Self-Assessment and Hardening Guides for SUSE® Rancher Manager

Rancher provides specific security hardening guides for each supported Rancher version’s Kubernetes distributions.

Rancher Kubernetes Distributions

Rancher uses the following Kubernetes distributions:

  • RKE, Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers.

  • RKE2 is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.

  • K3s is a fully conformant, lightweight Kubernetes distribution. It is easy to install, with half the memory requirement of upstream Kubernetes, all in a binary of less than 100 MB.

To harden a Kubernetes cluster that’s running a distribution other than those listed, refer to your Kubernetes provider docs.

Hardening Guides and Benchmark Versions

Each self-assessment guide is accompanied by a hardening guide. These guides were tested alongside the listed Rancher releases. Each self-assessment guide was tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can use the existing guides until a guide for your version is added.

RKE Guides

| Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|
| Kubernetes v1.23 | CIS v1.23 | Link | Link |
| Kubernetes v1.24 | CIS v1.24 | Link | Link |
| Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |

SUSE® Rancher Prime RKE2 Guides

| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
| Rancher provisioned RKE2 | Kubernetes v1.23 | CIS v1.23 | Link | Link |
| Rancher provisioned RKE2 | Kubernetes v1.24 | CIS v1.24 | Link | Link |
| Rancher provisioned RKE2 | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
| Standalone RKE2 | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |

SUSE® Rancher Prime Lightweight Kubernetes Guides

| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
| Rancher provisioned K3s cluster | Kubernetes v1.23 | CIS v1.23 | Link | Link |
| Rancher provisioned K3s cluster | Kubernetes v1.24 | CIS v1.24 | Link | Link |
| Rancher provisioned K3s cluster | Kubernetes v1.25/v1.26/v1.27 | CIS v1.7 | Link | Link |
| Standalone K3s | Kubernetes v1.22 up to v1.24 | CIS v1.23 | Link | Link |

Rancher with SELinux

Security-Enhanced Linux (SELinux) is a kernel module that adds extra access controls and security tools to Linux. Historically used by government agencies, SELinux is now industry-standard. SELinux is enabled by default on RHEL and CentOS.

To use Rancher with SELinux, we recommend installing the rancher-selinux RPM.