Deploying and Scaling Kubernetes with Rancher
disclosing the secrets in the definition files that define containers/clusters, Kubernetes encodes them in Secret objects for later referral in the definition files. 1.3.4 Application Health Long-running Reserved. 20 DEPLOYING AND SCALING KUBERNETES WITH RANCHER apiVersion: v1 kind: Service metadata: name: frontend labels: app: guestbook tier: frontend spec: # if your cluster Dashboard, click on “Create” and upload the newly modified service file. Similarly also deploy other .yml files in the guestbook directory. After you have created all Services and RCs, you will see the complete
0 credits | 66 pages | 6.10 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI defined by arguments passed to the container at the time of initialization, not via configuration files. CIS Benchmark Rancher Self-Assessment Guide - v2.4 4 Where control audits differ from the original
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment defined by arguments passed to the container at the time of initialization, not via configuration files. CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 4 Where control audits differ from the
0 credits | 54 pages | 447.97 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) 2 Etcd Node Configuration Files 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) CIS Ensure that the audit policy covers key security concerns (Manual) 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher Hardening Guide v2.3.5
uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run file called account_update.yaml Hardening Guide v2.3.5 4 apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$ (cat account_update.yaml)"
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run Save the following yaml to a file called account_update.yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$ (cat account_update.yaml)"
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
root:root The file contains: apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: - level: Metadata Remediation On nodes with the controlplane role: Generate an empty configuration file: touch t.yaml Set the contents to: apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: - level: Metadata 1.1.4 - Place Kubernetes event limit configuration on each control plane host Rancher_Hardening_Guide following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions
0 credits | 24 pages | 336.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Workstation VM where RKE binary exists to create an SSH key pair: $ ssh-keygen The following files are created after SSH key pairing: $HOME/.ssh/id_rsa (SSH private key, keep this secure) $HOME/ CIDR [10.42.0.0/16]: [+] Cluster DNS Service IP [10.43.0.10]: [+] Add addon manifest URLs or YAML files [no]: $ Installation of the SUSE Rancher Kubernetes cluster 18 SUSE install CSI drives for PowerFlex 1. Run the following command to download the installation source files from GitHub: $ git clone https://github.com/dell/csi-vxflexos 2. Run the following command to create
0 credits | 45 pages | 3.07 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
owing options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: podsecuritypolicies verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding 12 namespace: ingress-nginx roleRef: apiGroup: rbac.authorization system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules:
0 credits | 44 pages | 279.78 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
using VMware vSAN and vSphere $ cat <apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-cpi labels: namespace: kube-system spec: valuesContent: |- anifests/rancher-vsphere-csi-config.yaml apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-csi namespace: kube-system spec: valuesContent: |- vCenter: Intelligence installation: $ cat < ingress.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/force-ssl-redirect:
0 credits | 29 pages | 213.09 KB | 1 year ago