[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos and LDAP Support 4 4 4 2 Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies 4 2 3 2 2.4 Shared Tools and Services Once deployed must use a browser-based workflow to perform authentication. 3.2.2 Pod and Network Security Policies • SUSE Rancher: 4 • OpenShift: 3 • Tanzu: 2 • Anthos: 2 3.2.2.1 SUSE Rancher SUSE downstream clusters. This ensures conformance and reduces the risk of human error when changing policies. PSPs can be created and edited through the UI. SUSE Rancher also ships with OPA Gatekeeper as | 0 码力 | 39 pages | 488.95 KB | 1 year ago
Service mesh security best practices: from implementation to verification Plane Service mesh security architecture Cluster Workload Edge Operations Ingress Policies Egress Policies WAF / IDS Firewall User AuthN/Z Data Loss Prevention Certificate Authority K8s security Edge Security Cluster security Service Proxy Ingress 1. Define ingress security policies to control accesses to services. Deploy web application firewall to defend against DDoS, injection, remote execution attacks. Edge security Egress 2. Define egress security policies to defend against data exfiltration, botnet attacks. 3. Define firewall and virtual private network to | 0 码力 | 29 pages | 1.77 MB | 1 year ago
Istio audit report - ADA Logics - 2023-01-30 - v1.0 to pass further security policies. Proxy Service Low to high Incoming traffic to proxy can be coming from outside the cluster and is validated against the specified policies before it reaches the service trust boundary as it passes the proxy. Controlplane Dataplane High to low Policies are created by users with privileges. The policies are propagated to the dataplane. Egress Sidecar External Apis High to the advantages of using Istio is that it offers a series of security features related to identity, policies, TLS encryption, authentication, authorization and internal auditing to enhance the security in | 0 码力 | 55 pages | 703.94 KB | 1 year ago
AWS LAMBDA Tutorial policy. In the searchbox, enter the AWS service and click on the checkbox. You can select multiple policies and later click on Next:Review. AWS Lambda 34 It is also possible to create click Add button to add the policy. Similarly, you can create policies for other services. Here, we have selected two policies AmazonS3FullAccess and AmazonDynamoDBFullAccess. We have given AWS Lambda 40 You can follow the steps discussed earlier to create the policies using ARN. Step 1 Click Create role button to create the role. All the roles created are displayed | 0 码力 | 393 pages | 13.45 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher Self-Assessment Guide - v2.4 2 53 5.6 General Policies CIS Benchmark 'true' is equal to 'true' CIS Benchmark Rancher Self-Assessment Guide - v2.4 48 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.1.5 Ensure that default service accounts are not actively used exit 0 Audit Execution: ./5.1.5.sh Expected result: '--pass' is present 5.2 Pod Security Policies 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored) | 0 码力 | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 52 53 5.3 Network Policies and CNI 5.6 General Policies CIS 1 'true' is equal to 'true' CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 48 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.1.5 Ensure that default service accounts are not actively used "--pass" exit 0 Audit Execution: ./5.1.5.sh Expected result: '--pass' is present 5.2 Pod Security Policies 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored) | 0 码力 | 54 pages | 447.97 KB | 1 year ago
OpenShift Container Platform 4.10 Scalability and Performance maxConcurrency: 1 timeout: 240 status: 2 conditions: - message: The ClusterGroupUpgrade CR has upgrade policies that are still non compliant reason: UpgradeNotCompleted status: "False" type: Ready conditions: - message: The ClusterGroupUpgrade CR has all clusters compliant with all the managed policies reason: UpgradeCompleted status: "True" type: Ready managedPoliciesForUpgrade: - maxConcurrency: 1 timeout: 240 status: conditions: - message: The ClusterGroupUpgrade CR has upgrade policies that are still non compliant 1 reason: UpgradeNotCompleted status: "False" type: Ready | 0 码力 | 315 pages | 3.19 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self-Assessment controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as nginx-ingress ) resources. 1.6.3 - Create network segmentation using Network Policies (Not Scored) Rancher can (optionally) automatically create Network Policies to isolate "Projects" (a group of one or more namespaces) the admission.yaml file. 1.6.7 - Configure network policies as appropriate (Not Scored) Rancher can (optionally) automatically create Network Policies to isolate projects (a group of one or more namespaces) | 0 码力 | 47 pages | 302.56 KB | 1 year ago
Rancher Hardening Guide v2.3.5 Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration -n ${namespace} -p "$(cat account_update.yaml)" done Ensure that all Namespaces have Network Policies defined Running different applications on the same Kubernetes cluster creates a risk of one compromised Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace | 0 码力 | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4 Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration -n ${namespace} -p "$(cat account_update.yaml)" done Ensure that all Namespaces have Network Policies defined Running different applications on the same Kubernetes cluster creates a risk of one compromised Network Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace | 0 码力 | 22 pages | 197.27 KB | 1 year ago