Definitions Term Definition AES Advanced Encryption Standard API Application Programming Interface CAVP Cryptographic Algorithm Validation Program CKG Cryptographic Key Generation CMVP Cryptographic library which provides FIPS 140-2 approved cryptographic algorithms to serve BoringSSL and other user-space applications. The Module is classified by FIPS 140-2 as a software module, multi-chip standalone approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module. The Module conforms

simplified cluster operations • Consistent Security Policy and User Management: best-practice security policy enforcement and advanced user management on any infrastructure • Access to Shared Tools and Rancher 2.6 is a showcase of the acquisition’s success and includes a new user experience designed for the enterprise user, full lifecycle management across the three major hyperscalers and a strengthened 3 Security Policy and User Management A key benefit of deploying a Kubernetes Management Platform is implementing best practice security policy enforcement and advanced user management on any infrastructure

at i on • O n t h e e t c d s e r v e r n od e ( s ) ad d t h e etcd u s e r : useradd -c "Etcd user" -d /var/lib/etcd etcd R e c or d t h e u i d /gi d : id etcd • Ad d t h e f ol l ow i n g t o cluster.yml e t c d s e c t i on u n d e r services: services: etcd: uid: user uid recorded previously> gid: user gid recorded previously> 2 . 1 - R a nche r H A K ube r ne t e s C l us t e r r e q u i r e ad m i n i s t r at i v e p r i v i l e ge s . An y r ol e t h at i s n ot admin or user s h ou l d b e au d i t e d i n t h e R B AC s e c t i on of t h e UI t o e n s u r e t h at t h e

............................................................. 13 PowerFlex Container Storage Interface driver .......................................................................... 25 Steps to Term Definition CA Certificate Authority CNS Cloud Native Storage CSI Container Storage Interface Revisions We value your feedback Objective Audience Terminology Introduction alerting, and centralized audit. Security, policy, and user management SUSE Rancher lets you automate processes and applies a consistent set of user access and security policies to all your clusters, no

..................................................... 9 2.4 How Rancher Extends Kubernetes for User-Friendly Container Management ............14 2.4.1 Infrastructure Visibility ................. cluster. Internal Kubernetes components use log library to log data; kubectl (the command line interface) can be used to fetch log data from containers. This data can be fed to an ELK (Elasticsearch, components listed for master as shown in the above diagram, there are optional components such as: user interface, container resource monitoring and logging-related components. 1.5 Summary Kubernetes

1 3 3 4 5 6 14 21 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run the following console commands. addgroup --gid 52034 etcd

1 3 4 4 5 7 14 21 Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run the following console commands. groupadd --gid 52034 etcd

the year 2038. However, the NTP application is known to have some difficulty in the year 2036. END USER LICENSE AGREEMENT The Juniper Networks product that is the subject of this technical documentation Juniper Networks software. Use of such software is subject to the terms and conditions of the End User License Agreement ("EULA") posted at https://support.juniper.net/support/eula/. By downloading, installing this rich SDN feature set natively to Kubernetes as a networking platform and container network interface (CNI) plug-in. Redesigned for cloud-native architectures, CN2 takes advantage of the benefits that

1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual) 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual) when using '!' set -H USER_INPUT=$1 if [[ "${USER_INPUT}" == "" ]]; then CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 13 echo "false" exit fi if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*" else PATTERN="${USER_INPUT}" fi PERMISSION="" if [[ "$2" != "" ]]; then PERMISSION=$2 fi FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do

at container run time. Result: Pass (Not Applicable) 1.4.9 - Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored) Notes This is a manual check /etc/cni/net.d/calico-kubeconfig - 600 Result: Pass 1.4.10 - Ensure that the Container Network Interface file ownership is set to root:root (Not Scored) Notes This is a manual check. Audit ( /var directory ownership is set to etcd:etcd (Scored) Notes The etcd container runs as the root user. The data directory and files are owned by root . Audit stat -c %U:%G /var/lib/etcd Returned Value: