6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed set of data planes implemented by a CNI plug-in and vRouter on every node. Integrating a full-fledged

easy-to-use installation tool RancherD, an easy-to-use installation tool, available Operating system support All major Linux operating systems supported Coupled to Red Hat underlying infrastructure displaying complex metrics Logging Built-in multi-tenant and multi-dimensional log retrieval system that supports on-disk log collection and provides flexibility to integrate multiple external of any Kubernetes cluster or hosted Kubernetes services not supported; underlying operating system coupled to RHCOS and RHEL Deep integration with major cloud container services, AWS and Azure;

2021 Rancher Labs This non-proprietary security policy document may be freely reproduced and distributed in its entirety without modification. Rancher Kubernetes Cryptographic Library FIPS NIST National Institute of Standards and Technology OE Operating Environment OS Operating System PCT Pairwise Consistency Test RSA Rivest, Shamir, Adleman algorithm SHA/SHS Secure Hash Algorithm/Standard general-purpose computer (GPC) platforms detailed below: Table 1 - Tested Configurations # Operating System Processor Platform Compiler 1 CentOS 7.8 Intel® Xeon® Silver 4214R with PAA Dell PowerEdge

For installations that want an even smaller attack surface, SUSE Rancher can utilize an operating system such as SLE Micro to help run Kubernetes in the most efficient way possible. Kubernetes from SUSE can be used across any platform where GKE or Anthos clusters can run, providing a unified access system for all the clusters. However, the RBAC will be local for each cluster depending on the permissions with any external Helm repository, giving users the means to install applications from either system. Helm 3.0 is required for inclusion in SUSE Rancher's application catalog. 3.3.1.2 OpenShift

the virtual machines for the RKE 2 cluster with SUSE Linux Enterprise Server 15 SP4 as operating system in the vSphere environment. Make sure these virtual machines are sized according to the recommendations io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-cpi labels: namespace: kube-system spec: valuesContent: |- vCenter: host: "vcenterhostname" datacenters: "datacentername" helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-csi namespace: kube-system spec: valuesContent: |- vCenter: host: "vcenter host" datacenters: "datacenter"

............................................................................56 4.8 Kubernetes System Stack Upgrades in Rancher ........................................................57 5 Managing Services, Deployments, Secrets etc. The nodes section provides a quick overview of the nodes in the system: ©Rancher Labs 2017. All rights Reserved. 19 DEPLOYING AND SCALING KUBERNETES WITH service definition, we can explicitly create a load balancer and with more fine-grained options. The system section has option to add load balancer: You can run a fixed number of containers of

Description Configure a restrictive pod security policy (PSP) as the default and create role bindings for system level services to use the less restrictive default PSP. Rationale To address the following controls restrictive default PSP needs to be applied as the default. Role bindings need to be in place to allow system services to still function. 1.7.1 - Do not admit privileged containers (Not Scored) 1.7.2 - Do cattle-system namespace exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS Benchmark Rancher Self-Assessment Guide - v2.4 13 chmod

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 13

command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide (Automated) Result: pass Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root / etc/kubernetes/pki/ Audit: check_files_owner_in_dir Guide - Rancher v2.5.4 12 Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/ kubernetes/pki/*.crt Audit: check_files_permissions