Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
should be collected and shipped off-system to guarantee their integrity. Rancher Labs recommends setting this argument to a low value to prevent audit logs from filling the local disk. Audit docker inspect admission control plugin EventRateLimit is set (Scored) Notes The EventRateLimit plugin requires setting the --admission-control-config-file option and configuring details in the following files:
0 credits | 47 pages | 302.56 KB | 1 year ago
Rancher Hardening Guide v2.4
This functionality requires a private IP to be provided when registering the custom nodes. When setting the default_pod_security_policy_template_id: to restricted Rancher creates RoleBindings and ClusterRoleBindings e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
applicable for our use case. 2.1.1 Hardware Sizing Correct hardware sizing is very important for setting up SAP Data Intelligence 3.3 on RKE 2. 2.1.1.1 Development systems Minimal hardware requirements Access to a storage solution providing dynamically physical volumes If it is planned to use Vora's streaming tables checkpoint store, an S3 bucket like object store is needed If it is planned to enable backup
0 credits | 29 pages | 213.09 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults Kubelet containers on all hosts and verify that they are running with the following options: --streaming-connection-idle-timeout= --protect-kernel-defaults=false --make-ipta RKE cluster.yml kubelet section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: " " protect-kernel-defaults: "true" make-iptables-util-chains:
0 credits | 24 pages | 336.27 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults -fC kubelet Expected Result: '' is not present OR '' is not present 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) Result: pass CIS 1.6 Benchmark - d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.77 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
gument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensu verify that they are running with the following options: • --streaming-connection-idle-timeout= • --authorization-mode=Webhook • --protect-
0 credits | 44 pages | 279.78 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher Hardening Guide v2.3.5
e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0 credits | 21 pages | 191.56 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
Support in Rancher ... 9 2.3 Setting Up a Rancher Kubernetes Environment ... 9 transparent, scalable and simplified network management across the cluster. 2.3 Setting Up a Rancher Kubernetes Environment Setting up a Rancher server is easy. You can set one up by following instructions from Kubernetes menu, you will notice various groups of stacks which have been deployed as part of setting up Kubernetes: ©Rancher Labs 2017. All rights Reserved. 13 DEPLOYING AND SCALING KUBERNETES
0 credits | 66 pages | 6.10 MB | 1 year ago