Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Uninstall CN2 | 56 5 Appendix Create a Rancher RKE2 Cluster | 59 Configure a Server Node | 59 Configure an Agent Node | 63 Configure Repository Credentials | 66 Prepare a Cluster Node for DPDK CN2 using standard Kubernetes and third-party tools. • Scale CN2 by adding or removing nodes. • Configure CN2 by using custom resource definitions (CRDs). 2 • Upgrade CN2 software by applying updated CN2 using familiar, industry-standard tools and practices. • Optionally, use the CN2 Web UI to configure and monitor your network. • Leverage the skill set of your existing DevOps engineers to quickly
0 points | 72 pages | 1.01 MB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
host configuration 1.1.1 - Configure default sysctl settings on all hosts Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 2 / 24 Configure sysctl settings to match what Kubernetes Cluster Configuration via RKE (See Appendix A. for full RKE cluster.yml example) 2.1.1 - Configure kubelet options Profile Applicability Level 1 Rancher_Hardening_Guide.md 11/30/2018 8 / 24 is in a form like 1800s. Reconfigure the cluster: rke up --config cluster.yml 2.1.2 - Configure kube-api options Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018
0 points | 24 pages | 336.27 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
(Manual) 5.4.2 Consider external secret storage (Manual) 5.5 Extensible Admission Control 5.5.1 Configure Image Provenance using ImagePolicyWebhook admission controller (Manual) 5.7 General Policies 5 for etcd data directory ownership. Refer to Rancher's hardening guide for more details on how to configure this ownership. Audit: stat -c %U:%G /node/var/lib/etcd CIS 1.6 Benchmark - Self-Assessment Guide --basic-auth-file argument is not set (Automated) Result: pass Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/
0 points | 132 pages | 1.12 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
--basic-auth-file argument is not set (Scored) Result: PASS Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/ --token-auth-file parameter is not set (Scored) Result: PASS Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/ NodeRestriction is set (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/k
0 points | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
--basic-auth-file argument is not set (Scored) Result: PASS Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/ --token-auth-file parameter is not set (Scored) Result: PASS Remediation: Follow the documentation and configure alternate mechanisms for authentication. Then, edit the API server pod specification file /etc/ NodeRestriction is set (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and configure NodeRestriction plug-in on kubelets. Then, edit the API server pod specification file /etc/k
0 points | 54 pages | 447.97 KB | 1 year ago

Rancher Hardening Guide v2.3.5
v2.3.5 Hardening Guide v2.3.5 1 3 3 4 5 6 14 21 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.3.5. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type Hardening Guide v2.3.5 3 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior
0 points | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
Guide v2.4 Hardening Guide v2.4 1 3 4 4 5 7 14 21 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined it does not provide a service account token and does not have any explicit rights assignments. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type keys.root_maxbytes=25000000 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior
0 points | 22 pages | 197.27 KB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
WITH RANCHER Rancher supports L4 load balancing and forwards the ports to targets. You can configure multiple ports and services, and the load balancer will forward traffic to a combination of host setting some advanced options. If you don’t configure the additional optional choices, then it will work like a L4 LB. In the above screen, we can configure different hostnames and request paths to helpful in some cases. 4.2 Rancher Private Registry Support for Kubernetes In Rancher, you can configure private registries, and then use container images from those registries for template definitions
0 points | 66 pages | 6.10 MB | 1 year ago

Competitor Analysis: KubeSphere vs. Rancher and OpenShift
support fine-grained traffic governance policies Manually configure and integrate the third-party tool Kiali Manually configure and integrate the third-party tool Kiali 9 Tracing Built-in microservice tracing available with no manual configurations required Manually configure the Jaeger UI Manually configure the Jaeger UI Multicloud and Edge Multicloud Support Deep integration
0 points | 18 pages | 718.71 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
users to set various Security Context options when launching pods via the GUI interface. 1.6.6 - Configure image provenance using the ImagePolicyWebhook admission controller (Not Scored) Image Policy --admission-control-config-file . See the Host configuration section for the admission.yaml file. 1.6.7 - Configure network policies as appropriate (Not Scored) Rancher can (optionally) automatically create Network RBAC for privileged container usage (Not Scored) Section 1.7 of this guide shows how to add and configure a default "restricted" PSP based on controls. With Rancher you can create a centrally maintained
0 points | 47 pages | 302.56 KB | 1 year ago