rancher-docs/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security.md
Marty Hernandez Avedon 6ccd0b7b6c Syncing sidebar with page titles and disambiguating brief titles (#1197)
* Syncing sidebar labels with page titles

Deploying Rancher Server: Update sidebar label to match title

* Installing/Upgrading Rancher: Update title to match sidebar

This is a reference/hub page for install guides with no step-by-step instructions, so we're breaking the -ing rule to match other reference pages as well as the current sidebar label

* Cluster Access: Update title to match sidebar

* Kubernetes Persistent Storage: Volumes and Storage Classes - Update title to match sidebar

* Don't have a Kubernetes cluster? Try one of these tutorials: Update title to match sidebar and make old title intro to page

* Don't have infrastructure for your Kubernetes cluster? Try one of these tutorials: Update title to match sidebar and make old title intro to page

* versioning Deploying Rancher Server update to other sidebars

* Setting Up Kubernetes Clusters in Rancher: Update sidebars to match title and other sidebar labels

* capitalization

* Creating a vSphere Cluster: Update sidebar to match title and other labels

* Creating a Nutanix AOS Cluster: Update sidebar to match title and other labels

* Kubernetes Clusters in Rancher Setup across the board for title and sidebar, to match convention in sidebar

* Kubernetes Resources: Updated title to match sidebar and distinguish from identically-titled page in troubleshooting section

* The Horizontal Pod Autoscaler: Updated title to match sidebar

* Backups and Disaster Recovery: Update title to match sidebar

* typo fix

* revert to Installation and Upgrade of Rancher

fix typo in title: Create Kubernetes Persistent files

* fix typo in Persistent Storage files

* Configuration: Update title to match sidebar item Monitoring V2 Configuration Guides

* Setup Guide: Make both sidebar + title Istio Setup guides to match other sidebar labels

* Best Practices: Update both to Best Practice Guides

* Architecture: Update to match sidebar Rancher Architecture.

Note that there are multiple pages with identical titles, one is on Fleet and another on some other subject

* Architecture: Retitle logging-architecture.md files Logging Architecture

* Architecture: Retitle fleet/architecture.md files Fleet Architecture

* GKE Cluster Configuration: Update sidebar to match title and other labels in same section

* Security: Update both to Rancher Security Guides

* RKE Hardening Guide: Update to match sidebar

* typo

* RKE2 Hardening Guide: Update to match sidebar

* K3s Hardening Guide: Update to match sidebar

* various FAQ pages: Add FAQ to title to disambiguate content

* Cloud Native Storage with Longhorn: Versioning so older pages match current title

* rm international pages for now

* typo in metadata killed build

* updated sidebar: plural Istio Setup Guides

* updating Monitoring Config Guides title/label and distinguishing from similar section under References

* monitoring V2 config examples: rm 'V2'

* Kubernetes Cluster Setup > Setting up a Kubernetes Cluster for Rancher Server
2024-04-09 17:10:29 -04:00


Rancher Security Guides

Security policy

Rancher Labs supports responsible disclosure, and endeavours to resolve all issues in a reasonable time frame.

Reporting process

Please submit possible security issues by emailing security-rancher@suse.com .

Announcements

Subscribe to the Rancher announcements forum for release updates.

Security is at the heart of all Rancher features. From integrating with all the popular authentication tools and services, to an enterprise grade RBAC capability, Rancher makes your Kubernetes clusters even more secure.

On this page, we provide security related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters.

NeuVector Integration with Rancher

NeuVector is an open-source, container-focused security application that is now integrated into Rancher. NeuVector provides production runtime security, DevOps vulnerability protection, and a container firewall, among other capabilities. Please see the Rancher docs and the NeuVector docs for more information.

Running a CIS Security Scan on a Kubernetes Cluster

Rancher leverages kube-bench to run a security scan to check whether Kubernetes is deployed according to security best practices as defined in the CIS (Center for Internet Security) Kubernetes Benchmark.

The CIS Kubernetes Benchmark is a reference document that can be used to establish a secure configuration baseline for Kubernetes.

The Center for Internet Security (CIS) is a 501(c)(3) non-profit organization, formed in October 2000, with a mission to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace".

CIS Benchmarks are best practices for the secure configuration of a target system. CIS Benchmarks are developed through the generous volunteer efforts of subject matter experts, technology vendors, public and private community members, and the CIS Benchmark Development team.

The Benchmark provides recommendations of two types: Automated and Manual. The Rancher scan runs tests for the Automated recommendations only; Manual recommendations cannot be verified by a tool and must be reviewed by hand.

When Rancher runs a CIS security scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests.

For details, refer to the section on security scans.
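As an added illustration (not code from the Rancher project), the script below shows how a scan report of the kind described above can be reduced to the pass/fail/skip summary and the remediation list for failed checks. The input is constructed sample data that follows the shape of kube-bench's JSON output (`Controls` > `tests` > `results`, with `status` and a `type` of `manual` on Manual recommendations); that shape, and the treatment of Manual and unscored checks as skipped, are assumptions of this example rather than a description of Rancher's own report format.

```python
"""Summarize a kube-bench style JSON report: count pass/fail/skip,
run only Automated checks, and list remediation for failures."""
import json

# Constructed sample report shaped like kube-bench JSON output (assumption).
SAMPLE_REPORT = json.dumps({
    "Controls": [{
        "id": "1",
        "text": "Control Plane Security Configuration",
        "tests": [{
            "section": "1.2",
            "desc": "API Server",
            "results": [
                {"test_number": "1.2.1",
                 "test_desc": "Ensure that the --anonymous-auth argument is set to false",
                 "type": "", "status": "FAIL",
                 "remediation": "Edit the API server configuration and set --anonymous-auth=false."},
                {"test_number": "1.2.2",
                 "test_desc": "Ensure that the --token-auth-file parameter is not set",
                 "type": "", "status": "PASS",
                 "remediation": ""},
                {"test_number": "1.2.6",
                 "test_desc": "Ensure that the --kubelet-certificate-authority argument is set as appropriate",
                 "type": "manual", "status": "WARN",
                 "remediation": "Set up TLS between the API server and kubelets per the Kubernetes documentation."},
            ],
        }],
    }],
})


def iter_results(report):
    """Walk every individual check result in the report."""
    for control in report.get("Controls", []):
        for test in control.get("tests", []):
            for result in test.get("results", []):
                yield result


def summarize(report_json, automated_only=True):
    """Return pass/fail/skip counts plus (id, description, remediation) for failures."""
    report = json.loads(report_json)
    summary = {"pass": 0, "fail": 0, "skip": 0, "failed": []}
    for r in iter_results(report):
        # Manual recommendations are reported but never executed by the scan.
        if automated_only and r.get("type", "") == "manual":
            summary["skip"] += 1
            continue
        status = r.get("status", "").upper()
        if status == "PASS":
            summary["pass"] += 1
        elif status == "FAIL":
            summary["fail"] += 1
            summary["failed"].append(
                (r["test_number"], r["test_desc"], r.get("remediation", "")))
        else:
            # WARN/INFO are unscored; treat them as skipped.
            summary["skip"] += 1
    return summary


def render(summary):
    """Produce the human-readable summary with remediation steps."""
    lines = [f"pass={summary['pass']} fail={summary['fail']} skip={summary['skip']}"]
    for num, desc, fix in summary["failed"]:
        lines.append(f"[{num}] {desc}")
        lines.append(f"    remediation: {fix}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(summarize(SAMPLE_REPORT)))
```

Run it against a real report by replacing `SAMPLE_REPORT` with the file contents; the only field names the code depends on are the ones listed in the lead-in, so a differently shaped report needs the three accessors adjusted rather than the counting logic.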

SELinux RPM

Security-Enhanced Linux (SELinux) is a mandatory access control extension to Linux. Originally used mainly by government agencies, SELinux is now an industry standard and is enabled in enforcing mode by default on CentOS 7 and 8.

We provide two RPMs (Red Hat packages) that enable Rancher products to function properly on SELinux-enforcing hosts: rancher-selinux and rke2-selinux. For details, see this page.

Rancher Hardening Guide

The Rancher Hardening Guide is based on controls and best practices found in the CIS Kubernetes Benchmark from the Center for Internet Security.

The hardening guides provide prescriptive guidance for hardening a production installation of Rancher. See Rancher's guides for Self Assessment of the CIS Kubernetes Benchmark for the full list of security controls.

The hardening guides describe how to secure the nodes in your cluster, and it is recommended to follow a hardening guide before installing Kubernetes.

Each version of the hardening guide is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher.

The CIS Benchmark and Self-Assessment

The benchmark self-assessment is a companion to the Rancher security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster.

Because Rancher and RKE install Kubernetes services as Docker containers rather than as host processes or static pods, many of the control verification checks in the CIS Kubernetes Benchmark don't apply as written. This guide will walk through the various controls and provide updated example commands to audit compliance in Rancher created clusters. The original benchmark documents can be downloaded from the CIS website.

Each version of Rancher's self-assessment guide corresponds to specific versions of the hardening guide, Rancher, Kubernetes, and the CIS Benchmark.
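As an added example (not part of the Rancher self-assessment guides), the script below shows the kind of adjusted audit the paragraph above describes: because the API server runs as a container, its command line is read from `docker inspect` output instead of the process list, and individual flags are checked against the expected hardened values. The `docker inspect` document is constructed sample data shaped like the real output (`Name`, `Path`, `Args`), the chosen flags are a handful of well-known kube-apiserver settings, and the benchmark's control numbers are deliberately omitted because they vary between benchmark versions.

```python
"""Audit kube-apiserver flags from `docker inspect` output instead of `ps`."""
import json

# Constructed sample shaped like `docker inspect kube-apiserver` on an RKE node
# (assumption about the layout; --profiling is intentionally left unset).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/kube-apiserver",
    "Path": "/opt/rke-tools/entrypoint.sh",
    "Args": [
        "kube-apiserver",
        "--anonymous-auth=false",
        "--authorization-mode=Node,RBAC",
        "--audit-log-path", "/var/log/kube-audit/audit-log.json",
        "--service-account-lookup=true",
    ],
}])

# (check name, expected condition, flag, predicate over the flag value;
#  the predicate receives None when the flag is absent)
CHECKS = [
    ("anonymous-auth", "--anonymous-auth is false",
     "--anonymous-auth", lambda v: v == "false"),
    ("token-auth-file", "--token-auth-file is not set",
     "--token-auth-file", lambda v: v is None),
    ("authorization-mode", "--authorization-mode excludes AlwaysAllow and includes Node,RBAC",
     "--authorization-mode",
     lambda v: v is not None and "AlwaysAllow" not in v.split(",")
     and {"Node", "RBAC"} <= set(v.split(","))),
    ("profiling", "--profiling is false",
     "--profiling", lambda v: v == "false"),
    ("audit-log-path", "--audit-log-path is set",
     "--audit-log-path", lambda v: bool(v)),
    ("service-account-lookup", "--service-account-lookup is true",
     "--service-account-lookup", lambda v: v == "true"),
]


def parse_args(args):
    """Turn a Go-style argument list into a flag -> value dict.

    Handles --flag=value, --flag value, and bare boolean --flag; a flag given
    twice takes the last value, matching how Go's flag parsing behaves.
    """
    flags = {}
    i = 0
    while i < len(args):
        a = args[i]
        if a.startswith("--"):
            if "=" in a:
                k, v = a.split("=", 1)
            elif i + 1 < len(args) and not args[i + 1].startswith("--"):
                k, v = a, args[i + 1]
                i += 1
            else:
                k, v = a, "true"
            flags[k] = v
        i += 1
    return flags


def container_args(inspect_json, name="kube-apiserver"):
    """Pick the container's Args out of a `docker inspect` JSON array."""
    for c in json.loads(inspect_json):
        if c.get("Name", "").lstrip("/") == name:
            return c.get("Args", [])
    raise LookupError(f"container {name!r} not found in inspect output")


def audit(inspect_json):
    """Evaluate every check; returns {check name: 'PASS' | 'FAIL'}."""
    flags = parse_args(container_args(inspect_json))
    return {name: ("PASS" if ok(flags.get(flag)) else "FAIL")
            for name, _desc, flag, ok in CHECKS}


if __name__ == "__main__":
    results = audit(SAMPLE_INSPECT)
    for name, desc, _flag, _ok in CHECKS:
        print(f"{results[name]:4}  {desc}")
```

An absent flag is passed to the predicate as `None` so that checks whose secure state is "not set" (such as `--token-auth-file`) and checks whose secure state requires an explicit value (such as `--profiling=false`, because the default is true) are both expressed the same way.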

Third-party Penetration Test Reports

Rancher periodically hires third parties to perform security audits and penetration tests of the Rancher software stack. The environments under test follow the Rancher provided hardening guides at the time of the testing. Previous penetration test reports are available below.

Results:

Please note that new reports are no longer shared or made publicly available.

Rancher Security Advisories and CVEs

Rancher is committed to informing the community of security issues in our products. For the list of CVEs (Common Vulnerabilities and Exposures) for issues we have resolved, refer to this page.

Kubernetes Security Best Practices

For recommendations on securing your Kubernetes cluster, refer to the Kubernetes Security Best Practices guide.

Rancher Security Best Practices

For recommendations on securing your Rancher Manager deployments, refer to the Rancher Security Best Practices guide.