Hardening Guide - Rancher v2.3.3+
Hardening Guide - Rancher v2.3.3+ Contents Hardening Guide for Rancher 2.3.3+ with Kubernetes 1.16 ... 2 Overview ... 2 Profile Definitions ... 2 1.1 - Rancher RKE Kubernetes cluster hos ... 3 1.1.1 - Configure default sysctl settings on all hosts ... 3 1.4.11 Ensure that the etcd data directory permissions ar
0 码力 | 44 pages | 279.78 KB | 1 year ago

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
12h 172.16.0.13 rke2-a2 cert-manager cert-manager-webhook-9d965dff5-cllfm 1/1 Running 0 12h 172.16.0.12 rke2-a1 15h 172.16.0.11 rke2-s1 contrail-system contrail-k8s-apiserver-5d458f8d69-7s9nb 1/1 Running 0 12h 172.16.0.11 rke2-s1 12h 172.16.0.11 rke2-s1 contrail contrail-k8s-kubemanager-7d7f5b4c88-rgk2k 1/1 Running 0 12h 172.16.0.11 rke2-s1
0 码力 | 72 pages | 1.01 MB | 1 year ago

Rancher Kubernetes Engine 2, VMWare vSAN
support.sap.com/#/notes/2589449) Installation Guide at help.sap.com (https://help.sap.com/viewer/a8d90a56d61a49718ebcb5f65014bbe7/3.2.latest/en-US) 4 Installation of RKE 2 on top of VMware vSphere and 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere $ cat CA.pem > cert_with_cr $ tr -d '\r' < cert_with_cr > cert $ kubectl -ncreate secret generic cmcertificates --from-file=cert support.sap.com/#/notes/2589449 . via https://help.sap.com/viewer/a8d90a56d61a49718ebcb5f65014bbe7/3.3.latest/en-US/8ae38791d71046fab1f25ee0f682dc4c.html . Download the SLC Bridge software to the
0 码力 | 29 pages | 213.09 KB | 1 year ago

Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
[140AC] FIPS 140-2 Annex C: Approved Random Number Generators 6/10/2019 [140AD] FIPS 140-2 Annex D: Approved Key Establishment Techniques 8/12/2020 [140DTR] FIPS 140-2 Derived Test Requirements Recommendation for Block Cipher Modes of Operation: Methods and Techniques 12/1/2001 [SP 800-38D] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC standalone module embodiment. The validated version of the library is 66005f41fbc3529ffe8d007708756720529da20d. The cryptographic module was tested on the following operational environments on the
0 码力 | 16 pages | 551.69 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
${INPUT_DIR}/*) while read -r statInfoLine; do f=$(echo ${statInfoLine} | cut -d' ' -f1) p=$(echo ${statInfoLine} | cut -d' ' -f2) if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then if [[ "$p" CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 13 echo "false" exit fi if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*" else PATTERN="${USER_INPUT}" fi PERMISSION="" FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo
0 码力 | 132 pages | 1.12 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %a Audit Execution: ./1.1.11.sh etcd Expected result: '700' is equal to ]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G Audit Execution: ./1.1.12.sh etcd Expected result: 'etcd:etcd' is ' set -H USER_INPUT=$1 if [[ "${USER_INPUT}" == "" ]]; then echo "false" exit fi if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*" else PATTERN="${USER_INPUT}" fi PERMISSION=""
0 码力 | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %a Audit Execution: ./1.1.11.sh etcd Expected result: '700' is equal to ]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G Audit Execution: ./1.1.12.sh etcd Expected result: 'etcd:etcd' is ' set -H USER_INPUT=$1 if [[ "${USER_INPUT}" == "" ]]; then echo "false" exit fi if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*" else PATTERN="${USER_INPUT}" fi PERMISSION=""
0 码力 | 54 pages | 447.97 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
local disk. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxage=\\d+").string' Returned Value: --audit-log-maxage=5 Result: Pass 1.1.17 - Ensure that the --audit-log-maxbackup local disk. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxbackup=\\d+").string' Returned Value: --audit-log-maxbackup=5 Result: Pass 1.1.18 - Ensure that the --audit-log-maxsize integrity. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxsize=\\d+").string' Returned Value: --audit-log-maxsize=100 Result: Pass 1.1.19 - Ensure that the --authorization-mode
0 码力 | 47 pages | 302.56 KB | 1 year ago

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
rancher-7f4df87477-mfcxc 1/1 Running 1 36d rancher-webhook-b5b7b76c4-r9nwn 1/1 Running 1 36d Result: Rancher is up and running. Installation of the SUSE jbbpq 5/5 Running 0 15d vxflexos-node-6gnlc 2/2 Running 0 15d vxflexos-node-vswl2 2/2 Running 0 15d vxflexos-node-zr2r4 2/2 Running 0 15d $ For more information about
0 码力 | 45 pages | 3.07 MB | 1 year ago

Rancher User Manual v1.0
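characters of lowercase letters, digits or "-", and must begin and end with a letter or digit. Select the deployment type Click More Options to see more deployment types: a) standard Pod type b) DaemonSet type c) StatefulSet type d) Cron type e) Job type Enter the image name Namespace: select an existing namespace, or enter and create a new namespace Page 17 Port mapping Set how the container is accessed: Hostport: a port mapped in a way similar to docker -p; it can be reached only through the IP of the node where the Pod runs plus the port; c) ClusterIP: configures a cluster IP address for the service; d) L4 load balancing: this feature corresponds to a public cloud load balancer; do not use it in intranet environments or on clusters installed on custom cloud hosts. Page 18 Environment variables This step sets the environment variables needed to run the application; the environment variables set here are passed through the container platform to the shared storage path configured on the server. Page 20 d) After clicking OK at the end of the steps above, set the volume name and container path. Persistent volume claim Upgrade policy Four policies are supported: a) Rolling: start the new Pod first, then stop the old Pod (default) b) Rolling: stop the old Pod first, then start the new Pod c) Delete all Pods, then start over d) Custom Click Show advanced options in the lower-right corner Page 21
0 码力 | 35 pages | 6.47 MB | 1 year ago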
15 results in total