diff --git a/content/rancher/v2.5/en/logging/_index.md b/content/rancher/v2.5/en/logging/_index.md index 6aa6c4be2c5..0ae41042072 100644 --- a/content/rancher/v2.5/en/logging/_index.md +++ b/content/rancher/v2.5/en/logging/_index.md @@ -17,6 +17,8 @@ aliases: - [Configuring the Logging Application](#configuring-the-logging-application) - [Working with a Custom Docker Root Directory](#working-with-a-custom-docker-root-directory) - [Working with Taints and Tolerations](#working-with-taints-and-tolerations) +- [Logging v2 with SELinux](#logging-v2-with-selinux) +- [Troubleshooting](#troubleshooting) # Changes in Rancher v2.5 @@ -349,6 +351,18 @@ fluentbit_tolerations: # insert tolerations list for fluentbit containers only... ``` +# Logging v2 with SELinux + +_Available as of v2.5.8_ + +> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8. + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +To use Logging v2 with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm) + +Then you will need to configure the logging application to work with SELinux as shown in [this section.]({{}}/rancher/v2.5/en/security/selinux/#configuring-the-logging-application-to-work-with-selinux) + # Troubleshooting ### The `cattle-logging` Namespace Being Recreated diff --git a/content/rancher/v2.5/en/security/_index.md b/content/rancher/v2.5/en/security/_index.md index a50954a1fb2..d0eec5593ac 100644 --- a/content/rancher/v2.5/en/security/_index.md +++ b/content/rancher/v2.5/en/security/_index.md @@ -25,6 +25,7 @@ Security is at the heart of all Rancher features. From integrating with all the On this page, we provide security-related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters: - [Running a CIS security scan on a Kubernetes cluster](#running-a-cis-security-scan-on-a-kubernetes-cluster) +- [SELinux RPM](#selinux-rpm) - [Guide to hardening Rancher installations](#rancher-hardening-guide) - [The CIS Benchmark and self-assessment](#the-cis-benchmark-and-self-assessment) - [Third-party penetration test reports](#third-party-penetration-test-reports) @@ -46,6 +47,12 @@ When Rancher runs a CIS security scan on a cluster, it generates a report showin For details, refer to the section on [security scans.]({{}}/rancher/v2.5/en/cis-scans) +### SELinux RPM + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. For details, see [this page.]({{}}/rancher/v2.5/en/security/selinux) + ### Rancher Hardening Guide The Rancher Hardening Guide is based on controls and best practices found in the CIS Kubernetes Benchmark from the Center for Internet Security. diff --git a/content/rancher/v2.5/en/security/rancher-2.5/_index.md b/content/rancher/v2.5/en/security/rancher-2.5/_index.md index 3b7eb986652..dc5c0d8d71a 100644 --- a/content/rancher/v2.5/en/security/rancher-2.5/_index.md +++ b/content/rancher/v2.5/en/security/rancher-2.5/_index.md @@ -6,6 +6,15 @@ weight: 1 Rancher v2.5 introduced the capability to deploy Rancher on any Kubernetes cluster. For that reason, we now provide separate security hardening guides for Rancher deployments on each of Rancher's Kubernetes distributions. +- [Rancher Kubernetes Distributions](#rancher-kubernetes-distributions) +- [Hardening Guides and Benchmark Versions](#hardening-guides-and-benchmark-versions) + - [RKE Guides](#rke-guides) + - [RKE2 Guides](#rke2-guides) + - [K3s Guides](#k3s) +- [Rancher with SELinux](#rancher-with-selinux) + +# Rancher Kubernetes Distributions + Rancher has the following Kubernetes distributions: - [**RKE,**]({{}}/rke/latest/en/) Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers. @@ -14,7 +23,7 @@ Rancher has the following Kubernetes distributions: To harden a Kubernetes cluster outside of Rancher's distributions, refer to your Kubernetes provider docs. -# Guides +# Hardening Guides and Benchmark Versions These guides have been tested along with the Rancher v2.5 release. Each self-assessment guide is accompanied with a hardening guide and tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can choose to use the existing guides until a newer version is added. @@ -34,3 +43,11 @@ Kubernetes v1.18 | CIS v1.5 | [Link](https://docs.rke2.io/security/cis_self_asse ### K3s Guides The K3s security guides will be added soon. + +# Rancher with SELinux + +_Available as of v2.5.8_ + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +To use Rancher with SELinux, we recommend installing the `rancher-selinux` RPM according to the instructions on [this page.]