2025-04-04 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Servers >
Shulou(Shulou.com)05/31 Report--
This article explains how to run CIS security scans against a cluster in Rancher 2.4. The procedure is short and practical, so follow along and learn how to implement CIS cluster scanning in Rancher 2.4.
Why does IT Ops need CIS Security Scan?
Evaluating clusters against the CIS benchmarks by hand is slow and error-prone. Real systems change constantly, so the assessment has to be repeated often. That is where kube-bench comes in: an open source tool from Aqua that automatically checks a cluster against the CIS Kubernetes Benchmark.
Rancher 2.4 uses kube-bench as its scanning engine and adds several features on top of it. CIS Security Scan in Rancher 2.4 lets you run a cluster scan with one click. Rancher fetches the kube-bench tool and runs it against the cluster, then merges the results from all nodes into a single readable report showing which checks the cluster passed and which it failed. Rancher can also run scans on a schedule at the cluster level; this setting can be enabled in a cluster template, so administrators can configure templates so that every new cluster any user creates from them gets scheduled scans by default. Finally, Rancher provides alerts and notifications for CIS security scans, so security administrators are notified by email, WeChat and other channels when a cluster configuration change makes it non-compliant, or when the cluster configuration itself is non-compliant.
Hands-on CIS clustering in Rancher 2.4
Let's start by setting up a Rancher RKE cluster.
Prerequisites: a CentOS VM (at least 2 cores) with Docker installed.
Step 1: Run Rancher Server
[root@rancher-rke ~]# sudo docker run -d --restart=unless-stopped -p 80:80 -p 443:443 rancher/rancher:v2.4.0-rc3
Unable to find image 'rancher/rancher:v2.4.0-rc3' locally
Trying to pull repository docker.io/rancher/rancher ...
v2.4.0-rc3: Pulling from docker.io/rancher/rancher
423ae2b273f4: Pull complete
de83a2304fa1: Pull complete
f9a83bce3af0: Pull complete
b6b53be908de: Pull complete
b365c90117f7: Pull complete
c939267bea55: Pull complete
7669306d1ae0: Pull complete
25e0f5e123a3: Pull complete
d6664495480f: Pull complete
99f55ceed479: Pull complete
edd7d0bc05aa: Pull complete
77e4b172baa4: Pull complete
48f474afa2cd: Pull complete
2270fe22f735: Pull complete
44c4786f7637: Pull complete
45e3db8be413: Pull complete
6be735114771: Pull complete
dfa5473bfef3: Pull complete
Digest: sha256:496bd1d204744099d70f191e86d6a35a5827f86501322b55f11c686206010b51
Status: Downloaded newer image for docker.io/rancher/rancher:v2.4.0-rc3
a145d93e8fa66a6a08b4f0e936dafc4b9717a93c59013e78118a4c5af8209a53
[root@rancher-rke ~]# docker ps
CONTAINER ID   IMAGE                        COMMAND           CREATED              STATUS              PORTS                                      NAMES
a145d93e8fa6   rancher/rancher:v2.4.0-rc3   "entrypoint.sh"   About a minute ago   Up About a minute   0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp   distracted_albattani
Note that v2.4.0-rc3 is a release candidate and that the container is published directly on ports 80 and 443 of the host; for anything beyond a lab, use a released version and put the Rancher server behind a firewall or load balancer.
Step 2: Visit the Rancher URL (http://{hostIP}) and set up RKE
Set the admin password, and set the Rancher server URL to the host IP.
Add a new cluster and select From existing nodes (Custom)
Keep the default options and tick the etcd, Control Plane and Worker roles, because we are installing all three on a single VM.
Copy the command Rancher shows and run it on the VM. The command carries a cluster registration token and a CA checksum that are specific to your Rancher server: the token is a credential, so do not share or publish it.
[root@rancher-rke ~]# sudo docker run -d --privileged --restart=unless-stopped --net=host -v /etc/kubernetes:/etc/kubernetes -v /var/run:/var/run rancher/rancher-agent:v2.4.0-rc3 --server https://185.136.233.195 --token hwpf4kpjf49gk9wq5xvw7gdjxtj257j8wmnn5rj6lb98csz2zmkcgq --ca-checksum 3f9640ab12533287fd5e0ad1663cccf354a4ce2a76243cd6735abcfb085bdbf2 --etcd --controlplane --worker
Unable to find image 'rancher/rancher-agent:v2.4.0-rc3' locally
Trying to pull repository docker.io/rancher/rancher-agent ...
v2.4.0-rc3: Pulling from docker.io/rancher/rancher-agent
423ae2b273f4: Already exists
de83a2304fa1: Already exists
f9a83bce3af0: Already exists
b6b53be908de: Already exists
931af2228ddf: Pull complete
94b51e50d654: Pull complete
7e7961efe32b: Pull complete
85725dc92c8d: Pull complete
5a82c6e509a6: Pull complete
3b675e73aee3: Pull complete
Digest: sha256:89017bd846a8cc597186f41eb17cfe1520aa0f7e6d86b48d8c32a5490c588f1e
Status: Downloaded newer image for docker.io/rancher/rancher-agent:v2.4.0-rc3
5aaa9fab48db4557c84b7ce0c61816384075570ed3e593446795bf8443610b64
Back in the Rancher UI, the new cluster registers itself and its status becomes Active:
Now click Cluster and from the Tools menu, select CIS Security Scan.
Currently CIS security scanning is available only for RKE clusters, and there are two scan profiles: Permissive and Hardened.
Permissive: this profile skips a set of tests that are not essential for users who are just getting started with Kubernetes.
Hardened: this profile skips no tests. It is aimed at advanced users and security teams.
In both profiles, some tests are marked Not Applicable because they do not apply to RKE clusters.
Now select the Permissive profile and run the scan. A standard RKE cluster passes every test in this profile.
To see the details of the run, click the scan: the full list of tests is displayed with its pass/fail/skip status.
Now run the same scan with the Hardened profile, and the tests that were skipped last time now fail.
As you can see, each failed result comes with the CIS benchmark description and remediation steps. So you not only learn which checks the cluster fails against the benchmark, you also get the recommendation needed to fix it. A default RKE cluster is not expected to pass the Hardened profile without configuration changes; the remediation text for each failure tells you which ones.
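To make concrete what Rancher does on top of kube-bench (merging the per-node results into one report, applying a profile's skip list, marking tests not applicable to RKE, and surfacing remediation for failures), here is an added example in Python. It is not Rancher's or kube-bench's code. The document shape loosely follows kube-bench's JSON output (a Controls list whose tests carry results with test_number, status and remediation); the sample node documents, the skip lists of the two profiles and the not-applicable set are constructed for illustration and are not Rancher's real lists.

```python
"""Merge kube-bench results from several nodes into one profile-aware report.

Added example, not Rancher or kube-bench code. Input shape loosely follows
kube-bench JSON output: "Controls" -> "tests" -> "results", each result with
test_number / status / remediation. Sample data and lists are constructed.
"""
import json
from collections import defaultdict

# Assumed profiles: Permissive skips some checks, Hardened skips none
# (mirrors the two Rancher 2.4 profiles; the IDs are illustrative).
PROFILES = {
    "permissive": {"skip": {"1.1.1", "4.2.6"}},
    "hardened": {"skip": set()},
}

# Checks treated as not applicable to RKE clusters in this example.
NOT_APPLICABLE = {"1.1.9"}


def load_kube_bench(node_name, json_text):
    """Attach a node name to a kube-bench JSON document (kube-bench run --json)."""
    doc = json.loads(json_text)
    doc["node"] = node_name
    return doc


def _check(test_number, status, remediation=""):
    """One constructed kube-bench result entry."""
    return {"test_number": test_number, "status": status, "remediation": remediation}


def _node_doc(node_name, node_type, results):
    """A minimal constructed kube-bench style document for one node."""
    return {"node": node_name,
            "Controls": [{"node_type": node_type,
                          "tests": [{"section": "demo", "results": results}]}]}


# Constructed scan output: one control-plane node and two worker nodes.
SAMPLE_NODES = [
    _node_doc("node-1", "master", [
        _check("1.1.1", "FAIL", "chmod 644 the API server pod specification file"),
        _check("1.1.9", "FAIL", "chmod 644 the CNI configuration files"),
        _check("1.2.1", "PASS"),
    ]),
    _node_doc("node-1", "node", [
        _check("4.2.6", "FAIL", "set --protect-kernel-defaults=true on the kubelet"),
        _check("4.2.1", "PASS"),
    ]),
    _node_doc("node-2", "node", [
        _check("4.2.6", "FAIL", "set --protect-kernel-defaults=true on the kubelet"),
        _check("4.2.1", "PASS"),
    ]),
]


def aggregate(docs, profile):
    """Merge per-node results into one state per test.

    notApplicable if excluded for RKE, skip if the profile skips it,
    fail if any node failed it, otherwise pass. Failing nodes are recorded.
    """
    skip = PROFILES[profile]["skip"]
    merged = {}
    for doc in docs:
        for control in doc["Controls"]:
            for test in control["tests"]:
                for result in test["results"]:
                    tid = result["test_number"]
                    entry = merged.setdefault(tid, {
                        "state": "pass", "nodes": set(),
                        "remediation": result.get("remediation", "")})
                    if tid in NOT_APPLICABLE:
                        entry["state"] = "notApplicable"
                    elif tid in skip:
                        entry["state"] = "skip"
                    elif result["status"] == "FAIL":
                        entry["state"] = "fail"
                        entry["nodes"].add(doc["node"])
    return merged


def summary(merged):
    """Count tests per state, e.g. {"pass": 2, "fail": 2, "notApplicable": 1}."""
    counts = defaultdict(int)
    for entry in merged.values():
        counts[entry["state"]] += 1
    return dict(counts)


def compliant(merged):
    """True when no test is in the fail state."""
    return all(entry["state"] != "fail" for entry in merged.values())


def report(docs, profile):
    """One line per test; failures list the nodes and the remediation."""
    merged = aggregate(docs, profile)
    lines = [f"profile={profile} {summary(merged)} compliant={compliant(merged)}"]
    for tid in sorted(merged):
        entry = merged[tid]
        line = f"  {tid:<8} {entry['state']:<14}"
        if entry["state"] == "fail":
            line += f" nodes={','.join(sorted(entry['nodes']))} remediation: {entry['remediation']}"
        lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NODES, "permissive"))
    print(report(SAMPLE_NODES, "hardened"))
```

With the constructed data the Permissive run reports no failures (the two failing checks are skipped, one is not applicable), while the Hardened run turns those same two checks into failures with the node names and remediation attached, which is exactly the difference the two scans above show. A test is counted as failed if any node fails it, because a cluster is only as hardened as its weakest node.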
Next steps to strengthen cluster security
Although a CIS security scan can be run with a single click, it is better to automate it, and this can be configured in Rancher as well. Regular security scans give you confidence in the cluster's state and a shared baseline for the team, and if the cluster drifts out of compliance you find out sooner.
At this point you should have a clearer picture of how to implement CIS cluster scanning in Rancher 2.4, so go and try it yourself. More related content is available on the site; follow us and keep learning!
© 2024 shulou.com SLNews company. All rights reserved.