Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment Rancher v2.2.x Version 1.1.0 - August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned provisioned according to the Rancher v2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated

CIS Benchmark Rancher Self-Assessment Guide - v2.4 CIS Benchmark Rancher Self-Assessment Guide - v2.4 1 4 5 6 6 14 29 33 34 34 37 37 38 38 42 49 49 50 52 Contents CIS Kubernetes Benchmark 5.3 Network Policies and CNI CIS Benchmark Rancher Self-Assessment Guide - v2.4 2 53 5.6 General Policies CIS Benchmark Rancher Self-Assessment Guide - v2.4 3 CIS Kubernetes Benchmark v1.5 - Rancher hardening guide, Rancher, Kubernetes, and the CIS Benchmark: Self Assessment Guide Version Rancher Version Hardening Guide Version Kubernetes Version CIS Benchmark Version Self Assessment Guide v2

CIS 1.6 Benchmark - Self- Assessment Guide - Rancher v2.5.4 CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 1 8 9 10 10 10 11 12 15 17 17 18 18 18 19 19 19 20 20 20 21 21 Contents CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more 15 Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated) CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 2 21 21 22 23 23 24 26 27 29 31 33

CIS 1.5 Benchmark - Self- Assessment Guide - Rancher v2.5 CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 1 4 5 6 6 14 29 33 34 34 37 37 38 38 42 49 49 50 Contents CIS v1 Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 52 53 5.3 Network Policies and CNI 5.6 General Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 3 CIS v1.5 Kubernetes guide, Rancher, CIS Benchmark, and Kubernetes: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide with CIS 1.5 Benchmark Rancher v2.5 CIS v1.5 Kubernetes

Support 4 4 4 2 Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies 4 2 3 2 2.4 Shared Tools and Services Once deployed, Kubernetes SUSE Rancher-managed Amazon EKS, Microsoft AKS and Google GKE deployments support templating and CIS benchmark scanning to maintain high security and minimize configuration drift between clusters. called a Policy Controller that implements similar functionality. 3.2.3 Configurable Adherence to CIS Security Benchmarks • SUSE Rancher: 4 • OpenShift: 3 • Tanzu: 2 • Anthos: 2 3.2.3.1

controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended to is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher

controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended to is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher

Rancher v2.1.x. It outlines the configurations and controls required to address CIS-Kubernetes benchmark controls. Rancher CIS-Kubernetes self assessment using RKE This document has been created by the Engineering Engineering team at Rancher Labs. Profile Definitions The following profile definitions agree with the CIS Benchmarks for Kubernetes. Level 1 Items in this profile intend to: offer practical advice appropriate / 24 Description Ensure Kubelet options are configured to match CIS controls. Rationale To pass the following controls in the CIS benchmark, ensure the appropriate flags are passed to the Kubelet.

节点上自定义数据的收集(依赖于自定义插件) 问题上报 • 需要采集和分析结果文件 Kube* CIS Kubernetes Benchmark 集群安全扫描 集群综合检查 执行 bpftrace 检测工具小结 工具 适用场景 局限性 kube-bench 在集群中运行 CIS Benchmark 检测项依赖于 CIS Benchmark 内容 能发现集群核心组件配置错误 无法发现如 Flannel

"Hello")] Chapter 17 Data.Complex module Data.Complex ( Complex(:+), realPart, imagPart, mkPolar, cis, polar, magnitude, phase, conjugate ) where 17.1 Rectangular form data RealFloat a => Complex a Complex a Form a complex number from polar components of magnitude and phase. cis :: RealFloat a => a -> Complex a cis t is a complex value with magnitude 1 and phase t (modulo 2*pi). polar :: RealFloat number. 17.4 Specification module Data.Complex(Complex((:+)), realPart, imagPart, conjugate, mkPolar, cis, polar, magnitude, phase) where infix 6 :+ data (RealFloat a) => Complex a = !a :+ !a deriving (Eq