CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions root:root (Automated) 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored) Result: Not Applicable CIS Benchmark Rancher Self-Assessment
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration is passed in as arguments at container run time. 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored) Result: Not Applicable CIS 1.5 Benchmark - Self-Assessment
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) Audit ( --etcd-certfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-certfile=.*") Value: --etcd-certfile=/etc/kubernetes/ssl/kube-node.pem Audit ( --etcd-keyfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-keyfile=.*").string' Returned Value: --etcd-keyfi
0 credits | 47 pages | 302.56 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd 2.1 - Rancher HA Kubernete and: ps -ef | grep etcd Run the below command (based on the etcd data directory found above). For example, stat -c %a /var/lib/etcd Verify that the t to etcd:etcd Profile Applicability • Level 1 4 Description Ensure that the etcd data directory ownership is set to etcd:etcd. Rati
0 credits | 44 pages | 279.78 KB | 1 year ago
SUSE Rancher MSP Use Cases & Enablement
Control Plane Worker etcd Node Node Node Node Node Node Node All-in-one nodes (cp/etcd/worker) Node Node Node Node Node Node Node Node Node Node Node Control Plane Worker etcd MSP Admin Customer 2021 Namespace/Container as a Service Rancher Management Server Cluster All-in-one nodes (cp/etcd/worker) Node Node Node Namespace as a Service Managed Shared Kubernetes Cluster 1 Node Node Node Server (RMS) Cluster etcd Node Node Node Node All-in-one nodes Node Node Node Node Node (cp/etcd/worker) Managed Kubernetes Cluster Control Plane Worker Node etcd Node Node Node Node Managed
0 credits | 25 pages | 1.44 MB | 1 year ago
Rancher Hardening Guide v2.3.5
3.5 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in the RKE create etcd user and group To create the etcd group run the following console commands. addgroup --gid 52034 etcd useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd Update the
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
v2.4 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in the RKE create etcd user and group To create the etcd group run the following console commands. groupadd --gid 52034 etcd useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd Update the
0 credits | 22 pages | 197.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
the CPU and memory, it is recommended to host the different roles of the Kubernetes cluster such as etcd , control plane, and workers on different nodes, so that they can scale independently from one another to build the Kubernetes cluster, such as node connection information and roles like controlplane, etcd, and worker to apply to each node. Setup as many nodes as needed, in this example, it runs as a [y]: [+] Is host (192.168.153.111) a Worker host (y/n)? [n]: y [+] Is host (192.168.153.111) an etcd host (y/n)? [n]: y [+] Override Hostname of host (192.168.153.111) [none]: [+] Internal IP of host
0 credits | 45 pages | 3.07 MB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
cluster data in the main Kubernetes etcd database by default. When running on OpenShift, the Contrail controller stores all CN2 cluster data in its own Contrail etcd database. 9 The kube-apiserver is rke2-a2 Ready17h v1.25.10+rke2r1 rke2-s1 Ready control-plane,etcd,master 17h v1.25.10+rke2r1 You can see that the nodes are now up. If the nodes are not up, wait Running 0 17h 172.16.0.11 rke2-s1 kube-system etcd-rke2-s1 1/1 Running 0 17h 172.16
0 credits | 72 pages | 1.01 MB | 1 year ago