Self-Assessment and Hardening Guides for SUSE Rancher Prime
Rancher provides specific security hardening guides for each supported Rancher version’s Kubernetes distributions.
Rancher Kubernetes Distributions
Rancher uses the following Kubernetes distributions:
-
RKE, Rancher Kubernetes Engine, is a CNCF-certified Kubernetes distribution that runs entirely within Docker containers.
-
RKE2 is a fully conformant Kubernetes distribution that focuses on security and compliance within the U.S. Federal Government sector.
-
K3s is a fully conformant, lightweight Kubernetes distribution. It is easy to install, with half the memory requirement of upstream Kubernetes, all in a binary of less than 100 MB.
To harden a Kubernetes cluster that’s running a distribution other than those listed, refer to your Kubernetes provider docs.
Hardening Guides and Benchmark Versions
Each self-assessment guide is accompanied by a hardening guide. These guides were tested alongside the listed Rancher releases. Each self-assessment guides was tested on a specific Kubernetes version and CIS benchmark version. If a CIS benchmark has not been validated for your Kubernetes version, you can use the existing guides until a guide for your version is added.
RKE Guides
| Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|
Kubernetes v1.23 |
CIS v1.23 |
||
Kubernetes v1.24 |
CIS v1.24 |
||
Kubernetes v1.25/v1.26/v1.27 |
CIS v1.7 |
SUSE® Rancher Prime: RKE2 Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
Rancher provisioned RKE2 |
Kubernetes v1.23 |
CIS v1.23 |
||
Rancher provisioned RKE2 |
Kubernetes v1.24 |
CIS v1.24 |
||
Rancher provisioned RKE2 |
Kubernetes v1.25/v1.26/v1.27 |
CIS v1.7 |
||
Standalone RKE2 |
Kubernetes v1.25/v1.26/v1.27 |
CIS v1.7 |
SUSE® Rancher Prime: K3s Guides
| Type | Kubernetes Version | CIS Benchmark Version | Self Assessment Guide | Hardening Guides |
|---|---|---|---|---|
Rancher provisioned K3s cluster |
Kubernetes v1.23 |
CIS v1.23 |
||
Rancher provisioned K3s cluster |
Kubernetes v1.24 |
CIS v1.24 |
||
Rancher provisioned K3s cluster |
Kubernetes v1.25/v1.26/v1.27 |
CIS v1.7 |
||
Standalone K3s |
Kubernetes v1.22 up to v1.24 |
CIS v1.23 |
Rancher with SELinux
Security-Enhanced Linux (SELinux) is a kernel module that adds extra access controls and security tools to Linux. Historically used by government agencies, SELinux is now industry-standard. SELinux is enabled by default on RHEL and CentOS.
To use Rancher with SELinux, we recommend installing the rancher-selinux RPM.