Channels
academy
amazon
arm
azure
cabpr
chinese
ci-cd
danish
deutsch
developer
elemental
epinio
espanol
events
extensions
fleet
français
gcp
general
harvester
harvester-dev
hobbyfarm
hypper
japanese
k3d
k3os
k3s
k3s-contributor
kim
kubernetes
kubewarden
lima
logging
longhorn-dev
longhorn-storage
masterclass
mesos
mexico
nederlands
neuvector-security
office-hours
one-point-x
onlinemeetup
onlinetraining
opni
os
ozt
phillydotnet
portugues
rancher-desktop
rancher-extensions
rancher-setup
rancher-wrangler
random
rfed_ara
rio
rke
rke2
russian
s3gw
service-mesh
storage
submariner
supermicro-sixsq
swarm
terraform-controller
terraform-provider-rancher2
terraform-provider-rke
theranchcast
training-0110
training-0124
training-0131
training-0207
training-0214
training-1220
ukranian
v16-v21-migration
vsphere
windows
Title
m
millions-book-52954
07/25/2022, 11:07 AMHello,
I'm currently looking to configure my RKE2 cluster (v1.23.6+rke2r2) to be more secure based on CIS 1.6.
Is there a best practice or a consensus to be compliant with this CIS test ?
1.1.12 - Ensure that the etcd data directory ownership is set toetcd:etcd
1. Check that theuser and group exists on the host. If they don’t, exit with an error.etcd
2. Create etcd’s data directory withas the user and group owner.etcd
3. Ensure the etcd process is ran as theSource: https://rancher.com/docs/rancher/v2.6/en/security/hardening-guides/rke2-1.6-hardening-2.6/#ensure-etcd-is-configured-properly User creation is (partly ?) documented:user and group by setting the etcd static pod’setcdappropriately.SecurityContext
sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -USecurityContextconfig.yamlconfig.yaml/var/lib/rancher/rke2/agent/pod-manifests/etcd.yaml👀 1
h
high-waitress-66594
07/25/2022, 5:51 PMYou can specify uid/gid when creating etcd user and group, that's an exercise for the reader. They must both be named
etcdThe etcd static pod manifest is written to disk every startup so unless you want to break expectations, I wouldn't advise changing it.
m
millions-book-52954
07/26/2022, 7:21 AMthat's an exercise for the reader.ok
...so unless you want to break expectations, I wouldn't advise changing it.ok, thank you for this. I will continue my investigations regarding point 2.
r
rapid-helmet-86074
08/01/2022, 6:32 PMI think another reason that UID/GID isn't specified is because they don't need to match between master nodes as they'd be writing to local and not shared file systems.
m
millions-book-52954
08/02/2022, 7:24 AMHello @rapid-helmet-86074
I'm agree with this. But wouldn't it be easier to define it equally over the nodes to set the securitycontext ? For me the answer is "yes".
There's no problem currently, it just takes more time to understand/fix this point (the first time).
r
rapid-helmet-86074
08/02/2022, 2:18 PMIf you don't know the knowledge level of the user following the instructions, you might either confuse people about needing to check available UID/GID numbers or when someone has one conflicting with what's arbitrarily chosen for the docs. So leaving it off avoids the questions while still suggesting to anyone who cares that the UID/GID numbers don't matter and can be set as what they want.