as appropriate (Automated) 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Automated) 1.2.34 Ensure that encryption providers are appropriately configured (Automated) --tls-private-key-file=/etc/kubernetes/ssl/kube- apiserver-key.pem --encryption-provider-config=/etc/ kubernetes/ssl/encryption.yaml --requestheader-extra-headers- prefix=X-Remote-Extra- --profiling=false --tls-private-key-file=/etc/kubernetes/ssl/kube- apiserver-key.pem --encryption-provider-config=/etc/ kubernetes/ssl/encryption.yaml --requestheader-extra-headers- prefix=X-Remote-Extra- --profiling=false

General 5/4/2020 [SP 800-67 r2] NIST SP 800-67 Rev. 2, Recommendation for the Triple Data Encryption Algorithm (TDEA) Block Cipher 11/17/2017 [SP 800-90A r1] NIST SP 800-90A Rev. 1, Recommendation 186-4] FIPS 186-4, Digital Signature Standard (DSS) 7/19/2013 [FIPS 197] FIPS 197, Advanced Encryption Standard (AES) 11/26/2001 [FIPS 198-1] FIPS 198-1, The Keyed Hash Message Authentication Code Cryptographic Library Page 3 of 16 Acronyms and Definitions Term Definition AES Advanced Encryption Standard API Application Programming Interface CAVP Cryptographic Algorithm Validation Program

Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 3 / 24 Create a Kubernetes encryption configuration controls: 1.1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the the control plane hosts for the Rancher HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file contains:

r y p t ogr ap h i c C i p h e r s ( Not S c or e d ) • 1. 1. 34 - E n s u r e t h at t h e --encryption-provider-config ar gu m e n t i s s e t as ap p r op r i at e ( S c or e d ) • 1. 1. 35 - E n AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --a service_node_port_range: 30000-32767 event_rate_limit: enabled: true 8 audit_log: enabled: true secrets_encryption_config: enabled: true extra_args: anonymous-auth: "false" enable-admission-plugins: "ServiceAccount

kube-apiserver | grep -v grep Expected result: '--etcd-cafile' is present 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) Result: PASS Remediation: Follow the etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= Audit: /bin/ps | grep -v grep Expected result: '--encryption-provider-config' is present CIS Benchmark Rancher Self-Assessment Guide - v2.4 28 1.2.34 Ensure that encryption providers are appropriately configured

kube-apiserver | grep -v grep Expected result: '--etcd-cafile' is present 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) Result: PASS Remediation: Follow the etc/kubernetes/manifests/kube-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= Audit: /bin/ps grep -v grep Expected result: '--encryption-provider-config' is present CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 28 1.2.34 Ensure that encryption providers are appropriately configured

1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) Notes In Kubernetes 1.13.x this flag is --encryption-provider-config Audit docker inspect Args[] | match("--encryption-provider-config=.*").string' Returned Value: encryption-provider-config=/etc/kubernetes/encryption.yaml Result: Pass 1.1.35 - Ensure that the encryption provider is set Notes Only the first provider in the list is active. Audit grep -A 1 providers: /etc/kubernetes/encryption.yaml | grep aescbc Returned Value: - aescbc: Result: Pass 1.1.36 - Ensure that the admission

Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access ● Encryption ● Multi-platform and multi-cloud ● Central control and management ● Auditing ● Compliance & Hardware Secrets management to centrally store and protect secrets across clouds and applications ● Data encryption to keep application data secure across environments and workloads ● Advanced Data Protection to Consul / Nomad X.509 Certs RabbitMQ SSH / Active Directory Encrypt / Decrypt Format-preserving encryption Sign / Verify HMAC Masking Key Management via KMIP WEB UI CLI Under what conditions? Which secrets

etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: event_rate_limit: enabled: true pod_security_policy: true secrets_encryption_config: enabled: true service_node_port_range: 30000-32767 kube_controller:

etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: event_rate_limit: enabled: true pod_security_policy: true secrets_encryption_config: enabled: true service_node_port_range: 30000-32767 kube_controller: