2021 Rancher Labs This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS Version 1.1 January 4, 2021 Prepared for: Prepared by: Rancher Labs P.O. Box 1658 Mountain View, CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center corsec.com +1 703.276.6050 FIPS 140-2 Security Policy Rancher Kubernetes Cryptographic Library Page 2 of 16 References Ref Full Specification Name Date [140] FIPS 140-2, Security

management is very competitive. In December 2020, open source technology leader SUSE acquired Rancher Labs and its flagship product, Rancher. Rancher remains available as an open source project that anyone or via command-line directives that use a YAML configuration file. Clusters can run on vSphere, Amazon, Microsoft Azure or GCP nodes if operators choose to use the bring your own host feature (BYOH) 3.1.1.4 Anthos If you're already operating in GKE, installing Anthos is easy. Using Anthos with AWS or Azure is more challenging as they have dependencies on Google Cloud projects. Anthos can also

Overview Product name KubeSphere OpenShift Rancher Company name QingCloud Technologies Red Hat Rancher Labs Parent company None IBM SUSE Place of incorporation of parent company China United States Luxembourg and Edge Multicloud Support Deep integration with major cloud container services, including AWS EKS, Azure AKS, DigitalOcean Kubernetes, and QKE; importing of hosted clusters running on major container services supported Deep integration with major cloud container services, including AWS, Azure, IBM Cloud; importing of any Kubernetes cluster or hosted Kubernetes services not supported;

Rancher is a trademark of Rancher Labs, Inc. in the United States and/or other countries. Other brand names mentioned herein are for identification purposes only and may be trademarks of their respective Information is subject to change without notice. © 2017 Rancher Labs, Inc. All rights reserved. March 2017. 1 ©Rancher Labs 2017. All rights Reserved. 2 DEPLOYING AND SCALING KUBERNETES .................................................................................32 ©Rancher Labs 2017. All rights Reserved. 3 DEPLOYING AND SCALING KUBERNETES WITH RANCHER 3.6 Secrets

2020 Rancher Labs. All Rights Reserved. Confidential © Copyright 2020 Rancher Labs. All Rights Reserved. 应用容器化最佳实践 2020.11.14 Dehua Ye dehua@rancher.com © Copyright 2020 Rancher Labs. All Rights Reserved App） 基准代码 依赖 配置 后端服务 构建、发布、运行 进程 端口绑定 并发 易处理 开发环境与线上环境等价 日志 管理进程 © Copyright 2020 Rancher Labs. All Rights Reserved. Confidential 应用容器化一般流程 分析解耦 基础镜像 配置管理 制作镜像 应用编排 运行测试 • 组成模块分析 • 外部组件依赖 ConfigMap • Secret • Service • Ingress • …… • 功能测试 • 性能测试 • 升级回滚 • …… © Copyright 2020 Rancher Labs. All Rights Reserved. Confidential 应用分析解耦 ✓ 应用开发语言或平台及对应版本 ✓ 应用技术架构、运行环境及组件依赖 ✓ 应用运行包大小、一般启动时长、是否有启停脚本

the commands is different in Rancher Labs than in the CIS Benchmark. Where the commands differ from the original CIS benchmark, the commands specific to Rancher Labs are provided for testing. When performing Known Scored Control Failures The following scored controls do not currently pass, and Rancher Labs is working towards addressing these through future enhancements to the product. 1.1.21 - Ensure Notes Audit logs should be collected and shipped off-system to guarantee their integrity. Rancher Labs recommends setting this argument to a low value to prevent audit logs from filling the local disk

CIS-Kubernetes self assessment using RKE This document has been created by the Engineering team at Rancher Labs. Profile Definitions The following profile definitions agree with the CIS Benchmarks for Kubernetes

Where control audits differ from the original CIS benchmark, the audit commands specific to Rancher Labs are provided for testing. When performing the tests, you will need access to the Docker command line

Where control audits differ from the original CIS benchmark, the audit commands specific to Rancher Labs are provided for testing. When performing the tests, you will need access to the Docker command line

Provisioning & Lifecycle Management Platform Services (Build & Run) SUSE Linux Enterprise Product Family Amazon EKS Azure AKS Google GKE Cloud Datacenter Edge Branch Dev Secret Management in Kubernetes Secrets Static Secrets (Versioned) Crypto as a Service LDAP/AD OIDC JWT Github MFA/Radius Okta AWS Azure GCP AliCloud Kubernetes Cloud Foundry AppRole Databases Public Cloud Consul / Nomad X.509 Certs