Self-Assessment and Hardening Guides for Rancher
Rancher provides specific security hardening guides for each supported Rancher version's Kubernetes distributions.
Rancher Kubernetes Distributions
Rancher uses the following Kubernetes distributions:
- RKE, Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers.
- RKE2 is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.
- K3s is a fully conformant, lightweight Kubernetes distribution. It is easy to install, with half the memory requirement of upstream Kubernetes, all in a binary of less than 100 MB.
To harden a Kubernetes cluster that's running a distribution other than those listed, refer to your Kubernetes provider docs.
Hardening Guides and Benchmark Versions
Each self-assessment guide is accompanied by a hardening guide. These guides were tested alongside the listed Rancher releases. Each self-assessment guides was tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can use the existing guides until a guide for your version is added.
RKE Guides
Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
---|---|---|---|
Kubernetes v1.23 | CIS v1.23 | Link | Link |
Kubernetes v1.24 | CIS v1.24 | Link | Link |
Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
RKE2 Guides
Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
---|---|---|---|---|
Rancher provisioned RKE2 | Kubernetes v1.23 | CIS v1.23 | Link | Link |
Rancher provisioned RKE2 | Kubernetes v1.24 | CIS v1.24 | Link | Link |
Rancher provisioned RKE2 | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
Standalone RKE2 | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
K3s Guides
Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
---|---|---|---|---|
Rancher provisioned K3s cluster | Kubernetes v1.23 | CIS v1.23 | Link | Link |
Rancher provisioned K3s cluster | Kubernetes v1.24 | CIS v1.24 | Link | Link |
Rancher provisioned K3s cluster | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
Standalone K3s | Kubernetes v1.22 up to v1.24 | CIS v1.23 | Link | Link |
Rancher with SELinux
Security-Enhanced Linux (SELinux) is a kernel module that adds extra access controls and security tools to Linux. Historically used by government agencies, SELinux is now industry-standard. SELinux is enabled by default on RHEL and CentOS.
To use Rancher with SELinux, we recommend installing the rancher-selinux
RPM.