Rancher and RKE install Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS Benchmark require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions

Rancher and RKE install Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS 1.5 Benchmark require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions

to true (Automated) 1.2.5 Ensure that the --kubelet-client-certificate and -- kubelet-client-key arguments are set as appropriate (Automated) 1.2.6 Ensure that the --kubelet-certificate-authority argument the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Automated) 1.2.30 Ensure that the --tls-cert-file and --tls-private- key-file arguments are set as appropriate (Automated) 1.2.31 1 (Automated) 2 Etcd Node Configuration Files 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4

Rancher and RKE install Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. Scoring the Mitigation) 1.1.22 - Ensure that the --kubelet-client-certificate and -- kubelet-client-key arguments are set as appropriate (Scored) Audit ( --kubelet-client-certificate ) docker inspect kube-apiserver token-key.pem Result: Pass 1.1.26 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) Audit ( --etcd-certfile ) docker inspect kube-apiserver | jq -e

Applicability Rancher_Hardening_Guide.md 11/30/2018 12 / 24 Level 1 Description Set the appropriate arguments on the Kubernetes controller manager. Rationale To address the following controls the options

components related to Heapster deployed: Notice that the Heapster container takes its arguments for source and target based on where the data will be stored. spec: containers: - name: