non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center Rd., Ste. 460 Herndon, VA 20171 corsec.com +1 703.276.6050 FIPS 140-2 Security Policy Rancher Kubernetes Cryptographic Specification Name Date [140] FIPS 140-2, Security Requirements for Cryptographic Modules 12/3/2002 [140AA] FIPS 140-2 Annex A: Approved Security Functions 6/10/2019 [140AC] FIPS 140-2 Annex

that a minimal audit policy is created (Automated) 3.2.2 Ensure that the audit policy covers key security concerns (Manual) 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file (Automated) 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual) 5.2 Pod Security Policies 5.2.1 Minimize the admission of privileged containers (Manual) 5.2.2 Minimize the admission that the seccomp profile is set to docker/ default in your pod definitions (Manual) 5.7.3 Apply Security Context to Your Pods and Containers (Manual) 5.7.4 The default namespace should not be used (Automated)

4 5 7 14 21 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark,

4 5 6 14 21 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark,

profile intend to: offer practical advice appropriate for the environment; deliver an obvious security benefit; and not alter the functionality or utility of the environment beyond an acceptable margin more of the following characteristics: are intended for use in environments or use cases where security is paramount act as a defense in depth measure may negatively impact the utility or performance the following directives to the kube-api section under services: services: kube-api: pod_security_policy: true extra_args: anonymous-auth: "false" profiling: "false" r

e kube-api s e c t i on u n d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true 8 audit_log: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: v1 kind: Namespace subjects: - apiGroup: rbac.authorization.k8s.io kind: Group 13 name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: extensions/v1beta1

against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production production installation of Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install audit compliance in Rancher-created clusters. This document is to be used by Rancher operators, security teams, auditors and decision makers. For more detail about each audit, including rationales and

※※※ Multi-tenant Management ※※※※ ※※※ ※※※ Authentication and Authorization ※※※※ ※※※※※ ※※※※※ Security ※※※※ ※※※※※ ※※ Windows Container ※ ※※※※ ※※※※ 5 Support Commercial Services and Support ※※※※※ of Kubernetes-native and Kubernetes-based container management platform via UI and API; Security policy configurations across multiple clusters Edge computing Deep integration with KubeEdge; Multi-tenanc y and Security Multi-tenancy and permission management Isolation of tenants in workspaces and tenant quota management available to meet business needs; User group management supported;

solutions to help them build applications quickly without compromising reliability, agility and security. Relying on upstream Kubernetes isn't enough for teams deploying Kubernetes into production production. Basic Kubernetes installations are plagued by a lack of central visibility, inconsistent security practices and complex management processes. Therefore, Kubernetes management platforms need to confidently DevOps efficiencies with simplified cluster operations • Consistent Security Policy and User Management: best-practice security policy enforcement and advanced user management on any infrastructure

on software development. Kubernetes orchestration provides capabilities such as auto scaling, security, and management of containerized applications. A persistent and stable data store is required for PowerFlex SLES SUSE Linux Enterprise Server SSD Solid-State Disk TLS Transport Layer Security VLAN Virtual Local Area Network VM Virtual Machine PowerFlex product overview to run Kubernetes on-premises, in the cloud, and at the edge. It addresses the operational and security challenges of managing multiple Kubernetes clusters anywhere. SUSE Rancher also provides IT operators