Rancher Hardening Guide v2.3.5
root_maxbytes=25000000 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false authorization: mode: "" options: {} ignore_docker_version: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: "" options: {}

Rancher Hardening Guide v2.4
panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false authorization: mode: "" options: {} ignore_docker_version: addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: "" options: {} node_selector:

Hardening Guide - Rancher v2.3.3+
[docker-ce, '5:19.03.5~3-0~ubuntu-bionic'] - jq write_files: # 1.1.1 - Configure default sysctl settings on all hosts - path: /etc/sysctl.d/90-kubelet.conf owner: root:root permissions: '0644' content: "worker" ] addon_job_timeout: 30 authentication: strategy: x509 authorization: {} bastion_host: ssh_agent_auth: false cloud_provider: {} ignore_docker_version: true # # # Currently only nginx ingress generate_serving_certificate: true kubeproxy: {} scheduler: extra_args: address: 127.0.0.1 profiling: 'false' ssh_agent_auth: false {{% /accordion %}} {{% accordion id="cluster-1.15" lab

Rancher Kubernetes Engine 2, VMWare vSAN
recommendations given above in this guide. Make sure that uuid creation for disks is enabled in the settings for the virtual machines. SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware Store Validation if Checkpoint is enabled Object store access will be verified Container Registry Settings for Pipeline Modeler optional used if a second container registry is used StorageClass Configuration default SC Enable Kaniko Usage optional if running on Docker enable Container Image Repository Settings for SAP Data Intelligence Modeler mandatory Container Registry for Pipeline Modeler optional

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
#zypper install docker SLES15 SP2 nodes SLES15 SP2 Ensure that the nodes are accessed using SSH and the required ports must be opened before the cluster installation. https://rancher.com/docs/rke/l solution, RKE is run from a Linux workstation VM. RKE connects to the nodes using SSH key pairs. Note: Make sure that the SSH login that is used for node access is a member of the docker group on the node node: $ useradd -m -G docker $ su - $ mkdir $HOME/.ssh $ chmod 600 $HOME/.ssh $ touch $HOME/.ssh/authorized_keys 4. Run the following command to test the docker socket

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
https://kubernetes.io/docs/tasks/administer-cluster/dns-debugging-resolution/#known-issues • SSH connectivity including root SSH access • NTP (must be chrony) The cluster nodes in our examples are running Ubuntu cluster example is an Ubuntu host reachable at IP address 172.16.0.11. 1. From your local computer, SSH into the server node as the root user. 2. Create a config.yaml file at /etc/rancher/rke2 with 172.16.0.12 and 172.16.0.13. NOTE: Repeat these steps for the desired amount of agent nodes. 1. SSH into the agent node as the root user. 2. Create a config.yaml file in the /etc/rancher/rke2 directory

Secrets Management at Scale with Vault & Rancher
Secret Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access ● Encryption ● Multi-platform and multi-cloud ● Central control and management ● AliCloud Kubernetes Cloud Foundry AppRole Databases Public Cloud Consul / Nomad X.509 Certs RabbitMQ SSH / Active Directory Encrypt / Decrypt Format-preserving encryption Sign / Verify HMAC Masking Key

企业云原生的探索与落地深圳沙龙-RacherLabs-20-11-14/应用容器化最佳实践
Because a ConfigMap is stored in plaintext, it is suited to non-sensitive configuration data; for security-sensitive data, the Secret resource object is recommended instead. A Secret object holds sensitive information such as passwords, OAuth tokens and SSH keys; keeping this information in a Secret is safer and more flexible than putting it in a Pod definition or a container image. Three Secret types are mainly used: • Opaque: a base64-encoded Secret used to store passwords, keys and the like.

Deploying and Scaling Kubernetes with Rancher
cater to various use cases. 1.3.3 Secret Management Applications use secrets such as passwords, SSH keys and API tokens all the time. To prevent disclosing the secrets in the definition files that define

Rancher Hardening Guide Rancher v2.1.x
1.1 - Configure default sysctl settings on all hosts Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 Configure sysctl settings to match what the kubelet would Rationale We recommend that users launch the kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually. This supports the following nodes: vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability