H a r d e n i n g G u i d e - R a n c h e r v 2 . 3 . 3 + C o nt e nt s Har d e n i n g G u i d e f or R an c h e r 2. 3. 3+ w i t h K u b e r n e t e s 1. 16 . . . 2 O v e r v i e w . . . . . . . . . . . . . 2 P r ofi l e D e fi n i t i on s . . . . . . . . . . . . . . . . . . . . . . . . . . 2 1. 1 - R an c h e r R K E K u b e r n e t e s c l u s t e r h os t c on fi gu r at i on . . . . . 3 1. 1. 1 - C on fi gu r e d e f au l t s y s c t l s e t t i n gs on al l h os t s . . . . . . . . 3 1. 4. 11 E n s u r e t h at t h e e t c d d at a d i r e c t or y p e r m i s s i on s ar e s e t

Logarithm Cryptography 3/14/2007 [SP 800-57 P1 r5] NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General 5/4/2020 [SP 800-67 r2] NIST SP 800-67 Rev. 2, Recommendation for Cipher 11/17/2017 [SP 800-90A r1] NIST SP 800-90A Rev. 1, Recommendation for Random Number Generation Using Deterministic Random Bit Generators 6/24/2015 [SP 800-131A r2] NIST SP 800-131A Rev. 2, Algorithms and Key Lengths 3/21/2019 [SP 800-133 r2] NIST SP 800-133 Rev. 2, Recommendation for Cryptographic Key Generation 6/4/2020 [SP 800-135 r1] NIST SP 800-135 Rev. 1, Recommendation for Existing

kube-apiserver-proxy-client-key.pem -rw-r--r-- 1 root root 1107 Jul 1 19:53 kube-apiserver-proxy-client.pem -rw------- 1 root root 1675 Jul 1 19:53 kube-apiserver-requestheader-ca-key.pem -rw-r--r-- 1 root root 1082 Jul kube-apiserver-requestheader-ca.pem -rw-r--r-- 1 root root 1285 Jul 1 19:53 kube-apiserver.pem -rw------- 1 root root 1675 Jul 1 19:53 kube-ca-key.pem -rw-r--r-- 1 root root 1017 Jul 1 19:53 kube-ca kube-controller-manager-key.pem -rw-r--r-- 1 root root 1062 Jul 1 19:53 kube-controller-manager.pem -rw------- 1 root root 1675 Jul 1 19:53 kube-etcd-172-31-16-161-key.pem -rw-r--r-- 1 root root 1277 Jul 1 19:53

${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %a Audit Execution: ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G Audit Execution: below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root'

${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %a Audit Execution: ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G Audit Execution: below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root'

AGE rancher-7f4df87477-mfcxc 1/1 Running 1 36d rancher-webhook-b5b7b76c4-r9nwn 1/1 Running 1 36d Result: Rancher is up and running. Installation of the vxflexos-node-6gnlc 2/2 Running 0 15d vxflexos-node-vswl2 2/2 Running 0 15d vxflexos-node-zr2r4 2/2 Running 0 15d $ For more information about CSI driver installation, see GitHub. 9. details of a Dell EMC PowerEdge R640 server storage-only and compute-only nodes: Table 3. Storage-only nodes Hardware Configuration CPU Cores 2 x Intel(R) Xeon(R) Gold 6126 CPU @ 2.60 GHz

the below command (based on the file location on your system) on the master node. For example, chown -R root:root / etc/kubernetes/pki/ Audit: check_files_owner_in_dir.sh /node/etc/kubernetes/ssl Expected then echo "false" exit fi statInfoLines=$(stat -c "%n %U:%G" ${INPUT_DIR}/*) while read -r statInfoLine; do f=$(echo ${statInfoLine} | cut -d' ' -f1) p=$(echo ${statInfoLine} | cut -d' the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/ kubernetes/pki/*.crt Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/!(*key)

17h v1.25.10+rke2r1 rke2-a2 Ready 17h v1.25.10+rke2r1 rke2-s1 Ready control-plane,etcd,master 17h v1.25.10+rke2r1 You can see that the nodes are 17h v1.25.10+rke2r1 rke2-a2 Ready 17h v1.25.10+rke2r1 rke2-s1 Ready control-plane,etcd,master 17h v1.25.10+rke2r1 You can see that the nodes are

has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$ (cat has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl apply -f default-allow-all.yaml -n ${namespace} done Execute

has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$ (cat Hardening Guide v2.4 6 #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl apply -f default-allow-all.yaml -n ${namespace} done Execute