From 35d5a5d9a13fe294c7646b05634a568a64e00438 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 14 May 2024 16:07:44 -0400 Subject: [PATCH 1/6] 1283 update Rancher security best practices to address public IP exposure --- .../rancher-security-best-practices.md | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/docs/reference-guides/rancher-security/rancher-security-best-practices.md b/docs/reference-guides/rancher-security/rancher-security-best-practices.md index df921789f25e..0954e2270dda 100644 --- a/docs/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/docs/reference-guides/rancher-security/rancher-security-best-practices.md @@ -6,7 +6,7 @@ title: Rancher Security Best Practices -### Restrict Public Access to /version and /rancherversion Path +## Restrict Public Access to /version and /rancherversion Path The upstream (local) Rancher instance provides information about the Rancher version it is running and the Go version that was used to build it. That information is accessible via the `/version` path, which is used for tasks such as automating version bumps, or confirming that a deployment was successful. The upstream instance also provides Rancher version information accessible via the `/rancherversion` path. 
@@ -14,8 +14,17 @@ Adversaries can misuse this information to identify the running Rancher version See [OWASP Web Application Security Testing - Enumerate Infrastructure and Application Admin Interfaces](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces.html) for more information on protecting your server. -### Session Management +## Session Management Some environments may require additional security controls for session management. For example, you may want to limit users' concurrent active sessions or restrict which geolocations those sessions can be initiated from. Such features are not supported by Rancher out of the box. If you require such features, combine Layer 7 firewalls with [external authentication providers](../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/authentication-config.md#external-vs-local-authentication). + +## Use External Load Balancers to Protect Vulnerable Ports + +You should protect the following ports behind an external load balancer that has SSL offload enabled: + +**K3s:** Port 6443, used by the Kubernetes API. +**RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. + +These ports have SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. From d4af47a378fc243e94eaa7b52134e9f53ad13882 Mon Sep 17 00:00:00 2001 From: martyav Date: Tue, 14 May 2024 16:16:12 -0400 Subject: [PATCH 2/6] link and bullet points --- .../rancher-security/rancher-security-best-practices.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/docs/reference-guides/rancher-security/rancher-security-best-practices.md b/docs/reference-guides/rancher-security/rancher-security-best-practices.md index 0954e2270dda..ec6f170ecf39 100644 --- a/docs/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/docs/reference-guides/rancher-security/rancher-security-best-practices.md @@ -22,9 +22,9 @@ If you require such features, combine Layer 7 firewalls with [external authentic ## Use External Load Balancers to Protect Vulnerable Ports -You should protect the following ports behind an external load balancer that has SSL offload enabled: +You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: -**K3s:** Port 6443, used by the Kubernetes API. -**RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. +- **K3s:** Port 6443, used by the Kubernetes API. +- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. These ports have SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. From f08108947d8500ea6bb89062e43c0a74949d35b7 Mon Sep 17 00:00:00 2001 From: Marty Hernandez Avedon Date: Thu, 16 May 2024 12:08:53 -0400 Subject: [PATCH 3/6] Update docs/reference-guides/rancher-security/rancher-security-best-practices.md --- .../rancher-security/rancher-security-best-practices.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/reference-guides/rancher-security/rancher-security-best-practices.md b/docs/reference-guides/rancher-security/rancher-security-best-practices.md index ec6f170ecf39..00724d0005ee 100644 --- a/docs/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/docs/reference-guides/rancher-security/rancher-security-best-practices.md @@ -27,4 +27,4 @@ You should protect the following ports behind an [external load balancer](../../ - **K3s:** Port 6443, used by the Kubernetes API. - **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. -These ports have SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. +These ports have TSL SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. From d316426e5114a30ed48f88994f9d89e1e699c63b Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 16 May 2024 12:38:04 -0400 Subject: [PATCH 4/6] versioning --- .../rancher-security-best-practices.md | 15 ++++++++++++--- .../rancher-security-best-practices.md | 13 +++++++++++-- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md index ea78abe7d0eb..02bf42d0d449 100644 --- a/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md 
@@ -6,7 +6,7 @@ title: Rancher Security Best Practices -### Restrict Public Access to /version and /rancherversion Path +## Restrict Public Access to /version and /rancherversion Path The upstream (local) Rancher instance provides information about the Rancher version it is running and the Go version that was used to build it. That information is accessible via the `/version` path, which is used for tasks such as automating version bumps, or confirming that a deployment was successful. The upstream instance also provides Rancher version information accessible via the `/rancherversion` path. 
@@ -14,8 +14,17 @@ Adversaries can misuse this information to identify the running Rancher version See [OWASP Web Application Security Testing - Enumerate Infrastructure and Application Admin Interfaces](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces.html) for more information on protecting your server. -### Session Management +## Session Management Some environments may require additional security controls for session management. For example, you may want to limit users' concurrent active sessions or restrict which geolocations those sessions can be initiated from. Such features are not supported by Rancher out of the box. -If you require such features, combine Layer 7 firewalls with [external authentication providers](../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/authentication-config.md#external-vs-local-authentication). \ No newline at end of file +If you require such features, combine Layer 7 firewalls with [external authentication providers](../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/authentication-config.md#external-vs-local-authentication). + +## Use External Load Balancers to Protect Vulnerable Ports + +You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: + +- **K3s:** Port 6443, used by the Kubernetes API. +- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. + +These ports have TSL SAN certificates which list nodes' public IP addresses. 
An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. \ No newline at end of file diff --git a/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md index ea78abe7d0eb..77e9979da605 100644 --- a/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md 
@@ -14,8 +14,17 @@ Adversaries can misuse this information to identify the running Rancher version See [OWASP Web Application Security Testing - Enumerate Infrastructure and Application Admin Interfaces](https://owasp.org/www-project-web-security-testing-guide/stable/4-Web_Application_Security_Testing/02-Configuration_and_Deployment_Management_Testing/05-Enumerate_Infrastructure_and_Application_Admin_Interfaces.html) for more information on protecting your server. -### Session Management +## Session Management Some environments may require additional security controls for session management. For example, you may want to limit users' concurrent active sessions or restrict which geolocations those sessions can be initiated from. Such features are not supported by Rancher out of the box. -If you require such features, combine Layer 7 firewalls with [external authentication providers](../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/authentication-config.md#external-vs-local-authentication). \ No newline at end of file +If you require such features, combine Layer 7 firewalls with [external authentication providers](../../how-to-guides/new-user-guides/authentication-permissions-and-global-configuration/authentication-config/authentication-config.md#external-vs-local-authentication). + +## Use External Load Balancers to Protect Vulnerable Ports + +You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: + +- **K3s:** Port 6443, used by the Kubernetes API. +- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. + +These ports have TSL SAN certificates which list nodes' public IP addresses. 
An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. From 06b16e21036242519c52b93d9a8c7578bcff8816 Mon Sep 17 00:00:00 2001 From: martyav Date: Thu, 16 May 2024 12:39:02 -0400 Subject: [PATCH 5/6] typo --- .../rancher-security/rancher-security-best-practices.md | 2 +- .../rancher-security/rancher-security-best-practices.md | 2 +- .../rancher-security/rancher-security-best-practices.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference-guides/rancher-security/rancher-security-best-practices.md b/docs/reference-guides/rancher-security/rancher-security-best-practices.md index 00724d0005ee..beeb28888801 100644 --- a/docs/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/docs/reference-guides/rancher-security/rancher-security-best-practices.md @@ -27,4 +27,4 @@ You should protect the following ports behind an [external load balancer](../../ - **K3s:** Port 6443, used by the Kubernetes API. - **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. -These ports have TSL SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. +These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. 
diff --git a/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md index 02bf42d0d449..ae098093f98f 100644 --- a/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md @@ -27,4 +27,4 @@ You should protect the following ports behind an [external load balancer](../../ - **K3s:** Port 6443, used by the Kubernetes API. - **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. -These ports have TSL SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. \ No newline at end of file +These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. \ No newline at end of file diff --git a/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md index 77e9979da605..98f0329b5fda 100644 --- a/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md 
@@ -27,4 +27,4 @@ You should protect the following ports behind an [external load balancer](../../ - **K3s:** Port 6443, used by the Kubernetes API. - **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. -These ports have TSL SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. +These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. From a4f1a2a9f4fcd3b1c33202d5798d5cce53b06c98 Mon Sep 17 00:00:00 2001 From: martyav Date: Mon, 10 Jun 2024 12:30:40 -0400 Subject: [PATCH 6/6] #1287 - ports listed also relevant for rke --- .../rancher-security/rancher-security-best-practices.md | 2 +- .../rancher-security/rancher-security-best-practices.md | 2 +- .../rancher-security/rancher-security-best-practices.md | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/reference-guides/rancher-security/rancher-security-best-practices.md b/docs/reference-guides/rancher-security/rancher-security-best-practices.md index beeb28888801..fa958639c1f4 100644 --- a/docs/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/docs/reference-guides/rancher-security/rancher-security-best-practices.md 
@@ -25,6 +25,6 @@ If you require such features, combine Layer 7 firewalls with [external authentic You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: - **K3s:** Port 6443, used by the Kubernetes API. -- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. +- **RKE and RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. diff --git a/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md index ae098093f98f..92a681bfc8b7 100644 --- a/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.7/reference-guides/rancher-security/rancher-security-best-practices.md 
@@ -25,6 +25,6 @@ If you require such features, combine Layer 7 firewalls with [external authentic You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: - **K3s:** Port 6443, used by the Kubernetes API. -- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. +- **RKE and RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers. \ No newline at end of file diff --git a/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md b/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md index 98f0329b5fda..664647697228 100644 --- a/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md +++ b/versioned_docs/version-2.8/reference-guides/rancher-security/rancher-security-best-practices.md 
@@ -25,6 +25,6 @@ If you require such features, combine Layer 7 firewalls with [external authentic You should protect the following ports behind an [external load balancer](../../how-to-guides/new-user-guides/kubernetes-resources-setup/load-balancer-and-ingress-controller/layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer) that has SSL offload enabled: - **K3s:** Port 6443, used by the Kubernetes API. -- **RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. +- **RKE and RKE2:** Port 6443, used by the Kubernetes API, and port 9345, used for node registration. These ports have TLS SAN certificates which list nodes' public IP addresses. An attacker could use that information to gain unauthorized access or monitor activity on the cluster. Protecting these ports helps mitigate against nodes' public IP addresses being disclosed to potential attackers.
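Review bot: In PATCH 1/6, the new "Use External Load Balancers to Protect Vulnerable Ports" section (hunk @@ -14,8 +14,17 @@ of docs/reference-guides/rancher-security/rancher-security-best-practices.md) never says why SSL offload is the control, and the reader needs that link to follow the advice: a balancer that terminates TLS presents its own certificate to clients, so the API server's certificate, whose SAN list carries the node IP addresses, is not sent to the public side at all. State that in the closing paragraph. The sentence "An attacker could use that information to gain unauthorized access or monitor activity on the cluster" also asserts a consequence the section does not support; what the SAN list discloses is the nodes' public addresses, so describe the risk as information disclosure of node IPs and leave the rest to the existing OWASP reference. The section should also say what clients that authenticate to port 6443 with certificates (kubeconfig users, joining nodes) are expected to do once the balancer terminates TLS in front of the API, since they no longer reach the API server's TLS endpoint directly. Finally, the two "**K3s:**" and "**RKE2:**" lines have no list markers and will render as a single run-on paragraph in Markdown.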
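Review bot: In PATCH 2/6 (hunk @@ -22,9 +22,9 @@), the link target "layer-4-and-layer-7-load-balancing.md#layer-4-load-balancer" contradicts the requirement, in the same sentence, that the balancer has SSL offload enabled: a Layer 4 balancer forwards TCP and does not normally terminate TLS, so the API server's certificate and its SAN list still reach the client, which is exactly the exposure this section is meant to remove. Either point the link at the Layer 7 section of that page or reword the sentence to say the balancer must terminate TLS and present its own certificate. The list-marker change in the same hunk resolves the rendering problem from PATCH 1/6.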
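Review bot: PATCH 3/6 introduces a typo in hunk @@ -27,4 +27,4 @@, "TSL SAN certificates" for "TLS SAN certificates", which PATCH 5/6 then corrects in all three copies of the file; squash the two so the typo never lands in history. Even corrected, "TLS SAN certificates" is imprecise, because the SAN is an extension of the API server's serving certificate rather than a kind of certificate; "the TLS serving certificates on these ports list nodes' public IP addresses in their Subject Alternative Name field" says what the reader needs.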
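Review bot: In PATCH 4/6 the version-2.7 and version-2.8 files start from the same blob (index ea78abe7d0eb in both file headers) but receive different hunks: version-2.7 gets the heading change for "Restrict Public Access to /version and /rancherversion Path" (hunk @@ -6,7 +6,7 @@) and version-2.8 does not, so after this patch the 2.8 page has a "###" heading followed by the promoted "## Session Management" and the new "## Use External Load Balancers to Protect Vulnerable Ports". Apply the first hunk to version-2.8 as well. Minor: the version-2.7 copy keeps "\ No newline at end of file" on its new last line while the 2.8 copy gains a trailing newline; the two files should end the same way.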
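Review bot: PATCH 6/6 widens the second bullet to "**RKE and RKE2:**" without changing its description (hunk @@ -25,6 +25,6 @@ in all three files), so the page now states that RKE uses port 9345 for node registration; the bullet was written for RKE2 and the commit message ("ports listed also relevant for rke") gives no source for RKE. Confirm that RKE listens on 9345 before merging; if RKE only shares port 6443, give it its own bullet ("**RKE:** Port 6443, used by the Kubernetes API.") so the guidance does not tell RKE users to front a port that is not open.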