SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Rancher managed Kubernetes cluster through Kubernetes APIs to discover protectable resources such as namespaces and PVCs. PowerProtect Data Manager discovers the Kubernetes clusters using the IP address or complete, the associated namespaces are available as assets for protection. PowerProtect Data Manager protects the following two types of Kubernetes cluster assets - Namespaces and PersistentVolumeClaims PersistentVolumeClaims (PVCs). During the discovery process, PowerProtect Data Manager creates the following namespaces in the cluster: • Velero-ppdm: This namespace contains a Velero pod to backup metadata and stage
0 credits | 45 pages | 3.07 MB | 1 year ago 3

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
2 • Upgrade CN2 software by applying updated manifests. • Uninstall CN2 by deleting Contrail namespaces and resources (where supported). More than a CNI plug-in, CN2 is a networking platform that provides Install CN2 on the central cluster. a. Apply the central cluster manifest. This manifest creates the namespaces and other resources required by the central cluster. It also creates the contrail-k8s-deployer resources in namespaces other than those listed above. To uninstall Contrail Analytics, see the Install Contrail Analytics and the CN2 Web UI section. 4. Delete any other resources and namespaces (for example
0 credits | 72 pages | 1.01 MB | 1 year ago 3

Rancher Hardening Guide v2.3.5
Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$ (cat account_update.yaml)" done Ensure that all Namespaces have Network l_ns.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl apply -f default-allow-all.yaml -n
0 credits | 21 pages | 191.56 KB | 1 year ago 3

Rancher Hardening Guide v2.4
Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$ (cat account_update.yaml)" done Ensure that all Namespaces have Network has execute permissions. Hardening Guide v2.4 6 #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl apply -f default-allow-all.yaml -n
0 credits | 22 pages | 197.27 KB | 1 year ago 3

Deploying and Scaling Kubernetes with Rancher
Management and Web Access .......................................23 2.4.5 Manage Kubernetes Namespaces...........................................................................24 3 Deploying a Multi-Service uniform view of your deployment The left hand side menu provides quick navigation between namespaces and multiple types of objects such as Services, Deployments, Secrets etc. The nodes section provides Only View Only Managing user access Yes No No No 2.4.5 Manage Kubernetes Namespaces Namespaces are virtual clusters in Kubernetes that can sit on top of the same physical cluster. They
0 credits | 66 pages | 6.10 MB | 1 year ago 3

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
CNI 5.3.1 Ensure that the CNI in use supports Network Policies (Manual) 5.3.2 Ensure that all Namespaces have Network Policies defined (Automated) 5.4 Secrets Management 5.4.1 Prefer using secrets as (Manual) 5.7 General Policies 5.7.1 Create administrative boundaries between resources using namespaces (Manual) 5.7.2 Ensure that the seccomp profile is set to docker/ default in your pod definitions handle_error() { echo "false" } trap 'handle_error' ERR count_sa=$(kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken
0 credits | 132 pages | 1.12 MB | 1 year ago 3

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
between resources using namespaces (Not Scored) With Rancher, users or groups can be assigned access to all clusters, a single cluster or a "Project" (a group of one or more namespaces in a cluster). This (optionally) automatically create Network Policies to isolate "Projects" (a group of one or more namespaces) in a cluster. See "Cluster Options" when creating a cluster with Rancher to turn on Network Isolation (optionally) automatically create Network Policies to isolate projects (a group of one or more namespaces) within a cluster. See the Cluster Options section when creating a cluster with Rancher to turn
0 credits | 47 pages | 302.56 KB | 1 year ago 3

CIS Benchmark Rancher Self-Assessment Guide - v2.4
'--count={}' Expected result: 1 is greater than 0 5.3 Network Policies and CNI 5.3.2 Ensure that all Namespaces have Network Policies defined (Scored) Result: PASS Remediation: Follow the documentation and Self-Assessment Guide - v2.4 52 echo "fail: kubectl failed" exit 1 fi for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do policy_count=$(kubectl get networkpolicy 5.6.4 The default namespace should not be used (Scored) Result: PASS Remediation: Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources
0 credits | 54 pages | 447.77 KB | 1 year ago 3

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
'--count={}' Expected result: 1 is greater than 0 5.3 Network Policies and CNI 5.3.2 Ensure that all Namespaces have Network Policies defined (Scored) Result: PASS Remediation: Follow the documentation and [ $? -ne 0 ]; then echo "fail: kubectl failed" exit 1 fi for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do policy_count=$(kubectl get networkpolicy 5.6.4 The default namespace should not be used (Scored) Result: PASS Remediation: Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources
0 credits | 54 pages | 447.97 KB | 1 year ago 3

Competitor Analysis: KubeSphere vs. Rancher and OpenShift
YAML and CLI; 11 Network isolation between different tenants (workspaces) and projects (namespaces); Built-in Pod IP pool for visualized management; Visualization of network traffic topology files; Two built-in management roles: administrator and developer; Management of multiple namespaces via projects; Project quota supported; Adding members and binding roles to members supported
0 credits | 18 pages | 718.71 KB | 1 year ago 3
11 results in total