CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
and --etcd-keyfile arguments are set as appropriate (Automated) 1.2.30 Ensure that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Automated) 1.2.31 Ensure that the --client-ca-file Ensure that the --client-cert-auth argument is set to true (Automated) 2.3 Ensure that the --auto-tls argument is not set to true (Automated) 2.4 Ensure that the --peer-cert-file and --peer-key-file arguments that the --peer-client-cert-auth argument is set to true (Automated) 2.6 Ensure that the --peer-auto-tls argument is not set to true (Automated) 2.7 Ensure that a unique Certificate Authority is used for
0 points | 132 pages | 1.12 MB | 1 year ago

Hardening Guide - Rancher v2.3.3+
true" • --tls-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_W TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" Remediation • Add the following to the RKE cluster ts: "true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_
0 points | 44 pages | 279.78 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
that the --tls-cert-file and --tls-private-key-file arguments are set as appropriate (Scored) Audit ( --tls-cert-file ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--tls-cert-file= string' Returned Value: --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem Audit ( --tls-key-file ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--tls-private-key-file=.*").string' string' Returned Value: --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem Result: Pass 1.1.29 - Ensure that the --client-ca-file argument is set as appropriate (Scored) Audit docker
0 points | 47 pages | 302.56 KB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/k appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /e appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/k
0 points | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit API server pod specification file /etc/k appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and kubelets. Then, edit the API server pod specification file /e appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes documentation and set up the TLS connection between the apiserver and etcd. Then, edit the API server pod specification file /etc/k
0 points | 54 pages | 447.97 KB | 1 year ago

Rancher Hardening Guide v2.3.5
"true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_E CDHE_ CDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" extra_binds: [] extra_env: [] cluster_domain: "" eout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
0 points | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
"true" tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_E CDHE_ CDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" extra_binds: [] extra_env: [] cluster_domain: "" eout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
0 points | 22 pages | 197.27 KB | 1 year ago

Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
KTS [SP 800-38F] 128, 256 AES-KW Key Wrapping, Key Unwrapping A865 CVL [SP 800-135 r1] TLS 1.0/1.1 and 1.2 KDF Key Derivation Vendor Affirmed CKG [SP 800-133 r2] Cryptographic Key Generation establishment methodology provides between 112 and 256 bits of encryption strength MD5 When used with the TLS protocol version 1.0 and 1.1 NDRNG Used only to seed the Approved DRBG 7.3 Non-Approved Cryptographic Output via API in plaintext TLS Master Secret Shared Secret; 48 bytes of pseudorandom data Internally derived via key derivation function defined in [SP 800-135 r1] KDF (TLS) Output via API in plaintext
0 points | 16 pages | 551.69 KB | 1 year ago

Rancher Kubernetes Engine 2, VMWare vSAN
Rancher Kubernetes Engine 2 using VMware vSAN and vSphere $ kubectl -n $NAMESPACE create secret tls vsystem-tls-certs --key decrypted-.key--cert .crt Deploy an nginx-ingress controller: 10.43.86.90 80:31963/ TCP,443:{di_version}06/TCP 53d In our example here, the TLS port is be 3.306. Note the port IP down as you will need it to access the SAP Data Intelligence installation vsystem servicePort: 8797 path: / tls: - hosts: - " " secretName: vsystem-tls-certs EOF $ kubectl apply -f ingress.yaml Connecting
0 points | 29 pages | 213.09 KB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
with TLS Ingress can also be set up with TLS. As a prerequisite, you will need to upload the certificate in Rancher. You can then use TLS by specifying the port and the secretname in the tls field: field: metadata: name: tlslb annotations: https.port: "444" spec: tls: - secretName: foo backend: 4.6 Container Logging ©Rancher Labs 2017. All rights Reserved. 52
0 points | 66 pages | 6.10 MB | 1 year ago
11 results in total