CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Ensure that the --profiling argument is set to false (Automated) 1.2.22 Ensure that the --audit-log-path argument is set (Automated) 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as set to root:root for # the given directory and all the files in it # # inputs: # $1 = /full/path/to/directory # # outputs: # true/false INPUT_DIR=$1 if [[ "${INPUT_DIR}" == "" ]]; then in a given directory or a wildcard # selection of files # # inputs: # $1 = /full/path/to/directory or /path/to/fileswithpattern # ex: !(*key).pem # # $2 (optional)
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
in a given directory or a wildcard # selection of files # # inputs: # $1 = /full/path/to/directory or /path/to/fileswithpattern # ex: !(*key).pem # # $2 (optional) certificate and key parameters as below. --kubelet-client-certificate=<path/to/client-certificate-file> --kubelet-client-key=<path/to/client-key-file> Audit: /bin/ps -ef | grep kube-apiserver | grep apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=Audit:
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
in a given directory or a wildcard # selection of files # # inputs: # $1 = /full/path/to/directory or /path/to/fileswithpattern # ex: !(*key).pem # # $2 (optional) certificate and key parameters as below. --kubelet-client-certificate=<path/to/client-certificate-file> --kubelet-client-key=<path/to/client-key-file> Audit: /bin/ps -ef | grep kube-apiserver | grep apiserver.yaml on the master node and set the --kubelet-certificate-authority parameter to the path to the cert file for the certificate authority. --kubelet-certificate-authority=Audit:
0 credits | 54 pages | 447.97 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
example.com ## The incoming host name http: paths: - path: /test ## Path to service backend: serviceName: backend-service above example, we have defined a single rule with a host, path and corresponding backend service and port. We can define multiple host and path combinations pointing to backend services. For our nginx code snippet below. Since host is not specified, it defaults to an asterisk “*” and the path defaults to root path. apiVersion: extensions/v1beta1 kind: Ingress metadata: name: simplelb spec:
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
actions in the cluster. This supports the following controls: 1.1.15 - Ensure that the --audit-log-path argument is set as appropriate (Scored) 1.1.16 - Ensure that the --audit-log-maxage argument is as apiVersion: apiserver.k8s.io/v1alpha1 kind: AdmissionConfiguration plugins: - name: EventRateLimit path: /etc/kubernetes/event.yaml For event.yaml ensure that the file contains: apiVersion: eventratelimit apiVersion: apiserver.k8s.io/v1alpha1 kind: AdmissionConfiguration plugins: - name: EventRateLimit path: /etc/kubernetes/event.yaml For event.yaml set the contents to: apiVersion: eventratelimit.admission
0 credits | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false authorization: mode: "" options: {} ignore_docker_version: "" prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: etcd - useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content: |
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false authorization: mode: "" options: {} ignore_docker_version: cluster_name: "" prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: etcd - useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content: |
0 credits | 22 pages | 197.27 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
deployer-yaml. kubectl create configmap deployer-yaml --from-file=<path_to_deployer_manifest> where <path_to_deployer_manifest> is the full path to the deployer manifest that you want to apply or have applied --from-file=kubeconfig=/root/contrail/central-cluster-kubeconfig NOTE: You must specify the absolute path to the central-cluster-kubeconfig file. d. On the workload cluster, apply the deployer manifest. mkdir ~/.kube cp /etc/rancher/rke2/rke2.yaml ~/.kube/config 5. Copy kubectl into your default path. For convenience, Rancher provides the kubectl binary at the location shown. cp /var/lib/rancher/rke2/bin/kubectl
0 credits | 72 pages | 1.01 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
NamespaceLifecycle Result: Pass 1.1.15 - Ensure that the --audit-log-path argument is set as appropriate (Scored) Notes This path is the path inside of the container. It's combined with the RKE cluster.yml guarantee their integrity. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-path=/var/log/kube-audit/audit-log.json").string' Returned Value: --audit-log-log=/var/log/kube-audit/audit-log
0 credits | 47 pages | 302.56 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Level SSH Private Key Path [~/.ssh/id_rsa]: [+] Number of Hosts [1]: [+] SSH Address of host (1) [none]: 192.168.153.111 [+] SSH Port of host (1) [22]: [+] SSH Private Key Path of host (192.168.153 153.111) [none]: [-] You have entered empty SSH key path, trying fetch from SSH key parameter [+] SSH Private Key of host (192.168.153.111) [none]: [-] You have entered empty SSH key, defaulting to cluster host (192.168.153.111) [none]: [+] Internal IP of host (192.168.153.111) [none]: [+] Docker socket path on host (192.168.153.111) [/var/run/docker.sock]: [+] Network Plugin Type (flannel, calico, weave
0 credits | 45 pages | 3.07 MB | 1 year ago
13 results in total