This hardening guide is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher:

This document provides prescriptive guidance for hardening a production installation of Rancher v2.4 with Kubernetes v1.15. It outlines the configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS).

For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.4.

Known Issues

  • Rancher exec shell and view logs for pods are not functional in a CIS 1.5 hardened setup when only public IP is provided when registering custom nodes. This functionality requires a private IP to be provided when registering the custom nodes.
  • When setting the default_pod_security_policy_template_id: to restricted Rancher creates RoleBindings and ClusterRoleBindings on the default service accounts. The CIS 1.5 5.1.5 check requires the default service accounts have no roles or cluster roles bound to it apart from the defaults. In addition the default service accounts should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

Configure Kernel Runtime Parameters

The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl.d/90-kubelet.conf:

Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings.

create etcd user and group

To create the etcd group run the following console commands.

The commands below use 52034 for uid and gid are for example purposes. Any valid unused uid or gid could also be used in lieu of 52034.

  1. groupadd --gid 52034 etcd
  2. useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd

Update the RKE config.yml with the uid and gid of the etcd user:

  1. services:
  2.   etcd:
  3.     gid: 52034
  4.     uid: 52034

Set automountServiceAccountToken to false for default service accounts

Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account. The default service account should be configured such that it does not provide a service account token and does not have any explicit rights assignments.

For each namespace including default and kube-system on a standard RKE install the default service account must include this value:

Save the following yaml to a file called account_update.yaml

  1. apiVersion: v1
  2. kind: ServiceAccount
  3. metadata:
  4.   name: default
  5. automountServiceAccountToken: false

Create a bash script file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions.

  1. #!/bin/bash -e
  3. for namespace in $(kubectl get namespaces -o custom-columns=NAME:.metadata.name --no-headers); do
  4.   kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)"
  5. done

Ensure that all Namespaces have Network Policies defined

Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace all traffic will be allowed into and out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information about CNI providers can be found

Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive example is provide below. If you want to allow all traffic to all pods in a namespace (even if policies are added that cause some pods to be treated as “isolated”), you can create a policy that explicitly allows all traffic in that namespace. Save the following yaml as default-allow-all.yaml. Additional documentation about network policies can be found on the Kubernetes site.

This NetworkPolicy is not recommended for production use

Create a bash script file called apply_networkPolicy_to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions.

  1. #!/bin/bash -e
  3. for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do
  4.   kubectl apply -f default-allow-all.yaml -n ${namespace}
  5. done

Execute this script to apply the default-allow-all.yaml the permissive NetworkPolicy to all namespaces.

The reference cluster.yml is used by the RKE CLI that provides the configuration needed to achieve a hardened install of Rancher Kubernetes Engine (RKE). Install is provided with additional details about the configuration items. This reference cluster.yml does not include the required nodes directive which will vary depending on your environment. Documentation for node configuration can be found here: https://rancher.com/docs/rke/latest/en/config-options/nodes