({{}}/rancher/v2.5/en/security/selinux/#installing-the-rancher-selinux-rpm) \ No newline at end of file diff --git a/content/rancher/v2.5/en/security/selinux/_index.md b/content/rancher/v2.5/en/security/selinux/_index.md new file mode 100644 index 00000000000..05e090fd315 --- /dev/null +++ b/content/rancher/v2.5/en/security/selinux/_index.md @@ -0,0 +1,92 @@ +--- +title: SELinux RPM +weight: 4 +--- + +_Available as of v2.5.8_ + +[Security-Enhanced Linux (SELinux)](https://en.wikipedia.org/wiki/Security-Enhanced_Linux) is a security enhancement to Linux. + +Developed by Red Hat, it is an implementation of mandatory access controls (MAC) on Linux. Mandatory access controls allow an administrator of a system to define how applications and users can access different resources such as files, devices, networks and inter-process communication. SELinux also enhances security by making an OS restrictive by default. + +After being historically used by government agencies, SELinux is now industry standard and is enabled by default on CentOS 7 and 8. + +We provide two RPMs (Red Hat package managers) that enable Rancher products to function properly on SELinux-enforcing hosts: `rancher-selinux` and `rke2-selinux`. + +- [rancher-selinux](#rancher-selinux) +- [rke2-selinux](#rke2-selinux) +- [Installing the rancher-selinux RPM](#installing-the-rancher-selinux-rpm) +- [Configuring the Logging Application to Work with SELinux](#configuring-the-logging-application-to-work-with-selinux) + +# rancher-selinux + +To allow Rancher to work with SELinux, some functionality has to be manually enabled for the SELinux nodes. To help with that, Rancher provides a SELinux RPM. + +This RPM only contains policies for the [rancher-logging application,](https://github.com/rancher/charts/tree/dev-v2.5/charts/rancher-logging) but this is where additional policies for more Rancher feature applications will be added in the future. The logging application was tested + +The `rancher-selinux` GitHub repository is [here.](https://github.com/rancher/rancher-selinux) + +# rke2-selinux + +rke2-selinux provides policies for RKE2. It is installed automatically when the RKE2 installer script detects that it is running on an RPM-based distro. + +The `rke2-selinux` GitHub repository is [here.](https://github.com/rancher/rke2-selinux) + +For more information about installing RKE2 on SELinux-enabled hosts, see the [RKE2 documentation.](https://docs.rke2.io/install/methods/#rpm) + +# Installing the rancher-selinux RPM + +> **Requirements:** The rancher-selinux RPM was tested with CentOS 7 and 8. + +### 1. Set up the yum repo + +Set up the yum repo to install `rancher-selinux` directly on all hosts in the cluster. + +For CentOS 7, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/7/noarch + +For CentOS 8, use this URL for the `baseurl`: https://rpm.rancher.io/rancher/production/centos/8/noarch + +``` +# source /etc/os-release +# cat << EOF > /etc/yum.repos.d/rancher.repo +[rancher] +name=Rancher +baseurl=https://rpm.rancher.io/rancher/production/centos/8/noarch # Change if using CentOS 7 +enabled=1 +gpgcheck=1 +gpgkey=https://rpm.rancher.io/public.key +EOF +``` + +If you are testing out an unreleased change, you can use the testing channel: + +``` +# cat << EOF > /etc/yum.repos.d/rancher-testing.repo +[rancher] +name=Rancher Testing +baseurl=https://rpm-testing.rancher.io/rancher/testing/centos/8/$VERSION_ID/noarch # Change if using CentOS 7 +enabled=1 +gpgcheck=1 +gpgkey=https://rpm-testing.rancher.io/public.key +EOF +``` + +### 2. Installing the RPM + +Install the RPM: + +``` +yum -y install rancher-selinux +``` + +# Configuring the Logging Application to Work with SELinux + +> **Requirements:** Logging v2 was tested with SELinux on RHEL/CentOS 7 and 8. + +Applications do not automatically work once the `rancher-selinux` RPM is installed on the host. They need to be configured to run in an allowed SELinux container domain provided by the RPM. + +The rancher-logging chart, for example, needs to be configured to be SELinux aware: + +``` +helm install logging rancher/rancher-logging --set global.seLinux.enabled=true +``` \ No newline at end of file