level through a REST endpoint. Heapster natively supports Kubernetes and CoreOS, and a variety of backends can be used to store and visualize the data. Data for all containers on a host is fetched by cAdvisor and aggregated based on pods, services etc. The data is then stored into one of the configured backends, such as InfluxDB. ©Rancher Labs 2017. All rights Reserved. 46 DEPLOYING AND SCALING

multi-dimensional event query center available on the console; forwarding to multiple storage backends supported Unified event query and management Unified event query and management Alerting

configure an identity provider for authentication. Rationale Rancher supports several authentication backends that are common in enterprises. It is recommended to tie Rancher into an external authentication

nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/secure-backends: "true" nginx.ingress.kubernetes.io/backend-protocol: HTTPS nginx.ingress.kubernetes.io/proxy-body-size:

many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. This guide will walk through the various controls and provide updated example that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server

many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. This guide will walk through the various controls and provide updated example that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server

many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. This guide will walk through the various controls and provide updated example 11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir /node/var/lib/etcd Expected Result: '700' is equal to '700' Returned Value: 700 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) Result: pass Remediation: On the

'.[0].Args[] | match("--anonymous-auth=false").string' Returned Value: --anonymous-auth=false Result: Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned Value: null Result: Pass 1.1.3 - Ensure that the --insecure-allow-any-token argument is not set (Scored) Audit kube-apiserver | jq -e '.[0].Args[] | match("--insecure-allow-any-token").string' Returned Value: null Result: Pass 1.1.4 - Ensure that the --kubelet-https argument is set to true (Scored) Audit docker

methods listed in Table 9, which are not allowed for use in a FIPS-Approved mode. Their use will result in the module operating in a non-Approved mode. Table 9 - Non-Approved Algorithms Algorithm per [SP 800-131A r2]. Therefore, the cryptographic operations with the non-approved key sizes will result in the module operating in non-Approved mode implicitly. Approved algorithms shall not use the

Running 1 36d rancher-webhook-b5b7b76c4-r9nwn 1/1 Running 1 36d Result: Rancher is up and running. Installation of the SUSE Rancher Kubernetes cluster 21 SUSE Rancher