Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
Install Single Cluster CN2 on Rancher RKE2 | 19 Install Single Cluster CN2 on Rancher RKE2 Running Kernel Mode Data Plane | 21 Install Single Cluster CN2 on Rancher RKE2 Running DPDK Data Plane | 24 nodes. a. Install a fresh OS on all servers/VMs that you'll use as cluster nodes. Ensure the OS and kernel versions on the cluster nodes are on the list of supported OSes and kernels (see the CN2 Tested Integrations cluster CN2 on Rancher RKE2. IN THIS SECTION Install Single Cluster CN2 on Rancher RKE2 Running Kernel Mode Data Plane | 21 Install Single Cluster CN2 on Rancher RKE2 Running DPDK Data Plane | 24
0 credits | 72 pages | 1.01 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
Practices SAP SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere SUSE Linux Enterprise Server 15 SP4 Rancher Kubernetes Engine 2 SAP Data Intelligence 3 Dr. Ulrich Schairer describes the hardware requirements for installing SAP Data Intelligence 3.3 on RKE 2 on top of SUSE Linux Enterprise Server 15 SP3. Only the AMD64/Intel 64 architecture is applicable for our use case. 2 list contains the software components needed to install SAP Data Intelligence 3.3 on RKE 2: SUSE Linux Enterprise Server 15 SP4 Rancher Kubernetes Engine 2 SAP Software Lifecycle Bridge SAP Data Intelligence
0 credits | 29 pages | 213.09 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
al e We recommend that users launch the kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attemp upports the following control: • 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit • Verify vm.overcommit_memory panic_on_oom • Verify kernel.panic = 10 sysctl kernel.panic • Verify kernel.panic_on_oops = 1 sysctl kernel.panic_on_oops • Verify kernel.keys.root_maxkeys = 1000000 sysctl kernel.keys.root_maxkeys
0 credits | 44 pages | 279.78 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
--streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated) 4.2.7 Ensure that the --make-iptables-util-chains argument kube-kubelet-192-168-1-225-key.pem --address=0.0.0.0 --cni-bin-dir=/opt/cni/bin --anonymous-auth=false --protect-kernel-defaults=true --cloud-provider= --hostname-override=cis-aio-0 --fail-swap-on=false --cgroups-per-qos=True cgroup-driver=cgroupfs --resolv-conf=/run/systemd/resolve/resolv.conf 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Automated) Result: pass Remediation: If using a Kubelet config
0 credits | 132 pages | 1.12 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
university days. Girish has worked on HPC file systems, Lustre, GPFS and has multiple contributions to Linux Kernel & Apache Cloudstack projects. Girish has worked with startups to build storage and cloud platforms
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
--protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually. This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults overcommit_memory = 1 sysctl vm.overcommit_memory Verify kernel.panic = 10 sysctl kernel.panic Verify kernel.panic_on_oops = 1 sysctl kernel.panic_on_oops Remediation Set the following parameters parameters in /etc/sysctl.conf on all nodes: vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all
0 credits | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.3.5. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the /etc/sysctl.d/90-kubelet.conf: vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Run sysctl -p /etc/sysctl
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies not provide a service account token and does not have any explicit rights assignments. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the /etc/sysctl.d/90-kubelet.conf: vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
--protect-kernel-defaults argument is set to true (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--protect-kernel-defaults=true").string' Returned Value: --protect-kernel-defaults=true
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument is set to true (Scored) Result: PASS Remediation: If using a Kubelet config file on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --protect-kernel-defaults=true Based on your system, restart the kubelet service. For example: systemctl daemon-reload
0 credits | 54 pages | 447.77 KB | 1 year ago
18 results in total













