Rancher Hardening Guide v2.4
… should be configured such that it does not provide a service account token and does not have any explicit rights assignments. Configure Kernel Runtime Parameters: … root_maxbytes=25000000. Run `sysctl -p /etc/sysctl.d/90-kubelet.conf` to enable the settings. Configure etcd user and group: a user account and group for the etcd service must be set up prior to installing; run the following console commands: `groupadd --gid 52034 etcd` and `useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd`. Update the RKE config.yml with the uid and gid of the etcd user: …
22 pages | 197.27 KB | 1 year ago

Rancher Hardening Guide v2.3.5
… Run `sysctl -p /etc/sysctl.d/90-kubelet.conf` to enable the settings. Configure etcd user and group: a user account and group for the etcd service must be set up prior to installing; run the following console commands: `addgroup --gid 52034 etcd` and `useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd`. Update the RKE config.yml with the uid and gid of the etcd user: … service account which is used by cluster workloads where no specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should …
21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
1.1 - Configure default sysctl settings on all hosts. Profile Applicability: Level 1. Description (Rancher_Hardening_Guide.md, 11/30/2018): Configure sysctl settings to match what the kubelet would … Rationale: We recommend that users launch the kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually. This supports the following … nodes: vm.overcommit_memory=1, kernel.panic=10, kernel.panic_on_oops=1. Run `sysctl -p` to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes. Profile Applicability …
24 pages | 336.27 KB | 1 year ago

Hardening Guide - Rancher v2.3.3+
… set as appropriate (Scored) • 1.1.23 - Ensure that the --service-account-lookup argument is set to true (Scored) • 1.1.24 - Ensure that th… …ommand section of the output: --anonymous-auth=false --profiling=false --service-account-lookup=true --enable-admission-plugins=ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel … DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy" profiling: "false" service-account-lookup: "true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 …
44 pages | 279.78 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
… appropriate (Automated) 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated) 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) 1.2 … false (Automated) 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate (Automated) … Ensure that default service accounts are not actively used (Automated) 5.1.6 Ensure that Service Account Tokens are only mounted where necessary (Manual) 5.2 Pod Security Policies 5.2.1 Minimize the admission …
132 pages | 1.12 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
1.1.23 Ensure that the --service-account-lookup argument is set to true (Scored). Audit: `docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-lookup=true").string'`. Returned Value: --service-account-lookup=true. Result: Pass. 1.1.24 - Ensure that the admission control plugin PodSecurityPolicy is set (Scored). Audit: `docker inspect kube-apiserver | jq -e '.[0].Args[] | …` … - Ensure that the --service-account-key-file argument is set as appropriate (Scored). Audit: `docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-key-file=.*").string'`. Returned …
47 pages | 302.56 KB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
1.2.14 Ensure that the admission control plugin Service Account is set (Scored). Result: PASS. Remediation: Follow the documentation and create ServiceAccount objects … '--request-timeout' is not present OR '--request-timeout' is present … 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored). Result: PASS. Remediation: Edit the API server pod specification yaml on the master node and set the below parameter: --service-account-lookup=true. Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect …
54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
1.2.14 Ensure that the admission control plugin Service Account is set (Scored). Result: PASS. Remediation: Follow the documentation and create ServiceAccount objects … '--request-timeout' is not present OR '--request-timeout' is present … 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored). Result: PASS. Remediation: Edit the API server pod specification yaml on the master node and set the below parameter: --service-account-lookup=true. Alternatively, you can delete the --service-account-lookup parameter from this file so that the default takes effect …
54 pages | 447.97 KB | 1 year ago

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
… member of the docker group on the node. 3. Run the following command to create a Linux user account on every node: `$ useradd -m -G docker …` `$ su - …` `$ mkdir $HOME/.ssh` `$ chmod …` … Kubernetes clusters using the IP address or FQDN. PowerProtect Data Manager uses the discovery service account and the token kubeconfig file to integrate with kube-apiserver. The following high-level architecture … The service account must have the following privileges: • Get, Create, Update, and List for CustomResourceDefinitions …
45 pages | 3.07 MB | 1 year ago

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
… SDN solution that emphasizes centralized control and scalability. Before You Install: 1. Set up an account with Juniper Networks so you can download CN2 manifests from the Juniper Networks download site (https://support… … downloading from the Juniper Networks software download site, you'll need an account to download. If you don't have an account, contact your Juniper Networks sales representative to have one created for … tools are compatible with CN2 within the same release only. You'll need an account to download. If you don't have an account, contact your Juniper Networks sales representative to have one created for …
72 pages | 1.01 MB | 1 year ago