Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply. This guide will walk through the various addressing these through future enhancements to the product. 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory match("--token-auth-file=.*").string' Returned Value: null Result: Pass 1.1.21 - Ensure that the --kubelet-certificate-authority argument is set as appropriate (Scored) Notes RKE is using the kubelet's ability to
0 points | 47 pages | 302.56 KB | 1 year ago | 3

CIS Benchmark Rancher Self-Assessment Guide - v2.4
Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the
0 points | 54 pages | 447.77 KB | 1 year ago | 3

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable. chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G /etc/kubernetes/ssl Expected result: 'root:root' is present 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the
0 points | 54 pages | 447.97 KB | 1 year ago | 3

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes 2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated) 1.2.6 Ensure that the --kubelet-certificate-authority argument is set as appropriate to true (Automated) 2.7 Ensure that a unique Certificate Authority is used for etcd (Automated) 3.1 Authentication and Authorization 3.1.1 Client certificate authentication should not be used for users
0 points | 132 pages | 1.12 MB | 1 year ago | 3

Deploying and Scaling Kubernetes with Rancher
stdin_open: true If you have chosen one of the listening ports to be "SSL" then you get options to choose the certificate for the same. If you want to serve traffic from both HTTP and HTTPS HTTPS, this can be achieved by using two listening ports and mapping the target for the SSL-checked port to the HTTP port: The load balancer also supports stickiness on requests using cookie. private registry. You can also configure an insecure or internal certificate registry, though these require bypassing a certificate check in Docker configuration files on all nodes. Each environment
0 points | 66 pages | 6.10 MB | 1 year ago | 3

Rancher Kubernetes Engine 2, VMWare vSAN
Creating cert file to access the secure private registry Create a file named cert that contains the SSL certificate chain for the secure private registry. This imports the certificates into SAP Data Intelligence carry out some additional tasks: Obtain or create an SSL certificate to securely access the SAP Data Intelligence installation: Create a certificate request using openssl, for example: $ openssl req Let a CA sign the .csr You will receive a .crt. Create a secret from the certificate and the key in the SAP Data Intelligence 3 namespace: $ export NAMESPACE=<{di} 3 namespace>
0 points | 29 pages | 213.09 KB | 1 year ago | 3

Hardening Guide - Rancher v2.3.3+
cluster.yml kubelet section under services: services: kubelet: generate_serving_certificate: true extra_args: feature-gates: "RotateKubeletServerCertificate=true" protect-kernel-defaults: DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --audit-log-path=/v cluster.yml kubelet section under services: services: kubelet: generate_serving_certificate: true extra_args: feature-gates: "RotateKubeletServerCertificate=true" protect-kernel-defaults:
0 points | 44 pages | 279.78 KB | 1 year ago | 3

Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
DRBG seed, internal state V and Key values User, CO Write/Execute Signature Generation/Verification CTR_DRBG, RSA, ECDSA RSA, ECDSA private key User, CO Write/Execute Key Transport RSA (non-compliant) User, CO N/A Hashing MD4, MD5, POLYVAL User, CO N/A Signature Generation/Verification RSA (non-compliant), ECDSA (non-compliant) User, CO N/A Key Transport RSA (non-compliant) SHA-1, SHA-224, SHA-256, SHA-384, SHA-512 Digital Signature Generation, Digital Signature Verification, non-Digital Signature Applications A865 Triple-DES [SP 800-38A], [SP 800-67 r2] TCBC
0 points | 16 pages | 551.69 KB | 1 year ago | 3

Rancher Hardening Guide v2.3.5
extra_args: {} extra_binds: [] extra_env: [] kubelet: generate_serving_certificate: true extra_args: feature-gates: "RotateKubeletServerCertificate=true" prot infra_container_image: "" cluster_dns_server: "" fail_swap_on: false generate_serving_certificate: true kubeproxy: image: "" extra_args: {} extra_binds: [] extra_env: [] _256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 fail_swap_on: false generate_serving_certificate: true scheduler: Hardening Guide v2.3.5 20 extra_args: address: 127.0.0
0 points | 21 pages | 191.56 KB | 1 year ago | 3

Rancher Hardening Guide v2.4
extra_args: {} extra_binds: [] extra_env: [] kubelet: generate_serving_certificate: true extra_args: feature-gates: "RotateKubeletServerCertificate=true" prot _256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256 fail_swap_on: false generate_serving_certificate: true scheduler: extra_args: address: 127.0.0.1 profiling: 'false'
0 points | 22 pages | 197.27 KB | 1 year ago | 3

12 items in total