public/rancher-docs
1
0
Fork 0
mirror of https://github.com/rancher/rancher-docs.git synced 2026-05-14 00:53:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add SELinux docs

Browse Source
This commit is contained in:
Catherine Luse
2021-04-25 14:12:22 -07:00
parent 7ee2d1e2b9
commit fe8400eaeb
4 changed files with 131 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files
content/rancher/v2.5/en/logging/_index.md
+14
View File
@@ -17,6 +17,8 @@ aliases:
- [Configuring the Logging Application](#configuring-the-logging-application)
- [Working with a Custom Docker Root Directory](#working-with-a-custom-docker-root-directory)
- [Working with Taints and Tolerations](#working-with-taints-and-tolerations)
- [Logging v2 with SELinux](#logging-v2-with-selinux)
- [Troubleshooting](#troubleshooting)
# Changes in Rancher v2.5
@@ -349,6 +351,18 @@ fluentbit_tolerations:
# insert tolerations list for fluentbit containers only...
```
# Logging v2 with SELinux
_Available as of v2.5.8_
> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8.
[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8.
To use Logging v2 with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{<baseurl>}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm)
Then you will need to configure the logging application to work with SELinux as shown in [this section.]({{<baseurl>}}/rancher/v2.5/en/security/selinux/#configuring-the-logging-application-to-work-with-selinux)
# Troubleshooting
### The `cattle-logging` Namespace Being Recreated
content/rancher/v2.5/en/security/_index.md
+7
View File
@@ -25,6 +25,7 @@ Security is at the heart of all Rancher features. From integrating with all the
On this page, we provide security-related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters:
- [Running a CIS security scan on a Kubernetes cluster](#running-a-cis-security-scan-on-a-kubernetes-cluster)
- [SELinux RPM](#selinux-rpm)
- [Guide to hardening Rancher installations](#rancher-hardening-guide)
- [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment)
- [Third-party penetration test reports](#third-party-penetration-test-reports)
@@ -46,6 +47,12 @@ When Rancher runs a CIS security scan on a cluster, it generates a report showin
For details, refer to the section on [security scans.]({{<baseurl>}}/rancher/v2.5/en/cis-scans)
### SELinux RPM
[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8.
We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. For details, see [this page.]({{<baseurl>}}/rancher/v2.5/en/security/selinux)
### Rancher Hardening Guide
The Rancher Hardening Guide is based on controls and best practices found in the <a href="https://www.cisecurity.org/benchmark/kubernetes/" target="_blank">CIS Kubernetes Benchmark</a> from the Center for Internet Security.
content/rancher/v2.5/en/security/rancher-2.5/_index.md
+18 -1
View File
@@ -6,6 +6,15 @@ weight: 1
Rancher v2.5 introduced the capability to deploy Rancher on any Kubernetes cluster. For that reason, we now provide separate security hardening guides for Rancher deployments on each of Rancher's Kubernetes distributions.
- [Rancher Kubernetes Distributions](#rancher-kubernetes-distributions)
- [Hardening Guides and Benchmark Versions](#hardening-guides-and-benchmark-versions)
- [RKE Guides](#rke-guides)
- [RKE2 Guides](#rke2-guides)
- [K3s Guides](#k3s)
- [Rancher with SELinux](#rancher-with-selinux)
# Rancher Kubernetes Distributions
Rancher has the following Kubernetes distributions:
- [**RKE,**]({{<baseurl>}}/rke/latest/en/) Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers.
@@ -14,7 +23,7 @@ Rancher has the following Kubernetes distributions:
To harden a Kubernetes cluster outside of Rancher's distributions, refer to your Kubernetes provider docs.
# Guides
# Hardening Guides and Benchmark Versions
These guides have been tested along with the Rancher v2.5 release. Each self-assessment guide is accompanied with a hardening guide and tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can choose to use the existing guides until a newer version is added.
@@ -34,3 +43,11 @@ Kubernetes v1.18 | CIS v1.5 | [Link](https://docs.rke2.io/security/cis_self_asse
### K3s Guides
The K3s security guides will be added soon.
# Rancher with SELinux
_Available as of v2.5.8_
[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8.
To use Rancher with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{<baseurl>}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm)
content/rancher/v2.5/en/security/selinux/_index.md
+92
View File
@@ -0,0 +1,92 @@
---
title: SELinux RPM
weight: 4
---
_Available as of v2.5.8_
[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux.
Developed by Red Hat, it is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication. SELinux also enhances security by making an OS restrictive by default.
After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8.
We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`.
- [rancher-selinux](#rancher-selinux)
- [rke2-selinux](#rke2-selinux)
- [Installing the rancher-selinux RPM](#installing-the-rancher-selinux-rpm)
- [Configuring the Logging Application to Work with SELinux](#configuring-the-logging-application-to-work-with-selinux)
# rancher-selinux
To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides a SELinux RPM.
This RPM only contains policies for the [rancher-logging application,](https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-logging) but this is where additional policies for more Rancher feature applications will be added in the future. The logging application was tested
The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/rancher-selinux)
# rke2-selinux
rke2-selinux provides policies for RKE2. It is installed automatically when the RKE2 installer script detects that it is running on an RPM-based distro.
The `rke2-selinux` GitHub repository is [here.](https://github.com/rancher/rke2-selinux)
For more information about installing RKE2 on SELinux-enabled hosts, see the [RKE2 documentation.](https://docs.rke2.io/install/methods/#rpm)
# Installing the rancher-selinux RPM
> **Requirements:** The rancher-selinux RPM was tested with CentOS 7 and 8.
### 1. Set up the yum repo
Set up the yum repo to install `rancher-selinux` directly on all hosts in the cluster.
For CentOS 7, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/7/noarch
For CentOS 8, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/8/noarch
```
# source /etc/os-release
# cat << EOF > /etc/yum.repos.d/rancher.repo
[rancher]
name=Rancher
baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch # Change if using CentOS 7
enabled=1
gpgcheck=1
gpgkey=https://rpm.rancher.io/public.key
EOF
```
If you are testing out an unreleased change, you can use the testing channel:
```
# cat << EOF > /etc/yum.repos.d/rancher-testing.repo
[rancher]
name=Rancher Testing
baseurl=https://rpm-testing.rancher.io/rancher/testing/centos/8/$VERSION_ID/noarch # Change if using CentOS 7
enabled=1
gpgcheck=1
gpgkey=https://rpm-testing.rancher.io/public.key
EOF
```
### 2. Installing the RPM
Install the RPM:
```
yum -y install rancher-selinux
```
# Configuring the Logging Application to Work with SELinux
> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8.
Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM.
The rancher-logging chart, for example, needs to be configured to be SELinux aware:
```
helm install logging rancher/rancher-logging --set global.seLinux.enabled=true
```