CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
admission control plugin NodeRestriction is set (Automated) 1.2.18 Ensure that the --insecure-bind-address argument is not set (Automated) 1.2.19 Ensure that the --insecure-port argument is set to 0 (Automated) that the --bind-address argument is set to 127.0.0.1 (Automated) 1.4 Scheduler 1.4.1 Ensure that the --profiling argument is set to false (Automated) 1.4.2 Ensure that the --bind-address argument is set anonymous-auth=false --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --advertise-address=192.168.1.225 --audit-log-maxage=30
0 credits | 132 pages | 1.12 MB | 1 year ago | 3
Hardening Guide - Rancher v2.3.3+
ons for the Kubernetes scheduling service. NOTE: Setting --address to 127.0.0.1 will prevent Rancher cluster monitoring from scrap --profiling argument is set to false (Scored) • 1.2.2 - Ensure that the --address argument is set to 127.0.0.1 (Scored) Audit • On nodes with the controlplane he following options are set in the command section. --profiling=false --address=127.0.0.1 Remediation • In the RKE cluster.yml file ensure the follow
0 credits | 44 pages | 279.78 KB | 1 year ago | 3
Rancher Hardening Guide Rancher v2.1.x
production installation of Rancher v2.1.x. It outlines the configurations and controls required to address CIS-Kubernetes benchmark controls. Rancher CIS-Kubernetes self assessment using RKE This document Description Set the appropriate options for the Kubernetes scheduling service. Rationale To address the following controls on the CIS benchmark, the command line options should be set on the Kubernetes 1.2.1 - Ensure that the --profiling argument is set to false (Scored) 1.2.2 - Ensure that the --address argument is set to 127.0.0.1 (Scored) Audit On nodes with the controlplane role: inspect the kube-scheduler
0 credits | 24 pages | 336.27 KB | 1 year ago | 3
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
that the --insecure-bind-address argument is not set (Scored) Notes Flag not set or --insecure-bind-address=127.0.0.1. RKE sets this flag to --insecure-bind-address=127.0.0.1 Audit docker inspect inspect kube-apiserver | jq -e '.[0].Args[] | match("--insecure-bind-address=(?:(?!127\\.0\\.0\\.1).)+")' Returned Value: null Result: Pass 1.1.6 - Ensure that the --insecure-port argument is set that the --address argument is set to 127.0.0.1 (Scored) Audit docker inspect kube-scheduler | jq -e '.[0].Args[] | match("--address=127\\.0\\.0\\.1").string' Returned Value: --address=127.0.0.1
0 credits | 47 pages | 302.56 KB | 1 year ago | 3
CIS Benchmark Rancher Self-Assessment Guide - v2.4
PodSecurityPolicy,EventRateLimit' has 'NodeRestriction' 1.2.18 Ensure that the --insecure-bind-address argument is not set (Scored) Result: PASS Remediation: Edit the API server pod specification file master node and remove the --insecure-bind-address parameter. Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--insecure-bind-address' is not present 1.2.19 Ensure that the ificate=true' is equal to 'RotateKubeletServerCertificate=true' 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored) Result: PASS Remediation: Edit the Controller Manager pod
0 credits | 54 pages | 447.77 KB | 1 year ago | 3
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
PodSecurityPolicy,EventRateLimit' has 'NodeRestriction' 1.2.18 Ensure that the --insecure-bind-address argument is not set (Scored) Result: PASS Remediation: Edit the API server pod specification file master node and remove the --insecure-bind-address parameter. Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--insecure-bind-address' is not present 1.2.19 Ensure that the ificate=true' is equal to 'RotateKubeletServerCertificate=true' 1.3.7 Ensure that the --bind-address argument is set to 127.0.0.1 (Scored) Result: PASS Remediation: Edit the Controller Manager pod
0 credits | 54 pages | 447.97 KB | 1 year ago | 3
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
integrations.html). b. Configure the OS on each node minimally for the following: • static IP address and mask as per the example cluster you want to install (for example, 172.16.0.11/24 through 172 Contrail Analytics is installed as a NodePort service. You can reach the service by specifying the IP address of any node running Contrail Analytics. By default, the port to use is 30443. 3. To install Contrail Contrail Analytics is installed as a NodePort service. You can reach the service by specifying the IP address of any node running Contrail Analytics. By default, the port to use is 30443. 4. Verify that
0 credits | 72 pages | 1.01 MB | 1 year ago | 3
Rancher Hardening Guide v2.3.5
production installation of Rancher v2.3.5. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide installation of Rancher v2.3.5 with Kubernetes v1.15. It outlines the configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about extra_volume_mounts: [] cluster_name: "" prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" Hardening Guide v2
0 credits | 21 pages | 191.56 KB | 1 year ago | 3
Rancher Hardening Guide v2.4
production installation of Rancher v2.4. It outlines the configurations and controls required to address Kubernetes benchmark controls from the Center for Information Security (CIS). This hardening guide production installation of Rancher v2.4 with Kubernetes v1.15. It outlines the configurations required to address Kubernetes benchmark controls from the Center for Information Security (CIS). For more detail about extra_volume_mounts: [] cluster_name: "" prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path:
0 credits | 22 pages | 197.27 KB | 1 year ago | 3
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
yml [+] Cluster Level SSH Private Key Path [~/.ssh/id_rsa]: [+] Number of Hosts [1]: [+] SSH Address of host (1) [none]: 192.168.153.111 [+] SSH Port of host (1) [22]: [+] SSH Private Key Path of namespaces and PVCs. PowerProtect Data Manager discovers the Kubernetes clusters using the IP address or FQDN. PowerProtect Data Manager uses the discovery service account and the token kubeconfig file White Paper • Name: Kubernetes cluster name to display in asset sources list. • Address: FQDN or the IP address of the Kubernetes API server or Load Balancer. • Port: Port to use for communication
0 credits | 45 pages | 3.07 MB | 1 year ago | 3