Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
2 | 34 3 Monitor Overview | 36 iii Install Contrail Analytics and the CN2 Web UI | 36 Kubectl Contrailstatus | 39 4 Manage Manage Single Cluster CN2 | 45 Overview | 45 Run Preflight plan on running kubectl. Contrailstatus is a kubectl plug-in you can use to query Contrail microservices and Contrail-specific resources. In the examples in this document, we run kubectl on an RKE2 server contrailstatus executable is packaged within the downloaded tools package. Extract and copy the kubectl-contrailstatus executable to /usr/local/bin. If you're installing a multi-cluster, then repeat steps
0 credits | 72 pages | 1.01 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
is happening with a given cluster. Internal Kubernetes components use log library to log data; kubectl (the command line interface) can be used to fetch log data from containers. This data can be fed Kubernetes API server as it may contain sensitive information. • kubectld is the daemon which runs kubectl. ©Rancher Labs 2017. All rights Reserved. 14 DEPLOYING AND SCALING KUBERNETES WITH RANCHER right from UI. • Rancher has built-in credentials management. • Rancher can provide access to kubectl from the Rancher UI itself. • The Rancher load balancer allows traffic routing from hosts to Kubernetes
0 credits | 66 pages | 6.10 MB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster
using CSI Driver on DELL EMC PowerFlex
https://github.com/rancher/rke/releases/latest Kubectl 1.20.4 Kubectl to interact with Kubernetes cluster. https://kubernetes.io/docs/tasks/tools/install-kubectl/ Docker 19.03.1 5 Docker is installed install kubectl. $ curl -LO https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl $ chmod +x kubectl $ mv kubectl /usr/local/bin/ $ kubectl version Finished building Kubernetes cluster successfully 7. Run the following command to configure the kubectl config file: $ ls bin cluster.rkestate cluster.yml kube_config_cluster.yml public_html rke
0 credits | 45 pages | 3.07 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Docker command line on the hosts of all three RKE roles. The commands also make use of the jq and kubectl (with valid config) tools to and are required in the testing and evaluation of test results. NOTE: KUBECONFIG=${KUBECONFIG:-/root/.kube/config} kubectl version > /dev/null if [ $? -ne 0 ]; then echo "fail: kubectl failed" exit 1 fi accounts="$(kubectl --kubeconfig=${KUBECONFIG} get serviceaccounts ${accounts}" exit 1 fi default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount"
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Docker command line on the hosts of all three RKE roles. The commands also make use of the jq and kubectl (with valid config) tools to and are required in the testing and evaluation of test results. NOTE: KUBECONFIG=${KUBECONFIG:-/root/.kube/config} kubectl version > /dev/null if [ $? -ne 0 ]; then echo "fail: kubectl failed" exit 1 fi accounts="$(kubectl --kubeconfig=${KUBECONFIG} get serviceaccounts exit 1 fi default_binding="$(kubectl get rolebindings,clusterrolebindings -A -o json | jq -r '.items[] | select(.subjects[].kind=="ServiceAccount"
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
check the availability of the storage class vsphere-csi-sc which should have been created. $ kubectl get sc NAME PROVISIONER RECLAIMPOLICY VOLUMEBINDINGMODE the namespace in the Kubernetes cluster where DI 3.3 will be deployed. $ kubectl create ns $ kubectl get ns 5.1.2 Creating cert file to access the secure private registry Create using VMware vSAN and vSphere $ cat CA.pem > cert_with_cr $ tr -d '\r' < cert_with_cr > cert $ kubectl -n create secret generic cmcertificates --from-file=cert 5.2 Downloading the
0 credits | 29 pages | 213.09 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
ts: kubectl get ns |grep cattle • Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl get clusterrole are set correctly: kubectl get rolebinding -n ingress-nginx default-psp-rolebinding kubectl get rolebinding -n cattle-system default-psp-rolebinding kubectl get clusterrolebinding restrict restricted-clusterrolebinding • Verify the restricted PSP is present. kubectl get psp restricted-psp Remediation • In the RKE cluster.yml file ensure the fol
0 credits | 44 pages | 279.78 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
namespace exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl get clusterrole the bindings are set correctly: kubectl get rolebinding -n ingress-nginx default-psp-rolebinding kubectl get rolebinding -n cattle-system default-psp-rolebinding kubectl get clusterrolebinding psp:restricted psp:restricted Verify the restricted PSP is present. kubectl get psp restricted Rancher_Hardening_Guide.md 11/30/2018 14 / 24 Remediation In the RKE cluster.yml file ensure the following options are set:
0 credits | 24 pages | 336.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
ownership of admin.conf is set to root:root (Scored) Notes RKE does not store the default kubectl config credentials file on the nodes. It presents credentials to the user when rke is first run (Not Scored) Notes The restricted PodSecurityPolicy is available to all ServiceAccounts. Audit kubectl get psp restricted -o jsonpath='{.spec.privileged}' | grep "true" Returned Value: null Result: namespace (Scored) Notes The restricted PodSecurityPolicy is available to all ServiceAccounts. Audit kubectl get psp restricted -o jsonpath='{.spec.hostPID}' | grep "true" Returned Value: null Result: Pass
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Docker command line on the hosts of all three RKE roles. The commands also make use of the jq and kubectl (with valid config) tools to and are required in the testing and evaluation of test results. Controls users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding [name] Audit: 5.1.2 Minimize access to secrets (Manual) Result: warn #!/bin/bash set -eE handle_error() { echo "false" } trap 'handle_error' ERR count_sa=$(kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default")
0 credits | 132 pages | 1.12 MB | 1 year ago