Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment Rancher v2.2.x Version 1.1.0 - August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned provisioned according to the Rancher v2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes

CIS Benchmark Rancher Self-Assessment Guide - v2.4 CIS Benchmark Rancher Self-Assessment Guide - v2.4 1 4 5 6 6 14 29 33 34 34 37 37 38 38 42 49 49 50 52 Contents CIS Kubernetes Benchmark Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Network Policies and CNI CIS Benchmark Rancher Self-Assessment Guide - v2.4 2 53 5.6 General Policies CIS Benchmark Rancher Self-Assessment Guide - v2.4 3 CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with

CIS 1.6 Benchmark - Self- Assessment Guide - Rancher v2.5.4 CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 1 8 9 10 10 10 11 12 15 17 17 18 18 18 19 19 19 20 20 20 21 21 Contents CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated) CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 2 21 21 22 23 23 24 26 27 29 31 33 34 36

CIS 1.5 Benchmark - Self- Assessment Guide - Rancher v2.5 CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 1 4 5 6 6 14 29 33 34 34 37 37 38 38 42 49 49 50 Contents CIS v1 v1.5 Kubernetes Benchmark - Rancher v2.5 with Kubernetes v1.15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 52 53 5.3 Network Policies and CNI 5.6 General Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 3 CIS v1.5 Kubernetes

outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide v2.4 Rancher v2.4 Benchmark v1.5 Kubernetes Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment

outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide v2.3.5 Rancher v2.3.5 Benchmark v1.5 Kubernetes Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment

Support 4 4 4 2 Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies 4 2 3 2 2.4 Shared Tools and Services Once deployed, Kubernetes Rancher-managed Amazon EKS, Microsoft AKS and Google GKE deployments support templating and CIS benchmark scanning to maintain high security and minimize configuration drift between clusters. 3.1.6 called a Policy Controller that implements similar functionality. 3.2.3 Configurable Adherence to CIS Security Benchmarks • SUSE Rancher: 4 • OpenShift: 3 • Tanzu: 2 • Anthos: 2 3.2.3.1

Rancher v2.1.x. It outlines the configurations and controls required to address CIS-Kubernetes benchmark controls. Rancher CIS-Kubernetes self assessment using RKE This document has been created by the Engineering Engineering team at Rancher Labs. Profile Definitions The following profile definitions agree with the CIS Benchmarks for Kubernetes. Level 1 Items in this profile intend to: offer practical advice appropriate Description Ensure Kubelet options are configured to match CIS controls. Rationale To pass the following controls in the CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1

kernel livepatch- ing, access to FIPS-validated packages, and compliance with security profiles such as CIS. This is not required for Ubuntu Pro instances through public clouds such as AWS, Azure or GCP, since the Pro Client to activate most of the Ubuntu Pro services, including Livepatch, FIPS, and the CIS Benchmark tool. Further reading • For more information about the Ubuntu Pro Client, you can read our documentation [ ] etcd Resilient key-value store by CoreOS > [ ] stress-ng A tool to load, stress test and benchmark a computer s > [ ] sabnzbd SABnzbd > [ ] wormhole get things from one computer to another, safely

markup (we here use @noinline to prevent the optimizer from trying to be too clever and defeat our benchmark): CHAPTER 34. PERFORMANCE TIPS 393 @noinline function inner(x, y) s = zero(eltype(x)) for i=eachindex(x) – in general, the speedup will be smaller. (In this particular example, the working set of the benchmark is small enough to fit into the L1 cache of the processor, so that memory access latency does not See also [sind], [sinpi], [sincos], [cis]. source Base.cos – Method. cos(x) Compute cosine of x, where x is in radians. See also [cosd], [cospi], [sincos], [cis]. source Base.Math.sincos – Method