CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) Ensure that the API server pod specification file ownership is set to root:root (Automated) 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive
0 points | 132 pages | 1.12 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the controller manager
0 points | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the controller manager
0 points | 54 pages | 447.97 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
Create a Kubernetes encryption configuration file on each of the RKE nodes that will be provisioned with the controlplane role: Rationale This configuration file will ensure that the Rancher RKE cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file contains: apiVersion: v1 kind: EncryptionConfig resources: and an empty configuration file: Rancher_Hardening_Guide.md 11/30/2018 4 / 24 head -c 32 /dev/urandom | base64 -i - touch /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the
0 points | 24 pages | 336.27 KB | 1 year ago

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native clusters. The only requirement is that the data plane components are reachable. 14 System Requirements Table 3: System Requirements for Rancher RKE2 Installation with CN2 Machine CPU RAM Storage Notes
0 points | 72 pages | 1.01 MB | 1 year ago

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time
0 points | 45 pages | 3.07 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned Value: null Result: cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as nginx-ingress ) utilize SecurityContext to switch users and assign capabilities option to map the audit log to the host filesystem. Audit logs should be collected and shipped off-system to guarantee their integrity. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match
0 points | 47 pages | 302.56 KB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
... 56 4.8 Kubernetes System Stack Upgrades in Rancher ... 57 5 Managing Services, Deployments, Secrets etc. The nodes section provides a quick overview of the nodes in the system: ©Rancher Labs 2017. All rights Reserved. 19 DEPLOYING AND SCALING KUBERNETES WITH on right top corner. You can input all parameters one by one or simply upload a JSON/YAML format file with specifications of the object to be created. 2.4.3 GUI-Based CRUD Operations for Kubernetes
0 points | 66 pages | 6.10 MB | 1 year ago

Rancher Hardening Guide v2.3.5
yaml to a file called account_update.yaml Hardening Guide v2.3.5 4 apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called default-allow-all spec: podSelector: {} policyTypes: - Ingress - Egress Create a bash script file called apply_networkPolicy_to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system
0 points | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
following yaml to a file called account_update.yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update ingress: - {} egress: - {} policyTypes: - Ingress - Egress Create a bash script file called apply_networkPolicy_to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- Hardening Guide v2.4 9 apiVersion:
0 points | 22 pages | 197.27 KB | 1 year ago