  1. # If you intend to deploy Kubernetes in an air-gapped environment,
  2. # please consult the documentation on how to configure custom RKE images.
  3. kubernetes_version: "v1.15.9-rancher1-1"
  4. enable_network_policy: true
  5. default_pod_security_policy_template_id: "restricted"
  6. # the nodes directive is required and will vary depending on your environment
  7. # documentation for node configuration can be found here:
  8. #  https://rancher.com/docs/rke/latest/en/config-options/nodes
  9. nodes:
  10. services:
  11.   etcd:
  12.     uid: 52034
  13.     gid: 52034
  14.   kube-api:
  15.     pod_security_policy: true
  16.     secrets_encryption_config:
  17.       enabled: true
  18.     audit_log:
  19.       enabled: true
  20.     admission_configuration:
  21.     event_rate_limit:
  22.       enabled: true
  23.   kube-controller:
  24.     extra_args:
  25.       feature-gates: "RotateKubeletServerCertificate=true"
  26.   scheduler:
  27.     image: ""
  28.     extra_args: {}
  29.     extra_binds: []
  30.     extra_env: []
  31.   kubelet:
  32.     generate_serving_certificate: true
  33.     extra_args:
  34.       feature-gates: "RotateKubeletServerCertificate=true"
  35.       protect-kernel-defaults: "true"
  36.       tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
  37.     extra_binds: []
  38.     extra_env: []
  39.     cluster_domain: ""
  40.     infra_container_image: ""
  41.     cluster_dns_server: ""
  42.     fail_swap_on: false
  43.   kubeproxy:
  44.     image: ""
  45.     extra_args: {}
  46.     extra_binds: []
  47.     extra_env: []
  48. network:
  49.   plugin: ""
  50.   options: {}
  51.   mtu: 0
  52.   node_selector: {}
  53. authentication:
  54.   strategy: ""
  55.   sans: []
  56.   webhook: null
  57. addons: |
  58.   ---
  59.   apiVersion: v1
  60.   kind: Namespace
  61.   metadata:
  62.     name: ingress-nginx
  63.   ---
  64.   apiVersion: rbac.authorization.k8s.io/v1
  66.   metadata:
  67.     name: default-psp-role
  68.     namespace: ingress-nginx
  69.   rules:
  70.   - apiGroups:
  71.     - extensions
  72.     resourceNames:
  73.     - default-psp
  74.     resources:
  75.     - podsecuritypolicies
  76.     verbs:
  77.   ---
  78.   apiVersion: rbac.authorization.k8s.io/v1
  79.   kind: RoleBinding
  80.   metadata:
  81.     name: default-psp-rolebinding
  82.     namespace: ingress-nginx
  83.   roleRef:
  84.     apiGroup: rbac.authorization.k8s.io
  85.     kind: Role
  86.     name: default-psp-role
  87.   subjects:
  88.   - apiGroup: rbac.authorization.k8s.io
  89.     kind: Group
  90.     name: system:serviceaccounts
  91.   - apiGroup: rbac.authorization.k8s.io
  92.     kind: Group
  93.     name: system:authenticated
  94.   ---
  95.   apiVersion: v1
  96.   kind: Namespace
  97.   metadata:
  98.     name: cattle-system
  99.   ---
  100.   apiVersion: rbac.authorization.k8s.io/v1
  101.   kind: Role
  102.   metadata:
  103.     name: default-psp-role
  104.     namespace: cattle-system
  105.   rules:
  106.   - apiGroups:
  107.     - extensions
  108.     resourceNames:
  109.     - default-psp
  110.     resources:
  111.     - podsecuritypolicies
  112.     verbs:
  113.     - use
  114.   ---
  115.   apiVersion: rbac.authorization.k8s.io/v1
  116.   kind: RoleBinding
  117.   metadata:
  118.     name: default-psp-rolebinding
  119.     namespace: cattle-system
  120.   roleRef:
  121.     apiGroup: rbac.authorization.k8s.io
  122.     kind: Role
  123.     name: default-psp-role
  124.   subjects:
  125.   - apiGroup: rbac.authorization.k8s.io
  126.     kind: Group
  127.     name: system:serviceaccounts
  128.   - apiGroup: rbac.authorization.k8s.io
  129.     kind: Group
  130.     name: system:authenticated
  131.   ---
  132.   apiVersion: policy/v1beta1
  133.   kind: PodSecurityPolicy
  134.   metadata:
  135.     name: restricted
  136.   spec:
  137.     requiredDropCapabilities:
  138.     - NET_RAW
  139.     privileged: false
  140.     allowPrivilegeEscalation: false
  141.     defaultAllowPrivilegeEscalation: false
  142.     fsGroup:
  143.       rule: RunAsAny
  144.     runAsUser:
  145.       rule: MustRunAsNonRoot
  146.     seLinux:
  147.       rule: RunAsAny
