Self-Assessment and Hardening Guides for Rancher
Rancher provides specific security hardening guides for each supported Rancher version's Kubernetes distributions.
Rancher Kubernetes Distributions
Rancher uses the following Kubernetes distributions:
- RKE, Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers.
- RKE2 is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.
- K3s is a fully conformant, lightweight Kubernetes distribution. It is easy to install, with half the memory requirement of upstream Kubernetes, all in a binary of less than 100 MB.
To harden a Kubernetes cluster that's running a distribution other than those listed, refer to your Kubernetes provider docs.
Hardening Guides and Benchmark Versions
Each self-assessment guide is accompanied by a hardening guide. These guides were tested alongside the listed Rancher releases. Each self-assessment guides was tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can use the existing guides until a guide for your version is added.
RKE Guides
| Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|
| Kubernetes v1.23 | CIS v1.23 | Link | Link |
| Kubernetes v1.24 | CIS v1.24 | Link | Link |
| Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
RKE2 Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
| Rancher provisioned RKE2 | Kubernetes v1.23 | CIS v1.23 | Link | Link |
| Rancher provisioned RKE2 | Kubernetes v1.24 | CIS v1.24 | Link | Link |
| Rancher provisioned RKE2 | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
| Standalone RKE2 | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
K3s Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
| Rancher provisioned K3s cluster | Kubernetes v1.23 | CIS v1.23 | Link | Link |
| Rancher provisioned K3s cluster | Kubernetes v1.24 | CIS v1.24 | Link | Link |
| Rancher provisioned K3s cluster | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
| Standalone K3s | Kubernetes v1.22 up to v1.24 | CIS v1.23 | Link | Link |
Rancher with SELinux
Security-Enhanced Linux (SELinux) is a kernel module that adds extra access controls and security tools to Linux. Historically used by government agencies, SELinux is now industry-standard. SELinux is enabled by default on RHEL and CentOS.
To use Rancher with SELinux, we recommend installing the rancher-selinux RPM.