Hardening Guide - Rancher v2.3.3+
source: "deb [arch=amd64] https://download.docker.com/linux/ubuntu $RELEASE stable" keyid: 0EBFCD88 packages: - [docker-ce, '5:19.03.5~3-0~ubuntu-bionic'] 26 - jq write_files: # 1.1.1 - Configure default homedir: /var/lib/etcd # 1.4.11 etcd data dir runcmd: - chmod 0700 /var/lib/etcd - usermod -G docker -a ubuntu - sysctl -p /etc/sysctl.d/90-kubelet.conf Appendix B - Complete RKE cluster.yml Exa internal_address: 172.31.24.213 user: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.203 internal_address: 172.31.24.203 user: ubuntu role: [ "controlplane", "etcd", "worker"
0 credits | 44 pages | 279.78 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Cluster | 55 Uninstall CN2 | 56 5 Appendix Create a Rancher RKE2 Cluster | 59 Configure a Server Node | 59 Configure an Agent Node | 63 Configure Repository Credentials | 66 Prepare a Cluster machine that hosts the Kubernetes control plane, formerly known as a master node. Server node In Rancher terminology, a server node is a Kubernetes control plane node. 4 Table 1: Terminology (Continued) Description Configuration Plane1 contrail-k8s-apiserver Control Plane Node This pod is an aggregated API server that is the entry point for managing all Contrail resources. It is registered with the regular kube-apiserver
0 credits | 72 pages | 1.01 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
Set up the EventRateLimit admission control plugin to prevent clients from overwhelming the API server. The settings below are intended as an initial value and may need to be adjusted for larger clusters contains: apiVersion: eventratelimit.admission.k8s.io/v1alpha1 kind: Configuration limits: - type: Server qps: 500 burst: 5000 Rancher_Hardening_Guide.md 11/30/2018 7 / 24 Remediation On nodes to: apiVersion: eventratelimit.admission.k8s.io/v1alpha1 kind: Configuration limits: - type: Server qps: 500 burst: 5000 2.1 - Rancher HA Kubernetes Cluster Configuration via RKE (See Appendix
0 credits | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide v2.3.5 2 This document provides prescriptive guidance cluster_domain: "" Hardening Guide v2.3.5 7 infra_container_image: "" cluster_dns_server: "" fail_swap_on: false generate_serving_certificate: true kubeproxy: image: "" weave_node: "" weave_cni: "" pod_infra_container: "" ingress: "" ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide v2.4 2 This document provides prescriptive guidance for extra_binds: [] extra_env: [] cluster_domain: "" infra_container_image: "" cluster_dns_server: "" fail_swap_on: false kubeproxy: image: "" extra_args: {} extra_binds: [] weave_node: "" weave_cni: "" pod_infra_container: "" ingress: "" ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false
0 credits | 22 pages | 197.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Alternative Name SDC Storage Data Client for PowerFlex SDS Storage Data Server for PowerFlex SLES SUSE Linux Enterprise Server SSD Solid-State Disk TLS Transport Layer Security VLAN Virtual PowerFlex Gateway, PowerFlex Presentation server, Repository Mirroring Tool (RMT) server, Linux workstation for RKE, PowerProtect Data Manager, and DDVE. The RMT server and Linux workstation are VMs configured with SLES15 SP2 operating system. The RMT server acts as a proxy server to SUSE customer center with repositories. It helps the customers with SUSE Linux Enterprise software updates and subscription
0 credits | 45 pages | 3.07 MB | 1 year ago
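Enterprise Cloud Native Exploration and Implementation, Shenzhen Salon - RacherLabs - 20-11-14 / Application Containerization Best Practices
dist-upgrade, because on the one hand some core packages in the parent image cannot be updated or upgraded inside an unprivileged container, and on the other hand updating software and its dependencies on a large scale increases the image size. It is therefore recommended to update only the specific packages that are needed and to clean up afterwards. The following example uses a base image based on ubuntu:18.04; other operating systems are similar: © Copyright 2020 Rancher Labs. All Rights Reserved. Confidential Managing variable application configuration through ConfigMap
0 credits | 28 pages | 3.47 MB | 1 year ago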
CIS Benchmark Rancher Self-Assessment Guide - v2.4
15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files Master Node Security Configuration 1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
15 Controls 1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files Master Node Security Configuration 1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable require or maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root
0 credits | 54 pages | 447.97 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure that the API server pod specification file ownership is set 18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated) 1.2 API Server 1.2.1 Ensure that the --anonymous-auth argument is set to false (Automated) 1.2.2 Ensure that the Ensure that encryption providers are appropriately configured (Automated) 1.2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated) 1.3 Controller Manager 1.3.1 Ensure
0 credits | 132 pages | 1.12 MB | 1 year ago
19 results in total













