Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 www.juniper.net Juniper Networks, the Juniper Networks logo, Juniper, and Junos are registered trademarks of Juniper terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing or using such software, you agree to the terms and conditions Networks download site (https://support.juniper.net/support/downloads/?p=contrail-networking) and access the container repository at https://enterprise-hub.juniper.net. 2. Set up the fabric network and connect

s-pod-network/lock - 750 Audit ( /etc/cni/net.d ) stat -c "%n - %a" /etc/cni/net.d/* Returned Value: /etc/cni/net.d/10-canal.conflist - 664 /etc/cni/net.d/calico-kubeconfig - 600 Result: Pass 1.4 ork/lock - root:root Audit ( /etc/cni/net.d ) stat -c "%n - %U:%G" /etc/cni/net.d/* Returned Value: /etc/cni/net.d/10-canal.conflist - root:root /etc/cni/net.d/calico-kubeconfig - root:root Result: Audit kubectl get psp restricted -o jsonpath='{.spec.requiredDropCapabilities}' | grep "NET_RAW" Returned Value: [NET_RAW] Result: Pass 2 - Worker Node Security Configuration 2.1 - Kubelet 2.1.1 - Ensure

128 128 128 129 129 130 130 130 130 131 5.2.7 Minimize the admission of containers with the NET_RAW capability (Manual) 5.2.8 Minimize the admission of containers with added capabilities (Manual) cfg-kube-node.yaml -- volume-plugin-dir=/var/lib/kubelet/volumeplugins --cni-conf- dir=/etc/cni/net.d --root-dir=/var/lib/kubelet --tls-cert- CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5 cfg-kube-node.yaml -- volume-plugin-dir=/var/lib/kubelet/volumeplugins --cni-conf- dir=/etc/cni/net.d --root-dir=/var/lib/kubelet --tls-cert- file=/etc/kubernetes/ssl/kube-kubelet-192-168-1-225.pem

PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities: - NET_RAW privileged: false allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities: - NET_RAW privileged: false allowPrivilegeEscalation: false Hardening Guide v2.3.5 16

PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities: - NET_RAW privileged: false allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities: - NET_RAW privileged: false allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation:

PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities: - NET_RAW privileged: false allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities: - NET_RAW privileged: false Rancher_Hardening_Guide.md 11/30/2018 24 / 24 allowPrivilegeEscalation:

署应用的方式。云原生应用专为云模型而开 发，团队可以快速将应用构建和部署到可提供横向扩展和硬件解耦的平台，为企业提供更高的敏捷性、弹性和云 间的可移植性。 https://12factor.net/zh_cn/ 云原生应用 传统的企业应用 可预测 不可预测 操作系统抽象化 依赖操作系统 合适的容量 过多容量 协作 孤立 持续交付 瀑布式开发 独立 依赖 自动化可扩展性 手动扩展

extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp spec: requiredDropCapabilities: - NET_RAW privileged: false allowPrivilegeEscalation: false defaultAllowPrivilegeEscalation: false fsGroup: