CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated) 1
0 credits | 132 pages | 1.12 MB | 1 year ago | 3
CIS Benchmark Rancher Self-Assessment Guide - v2.4
1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require in as arguments at container run time. 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require
0 credits | 54 pages | 447.77 KB | 1 year ago | 3
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require in as arguments at container run time. 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require
0 credits | 54 pages | 447.97 KB | 1 year ago | 3
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
ority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership Result: Pass 1.4 - Configuration Files 1.4.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Notes RKE doesn't require or maintain a configuration Result: Pass (Not Applicable) 1.4.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Notes RKE doesn't require or maintain a configuration
0 credits | 47 pages | 302.56 KB | 1 year ago | 3
Rancher Hardening Guide v2.3.5
installing RKE. The uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata
0 credits | 21 pages | 191.56 KB | 1 year ago | 3
Rancher Hardening Guide v2.4
installing RKE. The uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. Hardening Guide v2.4 6 #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json
0 credits | 22 pages | 197.27 KB | 1 year ago | 3
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
OpenShift: 4 • Tanzu: 4 • Anthos: 1 3.1.10.1 SUSE Rancher SUSE Rancher uses a granular permissions scheme to grant or deny access to resources at the Global, Cluster, and Namespace levels. Users images. Access to the local registry uses the credentials of the requesting user when determining permissions. Access to external registries use the oc CLI to create image pull secrets and optionally attach user templates can inherit from existing templates to create a hierarchy of easily maintained permissions. 3.2.4.2 OpenShift OpenShift uses native Kubernetes RBAC, which is managed through the oc
0 credits | 39 pages | 488.95 KB | 1 year ago | 3
Rancher Hardening Guide Rancher v2.1.x
base64 -i - touch /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/encryption.yaml chmod 0600 /etc/kubernetes/encryption configuration file: touch /etc/kubernetes/audit.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/audit.yaml chmod 0600 /etc/kubernetes/audit.yaml Set /etc/kubernetes/admission.yaml touch /etc/kubernetes/event.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/admission.yaml chown root:root /etc/kubernetes/event
0 credits | 24 pages | 336.27 KB | 1 year ago | 3
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
Kubernetes RBAC for different levels, including platform, cluster, and application; custom role permissions supported; Multi-tenant (cluster, workspace, project) isolation supported for all features
0 credits | 18 pages | 718.71 KB | 1 year ago | 3
Hardening Guide - Rancher v2.3.3+
Configure default sysctl settings on all hosts - path: /etc/sysctl.d/90-kubelet.conf owner: root:root permissions: '0644' content: | vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1
0 credits | 44 pages | 279.78 KB | 1 year ago | 3