Deploying and Scaling Kubernetes with Rancher
classify resources and use selectors to find them and use them for certain actions. Replication Controller Replication Controllers (RC) are an abstraction used to manage pod lifecycles. One of key uses is important that it is replaced by a new one. To achieve this, Kubernetes uses a replication controller, which ensures that a certain number of replicas of a pod are always running. In cases where only Kubernetes, Mesos, and Docker Swarm for container orchestration, and allows teams to transparently view and manage the infrastructure and containers supporting their applications. Rancher provides built-in
66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
4 - Configure controller options Profile Applicability Rancher_Hardening_Guide.md 11/30/2018 12 / 24 Level 1 Description Set the appropriate arguments on the Kubernetes controller manager. Rationale Rationale To address the following controls the options need to be passed to the Kubernetes controller manager. 1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) (Scored) Audit On nodes with the controlplane role inspect the kube-controller-manager container: docker inspect kube-controller-manager Verify the following options are set in the command section:
24 pages | 336.27 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Growth for Global Container Management Software and Services Through 2024” by Susan Moore, Gartner – View Press Release A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright © SUSE 2022 all within a single platform. 3.1.2.2 OpenShift OpenShift’s user interface provides a curated view for administrators and developers. Common workflows exist at the top of menus, and access to both directly support PodSecurityPolicies and instead provides a proprietary resource called a Policy Controller that implements similar functionality. 3.2.3 Configurable Adherence to CIS Security Benchmarks
39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide v2.4
CIS Benchmark Rancher Self-Assessment Guide - Rancher v2.4. Known Issues Rancher exec shell and view logs for pods are not functional in a CIS 1.5 hardened setup when only public IP is provided when enabled: true admission_configuration: event_rate_limit: enabled: true kube-controller: extra_args: Hardening Guide v2.4 7 feature-gates: "RotateKubeletServerCertificate=true" kube-api: Hardening Guide v2.4 19 # service_cluster_ip_range: 10.43.0.0/16 # kube-controller: # cluster_cidr: 10.42.0.0/16 # service_cluster_ip_range: 10.43.0.0/16 #
22 pages | 197.27 KB | 1 year ago
Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
Multi-Cluster CN2 on Rancher RKE2 | 28 Install Contrail Tools | 29 Install ContrailReadiness Controller | 30 Manifests | 31 Manifests in Release 23.2 | 31 Contrail Tools in Release 23.2 | services in single-cluster and multi-cluster deployments • Highly available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using container and VM workloads (using kubevirt) • Support for DPDK data plane acceleration The Contrail controller automatically detects workload provisioning events such as a new workload being instantiated, network
72 pages | 1.01 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
(Automated) 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.4 Ensure that the controller manager pod specification file ownership root:root (Automated) 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated) 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root 2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated) 1.3 Controller Manager 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Automated)
132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: file for the controller manager. All configuration is passed in as arguments at container run time. CIS Benchmark Rancher Self-Assessment Guide - v2.4 6 1.1.4 Ensure that the controller manager pod specification
54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: file for the controller manager. All configuration is passed in as arguments at container run time. CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 6 1.1.4 Ensure that the controller manager pod
54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
if you are using a PodSecurityPolicy (PSP). From the CIS Benchmark document: This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact 1 Result: Pass 1.3 - Controller Manager 1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] 2 - Ensure that the --profiling argument is set to false (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--profiling=false").string' Returned Value: --profiling=false
47 pages | 302.56 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
odes with the controlplane role inspect the kube-controller-manager container: 10 docker inspect kube-controller-manager • Verify the following options are se cluster.yml file ensure the following options are set: services: kube-controller: extra_args: profiling: "false" address: "127.0.0.1" terminated-pod-gc-threshold: "1000" feature-gates: odes with the controlplane role inspect the kube-controller-manager container: docker inspect kube-controller-manager • Verify the following options are set
44 pages | 279.78 KB | 1 year ago