Enterprise Cloud-Native Exploration and Adoption, Shenzhen Salon - RacherLabs-20-11-14 / Application Containerization Best Practices
succeeded. • readinessProbe: determines whether the container has finished starting, i.e. whether the container's Ready condition is True and it can accept requests. If the readinessProbe fails, the container's Ready becomes False and the controller removes this Pod's Endpoint from the corresponding Service's Endpoint list, so no further requests are routed to this Pod until the next probe succeeds. • startupProbe: startup probe, determines whether the application inside the container has started. If the container does not provide a startup probe, the default state is success. © Copyright 2020 Rancher Labs. All Rights Reserved. Confidential Choosing the right log handling approach: writing logs to the console (stdout) is the preferred recommendation, but that recommendation assumes the container runs only a simple application; in real business scenarios the most suitable approach should be chosen according to the actual situation: ➢ Direct writes by the application • Recommended for high log-volume scenarios • For scenarios that instrument and aggregate certain business metrics. Container security involves many considerations; from the application's perspective, at least RBAC authorization, secret and credential management and SecurityContext must be taken into account, and these are also key points application developers need to pay attention to when containerizing applications. Publishing applications externally via Ingress: normally, Services and Pods are only reachable by IP address from within the cluster network. Ingress is
28 pages | 3.47 MB | 1 year ago
Rancher Hardening Guide v2.3.5
--- apiVersion: v1 kind: Namespace metadata: name: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
--- apiVersion: v1 kind: Namespace metadata: name: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
22 pages | 197.27 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
Remediation: In the RKE cluster.yml file ensure the following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
24 pages | 336.27 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
--authorization-mode argument includes Node (Automated) 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated) 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Automated) 1.2 (Automated) 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated) 5.1 RBAC and Service Accounts 5.1.1 Ensure that the cluster-admin role is only used where required (Manual) range=10.43.0.0/16 --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem --authorization-mode=Node,RBAC --audit-log-maxsize=100 --audit-log-format=json --requestheader-allowed-names=kube-apiserver-proxy-client
132 pages | 1.12 MB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies 4 2 3 2 2.4 Shared Tools and Services Once deployed, Kubernetes Management Platforms After an administrator launches a user cluster, end users can access it according to Kubernetes RBAC boundaries. 3.1.11 Private Registry and Image Management • SUSE Rancher: 3 • OpenShift: 4 the global level, after which users and groups from the provider are available for assignment to RBAC roles and downstream clusters. A Buyer's Guide to Enterprise Kubernetes Management Platforms Copyright
39 pages | 488.95 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
cluster.yml file ensure the following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated ---
44 pages | 279.78 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher such example could be as below. --authorization-mode=RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' not have 'AlwaysAllow' 1.2.8 Ensure that the --authorization-mode value that includes Node. --authorization-mode=Node,RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' has 'Node' CIS Benchmark Rancher Self-Assessment Guide
54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher such example could be as below. --authorization-mode=RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' not have 'AlwaysAllow' 1.2.8 Ensure that the --authorization-mode value that includes Node. --authorization-mode=Node,RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' has 'Node' CIS 1.5 Benchmark - Self-Assessment Guide
54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+" Returned Value: --authorization-mode=Node,RBAC Result: Pass 1.1.20 - Ensure that the --token-auth-file parameter kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+").string' Returned Value: --authorization-mode=Node,RBAC Result: Pass 1.1.33 - Ensure that the admission control plugin argument includes RBAC (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=.*").string' Returned Value: "--authorization-mode=Node,RBAC" Result: Pass 1
47 pages | 302.56 KB | 1 year ago