Self-Assessment and Hardening Guides for Rancher v2.6
Rancher provides specific security hardening guides for each supported Rancher's Kubernetes distributions.
Rancher Kubernetes Distributions
Rancher uses the following Kubernetes distributions:
- RKE, Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers.
- RKE2 is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.
- K3s is a fully conformant, lightweight Kubernetes distribution. It is easy to install, with half the memory of upstream Kubernetes, all in a binary of less than 100 MB.
To harden a Kubernetes cluster outside of Rancher's distributions, refer to your Kubernetes provider docs.
Hardening Guides and Benchmark Versions
These guides have been tested along with the Rancher v2.6 release. Each self-assessment guide is accompanied with a hardening guide and tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can choose to use the existing guides until a newer version is added.
RKE Guides
| Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|
| Kubernetes v1.18 up to v1.23 | CIS v1.6 | Link | Link |
- CIS v1.20 benchmark version for Kubernetes v1.19 and v1.20 is not yet released as a profile in Rancher's CIS Benchmark chart.
RKE2 Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
| Rancher provisioned RKE2 cluster | Kubernetes v1.21 up to v1.23 | CIS v1.6 | Link | Link |
| Standalone RKE2 | Kubernetes v1.21 up to v1.23 | CIS v1.6 | Link | Link |
K3s Guides
| Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|
| Kubernetes v1.21 and v1.22 | CIS v1.6 | Link | Link |
Rancher with SELinux
Security-Enhanced Linux (SELinux) is a security enhancement to Linux. After being historically used by government agencies, SELinux is now industry standard and is enabled by default on RHEL and CentOS.
To use Rancher with SELinux, we recommend installing the rancher-selinux RPM according to the instructions on this page.