Add security advice for cloud metadata

Colleen Murphy
2021-10-05 13:41:11 -07:00
parent 5082ae58cb
commit 74ed84b483
4 changed files with 26 additions and 0 deletions
@@ -33,6 +33,7 @@ On this page, we provide security-related documentation along with resources to
- [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment)
- [Third-party penetration test reports](#third-party-penetration-test-reports)
- [Rancher CVEs and resolutions](#rancher-cves-and-resolutions)
- [Kubernetes Security Best Practices](#kubernetes-security-best-practices)
### Running a CIS Security Scan on a Kubernetes Cluster
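Review bot: the new TOC entry is in Title Case ("Kubernetes Security Best Practices") while the sibling entries directly above it use sentence case ("Third-party penetration test reports", "Rancher CVEs and resolutions"); consider `- [Kubernetes security best practices](#kubernetes-security-best-practices)` so the list reads uniformly. The anchor itself is fine, since heading slugs are lowercased and it matches the `### Kubernetes Security Best Practices` heading added further down.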
@@ -86,3 +87,7 @@ Results:
### Rancher CVEs and Resolutions
Rancher is committed to informing the community of security issues in our products. For the list of CVEs (Common Vulnerabilities and Exposures) for issues we have resolved, refer to [this page.](./cve)
### Kubernetes Security Best Practices
For recommendations on securing your Kubernetes cluster, refer to the [Best Practices](./best-practices) guide.
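Review bot: the new section only says the guide covers "securing your Kubernetes cluster", while the linked page currently contains a single topic (restricting cloud metadata API access); naming that scope here, e.g. "For recommendations on securing your Kubernetes cluster, such as restricting pod access to the cloud metadata API, refer to the [Best Practices](./best-practices) guide.", keeps readers from expecting a broader document. Also confirm that the relative link `./best-practices` resolves to the new page in the docs build, as the new file's path is not visible in this diff.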
@@ -0,0 +1,8 @@
---
title: Kubernetes Security Best Practices
weight: 5
---
# Restricting cloud metadata API access
Cloud providers such as AWS, Azure, or GCP often expose metadata services locally to instances. By default, this endpoint is accessible by pods running on a cloud instance, including pods in hosted Kubernetes providers such as EKS, AKS or GKE, and can contain cloud credentials for that node, provisioning data such as kubelet credentials, or other sensitive data. To mitigate this risk when running on a cloud platform, follow the [Kubernetes security recommendations](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-cloud-metadata-api-access): limit permissions given to instance credentials, use network policies to restrict pod access to the metadata API, and avoid using provisioning data to deliver secrets.
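Review bot: the front-matter title is "Kubernetes Security Best Practices" but the body's only heading is a level-one `# Restricting cloud metadata API access`; if the framework renders the title as the page heading this yields two H1s, so `## Restricting cloud metadata API access` is the safer choice and leaves room for further topics under the same page. In the body, "this endpoint" in the second sentence has no singular antecedent (the first sentence speaks of "metadata services"); "the metadata endpoint" reads more cleanly. The three mitigations listed after the colon (limit instance credential permissions, restrict pod access with network policies, do not deliver secrets via provisioning data) would be easier to act on as a bulleted list than as the tail of a single long paragraph.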
@@ -30,6 +30,7 @@ On this page, we provide security-related documentation along with resources to
- [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment)
- [Third-party penetration test reports](#third-party-penetration-test-reports)
- [Rancher CVEs and resolutions](#rancher-cves-and-resolutions)
- [Kubernetes Security Best Practices](#kubernetes-security-best-practices)
### Running a CIS Security Scan on a Kubernetes Cluster
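Review bot: this hunk is a verbatim copy of the TOC change above, applied to a second copy of the page whose context starts at line 30 rather than 33, so the two files have already drifted slightly; whatever casing is chosen for the new entry in the first copy must be applied here too, or the two navigation lists diverge.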
@@ -83,3 +84,7 @@ Results:
### Rancher CVEs and Resolutions
Rancher is committed to informing the community of security issues in our products. For the list of CVEs (Common Vulnerabilities and Exposures) for issues we have resolved, refer to [this page.](./cve)
### Kubernetes Security Best Practices
For recommendations on securing your Kubernetes cluster, refer to the [Best Practices](./best-practices) guide.
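Review bot: this is the same section text as the earlier hunk, so any wording change adopted there (stating the guide's current scope, verifying the `./best-practices` link target) should be mirrored here; since this file is a separate copy of the page, check that the `best-practices` page exists alongside this copy as well rather than only next to the first one.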
@@ -0,0 +1,8 @@
---
title: Kubernetes Security Best Practices
weight: 5
---
# Restricting cloud metadata API access
Cloud providers such as AWS, Azure, or GCP often expose metadata services locally to instances. By default, this endpoint is accessible by pods running on a cloud instance, including pods in hosted Kubernetes providers such as EKS, AKS or GKE, and can contain cloud credentials for that node, provisioning data such as kubelet credentials, or other sensitive data. To mitigate this risk when running on a cloud platform, follow the [Kubernetes security recommendations](https://kubernetes.io/docs/tasks/administer-cluster/securing-a-cluster/#restricting-cloud-metadata-api-access): limit permissions given to instance credentials, use network policies to restrict pod access to the metadata API, and avoid using provisioning data to deliver secrets.
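Review bot: this new file is identical to the one added above, so the H1-versus-title and "this endpoint" points raised there apply unchanged; with two identical pages in the tree, a later fix to one is easy to miss in the other, so it is worth noting in the commit message which copies are meant to stay in lockstep.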