diff --git a/content/rancher/v2.5/en/logging/_index.md b/content/rancher/v2.5/en/logging/_index.md index 4dab871ff80..36acadc4b50 100644 --- a/content/rancher/v2.5/en/logging/_index.md +++ b/content/rancher/v2.5/en/logging/_index.md @@ -19,6 +19,7 @@ aliases: - [Examples](#examples) - [Working with a Custom Docker Root Directory](#working-with-a-custom-docker-root-directory) - [Working with Taints and Tolerations](#working-with-taints-and-tolerations) +- [Logging v2 with SELinux](#logging-v2-with-selinux) - [Additional Logging Sources](#additional-logging-sources) - [Troubleshooting](#troubleshooting) @@ -425,6 +426,19 @@ fluentbit_tolerations: # insert tolerations list for fluentbit containers only... ``` + +# Logging v2 with SELinux + +_Available as of v2.5.8_ + +> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8. + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +To use Logging v2 with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm) + +Then you will need to configure the logging application to work with SELinux as shown in [this section.]({{}}/rancher/v2.5/en/security/selinux/#configuring-the-logging-application-to-work-with-selinux) + # Additional Logging Sources By default, Rancher collects logs for [control plane components](https://kubernetes.io/docs/concepts/overview/components/#control-plane-components) and [node components](https://kubernetes.io/docs/concepts/overview/components/#node-components) for all cluster types. @@ -445,6 +459,7 @@ To enable hosted Kubernetes providers as additional logging sources, go to **Clu When enabled, Rancher collects all additional node and control plane logs the provider has made available, which may vary between providers. If you're already using a cloud provider's own logging solution such as AWS CloudWatch or Google Cloud operations suite (formerly Stackdriver), it is not necessary to enable this option as the native solution will have unrestricted access to all logs. + # Troubleshooting ### The `cattle-logging` Namespace Being Recreated diff --git a/content/rancher/v2.5/en/security/_index.md b/content/rancher/v2.5/en/security/_index.md index a50954a1fb2..8586f78b957 100644 --- a/content/rancher/v2.5/en/security/_index.md +++ b/content/rancher/v2.5/en/security/_index.md @@ -25,6 +25,7 @@ Security is at the heart of all Rancher features. From integrating with all the On this page, we provide security-related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters: - [Running a CIS security scan on a Kubernetes cluster](#running-a-cis-security-scan-on-a-kubernetes-cluster) +- [SELinux RPM](#selinux-rpm) - [Guide to hardening Rancher installations](#rancher-hardening-guide) - [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment) - [Third-party penetration test reports](#third-party-penetration-test-reports) @@ -46,6 +47,12 @@ When Rancher runs a CIS security scan on a cluster, it generates a report showin For details, refer to the section on [security scans.]({{}}/rancher/v2.5/en/cis-scans) +### SELinux RPM + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +We provide two RPMs (Red Hat packages) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. For details, see [this page.]({{}}/rancher/v2.5/en/security/selinux) + ### Rancher Hardening Guide The Rancher Hardening Guide is based on controls and best practices found in the CIS Kubernetes Benchmark from the Center for Internet Security. diff --git a/content/rancher/v2.5/en/security/rancher-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/_index.md index 3b7eb986652..dc5c0d8d71a 100644 --- a/content/rancher/v2.5/en/security/rancher-2.5/_index.md +++ b/content/rancher/v2.5/en/security/rancher-2.5/_index.md @@ -6,6 +6,15 @@ weight: 1 Rancher v2.5 introduced the capability to deploy Rancher on any Kubernetes cluster. For that reason, we now provide separate security hardening guides for Rancher deployments on each of Rancher's Kubernetes distributions. +- [Rancher Kubernetes Distributions](#rancher-kubernetes-distributions) +- [Hardening Guides and Benchmark Versions](#hardening-guides-and-benchmark-versions) + - [RKE Guides](#rke-guides) + - [RKE2 