SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
following command to create a namespace for SUSE Rancher as cattle-system: $ kubectl create ns cattle-system 3. Run the following command to create and apply a namespace for certificate manager as cert-manager --version v1.2.0 --wait 7. Run the following command to check the cert-manager namespace for running pods to verify that it is deployed correctly: $ kubectl get pods -n cert-manager --version v2.5.7 -f rancher-values.yaml NAME: rancher LAST DEPLOYED: Tue Mar 16 11:05:11 2021 NAMESPACE: cattle-system STATUS: DEPLOYED .. .. NOTES: Rancher Server has been installed. NOTE: Rancher
0 码力 | 45 pages | 3.07 MB | 1 year ago | 3
Rancher Hardening Guide v2.3.5
not provide a service account token and does not have any explicit rights assignments. For each namespace the default service account must include this value: automountServiceAccountToken: false Save permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace, all traffic
0 码力 | 21 pages | 191.56 KB | 1 year ago | 3
Rancher Hardening Guide v2.4
not provide a service account token and does not have any explicit rights assignments. For each namespace the default service account must include this value: automountServiceAccountToken: false Save permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" Policies are namespace scoped. When a network policy is introduced to a given namespace, all traffic not allowed by the policy is denied. However, if there are no network policies in a namespace, all traffic
0 码力 | 22 pages | 197.27 KB | 1 year ago | 3
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
It watches the kube-apiserver for changes to regular Kubernetes resources such as service and namespace and acts on any changes that affect the networking resources. In a single-cluster deployment, there wait a few minutes and check again. b. Show the status of the pods. kubectl get pods -A -o wide NAMESPACE NAME READY STATUS RESTARTS If the nodes are not up, wait a few minutes and check again. b. Show the status of the pods. NAMESPACE NAME READY STATUS RESTARTS
0 码力 | 72 pages | 1.01 MB | 1 year ago | 3
Deploying and Scaling Kubernetes with Rancher
co-terminates with the pod that encloses it. Name A name by which a resource is identified. Namespace A namespace provides additional qualification to a resource name. This is especially helpful when multiple teams/projects are using the same cluster and there is a potential for name collision. You can think of a namespace as a virtual wall between multiple clusters. Annotation An annotation is a Label but with much Kubernetes makes network management much easier, by enabling any pod to talk to other pods within the same namespace, irrespective of the host. This makes exposing ports and managing links between different services
0 码力 | 66 pages | 6.10 MB | 1 year ago | 3
Rancher Hardening Guide Rancher v2.1.x
process ID namespace (Not Scored) 1.7.3 - Do not admit containers wishing to share the host IPC namespace (Not Scored) 1.7.4 - Do not admit containers wishing to share the host network namespace (Not Scored) admit containers with dangerous capabilities (Not Scored) Audit Verify that the cattle-system namespace exists: kubectl get ns | grep cattle Verify that the roles exist: kubectl get role default-psp-role apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp
0 码力 | 24 pages | 336.27 KB | 1 year ago | 3
Rancher Kubernetes Engine 2, VMWare vSAN
helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-cpi labels: namespace: kube-system spec: valuesContent: |- vCenter: host: "vcenterhostname" datacenters: apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-csi namespace: kube-system spec: valuesContent: |- vCenter: host: "vcenter host" datacenters: steps need to be executed before the deployment of SAP Data Intelligence 3.3 can start: Create a namespace for SAP Data Intelligence 3.3. Create access to a secure private registry. Download and install
0 码力 | 29 pages | 213.09 KB | 1 year ago | 3
CIS Benchmark Rancher Self-Assessment Guide - v2.4
== null) or (.automountServiceAccountToken == true)) | "fail \(.metadata.name) \(.metadata.namespace)"')" if [[ "${accounts}" != "" ]]; then echo "fail: automountServiceAccountToken not false for Security Policies 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored) Result: PASS Remediation: Create a PSP as described in the Kubernetes documentation, 1 is greater than 0 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Scored) Result: PASS Remediation: Create a PSP as described in the Kubernetes documentation,
0 码力 | 54 pages | 447.77 KB | 1 year ago | 3
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
== null) or (.automountServiceAccountToken == true)) | "fail \(.metadata.name) \(.metadata.namespace)"')" if [[ "${accounts}" != "" ]]; then echo "fail: automountServiceAccountToken not false for Security Policies 5.2.2 Minimize the admission of containers wishing to share the host process ID namespace (Scored) Result: PASS Remediation: Create a PSP as described in the Kubernetes documentation, 1 is greater than 0 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Scored) Result: PASS Remediation: Create a PSP as described in the Kubernetes documentation,
0 码力 | 54 pages | 447.97 KB | 1 year ago | 3
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
containers wishing to share the host process ID namespace (Automated) 5.2.3 Minimize the admission of containers wishing to share the host IPC namespace (Automated) 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated) 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated) 5.2.6 Minimize the admission of root containers (Manual) definitions (Manual) 5.7.3 Apply Security Context to Your Pods and Containers (Manual) 5.7.4 The default namespace should not be used (Automated) CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 7 CIS
0 码力 | 132 pages | 1.12 MB | 1 year ago | 3
14 items in total