Closed juadk closed 1 year ago
After speaking with @ldevulder, we have decided to configure a hardened cluster in our k3s CLI test. We will do it first on k3s and then port the test to RKE2, because all our tests use k3s to host Rancher Manager. I will open another issue about implementing RKE2 as a management cluster.
https://docs.k3s.io/security/hardening-guide
https://ranchermanager.docs.rancher.com/reference-guides/rancher-security/rancher-v2.7-hardening-guides/k3s-hardening-guide-with-cis-benchmark
I'm also checking https://ranchermanager.docs.rancher.com/pages-for-subheaders/rancher-security and I just downloaded the latest CIS Benchmark from https://www.cisecurity.org/
Well... that's not so easy... I followed all the documentation and I cannot deploy cert-manager in the hardened cluster. I think I need to add a network policy. I also reached out to the Rancher QA guy and he does not know how to do it manually. Moreover, they have automation for RKE1 only.
EDIT: ok... I've found this comment from Rancher QA:
The network policy was not added, as it might block network traffic when Rancher agent is installed in the cluster.
The network policy is provided as an example that must be improved by the user, as it varies from user to user environment.
Let's do it without network policy then.
Finally, I managed to configure everything without disabling any security! I was able to deploy Rancher + the elemental operator inside a hardened k3s cluster and ran a scan with k3s-cis-1.23-profile-hardened. I'm going to start the automation!
As PSP is deprecated and will be removed in 1.25, I did a quick test with PSA. It is pretty straightforward to use and it also fixes the cert-manager issue. However, Rancher is not yet supported on k3s 1.25. We will do it later.
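For reference, here is what the PSA-based variant of a hardened k3s server configuration looks like. This is an added example, not the project's own test configuration and not copied from the issue: the two files below are the standard k3s `config.yaml` plus a PodSecurity `AdmissionConfiguration` that replaces the PSP admission plugin. The file paths, the `v1beta1` PodSecurity config version (the one available on the k3s 1.23/1.24 releases discussed above; 1.25+ uses `v1`), and the list of exempted namespaces are assumptions to be adapted to the cluster; the exemptions are the knob that decides whether system components such as the CIS scanner are allowed to run pods that the `restricted` profile would otherwise reject.

```yaml
# --- /etc/rancher/k3s/config.yaml (assumed path, default k3s config location) ---
# Hardened k3s server settings following the k3s CIS hardening guide.
# The kernel defaults flag requires the sysctls the guide lists
# (vm.panic_on_oom=0, vm.overcommit_memory=1, kernel.panic=10,
# kernel.panic_on_oops=1) to be set on the host first, or the kubelet
# refuses to start.
protect-kernel-defaults: true
secrets-encryption: true
kube-apiserver-arg:
  # PodSecurity admission (PSA) replaces PodSecurityPolicy; the plugin is
  # configured through this file instead of per-namespace labels only.
  - "admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml"
  - "audit-log-path=/var/lib/rancher/k3s/server/logs/audit.log"
  - "audit-policy-file=/var/lib/rancher/k3s/server/audit.yaml"
  - "audit-log-maxage=30"
  - "audit-log-maxbackup=10"
  - "audit-log-maxsize=100"
  - "request-timeout=300s"
  - "service-account-lookup=true"
kube-controller-manager-arg:
  - "terminated-pod-gc-threshold=10"
  - "use-service-account-credentials=true"
kubelet-arg:
  - "streaming-connection-idle-timeout=5m"
  - "make-iptables-util-chains=true"
---
# --- /var/lib/rancher/k3s/server/psa.yaml (assumed path, referenced above) ---
apiVersion: apiserver.config.k8s.io/v1
kind: AdmissionConfiguration
plugins:
  - name: PodSecurity
    configuration:
      # v1beta1 is an assumption for k3s 1.23/1.24; use v1 on 1.25+.
      apiVersion: pod-security.admission.config.k8s.io/v1beta1
      kind: PodSecurityConfiguration
      # Cluster-wide default: enforce, audit and warn on the restricted profile
      # for every namespace that is not exempted below.
      defaults:
        enforce: "restricted"
        enforce-version: "latest"
        audit: "restricted"
        audit-version: "latest"
        warn: "restricted"
        warn-version: "latest"
      exemptions:
        usernames: []
        runtimeClasses: []
        # Assumed exemptions: k3s system components and the namespace the
        # rancher-cis-benchmark scanner runs in. Keep this list as short as
        # possible; each entry is a namespace where restricted checks are skipped.
        namespaces:
          - kube-system
          - cis-operator-system
```

Once the server is restarted with this configuration, a quick check that the policy is active is to apply a privileged pod (for example `securityContext.privileged: true`) in a non-exempt namespace and confirm the API server rejects it with a `violates PodSecurity "restricted:latest"` message; a cert-manager or Rancher install in a non-exempt namespace must then succeed without touching the exemption list.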
Test to make sure we will not hit https://github.com/rancher/elemental-operator/issues/317 anymore.