CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
--audit-log-maxsize argument is set to 100 or as appropriate (Automated) 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) 1.2.27 Ensure that the --service-account-lookup argument --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults argument is rver-key.pem --requestheader-username-headers=X-Remote-User 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) Result: pass Remediation: Edit the API server pod specification
0 credits | 132 pages | 1.12 MB | 1 year ago

Hardening Guide - Rancher v2.3.3+
to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensure that the --protect-kernel-defaults y are running with the following options: • --streaming-connection-idle-timeout=• --authorization-mode=Webhook • --protect-kernel-defaults=true • - to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensure that the --protect-kernel-defaults
0 credits | 44 pages | 279.78 KB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
to 100 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) Result: PASS Remediation: Edit the API server pod specification needed. For example, --request-timeout=300s Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using a Kubelet config file, edit
0 credits | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) Result: PASS Remediation: Edit the API server pod specification needed. For example, --request-timeout=300s Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using a Kubelet config file, edit
0 credits | 54 pages | 447.97 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
--audit-policy-file=/etc/kubernetes/audit.yaml Result: Pass 1.1.38 Ensure that the --request-timeout argument is set as appropriate (Scored) Notes RKE uses the default value of 60s and doesn't set the environment. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--request-timeout=.*").string' Returned Value: null Result: Pass Ensure that the --authorization-mode argument --streaming-connection-idle-timeout argument is not set to 0 (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--streaming-connection-idle-timeout=.*").string' Returned Value:
0 credits | 47 pages | 302.56 KB | 1 year ago

Rancher Hardening Guide v2.3.5
[] extra_volumes: [] extra_volume_mounts: [] cluster_name: "" prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: enable_network_policy: true # # Rancher Config # rancher_kubernetes_engine_config: addon_job_timeout: 30 addons: |- --- apiVersion: v1 kind: Namespace metadata: name: ingress-nginx retention: 6 safe_timestamp: false creation: 12h extra_args: election-timeout: '5000' heartbeat-interval: '500' gid: 52034 retention:
0 credits | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
[] extra_volumes: [] extra_volume_mounts: [] cluster_name: "" prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: enable_network_policy: true # # Rancher Config # rancher_kubernetes_engine_config: addon_job_timeout: 30 addons: |- --- apiVersion: v1 kind: Namespace metadata: name: ingress-nginx retention: 6 safe_timestamp: false creation: 12h extra_args: election-timeout: '5000' heartbeat-interval: '500' gid: 52034 retention: 72h snapshot:
0 credits | 22 pages | 197.27 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults argument is hosts and verify that they are running with the following options: --streaming-connection-idle-timeout=--protect-kernel-defaults=false --make-iptables-util-chains=false --event-qps=0 section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: " " protect-kernel-defaults: "true" make-iptables-util-chains: "true"
0 credits | 24 pages | 336.27 KB | 1 year ago

Rancher Kubernetes Engine 2, VMWare vSAN
nginx.ingress.kubernetes.io/proxy-connect-timeout: "30" nginx.ingress.kubernetes.io/proxy-read-timeout: "1800" nginx.ingress.kubernetes.io/proxy-send-timeout: "1800" name: vsystem 16 SAP Data
0 credits | 29 pages | 213.09 KB | 1 year ago

9 results in total