# Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment Rancher v2.2.x Version 1.1.0 - August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned provisioned according to the Rancher v2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various controls and provide

CIS Benchmark Rancher Self-Assessment Guide - v2.4 ## Contents CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15.4 Controls 5 1 Master Node Security Configuration 6 1.1 Master Accounts 49 5.2 Pod Security Policies 50 5.3 Network Policies and CNI 52 ### 5.6 General Policies # CIS Kubernetes Benchmark v1.5 – Rancher v2.4 with Kubernetes v1.15 Click here to download a PDF version hardening guide, Rancher, Kubernetes, and the CIS Benchmark: |Self Assessment Guide Version|Rancher Version|Hardening Guide Version|Kubernetes Version|CIS Benchmark Version| |---|---|---|---|---| |Self

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 ## Contents ###### CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 ## Controls ### 1.1 Etcd Node Configuration Files 1 1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) 85 ##### CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 2.2 Ensure that the --client-cert-auth argument Kubelet 110 4.2.1 Ensure that the anonymous-auth argument is set to false (Automated) 110 ##### CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 4.2.2 Ensure that the --authorization-mode

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 ## Contents CIS v1.5 Kubernetes Benchmark - Rancher v2.5 with Kubernetes v1.15.4 Controls 5 1 Master Node Security Configuration 6 Accounts 49 5.2 Pod Security Policies 50 CIS 1.5 Benchmark – Self-Assessment Guide – Rancher v2.5 5.3 Network Policies and CNI 52 5.6 General Policies 53 # CIS v1.5 Kubernetes Benchmark – Rancher v2.5 Rancher, CIS Benchmark, and Kubernetes: |Hardening Guide Version|Rancher Version|CIS Benchmark Version|Kubernetes Version| |---|---|---|---| |Hardening Guide with CIS 1.5 Benchmark|Rancher v2.5|CIS v1.5|Kubernetes

controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher Rancher v2.3.3+. ## Profile Definitions The following profile definitions agree with the CIS benchmarks for Kubernetes. A profile is a set of configurations that provide a certain amount of hardening 1 ## Description Ensure Kubelet options are configured to match CIS controls. ## Rationale To pass the following controls in the CIS benchmark, ensure the appropriate flags are passed to the Kubelet

2. 编写测试用例 3. 自动化性能测试用例 4. 执行性能测试用例 5. 分析性能测试结果 6. 性能调优 7. 性能基准测试(Performance Benchmarking) 8. 向客户推荐合适的配置 ## 可靠的测试环境 ## 什么是可靠的性能基准测试环境 ## 影响测试环境的软硬件因素 • 硬件: CPU 型号、温度、IO 等 软件：操作系统版本、当前系统调度的负载等 总是存在一个可以比较的基本线(有比较才有伤害) ## go test -bench ## 进行性能基准测试的方法 func BenchmarkFoo(b *testing.B) { for i := 0; i < b.N; i++ { foo() // 被测函数 } } 执行性能基准测试： $ go test -bench=. ## benchstat benchstat none） ## benchstat 的原理: 异常值消除+假设检验 当对一个性能基准测试 B 结果反复执行 n 次后，就能得到 $ b_{1} $ ，…， $ b_{n} $ 个不同的结果；在优化代码后，还能得到另外 m 个不同的结果 $ b_{1}' $ ，…， $ b_{m}' $ 。 一个稳定的基准测试，结果倾向于在某个值附近波动，于是通过通用的计算 1.5 倍四分位距法则(1

controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended to is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: |Hardening Guide Version|Rancher Version|CIS Benchmark Version|Kubernetes Version| |---|---|---|---| controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide – Rancher

controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended to is intended to be used with specific versions of the CIS Kubernetes Benchmark, Kubernetes, and Rancher: |Hardening Guide Version|Rancher Version|CIS Benchmark Version|Kubernetes Version| |---|---|---|---| controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide – Rancher