Guides](#rke2-guides) + - [K3s Guides](#k3s) +- [Rancher with SELinux](#rancher-with-selinux) + +# Rancher Kubernetes Distributions + Rancher has the following Kubernetes distributions: - [**RKE,**]({{}}/rke/latest/en/) Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. @@ -14,7 +23,7 @@ Rancher has the following Kubernetes distributions: To harden a Kubernetes cluster outside of Rancher's distributions, refer to your Kubernetes provider docs. -# Guides +# Hardening Guides and Benchmark Versions These guides have been tested along with the Rancher v2.5 release. Each self-assessment guide is accompanied with a hardening guide and tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can choose to use the existing guides until a newer version is added. @@ -34,3 +43,11 @@ Kubernetes v1.18 | CIS v1.5 | [Link](https://docs.rke2.io/security/cis_self_asse ### K3s Guides The K3s security guides will be added soon. + +# Rancher with SELinux + +_Available as of v2.5.8_ + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +To use Rancher with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm) \ No newline at end of file diff --git a/content/rancher/v2.5/en/security/selinux/_index.md b/content/rancher/v2.5/en/security/selinux/_index.md new file mode 100644 index 00000000000..fe707e064e2 --- /dev/null +++ b/content/rancher/v2.5/en/security/selinux/_index.md @@ -0,0 +1,84 @@ +--- +title: SELinux RPM +weight: 4 +--- + +_Available as of v2.5.8_ + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. + +Developed by Red Hat, it is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication. SELinux also enhances security by making an OS restrictive by default. + +After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +We provide two RPMs (Red Hat packages) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. + +- [rancher-selinux](#rancher-selinux) +- [rke2-selinux](#rke2-selinux) +- [Installing the rancher-selinux RPM](#installing-the-rancher-selinux-rpm) +- [Configuring the Logging Application to Work with SELinux](#configuring-the-logging-application-to-work-with-selinux) + +# rancher-selinux + +To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides a SELinux RPM. + +As of v2.5.8, the `rancher-selinux` RPM only contains policies for the [rancher-logging application.](https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-logging) + +The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/rancher-selinux) + +# rke2-selinux + +rke2-selinux provides policies for RKE2. It is installed automatically when the RKE2 installer script detects that it is running on an RPM-based distro. + +The `rke2-selinux` GitHub repository is [here.](https://github.com/rancher/rke2-selinux) + +For more information about installing RKE2 on SELinux-enabled hosts, see the [RKE2 documentation.](https://docs.rke2.io/install/methods/#rpm) + +# Installing the rancher-selinux RPM + +> **Requirements:** The rancher-selinux RPM was tested with CentOS 7 and 8. + +### 1. Set up the yum repo + +Set up the yum repo to install `rancher-selinux` directly on all hosts in the cluster. + +In order to use the RPM repository, on a CentOS 7 or RHEL 7 system, run the following bash snippet: + +``` +# cat << EOF > /etc/yum.repos.d/rancher.repo +[rancher] +name=Rancher +baseurl=https://rpm.rancher.io/rancher/production/centos/7/noarch +enabled=1 +gpgcheck=1 +gpgkey=https://rpm.rancher.io/public.key +EOF +``` + +In order to use the RPM repository, on a CentOS 8 or RHEL 8 system, run the following bash snippet: + +``` +# cat << EOF > /etc/yum.repos.d/rancher.repo +[rancher] +name=Rancher +baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch +enabled=1 +gpgcheck=1 +gpgkey=https://rpm.rancher.io/public.key +EOF +``` +### 2. Installing the RPM + +Install the RPM: + +``` +yum -y install rancher-selinux +``` + +# Configuring the Logging Application to Work with SELinux + +> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8. + +Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM. + +To configure the `rancher-logging` chart to be SELinux aware, change `global.seLinux.enabled` to true in the `values.yaml` when installing the chart.