  148.     supplementalGroups:
  149.       rule: RunAsAny
  150.     volumes:
  151.     - emptyDir
  152.     - secret
  153.     - persistentVolumeClaim
  154.     - downwardAPI
  155.     - configMap
  156.     - projected
  157.   ---
  158.   apiVersion: rbac.authorization.k8s.io/v1
  159.   kind: ClusterRole
  160.   metadata:
  161.     name: psp:restricted
  162.   rules:
  163.   - apiGroups:
  164.     - extensions
  165.     resourceNames:
  166.     - restricted
  167.     resources:
  168.     - podsecuritypolicies
  169.     verbs:
  170.     - use
  171.   ---
  172.   apiVersion: rbac.authorization.k8s.io/v1
  173.   kind: ClusterRoleBinding
  174.   metadata:
  175.     name: psp:restricted
  176.   roleRef:
  177.     apiGroup: rbac.authorization.k8s.io
  178.     kind: ClusterRole
  179.     name: psp:restricted
  181.   - apiGroup: rbac.authorization.k8s.io
  182.     kind: Group
  183.     name: system:serviceaccounts
  184.   - apiGroup: rbac.authorization.k8s.io
  185.     name: system:authenticated
  186.   ---
  187.   apiVersion: v1
  188.   kind: ServiceAccount
  189.   metadata:
  190.     name: tiller
  191.     namespace: kube-system
  192.   ---
  193.   apiVersion: rbac.authorization.k8s.io/v1
  194.   kind: ClusterRoleBinding
  195.   metadata:
  196.     name: tiller
  197.   roleRef:
  198.     apiGroup: rbac.authorization.k8s.io
  199.     kind: ClusterRole
  200.     name: cluster-admin
  201.   subjects:
  202.   - kind: ServiceAccount
  203.     name: tiller
  204.     namespace: kube-system
  206. addons_include: []
  207. system_images:
  208.   etcd: ""
  209.   alpine: ""
  210.   nginx_proxy: ""
  211.   cert_downloader: ""
  212.   kubernetes_services_sidecar: ""
  213.   kubedns: ""
  214.   dnsmasq: ""
  215.   kubedns_sidecar: ""
  216.   kubedns_autoscaler: ""
  217.   coredns: ""
  218.   coredns_autoscaler: ""
  219.   kubernetes: ""
  220.   flannel: ""
  221.   flannel_cni: ""
  222.   calico_node: ""
  223.   calico_cni: ""
  224.   calico_controllers: ""
  225.   calico_ctl: ""
  226.   calico_flexvol: ""
  227.   canal_node: ""
  228.   canal_cni: ""
  229.   canal_flannel: ""
  230.   canal_flexvol: ""
  231.   weave_node: ""
  232.   weave_cni: ""
  233.   pod_infra_container: ""
  234.   ingress: ""
  235.   ingress_backend: ""
  236.   metrics_server: ""
  237.   windows_pod_infra_container: ""
  238. ssh_key_path: ""
  239. ssh_cert_path: ""
  240. ssh_agent_auth: false
  241. authorization:
  242.   mode: ""
  243.   options: {}
  244. ignore_docker_version: false
  245. private_registries: []
  246. ingress:
  247.   provider: ""
  248.   options: {}
  249.   node_selector: {}
  250.   extra_args: {}
  251.   dns_policy: ""
  252.   extra_envs: []
  253.   extra_volumes: []
  254.   extra_volume_mounts: []
  255. cluster_name: ""
  256. prefix_path: ""
  257. addon_job_timeout: 0
  258. bastion_host:
  259.   address: ""
  260.   port: ""
  261.   user: ""
  262.   ssh_key: ""
  263.   ssh_key_path: ""
  264.   ssh_cert: ""
  265.   ssh_cert_path: ""
  266. monitoring:
  267.   provider: ""
  268.   options: {}
  269.   node_selector: {}
  270. restore:
  271.   restore: false
  272.   snapshot_name: ""
  273. dns: null

Reference Hardened RKE Template configuration

The reference RKE Template provides the configuration needed to achieve a hardened install of Kubenetes. RKE Templates are used to provision Kubernetes and define Rancher settings. Follow the Rancher documentaion for additional installation and RKE Template details.

  1. #cloud-config
  2. packages:
  3.   - curl
  4.   - jq
  5. runcmd:
  6.   - sysctl -w vm.overcommit_memory=1
  7.   - sysctl -w kernel.panic=10
  8.   - sysctl -w kernel.panic_on_oops=1
  9.   - curl https://releases.rancher.com/install-docker/18.09.sh | sh
  10.   - usermod -aG docker ubuntu
  11.   - return=1; while [ $return != 0 ]; do sleep 2; docker ps; return=$?; done
  12.   - addgroup --gid 52034 etcd
  13.   - useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd
  14. write_files:
  15.   - path: /etc/sysctl.d/kubelet.conf
  16.     owner: root:root
  17.     permissions: "0644"
  18.     content: |
  19.       vm.overcommit_memory=1
  20.       kernel.panic_on_oops=1