From 3ef9e40bd817f183d4e90a6c81fd8ba7a158b59c Mon Sep 17 00:00:00 2001 From: catherineluse Date: Wed, 18 Dec 2019 22:54:11 -0700 Subject: [PATCH 1/3] Update security docs for Rancher v2.4 --- content/rancher/v2.x/en/security/_index.md | 31 ++++++++- .../v2.x/en/security/security-scan/_index.md | 64 +++++++++++++++++++ 2 files changed, 93 insertions(+), 2 deletions(-) create mode 100644 content/rancher/v2.x/en/security/security-scan/_index.md diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index 913927b32ed..123a516aca2 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md 
@@ -20,6 +20,29 @@ weight: 7505 +Security is at the heart of all Rancher features. From integrating with all the popular authentication tools and services, to an enterprise grade [RBAC capability,]({{}}/rancher/v2.x/en/admin-settings/rbac) Rancher makes your Kubernetes clusters even more secure. + +On this page, we provide security-related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters: + +- [Running a CIS security scan on a Kubernetes cluster](#running-a-cis-security-scan-on-a-kubernetes-cluster) +- [Guide to hardening Rancher installations](#rancher-hardening-guide) +- [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment) +- [Third-party penetration test reports](#third-party-penetration-test-reports) +- [Rancher CVEs and resolutions](#rancher-cves-and-resolutions) +- [Security Tips and Best Practices](#security-tips-and-best-practices) + +### Running a CIS Security Scan on a Kubernetes Cluster + +_Available as of v2.4_ + +Rancher leverages [kube-bench](https://github.com/aquasecurity/kube-bench) run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. + +The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. + +When Rancher scans a cluster, it generates a report showing the results of each test, including the number of passed, skipped, and failed tests. The report also includes guidance on how to configure the cluster so that the failing tests will pass. 
+ +For details, refer to the section on [security scans.]({{}}/rancher/v2.x/en/security/security-scan) + ### Rancher Hardening Guide The Rancher Hardening Guide is based off of controls and best practices found in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) from the Center for Internet Security. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x, v2.2.x and v.2.3.x. See Rancher's [Self Assessment of the CIS Kubernetes Benchmark](#cis-benchmark-rancher-self-assessment) for the full list of security controls. @@ -28,7 +51,7 @@ The Rancher Hardening Guide is based off of controls and best practices found in - [Hardening Guide for Rancher v2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.2/) - [Hardening Guide for Rancher v2.3.x with Kubernetes 1.15]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.3/) -### CIS Benchmark Rancher Self-Assessment +### The CIS Benchmark and Self-Assessment The benchmark self-assessment is a companion to the Rancher security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster. 
@@ -39,7 +62,7 @@ Because Rancher and RKE install Kubernetes services as Docker containers, many o - [CIS Kubernetes Benchmark 1.4.1 - Rancher 2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.2/#cis-kubernetes-benchmark-1-4-1-rancher-2-2-x-with-kubernetes-1-13) - [CIS Kubernetes Benchmark 1.4.1 - Rancher 2.3.x with Kubernetes 1.15]({{< baseurl >}}/rancher/v2.x/en/security/benchmark-2.3/#cis-kubernetes-benchmark-1-4-1-rancher-2-3-x-with-kubernetes-1-15) -### Third Party Pen Test Reports +### Third-party Penetration Test Reports Rancher periodically hires third parties to perform security audits and penetration tests of the Rancher 2.x software stack. The environments under test follow the Rancher provided hardening guides at the time of the testing. Results are posted when the third party has also verified fixes classified MEDIUM or above. 
@@ -62,3 +85,7 @@ Rancher is committed to informing the community of security issues in our produc | [CVE-2019-13209](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13209) | The vulnerability is known as a [Cross-Site Websocket Hijacking attack](https://www.christian-schneider.net/CrossSiteWebSocketHijacking.html). This attack allows an exploiter to gain access to clusters managed by Rancher with the roles/permissions of a victim. It requires that a victim to be logged into a Rancher server and then access a third-party site hosted by the exploiter. Once that is accomplished, the exploiter is able to execute commands against the Kubernetes API with the permissions and identity of the victim. Reported by Matt Belisle and Alex Stevenson from Workiva. | 15 Jul 2019 | [Rancher v2.2.5](https://github.com/rancher/rancher/releases/tag/v2.2.5), [Rancher v2.1.11](https://github.com/rancher/rancher/releases/tag/v2.1.11) and [Rancher v2.0.16](https://github.com/rancher/rancher/releases/tag/v2.0.16) | | [CVE-2019-14436](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14436) | The vulnerability allows a member of a project that has access to edit role bindings to be able to assign themselves or others a cluster level role granting them administrator access to that cluster. The issue was found and reported by Michal Lipinski at Nokia. | 5 Aug 2019 | [Rancher v2.2.7](https://github.com/rancher/rancher/releases/tag/v2.2.7) and [Rancher v2.1.12](https://github.com/rancher/rancher/releases/tag/v2.1.12) | | [CVE-2019-14435](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14435) | This vulnerability allows authenticated users to potentially extract otherwise private data out of IPs reachable from system service containers used by Rancher. This can include but not only limited to services such as cloud provider metadata services. 
Although Rancher allow users to configure whitelisted domains for system service access, this flaw can still be exploited by a carefully crafted HTTP request. The issue was found and reported by Matt Belisle and Alex Stevenson at Workiva. | 5 Aug 2019 | [Rancher v2.2.7](https://github.com/rancher/rancher/releases/tag/v2.2.7) and [Rancher v2.1.12](https://github.com/rancher/rancher/releases/tag/v2.1.12) | + +### Security Tips and Best Practices + +Our [best practices guide]({{}}/rancher/v2.x/en/best-practices/management/#tips-for-security) includes basic tips for increasing security in Rancher. \ No newline at end of file diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md new file mode 100644 index 00000000000..6848f75f25a --- /dev/null +++ b/content/rancher/v2.x/en/security/security-scan/_index.md 
@@ -0,0 +1,64 @@ +--- +title: Security Scans +weight: 1 +--- + +_Available as of v2.4_ + +Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. + +The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. + +When Rancher scans a cluster, it generates a report showing the results of each test, including the number of passed, skipped, and failed tests. The report also includes guidance on how to configure the cluster so that the failing tests will pass. + +To check clusters for CIS Kubernetes Benchmark compliance, the security scan leverages [kube-bench,](https://github.com/aquasecurity/kube-bench) an open-source tool from Aqua Security. + +When Rancher scans a cluster hosted in a managed Kubernetes provider such as GKE, EKS, or AKS, only worker nodes can be scanned. + +### About the Generated Report + +Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format. + +The version of the [benchmark](https://www.cisecurity.org/benchmark/kubernetes/) that is used depends on the cluster's Kubernetes version. + +Each test in the resport is identified by its corresponding section of the benchmark. 
For example, if a cluster fails test 1.3.6, you can look up the description and rationale for the benchmark section 1.3.6 in the benchmark itself, or in Rancher's [hardening guide for the Kubernetes version that the cluster is using.]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) + +Similarly, for information how to manually audit the test result, you could look up section 1.3.6 in Rancher's [self-assessment guide for the corresponding Kubernetes version.]({{}}/rancher/v2.x/en/security/#the-cis-benchmark-and-self-assessment) + +### Prerequisites + +To run security scans on a cluster and access the generated reports, you must be an [Administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [Cluster Owner.]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) + +### Running a Scan + +1. From the cluster view in Rancher, click **Tools > CIS Scans.** +1. Click **Run Scan.** + +**Result:** A report is generated and displayed in the **CIS Scans** page. To see details of the report, click the report's name. + +### Skipping a Test + +1. From the cluster view in Rancher, click **Tools > CIS Scans.** +1. Click the name of the report that has tests you want to skip. +1. A **Skip** button is displayed next to each failed test. Click **Skip** for each test that should be skipped. + +**Result:** The tests will be skipped on the next scan. + +To re-run the security scan, go to the top of the page and click **Run Scan.** + +### Un-skipping a Test + +1. From the cluster view in Rancher, click **Tools > CIS Scans.** +1. Click the name of the report that has tests you want to un-skip. +1. An **Unskip** button is displayed next to each skipped test. Click **Unskip** for each test that should not be skipped. + +**Result:** The tests will not be skipped on the next scan. + +To re-run the security scan, go to the top of the page and click **Run Scan.** + +### Deleting a Report + +1. 
From the cluster view in Rancher, click **Tools > CIS Scans.** +1. Go to the report that should be deleted. +1. Click the **Ellipsis (...) > Delete.** +1. Click **Delete.** \ No newline at end of file From f7214c39f8bc0f381c767680f64e3cbbc1584a3b Mon Sep 17 00:00:00 2001 From: catherineluse Date: Fri, 20 Dec 2019 12:23:34 -0700 Subject: [PATCH 2/3] Respond to feedback on CIS scan doc --- content/rancher/v2.x/en/security/_index.md | 8 ++++---- .../rancher/v2.x/en/security/security-scan/_index.md | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/content/rancher/v2.x/en/security/_index.md b/content/rancher/v2.x/en/security/_index.md index 123a516aca2..2ee41833ca0 100644 --- a/content/rancher/v2.x/en/security/_index.md +++ b/content/rancher/v2.x/en/security/_index.md 
@@ -35,17 +35,17 @@ On this page, we provide security-related documentation along with resources to _Available as of v2.4_ -Rancher leverages [kube-bench](https://github.com/aquasecurity/kube-bench) run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. +Rancher leverages [kube-bench](https://github.com/aquasecurity/kube-bench) to run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. -The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. +The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. -When Rancher scans a cluster, it generates a report showing the results of each test, including the number of passed, skipped, and failed tests. The report also includes guidance on how to configure the cluster so that the failing tests will pass. +When Rancher runs a CIS Security Scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests. For details, refer to the section on [security scans.]({{}}/rancher/v2.x/en/security/security-scan) ### Rancher Hardening Guide -The Rancher Hardening Guide is based off of controls and best practices found in the [CIS Kubernetes Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) from the Center for Internet Security. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x, v2.2.x and v.2.3.x. 
See Rancher's [Self Assessment of the CIS Kubernetes Benchmark](#cis-benchmark-rancher-self-assessment) for the full list of security controls. +The Rancher Hardening Guide is based off of controls and best practices found in the CIS Kubernetes Benchmark from the Center for Internet Security. The hardening guide provides prescriptive guidance for hardening a production installation of Rancher v2.1.x, v2.2.x and v.2.3.x. See Rancher's [Self Assessment of the CIS Kubernetes Benchmark](#cis-benchmark-rancher-self-assessment) for the full list of security controls. - [Hardening Guide for Rancher v2.1.x with Kubernetes 1.11]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.1/) - [Hardening Guide for Rancher v2.2.x with Kubernetes 1.13]({{< baseurl >}}/rancher/v2.x/en/security/hardening-2.2/) diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index 6848f75f25a..5040a39651c 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md 
@@ -7,9 +7,9 @@ _Available as of v2.4_ Rancher can run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark. -The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. +The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes. The Benchmark provides recommendations of two types: Scored and Not Scored. We run tests related to only Scored recommendations. -When Rancher scans a cluster, it generates a report showing the results of each test, including the number of passed, skipped, and failed tests. The report also includes guidance on how to configure the cluster so that the failing tests will pass. +When Rancher runs a CIS Security Scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests. To check clusters for CIS Kubernetes Benchmark compliance, the security scan leverages [kube-bench,](https://github.com/aquasecurity/kube-bench) an open-source tool from Aqua Security. 
@@ -19,11 +19,11 @@ When Rancher scans a cluster hosted in a managed Kubernetes provider such as GKE Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format. -The version of the [benchmark](https://www.cisecurity.org/benchmark/kubernetes/) that is used depends on the cluster's Kubernetes version. +The version of the [Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) that is used depends on the cluster's Kubernetes version. -Each test in the resport is identified by its corresponding section of the benchmark. For example, if a cluster fails test 1.3.6, you can look up the description and rationale for the benchmark section 1.3.6 in the benchmark itself, or in Rancher's [hardening guide for the Kubernetes version that the cluster is using.]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) +Each test in the report is identified by its corresponding Scored test in the Benchmark. For example, if a cluster fails test 1.3.6, you can look up the description and rationale for the section 1.3.6 in the Benchmark itself, or in Rancher's [hardening guide for the Kubernetes version that the cluster is using.]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) Recommendations marked as Not Scored in the Benchmark are not included in the report. -Similarly, for information how to manually audit the test result, you could look up section 1.3.6 in Rancher's [self-assessment guide for the corresponding Kubernetes version.]({{}}/rancher/v2.x/en/security/#the-cis-benchmark-and-self-assessment) +Similarly, for information on how to manually audit the test result, you could look up section 1.3.6 in Rancher's [self-assessment guide for the corresponding Kubernetes version.]({{}}/rancher/v2.x/en/security/#the-cis-benchmark-and-self-assessment) ### Prerequisites From 4915d19354b320ca78f6f7b1c44c5186f4a634db Mon Sep 17 00:00:00 2001 
From: Catherine Luse Date: Tue, 24 Dec 2019 11:52:29 -0700 Subject: [PATCH 3/3] Say that security scan is for RKE clusters --- content/rancher/v2.x/en/security/security-scan/_index.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/content/rancher/v2.x/en/security/security-scan/_index.md b/content/rancher/v2.x/en/security/security-scan/_index.md index 5040a39651c..6af630675d9 100644 --- a/content/rancher/v2.x/en/security/security-scan/_index.md +++ b/content/rancher/v2.x/en/security/security-scan/_index.md @@ -13,13 +13,11 @@ When Rancher runs a CIS Security Scan on a cluster, it generates a report showin To check clusters for CIS Kubernetes Benchmark compliance, the security scan leverages [kube-bench,](https://github.com/aquasecurity/kube-bench) an open-source tool from Aqua Security. -When Rancher scans a cluster hosted in a managed Kubernetes provider such as GKE, EKS, or AKS, only worker nodes can be scanned. - ### About the Generated Report Each scan generates a report can be viewed in the Rancher UI and can be downloaded in CSV format. -The version of the [Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) that is used depends on the cluster's Kubernetes version. +To determine which version of the [Benchmark](https://www.cisecurity.org/benchmark/kubernetes/) to use in the scan, Rancher chooses a version that is appropriate for the cluster's Kubernetes version. The Benchmark version is included in the generated report. Each test in the report is identified by its corresponding Scored test in the Benchmark. For example, if a cluster fails test 1.3.6, you can look up the description and rationale for the section 1.3.6 in the Benchmark itself, or in Rancher's [hardening guide for the Kubernetes version that the cluster is using.]({{}}/rancher/v2.x/en/security/#rancher-hardening-guide) Recommendations marked as Not Scored in the Benchmark are not included in the report. 
@@ -29,6 +27,10 @@ Similarly, for information on how to manually audit the test result, you could l To run security scans on a cluster and access the generated reports, you must be an [Administrator]({{}}/rancher/v2.x/en/admin-settings/rbac/global-permissions/) or [Cluster Owner.]({{}}/rancher/v2.x/en/admin-settings/rbac/cluster-project-roles/) +Rancher can only run security scans on clusters that were created with RKE, which includes custom clusters and clusters that Rancher created in an infrastructure provider such as Amazon EC2 or GCE. Imported clusters and clusters in hosted Kubernetes providers can't be scanned by Rancher. + +The security scan cannot run in a cluster that has Windows nodes. + ### Running a Scan 1. From the cluster view in Rancher, click **Tools > CIS Scans.**
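Review bot: in the first `_index.md` hunk of patch 1 (`@@ -20,6 +20,29 @@`), "Rancher leverages [kube-bench](...) run a security scan" is missing "to" before "run" (patch 2 later corrects this, so it could simply be squashed). In the same hunk the new links are written as `{{}}/rancher/v2.x/en/security/security-scan` and `{{}}/rancher/v2.x/en/admin-settings/rbac`, whereas the existing links in this file use `{{< baseurl >}}/rancher/v2.x/en/security/hardening-2.2/`; unless the shortcode was lost in rendering, these new links will not get the base URL prefix and should be changed to the `{{< baseurl >}}` form used elsewhere in the file.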
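Review bot: the heading rename in patch 1 hunk `@@ -28,7 +51,7 @@` (`-### CIS Benchmark Rancher Self-Assessment` / `+### The CIS Benchmark and Self-Assessment`) changes the generated anchor, but the Rancher Hardening Guide paragraph in the preceding hunk still links to `#cis-benchmark-rancher-self-assessment`, and the patch 2 rewrite of that paragraph keeps the same stale anchor. The new table of contents at the top of the page already uses `#the-cis-benchmark-and-self-assessment`; the Hardening Guide sentence should be updated to the same anchor so the in-page link does not silently break.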
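Review bot: in the new `security-scan/_index.md` (patch 1, `@@ -0,0 +1,64 @@`), "Each scan generates a report can be viewed in the Rancher UI" is missing "that" ("a report that can be viewed") and survives unchanged through patch 3, and "resport" should be "report" (fixed in patch 2). The Prerequisites line states who may run scans and read reports but not who may skip a test; since skipping removes a failing control from the pass/fail summary, the Skipping a Test section should state which role is required and make clear that skipped tests still appear in the report's skipped count, so a reviewer of the report can see which Benchmark checks were excluded rather than remediated. Both files in this patch also end with `\ No newline at end of file`; a trailing newline would keep later diffs clean.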
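Review bot: in patch 2 hunk `@@ -7,9 +7,9 @@` of `security-scan/_index.md`, "We run tests related to only Scored recommendations" is awkward and switches to first person on a page that otherwise refers to Rancher in the third person; suggest "Rancher runs tests only for the Scored recommendations." The same sentence is added to `_index.md` in the `@@ -35,17 +35,17 @@` hunk of this patch and should be changed in both places.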
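Review bot: the restriction added in patch 3 hunk `@@ -29,6 +27,10 @@` (only RKE-created clusters can be scanned; imported clusters, hosted providers and clusters with Windows nodes cannot) lives only under Prerequisites on the security-scan page, while the overview section added to `content/rancher/v2.x/en/security/_index.md` in patch 1 still describes the scan without that qualification; a one-line mention there would keep the two pages consistent. It would also help to say what a user sees on an unsupported cluster (whether **Tools > CIS Scans** is absent or **Run Scan** fails), since the Running a Scan steps below assume the menu entry is present.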