From 209c4980eaae0140e0cf4f4f2d997170e09a28c5 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Wed, 17 Jul 2019 15:06:24 -0700 Subject: [PATCH] Disambiguate versions in hardening and benchmark guides --- content/rancher/v2.x/en/security/_index.md | 12 +++--- .../v2.x/en/security/benchmark-2.1/_index.md | 8 ++-- .../v2.x/en/security/benchmark-2.2/_index.md | 40 +++++++++++-------- .../v2.x/en/security/hardening-2.1/_index.md | 4 +- .../v2.x/en/security/hardening-2.2/_index.md | 28 +++++++------ 5 files changed, 52 insertions(+), 40 deletions(-) diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index 4318eae12e7..09d53a4f439 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md @@ -14,7 +14,7 @@ weight: 7505

Please submit possible security issues by emailing security@rancher.com

-

Announcments

+

Announcements

Subscribe to the Rancher announcements forum for release updates.

@@ -22,17 +22,19 @@ weight: 7505 ### Rancher Hardening Guide -The Rancher Hardening Guide is based off of controls and best practices found in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/). The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x. See Rancher's [Self Assessment of the CIS Kubernetes Benchmark](#CIS-Benchmark-Rancher-Self-Assessment) for the full list of security controls. +The Rancher Hardening Guide is based off of controls and best practices found in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) from the Center for Internet Security. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x. and Rancher v2.2.x. See Rancher's [Self Assessment of the CIS Kubernetes Benchmark](#cis-benchmark-rancher-self-assessment) for the full list of security controls. -* [CIS Kubernetes Benchmark 1.3.0 - Rancher 2.1.x with Kubernetes 1.11]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.1/) +- [Hardening Guide for Rancher v2.1.x with Kubernetes 1.11]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.1/) +- [Hardening Guide for Rancher v2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.2/) ### CIS Benchmark Rancher Self-Assessment -This document is a companion to the Rancher v2.1.x security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster. +The benchmark self-assessment is a companion to the Rancher security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster. 
-Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher created clusters. The original benchmark documents can be downloaded from the [CIS website](https://www.cisecurity.org/benchmark/kubernetes/). +Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher created clusters. The original benchmark documents can be downloaded from the [CIS website](https://www.cisecurity.org/benchmark/kubernetes/). * [CIS Kubernetes Benchmark 1.3.0 - Rancher 2.1.x with Kubernetes 1.11]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.1/) +* [CIS Kubernetes Benchmark 1.4.0 - Rancher 2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.2/) ### Rancher CVEs and Resolutions diff --git a/content/rancher/v2.x/en/security/benchmark-2.1/_index.md b/content/rancher/v2.x/en/security/benchmark-2.1/_index.md index 4ed34f3e53f..e2687edd5dd 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.1/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.1/_index.md @@ -1,6 +1,6 @@ --- title: CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.1.x -weight: 100 +weight: 104 --- ### CIS Kubernetes Benchmark 1.3.0 - Rancher 2.1.x with Kubernetes 1.11 
@@ -9,9 +9,9 @@ weight: 100 #### Overview -This document is a companion to the Rancher v2.1.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster. +The following document scores a Kubernetes 1.11.x RKE cluster provisioned according to the Rancher v2.1.x hardening guide against the CIS 1.3.0 Kubernetes benchmark. -The scope of this document is limited to scoring a Kubernetes v1.11.x RKE cluster against the CIS Kubernetes benchmark v1.3.0. The hardened cluster is evaluated against each recommendation from the Center for Internet Security (CIS) in the benchmark. +This document is a companion to the Rancher v2.1.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher-created clusters. @@ -202,7 +202,7 @@ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--enable-admission-p **Notes** -This control may be out of date. This **SHOULD NOT** be set if you are using `PodSecurityPolicy` (PSP). From the Kubernetes 1.11 documentation: +This control may be out of date. This **SHOULD NOT** be set if you are using a `PodSecurityPolicy` (PSP). From the Kubernetes 1.11 documentation: > This should be enabled if a cluster doesn’t utilize pod security policies to restrict the set of values a security context can take. 
diff --git a/content/rancher/v2.x/en/security/benchmark-2.2/_index.md b/content/rancher/v2.x/en/security/benchmark-2.2/_index.md index 2fc44221917..46a72f06c33 100644 --- a/content/rancher/v2.x/en/security/benchmark-2.2/_index.md +++ b/content/rancher/v2.x/en/security/benchmark-2.2/_index.md @@ -1,6 +1,6 @@ --- -title: Benchmark - Rancher v2.2.x -weight: 100 +title: CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.2.x +weight: 103 --- ### CIS Kubernetes Benchmark 1.4.0 - Rancher 2.2.x with Kubernetes 1.13 
@@ -9,7 +9,15 @@ weight: 100 #### Overview -The following document scores a Kubernetes 1.13.x RKE cluster provisioned according to the Rancher 2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark. This document is to be used by Rancher operators, security teams, auditors and decision makers. +The following document scores a Kubernetes 1.13.x RKE cluster provisioned according to the Rancher v2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark. + +This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. + +Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher-created clusters. + +This document is to be used by Rancher operators, security teams, auditors and decision makers. + +For more detail about each audit, including rationales and remediations for failing tests, you can refer to the corresponding section of the CIS Kubernetes Benchmark v1.4.0. You can download the benchmark after logging in to [CISecurity.org]( https://www.cisecurity.org/benchmark/kubernetes/). #### Testing controls methodology 
@@ -189,7 +197,7 @@ docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--enable-admission-p **Notes** -This **SHOULD NOT** be set if you are using `PodSecurityPolicy` (PSP). From CIS Benchmark document: +This **SHOULD NOT** be set if you are using a `PodSecurityPolicy` (PSP). From the CIS Benchmark document: > This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies @@ -1172,7 +1180,7 @@ docker inspect etcd | jq -e '.[0].Args[] | match("--auto-tls(?:(?!=false).*)").s #### 1.5.4 - Ensure that the `--peer-cert-file` and `--peer-key-file` arguments are set as appropriate (Scored) -**Audit** (`--peer-cert-file) +**Audit** (`--peer-cert-file`) ``` bash docker inspect etcd | jq -e '.[0].Args[] | match("--peer-cert-file=.*").string' @@ -1183,7 +1191,7 @@ Certificate file name may vary slightly, since it contains the IP of the etcd co **Returned Value:** `--peer-cert-file=/etc/kubernetes/ssl/kube-etcd-172-31-22-135.pem` -**Audit** (`--peer-key-file) +**Audit** (`--peer-key-file`) ``` bash docker inspect etcd | jq -e '.[0].Args[] | match("--peer-key-file=.*").string' @@ -1200,7 +1208,7 @@ Key file name may vary slightly, since it contains the IP of the etcd container. **Notes** -Setting "--peer-client-cert-auth" is the equivalent of setting "--peer-client-cert-auth=true". +Setting `--peer-client-cert-auth` is the equivalent of setting `--peer-client-cert-auth=true`. **Audit** 
@@ -1271,7 +1279,7 @@ Since this requires the enabling of AllAlpha feature gates we would not recommen #### 1.6.5 - Apply security context to your pods and containers (Not Scored) -This practice does go against control 1.1.13, but we prefer using PSP and allowing security context to be set over a blanket deny. +This practice does go against control 1.1.13, but we prefer using a PodSecurityPolicy and allowing security context to be set over a blanket deny. Rancher allows users to set various Security Context options when launching pods via the GUI interface. @@ -1285,7 +1293,7 @@ Rancher can (optionally) automatically create Network Policies to isolate projec See the _Cluster Options_ section when creating a cluster with Rancher to turn on network isolation. -#### 1.6.8 - Place compensating controls in the form of PSP and RBAC for privileged container usage (Not Scored) +#### 1.6.8 - Place compensating controls in the form of PodSecurityPolicy (PSP) and RBAC for privileged container usage (Not Scored) Section 1.7 of this guide shows how to add and configure a default "restricted" PSP based on controls. @@ -1303,7 +1311,7 @@ This RKE configuration has two Pod Security Policies. **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** @@ -1319,7 +1327,7 @@ kubectl get psp restricted -o jsonpath='{.spec.privileged}' | grep "true" **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** @@ -1335,7 +1343,7 @@ kubectl get psp restricted -o jsonpath='{.spec.hostPID}' | grep "true" **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** 
@@ -1351,7 +1359,7 @@ kubectl get psp restricted -o jsonpath='{.spec.hostIPC}' | grep "true" **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** @@ -1367,7 +1375,7 @@ kubectl get psp restricted -o jsonpath='{.spec.hostNetwork}' | grep "true" **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** @@ -1383,7 +1391,7 @@ kubectl get psp restricted -o jsonpath='{.spec.allowPrivilegeEscalation}' | grep **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** @@ -1399,7 +1407,7 @@ kubectl get psp restricted -o jsonpath='{.spec.runAsUser.rule}' | grep "RunAsAny **Notes** -The restricted PSP is available to all ServiceAccounts. +The restricted PodSecurityPolicy is available to all ServiceAccounts. **Audit** diff --git a/content/rancher/v2.x/en/security/hardening-2.1/_index.md b/content/rancher/v2.x/en/security/hardening-2.1/_index.md index f9aa7140992..07c9338593a 100644 --- a/content/rancher/v2.x/en/security/hardening-2.1/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.1/_index.md @@ -1,6 +1,6 @@ --- title: Hardening Guide - Rancher v2.1.x -weight: 100 +weight: 102 --- ### Hardening Guide for Rancher 2.1.x with Kubernetes 1.11 
@@ -11,7 +11,7 @@ weight: 100 This document provides prescriptive guidance for hardening a production installation of Rancher v2.1.x. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). -For more detail on how a hardened cluster scores against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.1/). +For more detail on how a hardened cluster scores against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.1.x]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.1/). ### Profile Definitions diff --git a/content/rancher/v2.x/en/security/hardening-2.2/_index.md b/content/rancher/v2.x/en/security/hardening-2.2/_index.md index 26bfcf20c73..79f25fcc598 100644 --- a/content/rancher/v2.x/en/security/hardening-2.2/_index.md +++ b/content/rancher/v2.x/en/security/hardening-2.2/_index.md @@ -1,6 +1,6 @@ --- title: Hardening Guide - Rancher v2.2.x -weight: 100 +weight: 101 --- ### Hardening Guide for Rancher 2.2.x with Kubernetes 1.13 
@@ -9,13 +9,15 @@ weight: 100 ### Overview -This document provides prescriptive guidance for hardening a production installation of Rancher v2.2.x. It outlines the configurations and controls required to address CIS-Kubernetes benchmark controls. +This document provides prescriptive guidance for hardening a production installation of Rancher v2.2.x with Kubernetes v1.13. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). -[CIS Benchmark Rancher Self-Assessment Guide]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.2/) +For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the [CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.2.x]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.2/). ### Profile Definitions -The following profile definitions agree with the CIS Benchmarks for Kubernetes. +The following profile definitions agree with the CIS benchmarks for Kubernetes. + +A profile is a set of configurations that provide a certain amount of hardening. Generally, the more hardened an environment is, the more it affects performance. #### Level 1 @@ -327,7 +329,7 @@ plugins: path: /etc/kubernetes/event.yaml ``` -- For event.yaml set the contents to: +- For `event.yaml` set the contents to: ``` yaml apiVersion: eventratelimit.admission.k8s.io/v1alpha1 
@@ -356,10 +358,10 @@ Ensure Kubelet options are configured to match CIS controls. To pass the following controls in the CIS benchmark, ensure the appropriate flags are passed to the Kubelet. -- 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) -- 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) -- 2.1.8 - Ensure that the --make-iptables-util-chains argument is set to true (Scored) -- 2.1.10 - Ensure that the --event-qps argument is set to 0 (Scored) +- 2.1.6 - Ensure that the `--streaming-connection-idle-timeout` argument is not set to 0 (Scored) +- 2.1.7 - Ensure that the `--protect-kernel-defaults` argument is set to true (Scored) +- 2.1.8 - Ensure that the `--make-iptables-util-chains` argument is set to true (Scored) +- 2.1.10 - Ensure that the `--event-qps` argument is set to 0 (Scored) **Audit** @@ -561,9 +563,9 @@ Set the appropriate arguments on the Kubernetes controller manager. To address the following controls the options need to be passed to the Kubernetes controller manager. -- 1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) -- 1.3.2 - Ensure that the --profiling argument is set to false (Scored) -- 1.3.7 - Ensure that the --address argument is set to 127.0.0.1 (Scored) +- 1.3.1 - Ensure that the `--terminated-pod-gc-threshold` argument is set as appropriate (Scored) +- 1.3.2 - Ensure that the `--profiling` argument is set to false (Scored) +- 1.3.7 - Ensure that the `--address` argument is set to 127.0.0.1 (Scored) **Audit** @@ -583,7 +585,7 @@ docker inspect kube-controller-manager **Remediation** -- In the RKE cluster.yml file ensure the following options are set: +- In the RKE `cluster.yml` file ensure the following options are set: ``` yaml services:
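Review bot: "Center for Information Security (CIS)" in the new Overview line of `hardening-2.2/_index.md` (hunk `@@ -9,13 +9,15 @@`) is the wrong organisation name; CIS is the Center for Internet Security, and this same patch spells it that way in `security/_index.md` ("from the Center for Internet Security"). The unchanged context line in `hardening-2.1/_index.md` (hunk `@@ -11,7 +11,7 @@`) carries the same error, and since that file is already touched here it would be cleanest to fix both in this commit rather than leave the two hardening guides contradicting the landing page.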
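Review bot: stray full stop in "hardening a production installation of Rancher v2.1.x. and Rancher v2.2.x." in the `security/_index.md` hunk `@@ -22,17 +22,19 @@`; it should read "Rancher v2.1.x and Rancher v2.2.x". The same hunk switches the hardening-guide list to `-` bullets while the benchmark list two paragraphs below keeps `*` bullets; pick one marker for the page. "based off of" would also read better as "based on".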
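Review bot: ordering is inconsistent between the landing page and the front-matter weights. `security/_index.md` lists the v2.1.x guide before v2.2.x in both lists, but the new weights (hardening-2.2: 101, hardening-2.1: 102, benchmark-2.2: 103, benchmark-2.1: 104) will, under Hugo's lower-weight-first sorting, put the v2.2.x pages ahead of v2.1.x in the navigation. If newest-first is the intent, reorder the two lists in `_index.md` to match; otherwise swap the weights.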
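Review bot: the new link `[CISecurity.org]( https://www.cisecurity.org/benchmark/kubernetes/)` in the `benchmark-2.2/_index.md` Overview hunk (`@@ -9,7 +9,15 @@`) has a leading space inside the parentheses, which some Markdown renderers will not treat as a link target; drop the space. In the same hunk, the paragraph "The following document scores ... hardening guide" mentions the hardening guide without linking it, even though the hardening page links back to this benchmark; add `[Rancher v2.2.x hardening guide]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.2/)`. Three consecutive paragraphs now open with "This document"; the audience sentence ("to be used by Rancher operators, security teams, auditors and decision makers") could be folded into the first paragraph.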
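Review bot: the rewritten Overview in `benchmark-2.1/_index.md` (hunk `@@ -9,9 +9,9 @@`) refers to "the Rancher v2.1.x hardening guide" twice but never links it, while the companion hardening page gained an explicit link to this benchmark in the same patch; add `[Rancher v2.1.x hardening guide]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.1/)` on first mention so the two pages cross-reference each other.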
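Review bot: "Generally, the more hardened an environment is, the more it affects performance" in the Profile Definitions hunk of `hardening-2.2/_index.md` (`@@ -9,13 +9,15 @@`) is vague and slightly misleading for a CIS profile definition: the cost of the stricter profile is usually reduced functionality or compatibility (workloads that need privileged containers, host networking, and so on), not primarily performance. Suggest "the more hardened an environment is, the more it may restrict functionality or performance", which also matches how CIS describes its Level 2 profile.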
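Review bot: abbreviation handling is inconsistent across the `benchmark-2.2/_index.md` PSP hunks. The heading change at 1.6.8 introduces "PodSecurityPolicy (PSP)", which defines the abbreviation, yet the seven notes that follow (`@@ -1303,7` through `@@ -1399,7`) each expand "restricted PSP" to "restricted PodSecurityPolicy". Either keep "PSP" after it has been defined or drop the "(PSP)" from the heading; the expansions are not wrong, but a reader now sees both forms in alternating lines.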