From fbec5d7ebf0d75fb67280bb0b8e2bf2a29fcc5eb Mon Sep 17 00:00:00 2001 From: LucasSaintarbor Date: Thu, 24 Jul 2025 09:13:33 -0700 Subject: [PATCH] Remove RKE1 references in rancher-security-best-practices.md --- .../rancher-security/rancher-security-best-practices.md | 2 +- .../rancher-security/rancher-security-best-practices.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/reference-guides/rancher-security/rancher-security-best-practices.md b/docs/reference-guides/rancher-security/rancher-security-best-practices.md index fa958639c1f..beeb2888880 100644 --- a/docs/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/docs/reference-guides/rancher-security/rancher-security-best-practices.md @@ -25,6 +25,6 @@ If you require such features, combine Layer 7 firewalls with [external authentic You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: - **K3s:** Port 6443, used by the Kubernetes API. -- **RKE and RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. +- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. diff --git a/versioned_docs/version-2.12/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.12/reference-guides/rancher-security/rancher-security-best-practices.md index fa958639c1f..beeb2888880 100644 
--- a/versioned_docs/version-2.12/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.12/reference-guides/rancher-security/rancher-security-best-practices.md @@ -25,6 +25,6 @@ If you require such features, combine Layer 7 firewalls with [external authentic You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: - **K3s:** Port 6443, used by the Kubernetes API. -- **RKE and RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. +- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers.
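Review bot: In the `docs/reference-guides/rancher-security/rancher-security-best-practices.md` hunk, the removed bullet says "RKE and RKE2" while the subject line says "RKE1", and the commit carries no body to connect the two. Add a line to the commit message stating that "RKE" in this bullet means RKE1 and why it is being dropped, so the history shows that the guidance for ports 6443 and 9345 is unchanged for RKE2. The trailing context paragraph ("These ports have TLS SAN certificates...") still reads correctly against the two remaining bullets, so no wording change is needed there.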
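Review bot: In the `versioned_docs/version-2.12/...` hunk, the same one-line change is applied to a single versioned copy, and the identical index line (`fa958639c1f..beeb2888880`) shows it was byte-for-byte the same as the `docs/` file. Only `version-2.12` is touched by this patch. If other versioned copies carry the `**RKE and RKE2:**` bullet and are meant to drop it too, include them here. If they are intentionally left alone, say so in the commit message so the difference between versions is not taken for an oversight.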