Kubernetes Engine 2 using VMware vSAN and vSphere Date: 2023-07-24 SAP Data Intelligence 3 is the tool set to govern big amounts of data, and it runs ful- ly containerized. This document describes the installation cluster and Rancher Kubernetes Engine (RKE) 2. This guide does not provide information on how to set up a VMware vsphere / vsan cluster. In a nutshell, the installation of SAP Data Intelligence 3.3 consists Data Intelligence 3.3 installation: Parameter Condition Recommendation Kubernetes Namespace Always set to namespace created be- forehand Installation Type installation or update either Container Registry

many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. This guide will walk through the various controls and provide updated example Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for

many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. This guide will walk through the various controls and provide updated example Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for

Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure

that the --kubelet-certificate-authority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration argument is set to false (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--anonymous-auth=false").string' Returned Value: --anonymous-auth=false Result: Pass 1.1.2

methods listed in Table 9, which are not allowed for use in a FIPS-Approved mode. Their use will result in the module operating in a non-Approved mode. Table 9 - Non-Approved Algorithms Algorithm the following command to create a CMake toolchain file to specify the use of Clang: ● printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain The FIPS tar.xz The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during

standard hardware and deliver extreme SLA outcomes. PowerFlex aggregates resources across a broad set of nodes, unlocking massive input, output, and throughput performance while minimizing the latency Security, policy, and user management SUSE Rancher lets you automate processes and applies a consistent set of user access and security policies to all your clusters, no matter where they are running. Shared Running 1 36d rancher-webhook-b5b7b76c4-r9nwn 1/1 Running 1 36d Result: Rancher is up and running. Installation of the SUSE Rancher Kubernetes cluster 21 SUSE Rancher

across private and public clouds. Cloud-Native Contrail Networking (CN2) brings this rich SDN feature set natively to Kubernetes as a networking platform and container network interface (CNI) plug-in. Redesigned consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed set of data planes scalability, and availability inherent to the Kubernetes architecture, while supporting a rich SDN feature set that can meet the requirements of enterprises and service providers alike. Enterprises and service

OpenShift Container Platform 4 (OCP4) ships a large installation binary that includes Terraform and a set of scripts to deploy OCP4. Installation guides are provided for public and private cloud providers Mission Control (TMC). VMware has developed with Terraform a TMC provider which provides a new set of tools to developers to self-provision TGK workload clusters. 3.1.10.4 Anthos Anthos does not this could be automated with cron, it includes no provision for saving to a remote endpoint. As a result, an effective backup solution will depend on the operator to design, install and maintain it.

kubelet would set if allowed. Rationale We recommend that users launch the kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit Verify vm.overcommit_memory = 1 sysctl vm.overcommit_memory Verify kernel sysctl kernel.panic Verify kernel.panic_on_oops = 1 sysctl kernel.panic_on_oops Remediation Set the following parameters in /etc/sysctl.conf on all nodes: vm.overcommit_memory=1 kernel.panic=10