Rancher Hardening Guide v2.3.5
--- apiVersion: v1 kind: Namespace metadata: name: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
--- apiVersion: v1 kind: Namespace metadata: name: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
Remediation In the RKE cluster.yml file ensure the following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated
0 credits | 24 pages | 336.27 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
--authorization-mode argument includes Node (Automated) 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated) 1.2.10 Ensure that the admission control plugin EventRateLimit is set (Automated) 1.2 (Automated) 4.2.13 Ensure that the Kubelet only makes use of Strong Cryptographic Ciphers (Automated) 5.1 RBAC and Service Accounts 5.1.1 Ensure that the cluster-admin role is only used where required (Manual) range=10.43.0.0/16 --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem --authorization-mode=Node,RBAC --audit-log-maxsize=100 --audit-log-format=json --requestheader-allowed-names=kube-apiserver-proxy-client
0 credits | 132 pages | 1.12 MB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies 4 2 3 2 2.4 Shared Tools and Services Once deployed, Kubernetes Management Platforms After an administrator launches a user cluster, end users can access it according to Kubernetes RBAC boundaries. 3.1.11 Private Registry and Image Management • SUSE Rancher: 3 • OpenShift: 4 the global level, after which users and groups from the provider are available for assignment to RBAC roles and downstream clusters. A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright
0 credits | 39 pages | 488.95 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
cluster.yml file ensure the following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding 12 namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated ---
0 credits | 44 pages | 279.78 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher such example could be as below. --authorization-mode=RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' not have 'AlwaysAllow' 1.2.8 Ensure that the --authorization-mode value that includes Node. --authorization-mode=Node,RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' has 'Node' CIS Benchmark Rancher Self-Assessment Guide
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher such example could be as below. --authorization-mode=RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' not have 'AlwaysAllow' 1.2.8 Ensure that the --authorization-mode value that includes Node. --authorization-mode=Node,RBAC Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: 'Node,RBAC' has 'Node' CIS 1.5 Benchmark - Self-Assessment Guide
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+" Returned Value: --authorization-mode=Node,RBAC Result: Pass 1.1.20 - Ensure that the --token-auth-file parameter kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+").string' Returned Value: --authorization-mode=Node,RBAC Result: Pass 1.1.33 - Ensure that the admission control plugin argument includes RBAC (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=.*").string' Returned Value: "--authorization-mode=Node,RBAC" Result: Pass 1
0 credits | 47 pages | 302.56 KB | 1 year ago
Secrets Management at Scale with Vault & Rancher
Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control DEV DATA CENTER CLOUD BRANCH 5G / EDGE ✔ Common API & Packaging ✔ Health Checks/HA Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control ✔ Common API & Packaging ✔ Health Checks/HA ✔ Load Balancing ✔ Overlay Networking Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control Common compute platform across any infrastructure & a consistent set of infrastructure
0 credits | 36 pages | 1.19 MB | 1 year ago
15 results in total













