identification purposes only and may be trademarks of their respective holder(s). Information is subject to change without notice. © 2017 Rancher Labs, Inc. All rights reserved. March 2017. 1 ©Rancher ..................................................................................... 7 1.3.10 Log Management ....................................................................................... visualization. 1.3.10 Log Management Fetching and analyzing log data is critical to understanding what is happening with a given cluster. Internal Kubernetes components use log library to log data; kubectl

kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually. This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults secret is the 32-byte base64-encoded string generated in the first step. 1.1.3 - Install the audit log configuration on all control plane nodes. Profile Applicability Level 1 Description Place the configuration that the --audit-log-path argument is set as appropriate (Scored) 1.1.16 - Ensure that the --audit-log-maxage argument is as appropriate (Scored) 1.1.17 - Ensure that the --audit-log-maxbackup argument

Solutions 3 4 2 4 Advanced Monitoring 4 4 3 2 Alerts and Notifications 4 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 supports the standard API logging available from Kubernetes. 3.1.9.2 OpenShift OpenShift can log all interactions with the OCP API, including request and response body and metadata. OpenShift collect Anthos clusters. GKE clusters by default run the GCP Cloud Logging service. At installation you can change this behavior to use a different logging service. Anthos clusters hosted on VMware or bare metal

no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Cloud Native Contrail Networking preventing the node from reaching the Juniper Networks repository. Here is an example of a DNS problem. Log in to each node having a problem and check name resolution for enterprise-hub.juniper.net. For example: preventing the node from reaching the Juniper Networks repository. Here is an example of a DNS problem. Log in to each node having a problem and check name resolution for enterprise-hub.juniper.net. For example:

Conformance Certification Yes Yes Yes Trusted Cloud Yes Yes Yes 6 Certification Kubernetes-native No change to Kubernetes code Deep customization Official Kubernetes distribution, RKE, recommended multi-tenant and multi-dimensional log retrieval system that supports on-disk log collection and provides flexibility to integrate multiple external log receivers Third-party ELK required for

information in this document is accurate as of its publication date. The information is subject to change without notice. Contents 3 SUSE Rancher and RKE Kubernetes cluster using CSI Driver the following steps to deploy an RKE Kubernetes cluster using the SUSE Rancher Server UI: 1. Log in to the Rancher Server from the browser. 2. Click Add Cluster to create a cluster 3. In

argument is set to false (Automated) 1.2.22 Ensure that the --audit-log-path argument is set (Automated) 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) CIS 1 83 83 83 85 85 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) --tls-cert-file=/etc/kubernetes/ssl/kube- apiserver.pem --authorization-mode=Node,RBAC --audit-log- maxsize=100 --audit-log-format=json --requestheader-allowed- names=kube-apiserver-proxy-client --cloud-provider=

1. 15 - E n s u r e t h at t h e --audit-log-path ar gu m e n t i s s e t as ap p r op r i at e ( S c or e d ) • 1. 1. 16 - E n s u r e t h at t h e --audit-log-maxage ar gu m e n t i s s e t as ap p r 17 - E n s u r e t h at t h e --audit-log-maxbackup ar gu m e n t i s s e t as ap - p r op r i at e ( S c or e d ) • 1. 1. 18 - E n s u r e t h at t h e --audit-log-maxsize ar gu m e n t i s s e t as ap tc/kubernetes/admission.yaml --audit-log-path=/var/log/kube-audit/audit-log.json --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-format=json --audit-policy-file=/etc

--audit-log-path argument is set as appropriate (Scored) Notes This path is the path inside of the container. It's combined with the RKE cluster.yml extra- binds: option to map the audit log to the match("--audit-log-path=/var/log/kube-audit/audit-log.json").string' Returned Value: --audit-log-log=/var/log/kube-audit/audit-log.json Result: Pass 1.1.16 - Ensure that the --audit-log-maxage argument kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxage=\\d+").string' Returned Value: --audit-log-maxage=5 Result: Pass 1.1.17 - Ensure that the --audit-log-maxbackup argument is set to 10 or as

Rancher Self-Assessment Guide - v2.4 22 'false' is equal to 'false' 1.2.22 Ensure that the --audit-log-path argument is set (Scored) Result: PASS Remediation: Edit the API server pod specification file node and set the --audit-log-path parameter to a suitable path and file where you would like audit logs to be written, for example: --audit-log-path=/var/log/apiserver/audit.log Audit: /bin/ps -ef | grep grep kube-apiserver | grep -v grep Expected result: '--audit-log-path' is present 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Scored) Result: PASS Remediation: