Add v2.6 hardening guides

[macedogm]

Add hardening guides for Rancher v2.6.

We also need to upload, please, the following PDF files to our site:

• File content/rancher/v2.6/en/security/hardening-guides/1.6-hardening-2.6/Rancher_v2-6_CIS_v1-6_Hardening_Guide.pdf to https://releases.rancher.com/documents/security/2.6/Rancher_v2-6_CIS_v1-6_Hardening_Guide.pdf
• File content/rancher/v2.6/en/security/hardening-guides/1.6-benchmark-2.6/Rancher_v2-6_CIS_v1-6_Benchmark_Assessment.pdf to https://releases.rancher.com/documents/security/2.6/Rancher_v2-6_CIS_v1-6_Benchmark_Assessment.pdf

Signed-off-by: Guilherme Macedo guilherme.macedo@suse.com

[macedogm]

I'm moving this temporarily to draft, while we wait for @anupama2501's review.

[macedogm]

As discussed with @cbron, PR is ready for review by Caleb and @paraglade.

[paraglade]

looks good enough to publish from what I can see

[ryansann]

@macedogm I have a few additional items in my cloud-config I use for hardening, posting here in case they are needed:

ssh_pwauth: false
runcmd:
...
# allow kubernetes api inbound traffic to 6443
- iptables -A INPUT -p tcp --dport 6443 -j ACCEPT
# allow etcd inbound traffic to 2379
- iptables -A INPUT -p tcp --dport 2379 -j ACCEPT

[ryansann]

Something about the PDF generation for the benchmark assessment is causing not enough padding to be added between lines in the Contents

(I tried this in multiple browsers and saw the same)

[macedogm]

@macedogm I have a few additional items in my cloud-config I use for hardening, posting here in case they are needed:

ssh_pwauth: false
runcmd:
...
# allow kubernetes api inbound traffic to 6443
- iptables -A INPUT -p tcp --dport 6443 -j ACCEPT
# allow etcd inbound traffic to 2379
- iptables -A INPUT -p tcp --dport 2379 -j ACCEPT

@ryansann Thanks for this idea. For now I added only ssh_pwauth: false, which is a great hardening step. I would refrain from adding the iptables rules now, to avoid messing with other possible firewall rules from the users.

[macedogm]

Something about the PDF generation for the benchmark assessment is causing not enough padding to be added between lines in the Contents

(I tried this in multiple browsers and saw the same)

@ryansann Thanks for spotting this. Somehow I missed, but it's fixed now. Can you please have a look if the new style for the contents section is better?

[ryansann]

Something about the PDF generation for the benchmark assessment is causing not enough padding to be added between lines in the Contents
(I tried this in multiple browsers and saw the same)

@ryansann Thanks for spotting this. Somehow I missed, but it's fixed now. Can you please have a look if the new style for the contents section is better?

No problem! I pulled the most recent changes and the PDFs look good now 👍

[cbron]

We either need to re-open this against staging, or do QA before we merge, as this PR will go live to docs site.

[cbron]

Didn't deep dive but seems fine to me besides branch changes. Will need to talk to docs team about PDFs.

[cbron]

Are we also going to link our rke2 guides down the road ? We can adjust then, just curious.

[macedogm]

Yes, in case you want to have them separated from the current RKE2 guides. My initial plan was only to update those guides in their current place (docs.rke2.io), instead of "forking" them to be inside rancher.com/docs. WDYT?

[cbron]

If there are details specific to Rancher then it should be on Rancher side. RKE2 docs should be standalone RKE2 only.

[macedogm]

We either need to re-open this against staging, or do QA before we merge, as this PR will go live to docs site.

@cbron okay, I changed the branch to go to staging.

@btat can you please advise how this now goes to staging and then master? Is this done automatically or do I need to keep track?

[macedogm]

Didn't deep dive but seems fine to me besides branch changes. Will need to talk to docs team about PDFs.

@btat regarding this point raised by Caleb, do you want to change the format/styling of the PDFs? I reused the same format and style of the current guides, but a revamp in terms of branding might be good too. Please let me know if you want to chat about this.

[btat]

We either need to re-open this against staging, or do QA before we merge, as this PR will go live to docs site.

@cbron okay, I changed the branch to go to staging.

@btat can you please advise how this now goes to staging and then master? Is this done automatically or do I need to keep track?

@macedogm after this is merged to staging, you do not need to keep track of it. The docs team will handle bringing over updates from staging back to master, which will happen around release time.

Didn't deep dive but seems fine to me besides branch changes. Will need to talk to docs team about PDFs.

@btat regarding this point raised by Caleb, do you want to change the format/styling of the PDFs? I reused the same format and style of the current guides, but a revamp in terms of branding might be good too. Please let me know if you want to chat about this.

The current format/styling looks fine to me, but I'm not familiar with the latest branding guidelines. I can circulate this among the docs team for additional feedback and then we can sync up afterwards if needed.

[macedogm]

@btat

@macedogm after this is merged to staging, you do not need to keep track of it. The docs team will handle bringing over updates from staging back to master, which will happen around release time.

Thanks!

The current format/styling looks fine to me, but I'm not familiar with the latest branding guidelines. I can circulate this among the docs team for additional feedback and then we can sync up afterwards if needed.

Also thanks for checking this. 👍🏻

[macedogm]

@btat I believe that this PR is also good to be merged to staging.

[btat]

@btat I believe that this PR is also good to be merged to staging.

Done :)