Rancher Hardening Guide Rancher v2.1.x
... supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit Verify vm.overcommit_memory = 1: sysctl vm.overcommit_memory. Verify kernel.panic ... nodes: vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1. Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the control plane hosts for the Rancher HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: ...
24 pages | 336.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
... clusters from data center to cloud and edge and unites them with centralized authentication, access control, and observability. SUSE Rancher lets you streamline cluster deployment on bare metal, edge devices ... components is one CPU and 1 GB of memory. Considering the CPU and memory, it is recommended to host the different roles of the Kubernetes cluster such as etcd, control plane, and workers on different ... ssh/id_rsa [+] SSH User of host (192.168.153.111) [ubuntu]: tux [+] Is host (192.168.153.111) a Control Plane host (y/n)? [y]: [+] Is host (192.168.153.111) a Worker host (y/n)? [n]: y [+] Is host (192 ...
45 pages | 3.07 MB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
... functions. The Data Output interface consists of the output parameters of the API functions. The Control Input interface consists of the actual API input parameters. The Status Output interface includes ... Data output: physical ports of the tested platforms; API output parameters and return values. Control input: physical ports of the tested platforms; API input parameters. Status output: physical ports ... return values. Power input: physical ports of the tested platforms; N/A. As a software module, control of the physical ports is outside module scope; however, when the module is performing self-tests ...
16 pages | 551.69 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
...nt is set to true (Scored) Audit • Verify vm.overcommit_memory = 1: sysctl vm.overcommit_memory • Verify vm.panic_on_oom = 0: sysctl vm.panic_on_oom • Verify kernel.panic ... owing parameters in /etc/sysctl.d/90-kubelet.conf on all nodes: vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxkeys=1000000 kernel ... EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --audit-log-path=/var/log/kube-audit/audit-log.json - ...
44 pages | 279.78 KB | 1 year ago
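The two hardening-guide snippets above (v2.1.x and v2.3.3+) both list kernel parameters that must be in place on every node before kubelet runs with --protect-kernel-defaults=true, and tell the operator to verify each one with sysctl by hand. The following is an added example, not code from either guide: a POSIX shell audit that compares `sysctl -a` output against the five values quoted in the v2.3.3+ snippet (the list is cut off after "kernel..." on this page, so nothing beyond those five is assumed). The function names and the sample sysctl output are constructed for the example.

```shell
#!/bin/sh
# Added example (not taken from any of the guides listed on this page):
# audit the kernel parameters the Rancher hardening guides require on every
# node before kubelet runs with --protect-kernel-defaults=true. Expected
# values are the ones quoted in the snippets above; anything cut off in the
# snippet ("kernel...") is deliberately not guessed here.

# Required settings, one "key=value" per line, as the guide writes them to
# /etc/sysctl.d/90-kubelet.conf.
REQUIRED='vm.overcommit_memory=1
vm.panic_on_oom=0
kernel.panic=10
kernel.panic_on_oops=1
kernel.keys.root_maxkeys=1000000'

# audit_sysctl FILE
#   FILE holds "key = value" lines as printed by `sysctl -a`.
#   Prints OK / MISMATCH / MISSING for each required key and returns the
#   number of non-compliant keys (0 means the node passes this control).
audit_sysctl() {
    file=$1
    failures=0
    for entry in $REQUIRED; do
        key=${entry%%=*}
        want=${entry#*=}
        # Exact key match on the first field; tolerate spaces around '='
        # and trailing blanks on the value. First match wins.
        have=$(awk -F' *= *' -v k="$key" \
            '$1 == k { sub(/[ \t]+$/, "", $2); print $2; exit }' "$file")
        if [ -z "$have" ]; then
            echo "MISSING  $key (expected $want)"
            failures=$((failures + 1))
        elif [ "$have" != "$want" ]; then
            echo "MISMATCH $key = $have (expected $want)"
            failures=$((failures + 1))
        else
            echo "OK       $key = $have"
        fi
    done
    return "$failures"
}

# make_sample: write a constructed stand-in for `sysctl -a` output from a
# hypothetical node that still carries stock defaults for two keys (one wrong
# value, one key absent), and print the file path.
make_sample() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
kernel.keys.root_maxkeys = 1000000
kernel.panic = 10
net.ipv4.ip_forward = 1
vm.overcommit_memory = 0
vm.panic_on_oom = 0
EOF
    echo "$f"
}

# On a real node:  sysctl -a 2>/dev/null > /tmp/sysctl.out && audit_sysctl /tmp/sysctl.out
sample=$(make_sample)
rc=0
audit_sysctl "$sample" || rc=$?
echo "non-compliant settings: $rc"
rm -f "$sample"
```

The exit status is the count of failing keys rather than a plain 0/1 so that a fleet-wide run (for example over ssh to each node) can sort nodes by how far they are from the baseline; a node that passes returns 0, and the per-key lines say which setting to fix and what the guide expects.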
Deploying and Scaling Kubernetes with Rancher
... Deployments are a fairly recent addition to the project, but provide a powerful and declarative way to control how service updates are performed and are recommended over rolling-updates. 1.3.9 Resource Monitoring ... Native Kubernetes Support in Rancher: Rancher natively supports Kubernetes and allows users to control its features through a simple and intuitive UI. Kubernetes can be launched in a matter of minutes ... stack, you will see various components of Kubernetes: • Controller-manager is a core control loop which continuously watches the state of clusters and takes actions if needed to bring it to ...
66 pages | 6.10 MB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
... (VM) workloads, across multi-cluster compute and storage environments, all from a central point of control. It supports hard multi-tenancy for single or multi-cluster environments shared across many tenants ... The CN2 implementation consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed ... available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using telemetry and industry standard monitoring and presentation tools ...
72 pages | 1.01 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
... the admission control plugin EventRateLimit is set (Automated) 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) 1.2.12 Ensure that the admission control plugin AlwaysPullImages ... (Manual) 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated) ... the admission control plugin NamespaceLifecycle is set (Automated) 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated) 1.2.17 Ensure that the admission control plugin NodeRestriction ...
132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self-Assessment
... security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes ... commands also make use of the jq command to provide human-readable formatting. Known Scored Control Failures: The following scored controls do not currently pass, and Rancher Labs is working towards ... flag was removed in 1.14, so it cannot be set. Result: Pass 1.1.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] ...
47 pages | 302.56 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
... differentiated itself by leveraging Project Pacific, a re-architecture of vSphere with Kubernetes as its control plane. While there are other smaller players in the market, the scope of this guide is limited ... (OpenShift/OCP4) with Red Hat Advanced Cluster Management for Kubernetes (RHACM), VMware Tanzu Mission Control with Tanzu Kubernetes Grid Integrated Edition (collectively referred to as Tanzu in this guide) ... Copyright © SUSE 2022. The exception to these rules is if the environment uses Tanzu Mission Control (TMC), a VMware SaaS offering for cluster management. If so, then TMC acts as the management cluster ...
39 pages | 488.95 KB | 1 year ago
SUSE Rancher MSP Use Cases & Enablement
... [architecture diagram residue: Cluster 1 with control plane, worker and etcd nodes; all-in-one nodes (cp/etcd/worker)] ... Copyright © SUSE 2021 ... [diagram residue: Customer B, Rancher as a Service; Rancher Management Server (RMS) cluster; managed Kubernetes clusters with control plane, worker and etcd nodes; all-in-one node (cp/etcd/worker); Customer ...]
25 pages | 1.44 MB | 1 year ago
17 results in total; page 1 of 2.