Rancher Hardening Guide Rancher v2.1.x
encryption configuration file on each of the RKE nodes that will be provisioned with the controlplane role: Rationale This configuration file will ensure that the Rancher RKE cluster encrypts secrets at base64 -i - touch /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/encryption.yaml chmod 0600 /etc/kubernetes/encryption On nodes with the controlplane role: Generate an empty configuration file: touch /etc/kubernetes/audit.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/audit
0 credits | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
installing RKE. The uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
installing RKE. The uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json
0 credits | 22 pages | 197.27 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated)
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
ority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership kube-apiserver and kubelet . Mitigation Make sure nodes with role:controlplane are on the same local network as your nodes with role:worker . Use network ACLs to restrict connections to the kubelet Result: Pass 1.4 - Configuration Files 1.4.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Notes RKE doesn't require or maintain a configuration
0 credits | 47 pages | 302.56 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
OpenShift: 4 • Tanzu: 4 • Anthos: 1 3.1.10.1 SUSE Rancher SUSE Rancher uses a granular permissions scheme to grant or deny access to resources at the Global, Cluster, and Namespace levels. Users images. Access to the local registry uses the credentials of the requesting user when determining permissions. Access to external registries uses the oc CLI to create image pull secrets and optionally attach user templates can inherit from existing templates to create a hierarchy of easily maintained permissions. 3.2.4.2 OpenShift OpenShift uses native Kubernetes RBAC, which is managed through the oc
0 credits | 39 pages | 488.95 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
cattle • Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl get clusterrole restricted-clusterrole tions are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts
0 credits | 44 pages | 279.78 KB | 1 year ago
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
custom role permissions supported; Multi-tenant (cluster, workspace, project) isolation supported for all features on the platform Project-level tenant management supported; User role permission
0 credits | 18 pages | 718.71 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require in as arguments at container run time. 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require in as arguments at container run time. 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require
0 credits | 54 pages | 447.97 KB | 1 year ago
15 results in total
- 1
- 2