Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment Rancher v2.2.x Version 1.1.0 - August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned provisioned according to the Rancher v2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes

CIS Benchmark Rancher Self-Assessment Guide - v2.4 CIS Benchmark Rancher Self-Assessment Guide - v2.4 1 4 5 6 6 14 29 33 34 34 37 37 38 38 42 49 49 50 52 Contents CIS Kubernetes Benchmark Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Network Policies and CNI CIS Benchmark Rancher Self-Assessment Guide - v2.4 2 53 5.6 General Policies CIS Benchmark Rancher Self-Assessment Guide - v2.4 3 CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with

CIS 1.6 Benchmark - Self- Assessment Guide - Rancher v2.5.4 CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 1 8 9 10 10 10 11 12 15 17 17 18 18 18 19 19 19 20 20 20 21 21 Contents CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more Ensure that the scheduler.conf file permissions are set to 644 or more restrictive (Automated) CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 2 21 21 22 23 23 24 26 27 29 31 33 34 36

CIS 1.5 Benchmark - Self- Assessment Guide - Rancher v2.5 CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 1 4 5 6 6 14 29 33 34 34 37 37 38 38 42 49 49 50 Contents CIS v1 v1.5 Kubernetes Benchmark - Rancher v2.5 with Kubernetes v1.15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 52 53 5.3 Network Policies and CNI 5.6 General Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 3 CIS v1.5 Kubernetes

outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide v2.4 Rancher v2.4 Benchmark v1.5 Kubernetes Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment

outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide v2.3.5 Rancher v2.3.5 Benchmark v1.5 Kubernetes Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment

Support 4 4 4 2 Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies 4 2 3 2 2.4 Shared Tools and Services Once deployed, Kubernetes Rancher-managed Amazon EKS, Microsoft AKS and Google GKE deployments support templating and CIS benchmark scanning to maintain high security and minimize configuration drift between clusters. 3.1.6 called a Policy Controller that implements similar functionality. 3.2.3 Configurable Adherence to CIS Security Benchmarks • SUSE Rancher: 4 • OpenShift: 3 • Tanzu: 2 • Anthos: 2 3.2.3.1

Rancher v2.1.x. It outlines the configurations and controls required to address CIS-Kubernetes benchmark controls. Rancher CIS-Kubernetes self assessment using RKE This document has been created by the Engineering Engineering team at Rancher Labs. Profile Definitions The following profile definitions agree with the CIS Benchmarks for Kubernetes. Level 1 Items in this profile intend to: offer practical advice appropriate Description Ensure Kubelet options are configured to match CIS controls. Rationale To pass the following controls in the CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1

节点上自定义数据的收集(依赖于自定义插件) 问题上报 • 需要采集和分析结果文件 Kube* CIS Kubernetes Benchmark 集群安全扫描 集群综合检查 执行 bpftrace 检测工具小结 工具 适用场景 局限性 kube-bench 在集群中运行 CIS Benchmark 检测项依赖于 CIS Benchmark 内容 能发现集群核心组件配置错误 无法发现如 Flannel 组件异常

clock de 1 GHz significa que o tempo por ciclo de clock é de 1 ns (1/109). Por exemplo, para o benchmark CoreMark [Gal-On and Levy 2012] (100.000 iterações), o desempenho no ARM-32 Cortex-A9 é 32.27 B hoje ante- cipam os resultados dos desvios usando preditores de hardware, que podem exceder a pre- cisão de 90% e trabalhar com qualquer tamanho de pipeline. Eles precisam apenas de um mecanismo para liberar Berkeley, 2015. S. Gal-On and M. Levy. Exploring CoreMark - a benchmark maximizing simplicity and efficacy. The Embedded Microprocessor Benchmark Consortium, 2012. Intel Corporation. Intel 64 and IA-32 Architectures