Rancher Hardening Guide Rancher v2.1.x
Engineering team at Rancher Labs. Profile Definitions The following profile definitions agree with the CIS Benchmarks for Kubernetes. Level 1 Items in this profile intend to: offer practical advice or utility of the environment beyond an acceptable margin Level 2 Items in this profile extend the “Level 1” profile and exhibit one or more of the following characteristics: are intended for use in HA Kubernetes cluster host configuration 1.1.1 - Configure default sysctl settings on all hosts Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 2 / 24 Configure sysctl
24 pages | 336.27 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
administrative boundaries between resources using namespaces (Manual) 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual) 5.7.3 Apply Security Context to Your Pods namespaces for objects in your deployment as you need them. Audit: 5.7.2 Ensure that the seccomp profile is set to docker/default in your pod definitions (Manual) Result: warn Remediation: Seccomp is example: systemctl restart kube-apiserver.service Use annotations to enable the docker/default seccomp profile in your pod definitions. An example is as below: apiVersion: v1 kind: Pod metadata: name: trustworthy-pod
132 pages | 1.12 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
creating a cluster with Rancher to turn on Network Isolation. 1.6.4 - Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored) Since this requires the enabling
47 pages | 302.56 KB | 1 year ago
3 results in total