CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file is set to true (Automated) 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated) 1.2.6 Ensure that the --kubelet-certificate-authority --service-account-lookup argument is set to true (Automated) 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile
132 pages | 1.12 MB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
140-2 Annex C: Approved Random Number Generators 6/10/2019 [140AD] FIPS 140-2 Annex D: Approved Key Establishment Techniques 8/12/2020 [140DTR] FIPS 140-2 Derived Test Requirements 1/4/2011 [140IG] Block Cipher Modes of Operation: Methods for Key Wrapping 12/13/2012 [SP 800-56A Revised] NIST SP 800-56A Revised, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography 3/14/2007 [SP 800-57 P1 r5] NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General 5/4/2020 [SP 800-67 r2] NIST SP 800-67 Rev. 2, Recommendation for
16 pages | 551.69 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
(See Mitigation) 1.1.22 - Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Scored) Audit ( --kubelet-client-certificate ) docker inspect --kubelet-client-key ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--kubelet-client-key=.*").string' Returned Value: --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Ensure that the --service-account-key-file argument is set as appropriate (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-key-file=.*").string' Returned Value:
47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
= /full/path/to/directory or /path/to/fileswithpattern # ex: !(*key).pem # # $2 (optional) = permission (ex: 600) # # outputs: # true/false # Turn on "extended '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) Result: PASS Remediation: Run the below command (based on 21.sh #!/bin/bash -e check_dir=${1:-/etc/kubernetes/ssl} for file in $(find ${check_dir} -name "*key.pem"); do file_permission=$(stat -c %a ${file}) if [[ "${file_permission}" == "600" ]]; then
54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
= /full/path/to/directory or /path/to/fileswithpattern # ex: !(*key).pem # # $2 (optional) = permission (ex: 600) # # outputs: # true/false # Turn on "extended '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Scored) Result: PASS Remediation: Run the below command (based on 21.sh #!/bin/bash -e check_dir=${1:-/etc/kubernetes/ssl} for file in $(find ${check_dir} -name "*key.pem"); do file_permission=$(stat -c %a ${file}) if [[ "${file_permission}" == "600" ]]; then
54 pages | 447.97 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
DevOps team freedom to build and run containerized applications anywhere. The PowerFlex family offers key value propositions for traditional and cloud-native production workloads, deployment flexibility, CSI Driver on DELL EMC PowerFlex White Paper Figure 1. PowerFlex family Software is the key factor of success in the PowerFlex offering. PowerFlex software components provide software-defined systems. In this solution, RKE is run from a Linux workstation VM. RKE connects to the nodes using SSH key pairs. Note: Make sure that the SSH login that is used for node access is a member of the docker
45 pages | 3.07 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
Label Labels are names given to resources to classify them, and are always a key pair of name and value. The key-value pairs can be used to filter, organize and perform mass operations on a set Controller Replication Controllers (RC) are an abstraction used to manage pod lifecycles. One of the key uses of replication controllers is to maintain a certain number of pods. This is also useful when command on a new machine, the host(s) tries to contact the Rancher server with the key. The server then verifies the key and registers the agent. Based on the environment to which the agent belongs, further
66 pages | 6.10 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
openssl req -newkey rsa:2048 -keyout.key -out .csr Decrypt the key: $ openssl rsa -in .key -out decrypted- .key Let a CA sign the .csr You will receive a .crt. Create a secret from the certificate and the key in the SAP Data Intelligence 3 name- space: $ export NAMESPACE=<{di} 3 namespace> 15 SAP Data Intelligence 3 on Rancher Kubernetes VMware vSAN and vSphere $ kubectl -n $NAMESPACE create secret tls vsystem-tls-certs --key decrypted- .key --cert .crt Deploy an nginx-ingress controller: For more information, see
29 pages | 213.09 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
providers: - aescbc: keys: - name: key1 secret: <32-byte base64 encoded string> - identity: {} Where aescbc is the key type, and secret is populated with a 32-byte base64 encoded string. Remediation Generate a key and an empty configuration file: Rancher_Hardening_Guide.md 11/30/2018 4 / 24 head -c 32 /dev/urandom | base64 -i - touch /etc/kubernetes/encryption resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: <32-byte base64 encoded string> - identity: {} Where secret is the 32-byte
24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
ingress: "" ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false authorization: mode: "" options: {} ignore_docker_version: prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" Hardening Guide v2.3.5 13 ssh_cert_path: "" monitoring: provider:
21 pages | 191.56 KB | 1 year ago
16 items in total