If you have questions, comments, or have identified ways to improve this guide, please write us at Checklist Role: To obtain the latest version of this guide, please visit. 18.This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu 18.04 LTS. # Cluster Config # default_pod_security_policy_template_id: restricted docker_root_dir: /var/lib/docker enable_cluster_alerting: false enable_cluster_monitoring: false enable_network_policy: true # Rancher Config # rancher_kubernetes_engine_config: addon_job_timeout: 45 ignore_docker_version: true kubernetes_version: v1.
Follow the Rancherĭocumentaion for additional installation and RKE Template details. RKE Templates are used to provision Kubernetes and define Rancher settings.
The reference RKE Template provides the configuration needed to achieve a hardened install of Kubenetes.
02/01, Express Security Content Update for RHEL 7 (CIS Benchmark v2.2.0) Download.
Kubectl patch serviceaccount default -n $ update_strategy: null replicas: null restore: restore: false snapshot_name: "" dns: null upgrade_strategy: max_unavailable_worker: "" max_unavailable_controlplane: "" drain: null node_drain_input: null Reference Hardened RKE Template configuration Each Express SCU comprises an installer to install a single predefined. Set the following parameters in /etc/sysctl.d/nf:įor namespace in $(kubectl get namespaces -A -o json | jq -r '.' ) do This creates a new tensorflow-dev directory which will contain all of the packages that you install while this environment is activated. Run the following command to create the environment: python3 -m venv tensorflow-dev. The following sysctl configuration is recommended for all nodes type in the cluster. Then create a new virtual environment called tensorflow-dev. Pod may fail to run because of missing namesapce like ingress-nginx, cattle-system. Addons were removed in HG 2.5, and therefore namespaces on migration may be not created on the downstream clusters. 4 P a g e Overview CIS-CAT is a configuration assessment software tool available to CIS members as a benefit of membership. In addition the default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments. The CIS 1.6 5.1.5 check requires the default service accounts have no roles or cluster roles bound to it apart from the defaults.
This hardening guide is intended to be used for RKE clusters and associated with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: Rancher VersionĬlick here to download a PDF version of this document Overview sudo usg audit cislevel1server This will generate a report placed in /var/lib/usg with the results of the audit. We will audit our system using USG and that benchmark with the following command.
This hardening guide describes how to secure the nodes in your cluster, and it is recommended to follow this guide before installing Kubernetes. At the time of this writing, the corresponding CIS benchmark for Ubuntu 20.04 LTS is the CIS Ubuntu Linux 20.04 LTS Benchmark v1.0.0. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This document provides prescriptive guidance for hardening a production installation of a RKE cluster to be used with Rancher v2.5.4.