Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
routes. If a Contrail controller goes down, the Contrail controllers on the other nodes retain all database information and continue to provide the network control plane uninterrupted. On the worker nodes data in the main Kubernetes etcd database by default. When running on OpenShift, the Contrail controller stores all CN2 cluster data in its own Contrail etcd database. ... The kube-apiserver is the entry node on which the neighbor BGP router is running. ENCODING Whether this connection is XMPP or BGP. STATE The state of this connection. POD The name of the pod on which the local BGP router is running.
72 pages | 1.01 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube- ... appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kube ... appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube- ... appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kube ... appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-
54 pages | 447.97 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Ensure that the --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults ... (Automated) Result: pass Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/kubernetes/manifests/kube- ... appropriate (Automated) Result: pass Remediation: Follow the Kubernetes documentation and setup the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /etc/kube
132 pages | 1.12 MB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
co-located group of containers and their storage is called a pod. For example, it makes sense to have database processes and data containers as close as possible - ideally they should be in same pod. Label ... role, group, or any similar mechanism given to a container or resource. One container can have a database role, while the other can be a load-balancer. Similarly, all pods could be labeled by geography ... that belong to a certain service, or find all containers that have a specific tier label value as database. Labels and selectors are inherently two sides of the same coin. You can use labels to classify
66 pages | 6.10 MB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults ... containers on all hosts and verify that they are running with the following options: --streaming-connection-idle-timeout= --protect-kernel-defaults=false --make-iptables-util-chains=false ... cluster.yml kubelet section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: " " protect-kernel-defaults: "true" make-iptables-util-chains:
24 pages | 336.27 KB | 1 year ago

SUSE Rancher MSP Use Cases & Enablement
multi-tenant environment — The Ondat data platform is used by SunnyVision as the basis for its database as a service (DBaaS) “Secrets management has always been one of the most difficult issues in Kubernetes ... [slide diagram: Customer A / Customer B clusters with Application 1 and Application 2; K8s Database as a Service; Rancher Management Server (RMS) Cluster; all-in-one nodes and worker nodes; Copyright © SUSE 2021]
25 pages | 1.44 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--streaming-connection-idle-timeout=.*").string' Returned ... Returned Value: --streaming-connection-idle-timeout=1800s Result: Pass 2.1.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit docker inspect kubelet | jq -e
47 pages | 302.56 KB | 1 year ago

Hardening Guide - Rancher v2.3.3+
is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensure that ... verify that they are running with the following options: • --streaming-connection-idle-timeout= • --authorization-mode=Webhook • --protect-kernel-defaults=true ... is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensure that
44 pages | 279.78 KB | 1 year ago

Secrets Management at Scale with Vault & Rancher
hashicorp.com/role: "internal-app" vault.hashicorp.com/agent-inject-secret-database-config.txt: "internal/data/database/config" https://learn.hashicorp.com/tutorials/vault/kubernetes-sidecar Vault
36 pages | 1.19 MB | 1 year ago