Update the CIS Hardening Guide for 2.6x #35735

Closed
Jono-SUSE-Rancher opened this issue Dec 3, 2021 · 9 comments
Labels: QA/M, release-note (Note this issue in the milestone's release notes), team/area1

@Jono-SUSE-Rancher
Contributor

We currently need to have an up-to-date hardening guide for the v2.6x line. Our Rancher 2.6 documentation (https://rancher.com/docs/rancher/v2.6/en/cis-scans/) will need to be updated.

For reference purposes, here is the Rancher 2.4 hardening guide: https://rancher.com/docs/rancher/v2.0-v2.4/en/security/rancher-2.4/hardening-2.4/

@macedogm
Member

Initial PR to restructure Security section of docs - rancher/docs#3761

@macedogm
Member

Related issue for updating CIS benchmarks to v1.20 - rancher/cis-operator#135.

@anupama2501 anupama2501 self-assigned this Jan 20, 2022
@macedogm
Member

PR adding hardening guides for Rancher v2.6 - rancher/docs#3810

@macedogm
Member

@anupama2501 I tagged you in the docs PR for review, please.

@macedogm macedogm added the release-note Note this issue in the milestone's release notes label Feb 14, 2022
@macedogm
Member

@anupama2501

Root cause

There is no up to date CIS hardening guide for Rancher v2.6. The latest CIS hardening guide is available only for Rancher 2.5.

What was fixed?

The CIS hardening guide for Rancher 2.5 was reviewed and small improvements were added to update it for Rancher 2.6. The updated hardening guide focuses on CIS profile v1.6 for Kubernetes v1.18, v1.19, v1.20 and v1.21.

What should be tested?

  1. Install a local Rancher 2.6.3 cluster through Helm.
  2. Create a cluster with RKE and import it in Rancher.
  3. Install CIS Benchmark (2.0.2) chart in the imported RKE cluster.
  4. Execute a CIS scan with the rke-profile-hardened-1.6 profile.
  5. Verify the failed tests.
  6. Create a new cluster with RKE, apply the hardening steps and import it in Rancher.
  7. Install CIS Benchmark (2.0.2) chart in the new imported hardened RKE cluster.
  8. Execute a CIS scan with the rke-profile-hardened-1.6 profile.
  9. Verify that no tests failed in the hardened RKE cluster.

What areas could experience regressions?

No regression is expected.

@macedogm
Member

macedogm commented Feb 24, 2022

@anupama2501 Besides the PDFs of the hardening and assessment pages that were regenerated, and the assessment page that is generated with a script whose input is the output of the CIS scan itself, the major change was only in the hardening page.

It's a bit difficult to easily check in GitHub the diff between the 2.6 guide in macedogm/docs/blob/rancher/35735-hardening-docs-add-v2.6/content/rancher/v2.6/en/security/hardening-guides/1.6-hardening-2.6/_index.md and the 2.5 guide in macedogm/docs/blob/rancher/35735-hardening-docs-add-v2.6/content/rancher/v2.5/en/security/rancher-2.5/1.6-hardening-2.5/_index.md, so I'm attaching a diff that I generated from my docs PR branch.

% git branch
  master
* rancher/35735-hardening-docs-add-v2.6
% diff content/rancher/v2.6/en/security/hardening-guides/1.6-hardening-2.6/_index.md content/rancher/v2.5/en/security/rancher-2.5/1.6-hardening-2.5/_index.md | more > hardening-guides.txt

hardening-guides.txt

Please let me know if this helps you or not.

@anupama2501
Contributor

Verified on v2.6-head d0d20a7

RKE version 1.3.7

  • Created an rke cluster with the cluster.yml:

cluster-new.txt
Added the following config on the nodes at /etc/sysctl.d/90-kubelet.conf:

vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxbytes=25000000
  • Config on the etcd nodes:
groupadd --gid 52034 etcd
useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd --shell /usr/sbin/nologin
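The sysctl values in the comment above are the kernel defaults that kubelet enforces when it runs with protect-kernel-defaults enabled: it refuses to start rather than adjust them itself, so a drop-in that has drifted shows up as a kubelet failure on the node. The checker below is an added example (not code from the Rancher hardening guide or from RKE) that parses such a drop-in, compares it with the values listed above, and can also compare the live values under /proc/sys so drift is caught before kubelet restarts. Both conf files in the block are constructed for the example; the required-values table is taken from the comment.

```python
"""Check a kubelet sysctl drop-in (and optionally the live kernel) against the
values the hardening steps require.

Added example; not part of the Rancher hardening guide. The required values
are the ones listed in the verification comment; the two sample files are
constructed for this example.
"""
import os
from typing import Dict, Iterable, List, Optional

# Values from the verification comment (/etc/sysctl.d/90-kubelet.conf).
REQUIRED_KERNEL_DEFAULTS: Dict[str, str] = {
    "vm.overcommit_memory": "1",
    "vm.panic_on_oom": "0",
    "kernel.panic": "10",
    "kernel.panic_on_oops": "1",
    "kernel.keys.root_maxbytes": "25000000",
}

# Constructed copy of the drop-in from the comment above.
HARDENED_CONF = """\
vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxbytes=25000000
"""

# Constructed drifted drop-in: kernel.panic was reset by hand and the
# root_maxbytes line was dropped, the kind of state a node ends up in after
# ad hoc tuning.
DRIFTED_CONF = """\
# tuned by hand
vm.overcommit_memory = 1
vm.panic_on_oom=0
kernel.panic = 0
kernel.panic_on_oops=1
"""


def parse_sysctl_conf(text: str) -> Dict[str, str]:
    """Parse sysctl.conf syntax: 'key = value', '#' and ';' comments, blanks."""
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip()
    return values


def sysctl_path(key: str, root: str = "/proc/sys") -> str:
    """Map 'kernel.keys.root_maxbytes' to /proc/sys/kernel/keys/root_maxbytes."""
    return os.path.join(root, *key.split("."))


def read_running_values(keys: Iterable[str], root: str = "/proc/sys") -> Dict[str, Optional[str]]:
    """Read the live kernel values; a missing file reads as None."""
    out: Dict[str, Optional[str]] = {}
    for key in keys:
        try:
            with open(sysctl_path(key, root)) as fh:
                out[key] = fh.read().strip()
        except OSError:
            out[key] = None
    return out


def check_kernel_defaults(values: Dict[str, Optional[str]],
                          required: Dict[str, str] = REQUIRED_KERNEL_DEFAULTS) -> List[str]:
    """Return one line per required key that is absent or has the wrong value."""
    mismatches: List[str] = []
    for key, want in required.items():
        got = values.get(key)
        if got != want:
            mismatches.append(f"{key}: want {want}, got {got}")
    return mismatches


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_CONF), ("drifted", DRIFTED_CONF)):
        problems = check_kernel_defaults(parse_sysctl_conf(text))
        print(f"{name} drop-in:", "ok" if not problems else problems)
    # On a real node, compare the running kernel too:
    live = read_running_values(REQUIRED_KERNEL_DEFAULTS, root="/proc/sys")
    print("running kernel:", check_kernel_defaults(live) or "ok")
```

Run it on a node as root (or any user, since /proc/sys is world-readable) after applying the drop-in with `sysctl --system`; the drop-in check tells you whether the file is right, the live check tells you whether it was actually loaded, and those two disagree more often than one would expect.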

@anupama2501
Contributor

Reopening as the CIS scans on the local cluster have failed for the test Ensure that default service accounts are not actively used. (Automated) even after executing the account-update.sh script against the local cluster's kube config.


Steps:

  • Created an rke cluster by following same steps as mentioned in the above step.
  • Installed certs and rancher version v2.6-head d0d2087
  • Install the cis chart of version v2.0.2
  • Execute the scripts for network policy and the automated service account token for the local cluster's kubeconfig
  • Run the cis scans rke-profile-hardened-1.6
  • The scan for Ensure that default service accounts are not actively used. (Automated) fails.
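The failing check is the benchmark's "default service accounts are not actively used" control (5.1.5 in the CIS Kubernetes Benchmark v1.6). The scan result says only that it failed; to decide whether the failure is real you need to know which namespace, binding or pod still uses a default ServiceAccount. The script below is an added example (not code from Rancher, cis-operator or kube-bench) that answers that offline from the JSON shape `kubectl get <kind> -A -o json` produces: it checks that every default ServiceAccount has `automountServiceAccountToken: false`, that no RoleBinding or ClusterRoleBinding grants rights to one, and that no pod runs as one with a token actually mounted. The sample objects are constructed for the example, and the remediation it prints assumes the guide's account-update script patches the default ServiceAccount the same way.

```python
"""Offline audit for the CIS 'default service accounts are not actively used'
control over kubectl JSON.

Added example; not code from Rancher, cis-operator or kube-bench. The sample
objects are constructed for this example, not taken from the issue's cluster.
"""
import json
from typing import Dict, List, Optional

# Constructed sample: kube-system and cattle-system have a patched default SA,
# the demo namespace has not been hardened at all.
SAMPLE_SERVICEACCOUNTS = {"items": [
    {"metadata": {"name": "default", "namespace": "kube-system"}, "automountServiceAccountToken": False},
    {"metadata": {"name": "default", "namespace": "cattle-system"}, "automountServiceAccountToken": False},
    {"metadata": {"name": "default", "namespace": "demo"}},
    {"metadata": {"name": "web", "namespace": "demo"}},
]}
SAMPLE_ROLEBINDINGS = {"items": [
    {"kind": "RoleBinding", "metadata": {"name": "demo-view", "namespace": "demo"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "ServiceAccount", "name": "default", "namespace": "demo"}]},
]}
SAMPLE_CLUSTERROLEBINDINGS = {"items": []}
SAMPLE_PODS = {"items": [
    {"metadata": {"name": "coredns", "namespace": "kube-system"}, "spec": {"serviceAccountName": "coredns"}},
    {"metadata": {"name": "agent", "namespace": "cattle-system"}, "spec": {}},
    {"metadata": {"name": "web", "namespace": "demo"}, "spec": {"serviceAccountName": "default"}},
]}


def _default_sa_by_namespace(serviceaccounts: Dict) -> Dict[str, Dict]:
    return {sa["metadata"]["namespace"]: sa
            for sa in serviceaccounts.get("items", []) if sa["metadata"]["name"] == "default"}


def _token_mounted(pod_spec: Dict, sa: Optional[Dict]) -> bool:
    """A pod-level automountServiceAccountToken overrides the SA-level one;
    both default to true."""
    pod_setting = pod_spec.get("automountServiceAccountToken")
    if pod_setting is not None:
        return bool(pod_setting)
    return bool(sa.get("automountServiceAccountToken", True)) if sa else True


def audit_default_service_accounts(serviceaccounts: Dict, rolebindings: Dict,
                                   clusterrolebindings: Dict, pods: Dict) -> List[str]:
    """One finding per condition that would fail the control."""
    findings: List[str] = []
    defaults = _default_sa_by_namespace(serviceaccounts)
    # 1. every default SA must opt out of token automounting
    for ns, sa in sorted(defaults.items()):
        if sa.get("automountServiceAccountToken") is not False:
            findings.append(f"serviceaccount {ns}/default: automountServiceAccountToken is not false")
    # 2. no RBAC binding may grant rights to a default SA
    for binding in rolebindings.get("items", []) + clusterrolebindings.get("items", []):
        meta, role = binding["metadata"], binding["roleRef"]
        where = f"{meta['namespace']}/{meta['name']}" if "namespace" in meta else meta["name"]
        for subj in binding.get("subjects") or []:
            if subj.get("kind") != "ServiceAccount" or subj.get("name") != "default":
                continue
            subj_ns = subj.get("namespace", meta.get("namespace", ""))
            findings.append(f"{binding.get('kind', 'Binding')} {where} grants "
                            f"{role['kind']}/{role['name']} to serviceaccount {subj_ns}/default")
    # 3. no pod may run as a default SA with a token mounted
    for pod in pods.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        if spec.get("serviceAccountName", "default") != "default":
            continue
        if _token_mounted(spec, defaults.get(meta["namespace"])):
            findings.append(f"pod {meta['namespace']}/{meta['name']} runs as serviceaccount "
                            f"{meta['namespace']}/default with a token mounted")
    return findings


def remediation_commands(serviceaccounts: Dict) -> List[str]:
    """kubectl patch for each default SA that still automounts tokens. Assumed to
    match what the guide's account-update script does; the guide is the reference."""
    patch = json.dumps({"automountServiceAccountToken": False})
    return [f"kubectl patch serviceaccount default -n {ns} -p '{patch}'"
            for ns, sa in sorted(_default_sa_by_namespace(serviceaccounts).items())
            if sa.get("automountServiceAccountToken") is not False]


if __name__ == "__main__":
    for line in audit_default_service_accounts(SAMPLE_SERVICEACCOUNTS, SAMPLE_ROLEBINDINGS,
                                               SAMPLE_CLUSTERROLEBINDINGS, SAMPLE_PODS):
        print("FAIL", line)
    for cmd in remediation_commands(SAMPLE_SERVICEACCOUNTS):
        print("FIX ", cmd)
```

Against a live cluster, feed it the output of `kubectl get serviceaccounts -A -o json`, `kubectl get rolebindings -A -o json`, `kubectl get clusterrolebindings -o json` and `kubectl get pods -A -o json` (run from the cluster's kubeconfig, as in the steps above). Note the third check: patching the SA is not enough if a pod sets `automountServiceAccountToken: true` on its own spec, which is the case the patch script cannot fix and one reason a scan can keep failing after the script has run.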

@anupama2501
Contributor

Since this is a known issue, closing this ticket and tracking them separately from the security repo.
