From a09eb326a7bf71c30df6db69f5931e713fcd4d24 Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Tue, 22 Aug 2023 17:47:23 +0200 Subject: [PATCH 1/6] Update k3s-hardening-guide based on CIS-1.24 and CIS-1.7 by removing --protect-kernel-defaults and updating notes --- .../k3s-hardening-guide.md | 21 +++---------------- 1 file changed, 3 insertions(+), 18 deletions(-) diff --git a/docs/pages-for-subheaders/k3s-hardening-guide.md b/docs/pages-for-subheaders/k3s-hardening-guide.md index fc356dfda175..c3b8eb51ef11 100644 --- a/docs/pages-for-subheaders/k3s-hardening-guide.md +++ b/docs/pages-for-subheaders/k3s-hardening-guide.md @@ -12,10 +12,11 @@ This hardening guide is intended to be used for K3s clusters and is associated w | Rancher Version | CIS Benchmark Version | Kubernetes Version | |-----------------|-----------------------|------------------------------| -| Rancher v2.7 | Benchmark v1.23 | Kubernetes v1.23 up to v1.25 | +| Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.24 up to v1.25 | :::note -At the time of writing, the upstream CIS Kubernetes v1.25 benchmark is not yet available in Rancher. At this time Rancher is using the CIS v1.23 benchmark when scanning Kubernetes v1.25 clusters. +- Since Benchmark v1.24, some check ids might fail due to file permission new requirements (600 instead of 644). Impacted check ids: `1.1.1`, `1.1.3`, `1.1.5`, `1.1.7`, `1.1.13`, `1.1.15`, `4.1.7`, `4.1.9`, `4.1.15`. + - Since Benchmark v1.7 (latest), `--protect-kernel-defaults` (check id 4.2.6) parameter is not required anymore, and was replaced. ::: For more details on how to evaluate a hardened K3s cluster against the official CIS benchmark, refer to the K3s self-assessment guides for specific Kubernetes and CIS benchmark versions. 
@@ -31,20 +32,6 @@ The first section (1.1) of the CIS Benchmark primarily focuses on pod manifest ## Host-level Requirements -### Ensure `protect-kernel-defaults` is set - -This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults. - -The `protect-kernel-defaults` flag can be set in the cluster configuration in Rancher. - -```yaml -spec: - rkeConfig: - machineSelectorConfig: - - config: - protect-kernel-defaults: true -``` - ### Set kernel parameters The following `sysctl` configuration is recommended for all nodes type in the cluster. Set the following parameters in `/etc/sysctl.d/90-kubelet.conf`: @@ -685,7 +672,6 @@ spec: - config: kubelet-arg: - make-iptables-util-chains=true # CIS 4.2.7 - protect-kernel-defaults: true # CIS 4.2.6 ``` @@ -717,7 +703,6 @@ spec: - config: kubelet-arg: - make-iptables-util-chains=true # CIS 4.2.7 - protect-kernel-defaults: true # CIS 4.2.6 ``` From c48f9f4162360f7fe6f60d59cd33fad2a71cee59 Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Thu, 24 Aug 2023 10:55:32 +0200 Subject: [PATCH 2/6] Update notes in k3s-hardening-guide.md Co-authored-by: Marty Hernandez Avedon --- docs/pages-for-subheaders/k3s-hardening-guide.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/pages-for-subheaders/k3s-hardening-guide.md b/docs/pages-for-subheaders/k3s-hardening-guide.md index c3b8eb51ef11..d91eaff90489 100644 --- a/docs/pages-for-subheaders/k3s-hardening-guide.md +++ b/docs/pages-for-subheaders/k3s-hardening-guide.md 
@@ -15,8 +15,8 @@ This hardening guide is intended to be used for K3s clusters and is associated w | Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.24 up to v1.25 | :::note -- Since Benchmark v1.24, some check ids might fail due to file permission new requirements (600 instead of 644). Impacted check ids: `1.1.1`, `1.1.3`, `1.1.5`, `1.1.7`, `1.1.13`, `1.1.15`, `4.1.7`, `4.1.9`, `4.1.15`. - - Since Benchmark v1.7 (latest), `--protect-kernel-defaults` (check id 4.2.6) parameter is not required anymore, and was replaced. +- In Benchmark v1.24 and later, some check ids might fail due to new file permission requirements (600 instead of 644). Impacted check ids: `1.1.15`, `1.1.17` and `4.1.15`. + - In Benchmark v1.7, the `--protect-kernel-defaults` (`4.2.6`) parameter isn't required anymore, and was removed by CIS. ::: For more details on how to evaluate a hardened K3s cluster against the official CIS benchmark, refer to the K3s self-assessment guides for specific Kubernetes and CIS benchmark versions. From fef03ce751ba2c7a11186a57d8aa41049dd685a8 Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Thu, 24 Aug 2023 10:56:01 +0200 Subject: [PATCH 3/6] Update k8s version in k3s-hardening-guide.md --- docs/pages-for-subheaders/k3s-hardening-guide.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/pages-for-subheaders/k3s-hardening-guide.md b/docs/pages-for-subheaders/k3s-hardening-guide.md index d91eaff90489..17d79026580d 100644 --- a/docs/pages-for-subheaders/k3s-hardening-guide.md +++ b/docs/pages-for-subheaders/k3s-hardening-guide.md 
@@ -12,7 +12,7 @@ This hardening guide is intended to be used for K3s clusters and is associated w | Rancher Version | CIS Benchmark Version | Kubernetes Version | |-----------------|-----------------------|------------------------------| -| Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.24 up to v1.25 | +| Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.25 | :::note - In Benchmark v1.24 and later, some check ids might fail due to new file permission requirements (600 instead of 644). Impacted check ids: `1.1.15`, `1.1.17` and `4.1.15`. From b36876110e056be68c37b5c6d834f1465195d90e Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Mon, 4 Sep 2023 10:15:24 -0400 Subject: [PATCH 4/6] Update docs/pages-for-subheaders/k3s-hardening-guide.md Co-authored-by: Guilherme Macedo --- docs/pages-for-subheaders/k3s-hardening-guide.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/docs/pages-for-subheaders/k3s-hardening-guide.md b/docs/pages-for-subheaders/k3s-hardening-guide.md index 17d79026580d..0d46e5112362 100644 --- a/docs/pages-for-subheaders/k3s-hardening-guide.md +++ b/docs/pages-for-subheaders/k3s-hardening-guide.md @@ -12,7 +12,9 @@ This hardening guide is intended to be used for K3s clusters and is associated w | Rancher Version | CIS Benchmark Version | Kubernetes Version | |-----------------|-----------------------|------------------------------| -| Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.25 | +| Rancher v2.7 | Benchmark v1.23 | Kubernetes v1.23 | +| Rancher v2.7 | Benchmark v1.24 | Kubernetes v1.24 | +| Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.25 up to v1.26 | :::note - In Benchmark v1.24 and later, some check ids might fail due to new file permission requirements (600 instead of 644). Impacted check ids: `1.1.15`, `1.1.17` and `4.1.15`. From ec43045b579f64f0d69207d3b7158ebbf53ea73e Mon Sep 17 00:00:00 2001 
From: Andy Pitcher Date: Thu, 7 Sep 2023 14:50:49 -0400 Subject: [PATCH 5/6] k3s doc: Update protect-kernel-defaults and remove failing checks note --- .../k3s-hardening-guide.md | 26 +++++++++++++++++-- 1 file changed, 24 insertions(+), 2 deletions(-) diff --git a/docs/pages-for-subheaders/k3s-hardening-guide.md b/docs/pages-for-subheaders/k3s-hardening-guide.md index 36596a4ae07a..6eeb92f201df 100644 --- a/docs/pages-for-subheaders/k3s-hardening-guide.md +++ b/docs/pages-for-subheaders/k3s-hardening-guide.md @@ -21,8 +21,7 @@ This hardening guide is intended to be used for K3s clusters and is associated w | Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.25 up to v1.26 | :::note -- In Benchmark v1.24 and later, some check ids might fail due to new file permission requirements (600 instead of 644). Impacted check ids: `1.1.15`, `1.1.17` and `4.1.15`. - - In Benchmark v1.7, the `--protect-kernel-defaults` (`4.2.6`) parameter isn't required anymore, and was removed by CIS. +- In Benchmark v1.7, the `--protect-kernel-defaults` (`4.2.6`) parameter isn't required anymore, and was removed by CIS. ::: For more details on how to evaluate a hardened K3s cluster against the official CIS benchmark, refer to the K3s self-assessment guides for specific Kubernetes and CIS benchmark versions. 
@@ -38,6 +37,28 @@ The first section (1.1) of the CIS Benchmark primarily focuses on pod manifest ## Host-level Requirements +### Ensure `protect-kernel-defaults` is set + + + + +`protect-kernel-defaults` is no longer required since CIS benchmark 1.7. + + + + +This is a kubelet flag that will cause the kubelet to exit if the required kernel parameters are unset or are set to values that are different from the kubelet's defaults. + +The `protect-kernel-defaults` flag can be set in the cluster configuration in Rancher. + +```yaml +spec: + rkeConfig: + machineSelectorConfig: + - config: + protect-kernel-defaults: true +``` + ### Set kernel parameters The following `sysctl` configuration is recommended for all nodes type in the cluster. Set the following parameters in `/etc/sysctl.d/90-kubelet.conf`: @@ -709,6 +730,7 @@ spec: - config: kubelet-arg: - make-iptables-util-chains=true # CIS 4.2.7 + protect-kernel-defaults: true # CIS 4.2.6 ``` From a9da000dfe4562124717d84f6dad5ae915a5328a Mon Sep 17 00:00:00 2001 From: Andy Pitcher Date: Thu, 7 Sep 2023 15:34:58 -0400 Subject: [PATCH 6/6] Fix markdown --- docs/pages-for-subheaders/k3s-hardening-guide.md | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/docs/pages-for-subheaders/k3s-hardening-guide.md b/docs/pages-for-subheaders/k3s-hardening-guide.md index 6eeb92f201df..ee564ada2b4c 100644 --- a/docs/pages-for-subheaders/k3s-hardening-guide.md +++ b/docs/pages-for-subheaders/k3s-hardening-guide.md 
@@ -21,7 +21,7 @@ This hardening guide is intended to be used for K3s clusters and is associated w | Rancher v2.7 | Benchmark v1.7 | Kubernetes v1.25 up to v1.26 | :::note -- In Benchmark v1.7, the `--protect-kernel-defaults` (`4.2.6`) parameter isn't required anymore, and was removed by CIS. +- In Benchmark v1.7, the `--protect-kernel-defaults` (4.2.6) parameter isn't required anymore, and was removed by CIS. ::: For more details on how to evaluate a hardened K3s cluster against the official CIS benchmark, refer to the K3s self-assessment guides for specific Kubernetes and CIS benchmark versions. @@ -42,7 +42,7 @@ The first section (1.1) of the CIS Benchmark primarily focuses on pod manifest -`protect-kernel-defaults` is no longer required since CIS benchmark 1.7. +The `protect-kernel-defaults` is no longer required since CIS benchmark 1.7. @@ -59,6 +59,9 @@ spec: protect-kernel-defaults: true ``` + + + ### Set kernel parameters The following `sysctl` configuration is recommended for all nodes type in the cluster. Set the following parameters in `/etc/sysctl.d/90-kubelet.conf`:
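Review bot: In the first hunk of patch 1/6, the new note nests the second bullet under the first although it is a separate point, and "was replaced" names no replacement, so a reader cannot tell whether another kubelet flag is now expected for check 4.2.6; make both bullets top-level, reorder "file permission new requirements" to "new file permission requirements (600 instead of 644)", and say that the check was dropped by CIS rather than replaced. The table row now says "Benchmark v1.7" while the note says "Benchmark v1.24", mixing the Kubernetes-aligned v1.23/v1.24 numbering with the newer v1.7 scheme; a half sentence stating that v1.7 is the release after v1.24 would spare readers the confusion.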
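Review bot: Deleting the whole "Ensure `protect-kernel-defaults` is set" section (second hunk of patch 1/6) removes the guidance for every reader still scanning against Benchmark v1.23 or v1.24, where check 4.2.6 still exists and which the same file's table still covers. The flag is also a fail-closed control in its own right: the surrounding text explains that the kubelet exits if the kernel parameters differ from its defaults, so CIS dropping the check does not make the setting worthless. Keep the section and mark it as applying to pre-v1.7 benchmarks (and as optional hardening for v1.7) instead of removing it; patch 5/6 restores it anyway, so the series would be cleaner without this deletion.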
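Review bot: The two hunks around original lines 685 and 717 remove `protect-kernel-defaults: true # CIS 4.2.6` from both sample configs, so the samples stop satisfying 4.2.6 on v1.23/v1.24 scans while the neighbouring `make-iptables-util-chains=true # CIS 4.2.7` line keeps its check reference; rather than deleting the line, keep it and change the comment to say the check applies to benchmarks before v1.7. Whichever way this is resolved, both sample configs should be treated the same, since later in the series only one of them gets the line back.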
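Review bot: In patch 2/6 the impacted-check list shrinks from nine ids to `1.1.15`, `1.1.17` and `4.1.15` without the commit message saying how the new list was verified; since the earlier list was presumably also believed correct, record in the message (or in the PR) whether these three come from the v1.24 benchmark text or from an actual scan, so the next editor does not have to re-derive them. The second bullet is still indented under the first; it should be a top-level bullet as it is a separate point.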
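Review bot: Narrowing the row to "Kubernetes v1.25" in patch 3/6 leaves the note directly below it discussing "Benchmark v1.24 and later", a version the table no longer lists, so table and note disagree; either keep v1.24 in the table or drop the v1.24 remark. Patch 4/6 later adds one row per benchmark version, which fixes this, so this intermediate state is a good candidate for squashing.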
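Review bot: The expanded table in patch 4/6 lists Benchmark v1.23 and v1.24 rows, exactly the versions for which check 4.2.6 (`--protect-kernel-defaults`) still applies, yet at this point in the series patch 1/6 has deleted the section and the sample-config lines for that flag, so the table promises coverage the body no longer provides until patch 5/6. The final guide should state per row whether the flag is required. As a style point, the subject "Update docs/pages-for-subheaders/k3s-hardening-guide.md" only names the file; something like "Add per-benchmark rows to the version table" would describe the change.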
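Review bot: The first hunk of patch 5/6 deletes the file-permission bullet (600 instead of 644; checks `1.1.15`, `1.1.17`, `4.1.15`) with nothing in its place. If those checks now pass because the guide's permission instructions were tightened, that change is not in this series; if they still fail on v1.24 and later scans, readers lose the only explanation of the failures. Keep the bullet, or point to where the 600 permissions are set.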
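Review bot: In the restored section (second hunk of patch 5/6), the sentence "`protect-kernel-defaults` is no longer required since CIS benchmark 1.7." comes right before instructions telling the reader to set it, which reads as a contradiction; state instead that the flag is still required for Benchmark v1.23 and v1.24 scans and remains recommended hardening for v1.7 even though check 4.2.6 was removed. The runs of empty `+` lines before and after that sentence look like markup (for example tabbed-content tags) whose content did not survive in this view; check the rendered page to confirm the section actually displays.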
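Review bot: The hunk at line 730 restores `protect-kernel-defaults: true # CIS 4.2.6` in only one sample config, whereas patch 1/6 removed it from two (former lines 685 and 717); restore the other block in the same way, or add a comment explaining why that block is exempt. Because whitespace is flattened in this view, also verify that the re-added key is indented as a sibling of `kubelet-arg:` under `config:`, matching the `config: protect-kernel-defaults: true` form used in the section above, and not as an entry of the `kubelet-arg` list.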
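Review bot: In patch 6/6, "The `protect-kernel-defaults` is no longer required" is missing its noun; write "The `protect-kernel-defaults` flag is no longer required since CIS Benchmark v1.7". Dropping the backticks around 4.2.6 matches the plain `# CIS 4.2.6` style used in the YAML comments, which is fine. The three blank `+` lines added after the YAML block look like the closing half of the stripped markup noted in patch 5/6; confirm in the rendered build that the opening and closing tags match.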