CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
chown -R root:root /etc/kubernetes/pki/ Audit: check_files_owner_in_dir.sh /node/etc/kubernetes/ssl Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This script is chmod -R 644 /etc/kubernetes/pki/*.crt Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/!(*key).pem Expected Result: 'true' is equal to 'true' Audit Script: #!/usr/bin/env bash # This on the master node. For example, chmod -R 600 /etc/kubernetes/ssl/*key.pem Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/*key.pem 600 Expected Result: 'true' is equal to 'true' Audit
132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
match("--kubelet-client-certificate=.*").string' Returned Value: --kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem Audit ( --kubelet-client-key ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--kubelet-client-key=.*").string' Returned Value: --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Pass 1.1.23 Ensure that the --service-account-lookup argument is match("--service-account-key-file=.*").string' Returned Value: --service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem Result: Pass 1.1.26 - Ensure that the --etcd-certfile and
47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions
54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure that the Kubernetes PKI key file permissions
54 pages | 447.97 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
Creating cert file to access the secure private registry Create a file named cert that contains the SSL certificate chain for the secure private registry. This imports the certificates into SAP Data Intelligence workflow is successfully finished, you need to carry out some additional tasks: Obtain or create an SSL certificate to securely access the SAP Data Intelligence installation: Create a certificate request metadata: annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/force-ssl-redirect: "true" nginx.ingress.kubernetes.io/secure-backends: "true" nginx.ingress.kubernetes
29 pages | 213.09 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
- service2:service2 stdin_open: true If you have chosen one of the listening ports to be “SSL” then you get options to choose the certificate for the same. If you want to serve traffic HTTP and HTTPS, this can be achieved by using two listening ports and mapping the target for the SSL-checked port to the HTTP port: The load balancer also supports stickiness on requests using /etc/Docker/certs.d/${DOMAIN}/ca.crt # Append the certificate to a file $ cat ca.crt | sudo tee -a /etc/ssl/certs/ca-certificates.crt # Restart the Docker service to have the changes take effect $ sudo service
66 pages | 6.10 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --audit-log-path=/v DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --audit-log-path=/v
44 pages | 279.78 KB | 1 year ago