user_name>; $ mkdir $HOME/.ssh; $ chmod 700 $HOME/.ssh (the directory needs the execute bit; 600 would lock the user out of it); $ touch $HOME/… replacing 'hostname' with the IP or hostname of each Kubernetes node: $ ssh -i $HOME/.ssh/id_rsa <user_name>@<hostname> docker version … Installation of the SUSE Rancher Kubernetes cluster …
Deploying and Scaling Kubernetes with Rancher (66 pages | 6.10 MB | 1 year ago)
… 2.4 How Rancher Extends Kubernetes for User-Friendly Container Management (p. 14); 2.4.1 Infrastructure Visibility … components listed for master as shown in the above diagram, there are optional components such as: user interface, container resource monitoring and logging-related components. 1.5 Summary: Kubernetes … in the Kubernetes ingress to a load balancer in Rancher. 2.4 How Rancher Extends Kubernetes for User-Friendly Container Management: As you might have noticed in the previous section, launching Kubernetes …
Hardening Guide - Rancher v2.3.3+ (44 pages | 279.78 KB | 1 year ago)
…ation. • On the etcd server node(s) add the etcd user: useradd -c "Etcd user" -d /var/lib/etcd etcd. Record the uid/gid: id etcd. • Add the following to the cluster.yml etcd section under services: services: etcd: uid: <etcd user uid recorded previously> gid: <etcd user gid recorded previously> … 2.1 - Rancher HA Kubernetes Cluster … require administrative privileges. Any role that is not admin or user should be audited in the RBAC section of the UI to ensure that the …
Rancher Hardening Guide v2.3.5 (21 pages | 191.56 KB | 1 year ago)
Contents: Overview; Configure Kernel Runtime Parameters; Configure etcd user and group; Ensure that all Namespaces have Network Policies defined; Reference Hardened RKE cluster … the settings. Configure etcd user and group: A user account and group for the etcd service is required to be set up prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config yml to set the proper permissions for files and directories during installation time. Create etcd user and group: To create the etcd group run the following console commands: addgroup --gid 52034 etcd …
Rancher Hardening Guide v2.4 (22 pages | 197.27 KB | 1 year ago)
Contents: Overview; Configure Kernel Runtime Parameters; Configure etcd user and group; Ensure that all Namespaces have Network Policies defined; Reference Hardened RKE cluster … the settings. Configure etcd user and group: A user account and group for the etcd service is required to be set up prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config yml to set the proper permissions for files and directories during installation time. Create etcd user and group: To create the etcd group run the following console commands: groupadd --gid 52034 etcd …
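The permission helper excerpted from the CIS 1.6 self-assessment guide, the `stat -c %U:%G /var/lib/etcd` ownership audit from the v1.4.0 self-assessment, and the etcd uid/gid setup in the v2.3.x and v2.4 hardening guides all reduce to one check: stat each file and compare its mode or owner against an expected value, answering "true" or "false". The script below does that as a stand-alone POSIX sh program. It is an added example, not code from any of the guides listed here; the function names `check_files_permissions` and `check_files_ownership` are illustrative, the sample directory is constructed in a temp dir, and GNU coreutils `stat -c` (Linux) is assumed.

```shell
#!/bin/sh
# Added example, not from any of the Rancher guides listed on this page: audit
# file mode and ownership the way the CIS self-assessment helpers do. POSIX sh,
# GNU coreutils `stat -c` (Linux). Function names are illustrative.

# check_files_permissions PATH [MODE]
# PATH is a file, or a directory whose direct entries are all checked (the
# guide's "${USER_INPUT}/*"). With MODE (octal, e.g. 600) every file must have
# exactly that mode; without it, 644 / 640 / 600 are accepted, i.e. "644 or
# more restrictive". Prints "true" or "false" and returns 0 / 1 to match.
check_files_permissions() {
  _target=$1; _wanted=${2:-}
  [ -n "$_target" ] && [ -e "$_target" ] || { echo "false"; return 1; }
  if [ -d "$_target" ]; then set -- "$_target"/*; else set -- "$_target"; fi
  for _f in "$@"; do
    [ -e "$_f" ] || { echo "false"; return 1; }   # empty dir: the glob did not expand
    _mode=$(stat -c %a "$_f")
    if [ -n "$_wanted" ]; then
      [ "$_mode" = "$_wanted" ] || { echo "false"; return 1; }
    else
      case "$_mode" in 644|640|600) ;; *) echo "false"; return 1 ;; esac
    fi
  done
  echo "true"
}

# check_files_ownership PATH OWNER:GROUP
# OWNER:GROUP may be names (etcd:etcd, as the benchmark phrases it) or numeric
# ids (52034:52034, the values the v2.3.5 / v2.4 hardening guides assign); a
# file passes if either form matches. Prints "true" / "false", returns 0 / 1.
check_files_ownership() {
  _target=$1; _wanted=$2
  [ -n "$_target" ] && [ -e "$_target" ] && [ -n "$_wanted" ] || { echo "false"; return 1; }
  if [ -d "$_target" ]; then set -- "$_target"/*; else set -- "$_target"; fi
  for _f in "$@"; do
    [ -e "$_f" ] || { echo "false"; return 1; }
    if [ "$(stat -c %U:%G "$_f")" != "$_wanted" ] && [ "$(stat -c %u:%g "$_f")" != "$_wanted" ]; then
      echo "false"; return 1
    fi
  done
  echo "true"
}

# Constructed fixture standing in for an etcd data directory: one file with the
# expected 600 mode and one left world-writable, so both outcomes show up.
FIXTURE=$(mktemp -d)
printf 'x' > "$FIXTURE/member.db";  chmod 600 "$FIXTURE/member.db"
printf 'x' > "$FIXTURE/loose.conf"; chmod 666 "$FIXTURE/loose.conf"
ME="$(id -u):$(id -g)"

# On a real node the equivalent calls would be, for example:
#   check_files_permissions /var/lib/etcd 700; check_files_ownership /var/lib/etcd etcd:etcd
echo "member.db mode ok:  $(check_files_permissions "$FIXTURE/member.db" 600)"   # true
echo "directory modes ok: $(check_files_permissions "$FIXTURE")"                 # false (loose.conf is 666)
echo "ownership ok:       $(check_files_ownership "$FIXTURE" "$ME")"             # true
```

Two behaviours differ deliberately from a bare `stat` loop: an empty directory or a missing path yields "false" rather than a stat error, so a misconfigured audit path cannot pass by accident, and ownership accepts the numeric uid:gid as well as the names, which matters on a node where the etcd account exists only inside the container image and `%U` prints UNKNOWN.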
18 results in total