From fe8400eaebecea547089535398159e8ba8df4f79 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Sun, 25 Apr 2021 14:12:22 -0700 Subject: [PATCH 1/4] Add SELinux docs --- content/rancher/v2.5/en/logging/_index.md | 14 +++ content/rancher/v2.5/en/security/_index.md | 7 ++ .../v2.5/en/security/rancher-2.5/_index.md | 19 +++- .../v2.5/en/security/selinux/_index.md | 92 +++++++++++++++++++ 4 files changed, 131 insertions(+), 1 deletion(-) create mode 100644 content/rancher/v2.5/en/security/selinux/_index.md diff --git a/content/rancher/v2.5/en/logging/_index.md b/content/rancher/v2.5/en/logging/_index.md index 6aa6c4be2c5..0ae41042072 100644 --- a/content/rancher/v2.5/en/logging/_index.md +++ b/content/rancher/v2.5/en/logging/_index.md @@ -17,6 +17,8 @@ aliases: - [Configuring the Logging Application](#configuring-the-logging-application) - [Working with a Custom Docker Root Directory](#working-with-a-custom-docker-root-directory) - [Working with Taints and Tolerations](#working-with-taints-and-tolerations) +- [Logging v2 with SELinux](#logging-v2-with-selinux) +- [Troubleshooting](#troubleshooting) # Changes in Rancher v2.5 
@@ -349,6 +351,18 @@ fluentbit_tolerations: # insert tolerations list for fluentbit containers only... ``` +# Logging v2 with SELinux + +_Available as of v2.5.8_ + +> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8. + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +To use Logging v2 with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm) + +Then you will need to configure the logging application to work with SELinux as shown in [this section.]({{}}/rancher/v2.5/en/security/selinux/#configuring-the-logging-application-to-work-with-selinux) + # Troubleshooting ### The `cattle-logging` Namespace Being Recreated diff --git a/content/rancher/v2.5/en/security/_index.md b/content/rancher/v2.5/en/security/_index.md index a50954a1fb2..d0eec5593ac 100644 --- a/content/rancher/v2.5/en/security/_index.md +++ b/content/rancher/v2.5/en/security/_index.md @@ -25,6 +25,7 @@ Security is at the heart of all Rancher features. From integrating with all the On this page, we provide security-related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters: - [Running a CIS security scan on a Kubernetes cluster](#running-a-cis-security-scan-on-a-kubernetes-cluster) +- [SELinux RPM](#selinux-rpm) - [Guide to hardening Rancher installations](#rancher-hardening-guide) - [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment) - [Third-party penetration test reports](#third-party-penetration-test-reports) 
@@ -46,6 +47,12 @@ When Rancher runs a CIS security scan on a cluster, it generates a report showin For details, refer to the section on [security scans.]({{}}/rancher/v2.5/en/cis-scans) +### SELinux RPM + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. For details, see [this page.]({{}}/rancher/v2.5/en/security/selinux) + ### Rancher Hardening Guide The Rancher Hardening Guide is based on controls and best practices found in the CIS Kubernetes Benchmark from the Center for Internet Security. diff --git a/content/rancher/v2.5/en/security/rancher-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/_index.md index 3b7eb986652..dc5c0d8d71a 100644 --- a/content/rancher/v2.5/en/security/rancher-2.5/_index.md +++ b/content/rancher/v2.5/en/security/rancher-2.5/_index.md @@ -6,6 +6,15 @@ weight: 1 Rancher v2.5 introduced the capability to deploy Rancher on any Kubernetes cluster. For that reason, we now provide separate security hardening guides for Rancher deployments on each of Rancher's Kubernetes distributions. +- [Rancher Kubernetes Distributions](#rancher-kubernetes-distributions) +- [Hardening Guides and Benchmark Versions](#hardening-guides-and-benchmark-versions) + - [RKE Guides](#rke-guides) + - [RKE2 Guides](#rke2-guides) + - [K3s Guides](#k3s) +- [Rancher with SELinux](#rancher-with-selinux) + +# Rancher Kubernetes Distributions + Rancher has the following Kubernetes distributions: - [**RKE,**]({{}}/rke/latest/en/) Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. 
@@ -14,7 +23,7 @@ Rancher has the following Kubernetes distributions: To harden a Kubernetes cluster outside of Rancher's distributions, refer to your Kubernetes provider docs. -# Guides +# Hardening Guides and Benchmark Versions These guides have been tested along with the Rancher v2.5 release. Each self-assessment guide is accompanied with a hardening guide and tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can choose to use the existing guides until a newer version is added. @@ -34,3 +43,11 @@ Kubernetes v1.18 | CIS v1.5 | [Link](https://docs.rke2.io/security/cis_self_asse ### K3s Guides The K3s security guides will be added soon. + +# Rancher with SELinux + +_Available as of v2.5.8_ + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +To use Rancher with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm) \ No newline at end of file diff --git a/content/rancher/v2.5/en/security/selinux/_index.md b/content/rancher/v2.5/en/security/selinux/_index.md new file mode 100644 index 00000000000..05e090fd315 --- /dev/null +++ b/content/rancher/v2.5/en/security/selinux/_index.md 
@@ -0,0 +1,92 @@ +--- +title: SELinux RPM +weight: 4 +--- + +_Available as of v2.5.8_ + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. + +Developed by Red Hat, it is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication. SELinux also enhances security by making an OS restrictive by default. + +After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. + +- [rancher-selinux](#rancher-selinux) +- [rke2-selinux](#rke2-selinux) +- [Installing the rancher-selinux RPM](#installing-the-rancher-selinux-rpm) +- [Configuring the Logging Application to Work with SELinux](#configuring-the-logging-application-to-work-with-selinux) + +# rancher-selinux + +To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides a SELinux RPM. + +This RPM only contains policies for the [rancher-logging application,](https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-logging) but this is where additional policies for more Rancher feature applications will be added in the future. The logging application was tested + +The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/rancher-selinux) + +# rke2-selinux + +rke2-selinux provides policies for RKE2. It is installed automatically when the RKE2 installer script detects that it is running on an RPM-based distro. 
+ +The `rke2-selinux` GitHub repository is [here.](https://github.com/rancher/rke2-selinux) + +For more information about installing RKE2 on SELinux-enabled hosts, see the [RKE2 documentation.](https://docs.rke2.io/install/methods/#rpm) + +# Installing the rancher-selinux RPM + +> **Requirements:** The rancher-selinux RPM was tested with CentOS 7 and 8. + +### 1. Set up the yum repo + +Set up the yum repo to install `rancher-selinux` directly on all hosts in the cluster. + +For CentOS 7, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/7/noarch + +For CentOS 8, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/8/noarch + +``` +# source /etc/os-release +# cat << EOF > /etc/yum.repos.d/rancher.repo +[rancher] +name=Rancher +baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch # Change if using CentOS 7 +enabled=1 +gpgcheck=1 +gpgkey=https://rpm.rancher.io/public.key +EOF +``` + +If you are testing out an unreleased change, you can use the testing channel: + +``` +# cat << EOF > /etc/yum.repos.d/rancher-testing.repo +[rancher] +name=Rancher Testing +baseurl=https://rpm-testing.rancher.io/rancher/testing/centos/8/$VERSION_ID/noarch # Change if using CentOS 7 +enabled=1 +gpgcheck=1 +gpgkey=https://rpm-testing.rancher.io/public.key +EOF +``` + +### 2. Installing the RPM + +Install the RPM: + +``` +yum -y install rancher-selinux +``` + +# Configuring the Logging Application to Work with SELinux + +> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8. + +Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM. + +The rancher-logging chart, for example, needs to be configured to be SELinux aware: + +``` +helm install logging rancher/rancher-logging --set global.seLinux.enabled=true +``` \ No newline at end of file 
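Review bot: the parenthetical in the new paragraph in `content/rancher/v2.5/en/security/_index.md` (hunk `@@ -46,6 +47,12 @@`) expands the wrong noun: "two RPMs (Red Hat package managers)" describes two package managers, while the things being shipped are packages. Suggest "two RPMs (Red Hat packages)" or simply "two RPM packages"; the identical phrase in the new `selinux/_index.md` intro needs the same fix.

Review bot: the new table-of-contents entry `- [K3s Guides](#k3s)` in `content/rancher/v2.5/en/security/rancher-2.5/_index.md` (hunk `@@ -6,6 +15,15 @@`) points at an anchor that does not exist. The heading it targets, visible in the next hunk as `### K3s Guides`, renders as `#k3s-guides`, and the sibling entries `#rke-guides` and `#rke2-guides` already follow that convention, so change the link to `#k3s-guides`.

Review bot: two wording problems in the intro of the new `content/rancher/v2.5/en/security/selinux/_index.md`. "Developed by Red Hat, it is an implementation of mandatory access controls (MAC) on Linux." misattributes the origin: SELinux was developed by the NSA and later integrated and maintained by Red Hat among others, so something like "Originally developed by the NSA and now maintained with major contributions from Red Hat" is more accurate. In the `# rancher-selinux` section, "The logging application was tested" is a dangling fragment; either finish the sentence (the `> **Requirements:**` callouts further down name CentOS 7 and 8) or drop it.

Review bot: the yum repo snippets in the new `# Installing the rancher-selinux RPM` section have three defects. First, `baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch # Change if using CentOS 7` puts a trailing `#` comment on an INI value; yum's repo file parser does not strip inline comments, so the URL written to disk includes the comment text and the repo fails to load. Move the comment out of the heredoc (above `cat << EOF`). Second, `source /etc/os-release` appears only in the production snippet, but `$VERSION_ID` is only used in the testing snippet; a reader who runs the testing snippet alone gets an empty expansion in the unquoted heredoc. Third, both files declare the same repo id `[rancher]`; yum treats a repo id that appears in two files as a duplicate and whichever file loads last wins, so the testing repo should use its own id such as `[rancher-testing]`.

Review bot: the step headings in the same section mix verb forms, `### 1. Set up the yum repo` versus `### 2. Installing the RPM`; use the imperative for both (`### 2. Install the RPM`).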
From 7eb421431ce69a345cd6c5dde4a7e4568ca8b10b Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 4 May 2021 07:24:33 -0700 Subject: [PATCH 2/4] Update content/rancher/v2.5/en/security/_index.md Co-authored-by: Colleen Murphy --- content/rancher/v2.5/en/security/_index.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/rancher/v2.5/en/security/_index.md b/content/rancher/v2.5/en/security/_index.md index d0eec5593ac..8586f78b957 100644 --- a/content/rancher/v2.5/en/security/_index.md +++ b/content/rancher/v2.5/en/security/_index.md @@ -51,7 +51,7 @@ For details, refer to the section on [security scans.]({{}}/rancher/v2. [Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. -We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. For details, see [this page.]({{}}/rancher/v2.5/en/security/selinux) +We provide two RPMs (Red Hat packages) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. For details, see [this page.]({{}}/rancher/v2.5/en/security/selinux) ### Rancher Hardening Guide From 33e08a3a73ee305a8550b4005c208c8143ca0ba5 Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 4 May 2021 07:30:25 -0700 Subject: [PATCH 3/4] Update content/rancher/v2.5/en/security/selinux/_index.md Co-authored-by: Colleen Murphy --- content/rancher/v2.5/en/security/selinux/_index.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/content/rancher/v2.5/en/security/selinux/_index.md b/content/rancher/v2.5/en/security/selinux/_index.md index 05e090fd315..a044e59802c 100644 --- a/content/rancher/v2.5/en/security/selinux/_index.md 
+++ b/content/rancher/v2.5/en/security/selinux/_index.md @@ -11,7 +11,7 @@ Developed by Red Hat, it is an implementation of mandatory access controls (MAC) After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. -We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. +We provide two RPMs (Red Hat packages) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. - [rancher-selinux](#rancher-selinux) - [rke2-selinux](#rke2-selinux) @@ -89,4 +89,4 @@ The rancher-logging chart, for example, needs to be configured to be SELinux awa ``` helm install logging rancher/rancher-logging --set global.seLinux.enabled=true -``` \ No newline at end of file +``` From d5fc051d345d68054fa7ab1f07a44fd057567b3d Mon Sep 17 00:00:00 2001 From: Catherine Luse Date: Tue, 4 May 2021 07:37:39 -0700 Subject: [PATCH 4/4] Update SELinux docs per Colleen's feedback --- .../v2.5/en/security/selinux/_index.md | 32 +++++++------------ 1 file changed, 12 insertions(+), 20 deletions(-) diff --git a/content/rancher/v2.5/en/security/selinux/_index.md b/content/rancher/v2.5/en/security/selinux/_index.md index a044e59802c..fe707e064e2 100644 --- a/content/rancher/v2.5/en/security/selinux/_index.md +++ b/content/rancher/v2.5/en/security/selinux/_index.md 
@@ -22,7 +22,7 @@ We provide two RPMs (Red Hat packages) that enable Rancher products to function To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides a SELinux RPM. -This RPM only contains policies for the [rancher-logging application,](https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-logging) but this is where additional policies for more Rancher feature applications will be added in the future. The logging application was tested +As of v2.5.8, the `rancher-selinux` RPM only contains policies for the [rancher-logging application.](https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-logging) The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/rancher-selinux) 
@@ -42,35 +42,31 @@ For more information about installing RKE2 on SELinux-enabled hosts, see the [RK Set up the yum repo to install `rancher-selinux` directly on all hosts in the cluster. -For CentOS 7, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/7/noarch - -For CentOS 8, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/8/noarch +In order to use the RPM repository, on a CentOS 7 or RHEL 7 system, run the following bash snippet: ``` -# source /etc/os-release # cat << EOF > /etc/yum.repos.d/rancher.repo [rancher] name=Rancher -baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch # Change if using CentOS 7 +baseurl=https://rpm.rancher.io/rancher/production/centos/7/noarch enabled=1 gpgcheck=1 gpgkey=https://rpm.rancher.io/public.key EOF ``` -If you are testing out an unreleased change, you can use the testing channel: +In order to use the RPM repository, on a CentOS 8 or RHEL 8 system, run the following bash snippet: ``` -# cat << EOF > /etc/yum.repos.d/rancher-testing.repo -[rancher] -name=Rancher Testing -baseurl=https://rpm-testing.rancher.io/rancher/testing/centos/8/$VERSION_ID/noarch # Change if using CentOS 7 -enabled=1 -gpgcheck=1 -gpgkey=https://rpm-testing.rancher.io/public.key +# cat << EOF > /etc/yum.repos.d/rancher.repo +[rancher] +name=Rancher +baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch +enabled=1 +gpgcheck=1 +gpgkey=https://rpm.rancher.io/public.key EOF ``` - ### 2. Installing the RPM Install the RPM: 
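Review bot: the `# cat << EOF > /etc/yum.repos.d/rancher.repo` lines in both repo snippets keep a `#` root-prompt prefix, but the hunk now introduces each block with "run the following bash snippet", and a pasted `#` turns the whole command into a comment. Drop the prompt (or write the redirection with `sudo tee`) so the snippet runs as pasted. Two smaller points: the lead-in sentences now say "CentOS 7 or RHEL 7" and "CentOS 8 or RHEL 8" while the `> **Requirements:**` callout above this section still says the RPM "was tested with CentOS 7 and 8", so the two should be aligned; and the hunk removes the blank line between the closing fence and `### 2. Installing the RPM`, which the rest of the file keeps.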
@@ -85,8 +81,4 @@ yum -y install rancher-selinux Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM. -The rancher-logging chart, for example, needs to be configured to be SELinux aware: - -``` -helm install logging rancher/rancher-logging --set global.seLinux.enabled=true -``` +To configure the `rancher-logging` chart to be SELinux aware, change `global.seLinux.enabled` to true in the `values.yaml` when installing the chart.
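Review bot: replacing the `helm install logging rancher/rancher-logging --set global.seLinux.enabled=true` example with "change `global.seLinux.enabled` to true in the `values.yaml`" removes the only copy-pasteable instruction and leaves "the `values.yaml`" ambiguous (the chart's packaged defaults versus a user-supplied values file passed with `-f`). Keep a concrete form, either the removed `--set` command or a short values snippet such as `global:` / `  seLinux:` / `    enabled: true`, and put `true` in backticks to match `global.seLinux.enabled`.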