Rancher Kubernetes Engine 2, VMWare vSAN
Access to a storage solution providing dynamically physical volumes If it is planned to use Vora’s streaming tables checkpoint store, an S3 bucket like object store is needed If it is planned to enable backup other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited
0 credits | 29 pages | 213.09 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Contrail Networking (CN2) brings this rich SDN feature set natively to Kubernetes as a networking platform and container network interface (CNI) plug-in. Redesigned for cloud-native architectures, CN2 takes Kubernetes offers, from simplified DevOps to turnkey scalability, all built on a highly available platform. These benefits include leveraging standard Kubernetes tools and practices to manage Contrail throughout Contrail namespaces and resources (where supported). More than a CNI plug-in, CN2 is a networking platform that provides dynamic end-to-end virtual networking and security for cloud-native containerized
0 credits | 72 pages | 1.01 MB | 1 year ago
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
visual interface that supports auditing logs retrieval in multiple dimensions of cluster, platform, and application Auditing logs inspection through OpenShift CLI Workload-level auditing logs supported Multi-cluster Management Kubernetes-native and Kubernetes-based container management platform supported; Unified application distribution and scheduling across clusters supported; multi-cluster OpenShift clusters Management of Kubernetes-native and Kubernetes-based container management platform via UI and API; Security policy configurations across multiple clusters Edge computing Deep
0 credits | 18 pages | 718.71 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
portfolio. Their initial go-to-market strategy saw a high premium for an immature multi-cluster platform. In 2020, Google introduced a new pay-as-you-go pricing model and invested heavily in developing the capabilities of the four leading Kubernetes Management Platforms: Red Hat OpenShift Container Platform 4.9 (OpenShift/OCP4) with Red Hat Advanced Cluster Management for Kubernetes (RHACM), VMware Tanzu illustrate how each vendor compares to the others by category: • The full ball (4) is applied to the platform that is best-of-breed in that category. • The three-quarters ball (3) is applied to the runner-up
0 credits | 39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults Kubelet containers on all hosts and verify that they are running with the following options: --streaming-connection-idle-timeout=--protect-kernel-defaults=false --make-ipta RKE cluster.yml kubelet section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: " " protect-kernel-defaults: "true" make-iptables-util-chains:
0 credits | 24 pages | 336.27 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults -fC kubelet Expected Result: '' is not present OR '' is not present 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) Result: pass CIS 1.6 Benchmark - d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
2.1.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--streaming-connection-idle-timeout=.*") *").string' Returned Value: --streaming-connection-idle-timeout=1800s Result: Pass 2.1.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit docker inspect kubelet
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.77 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
gument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensu verify that they are running with the following options: • --streaming-connection-idle-timeout=• --authorization-mode=Webhook • --protect- gument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensu
0 credits | 44 pages | 279.78 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.97 KB | 1 year ago
18 results in total