Rancher Security Guides
Security policyRancher Labs supports responsible disclosure, and endeavours to resolve all issues in a reasonable time frame. | Reporting processPlease submit possible security issues by emailing security-rancher@suse.com . | AnnouncementsSubscribe to the Rancher announcements forum for release updates. |
Security is at the heart of all Rancher features. From integrating with all the popular authentication tools and services, to an enterprise grade RBAC capability, Rancher makes your Kubernetes clusters even more secure.
On this page, we provide security related documentation along with resources to help you secure your Rancher installation and your downstream Kubernetes clusters.
NeuVector Integration with Rancher
NeuVector is an open-source, container-focused security application that is now integrated into Rancher. NeuVector provides production security, DevOps vulnerability protection, and a container firewall, et al. Please see the Rancher docs and the NeuVector docs for more information.
Running a Compliance Security Scan on a Kubernetes Cluster
Rancher leverages kube-bench to run a security scan to check whether Kubernetes is deployed according to security best practices.
When Rancher runs a Compliance scan on a cluster, it generates a report showing the results of each test, including a summary with the number of passed, skipped and failed tests. The report also includes remediation steps for any failed tests.
For details, refer to the section on security scans. `
SELinux RPM
We provide three RPMs (RPM Package Manager) that enable Rancher products to function properly on SELinux-enforcing hosts: rancher-selinux, rke2-selinux and k3s-selinux. For details, see this page.
Rancher Hardening Guide
The Rancher Hardening Guide is based on controls and best practices found in the CIS Kubernetes Benchmark from the Center for Internet Security.
The hardening guides provide prescriptive guidance for hardening a production installation of Rancher. See Rancher's guides for Self Assessment of the CIS Kubernetes Benchmark for the full list of security controls.
The hardening guides describe how to secure the nodes in your cluster, and it is recommended to follow a hardening guide before installing Kubernetes.
Each version of the hardening guide is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher.
The CIS Benchmark and Self-Assessment
The benchmark self-assessment is a companion to the Rancher security hardening guide. While the hardening guide shows you how to harden the cluster, the benchmark guide is meant to help you evaluate the level of security of the hardened cluster.
This guide walks through the various controls and provide updated example commands to audit compliance in Rancher created clusters. The original benchmark documents can be downloaded from the CIS website.
Each version of Rancher's self-assessment guide corresponds to specific versions of the hardening guide, Rancher, Kubernetes, and the CIS Benchmark.
Third-party Penetration Test Reports
Rancher periodically hires third parties to perform security audits and penetration tests of the Rancher software stack. The environments under test follow the Rancher provided hardening guides at the time of the testing. Previous penetration test reports are available below.
Results:
Please note that new reports are no longer shared or made publicly available.
Rancher Security Advisories and CVEs
Rancher is committed to informing the community of security issues in our products. For the list of CVEs (Common Vulnerabilities and Exposures) for issues we have resolved, refer to this page.
Kubernetes Security Best Practices
For recommendations on securing your Kubernetes cluster, refer to the Kubernetes Cluster Security Best Practices guide.
Rancher Security Best Practices
For recommendations on securing your Rancher Manager deployments, refer to the Rancher Security Best Practices guide.
Rancher Kubernetes Distributions (K3s/RKE2) Self-Assessment and Hardening Guides
Rancher uses the following Kubernetes distributions:
- RKE2 is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.
- K3s is a fully conformant, lightweight Kubernetes distribution. It is easy to install, with half the memory requirement of upstream Kubernetes, all in a binary of less than 100 MB.
To harden a Kubernetes cluster that's running a distribution other than those listed, refer to your Kubernetes provider's docs.
Hardening Guides and Benchmark Versions
Each self-assessment guide is accompanied by a hardening guide. These guides were tested alongside the listed Rancher releases. Each self-assessment guide was tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can use the existing guides until a guide for your version is added.
RKE2 Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guide |
|---|---|---|---|---|
| Standalone RKE2 | Kubernetes v1.26 | CIS v1.8 | Link | Link |
| Standalone RKE2 | Kubernetes v1.27 | CIS v1.9 | Link | Link |
| Standalone RKE2 | Kubernetes v1.28 | CIS v1.10 | Link | Link |
| Standalone RKE2 | Kubernetes v1.29 and above | CIS v1.11 | Link | Link |
K3s Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guide |
|---|---|---|---|---|
| Standalone K3s | Kubernetes v1.26 | CIS v1.8 | Link | Link |
| Standalone K3s | Kubernetes v1.27 | CIS v1.9 | Link | Link |
| Standalone K3s | Kubernetes v1.28 | CIS v1.10 | Link | Link |
| Standalone K3s | Kubernetes v1.29 and above | CIS v1.11 | Link | Link |