Deploying Product in CIS hardened OS or K3s


CIS-hardened OS

To successfully deploy a GetVisibility product on an operating system that has been hardened according to the CIS (Center for Internet Security) standards, there are no specific additional requirements to follow.
The product can be deployed in a standard manner.

Additional OS-hardening

If the customer has employed an "in-house" hardening process that goes beyond the official CIS recommendations, it is important to perform certain checks.

  1. One key aspect to verify is the configuration of the /etc/fstab file. Ensure that the /var partition is not mounted with the noexec flag, as this could impact the functionality of the product.

This section will be updated in the future as we get more feedback from customers using various methods of hardening.



CIS Hardened K3s

Our product requires several exemptions to function properly on Kubernetes K3s clusters that have been hardened in accordance with the CIS (Center for Internet Security) standards.

Specifically, the Pod Security Admission (PSA) policy needs exemptions for the cattle-monitoring-system and default namespaces. All settings within this PSA policy should be configured to the "baseline" level rather than "restricted."

The relevant configuration file for these settings is typically located at /var/lib/rancher/k3s/server/psa.yaml.
To confirm the exact location of this file in a hardened K3s environment, check the /etc/systemd/system/k3s.service file: the arguments it passes to the K3s server identify the admission configuration file, which should be edited as shown below.

psa.yaml:

    apiVersion: apiserver.config.k8s.io/v1
    kind: AdmissionConfiguration
    plugins:
    - name: PodSecurity
      configuration:
        apiVersion: pod-security.admission.config.k8s.io/v1beta1
        kind: PodSecurityConfiguration
        defaults:
          enforce: "baseline"
          enforce-version: "latest"
          audit: "baseline"
          audit-version: "latest"
          warn: "baseline"
          warn-version: "latest"
        exemptions:
          usernames: []
          runtimeClasses: []
          namespaces: [kube-system, cattle-monitoring-system, default]

The cattle-monitoring-system, specifically the pushprox-k3s-server-client, requires an exemption to effectively collect metrics from the nodes. Similarly, the default namespace also needs exemptions to allow multiple containers to communicate with the host.
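The following pre-flight script is an added example written for this page, not GetVisibility tooling; it covers both checks the page asks for: the /var noexec check from the OS-hardening section and the psa.yaml levels and namespace exemptions above. It assumes the k3s unit passes the PSA file via --kube-apiserver-arg=admission-control-config-file=..., and every input it reads is a constructed sample.

```shell
#!/bin/sh
# Added example (not from the GetVisibility docs). Assumes the k3s unit passes the
# PSA file with --kube-apiserver-arg=admission-control-config-file=...; samples below
# are constructed so the script runs offline.

# Exit 0 if the /var entry of an fstab-style file carries noexec, 1 otherwise.
var_has_noexec() {
  awk '$1 !~ /^#/ && $2 == "/var" { n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "noexec") f = 1 }
       END { exit (f ? 0 : 1) }' "$1"
}

# Print the admission config path named in a k3s systemd unit file.
psa_path_from_unit() {
  grep -o 'admission-control-config-file=[^ "]*' "$1" | head -n 1 | cut -d= -f2
}

# Exit 0 if enforce/audit/warn are all "baseline" and every listed namespace is
# exempt; otherwise report each problem on stdout and exit 1.
psa_config_ok() {
  cfg="$1"; shift; rc=0
  for mode in enforce audit warn; do
    grep -Eq "^[[:space:]]*$mode:[[:space:]]*\"?baseline\"?[[:space:]]*$" "$cfg" \
      || { echo "$mode is not baseline"; rc=1; }
  done
  for ns in "$@"; do
    awk -v ns="$ns" '/^[[:space:]]*namespaces:/ { sub(/.*\[/, ""); sub(/\].*/, ""); n = split($0, a, ",")
           for (i = 1; i <= n; i++) { gsub(/[[:space:]]/, "", a[i]); if (a[i] == ns) f = 1 } }
         END { exit (f ? 0 : 1) }' "$cfg" || { echo "namespace $ns is not exempt"; rc=1; }
  done
  return $rc
}

# Constructed samples: a hardened fstab, a k3s unit, one good and one bad PSA config.
TMP=$(mktemp -d)
printf '%s\n' '# <fs> <mnt> <type> <opts> <dump> <pass>' \
  'UUID=0000-demo /var ext4 defaults,nodev,nosuid,noexec 0 2' > "$TMP/fstab"
printf '%s\n' '[Service]' 'ExecStart=/usr/local/bin/k3s server \' \
  '  --kube-apiserver-arg=admission-control-config-file=/var/lib/rancher/k3s/server/psa.yaml' \
  > "$TMP/k3s.service"
printf '%s\n' '    defaults:' '      enforce: "baseline"' '      audit: "baseline"' \
  '      warn: "baseline"' '    exemptions:' \
  '      namespaces: [kube-system, cattle-monitoring-system, default]' > "$TMP/psa_good.yaml"
printf '%s\n' '    defaults:' '      enforce: "restricted"' '      audit: "baseline"' \
  '      warn: "baseline"' '    exemptions:' \
  '      namespaces: [kube-system, cattle-monitoring-system]' > "$TMP/psa_bad.yaml"

var_has_noexec "$TMP/fstab" && echo "WARN: /var is mounted noexec; remount it without noexec"
echo "PSA config file: $(psa_path_from_unit "$TMP/k3s.service")"
psa_config_ok "$TMP/psa_bad.yaml" cattle-monitoring-system default || echo "fix psa.yaml first"
```

Point the three functions at the real /etc/fstab, k3s.service and psa.yaml to run the same checks on a node.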

Additionally, it is necessary to temporarily disable network policies.
This decision will be revisited after the installation of Cilium, as it will then be easier to configure and ensure that all necessary communications are properly set up.


Concerning other hardening methods, there are no critical impacts to be expected.

However, it is important to ensure that there is sufficient disk space available, especially if audit logs are to be stored on the same partition as the application. This is to prevent any potential issues related to storage constraints, which could affect the application's performance or data integrity.


Classified as Getvisibility - Partner/Customer Confidential