SUSE Rancher MSP Use Cases & Enablement
[Diagram labels: Node, Control Plane, Worker, etcd, All-in-one nodes (cp/etcd/worker), MSP Admin Cluster, Namespace as a Service, Managed Shared Kubernetes Cluster 1, Node 64 GB 16VCPU, Master Nodes, Kubernetes Cluster, Rancher Management Server (RMS) Cluster, Managed Kubernetes Cluster]
0 points | 25 pages | 1.44 MB | 1 year ago

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed set of data planes all database information and continue to provide the network control plane uninterrupted. On the worker nodes where workloads reside, each vRouter establishes communications with two Contrail controllers The Kubernetes control plane is the collection of pods that manage containerized workloads on the worker nodes in a cluster. Kubernetes control plane node This is the virtual or physical machine that
0 points | 72 pages | 1.01 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service '--audit-policy-file' is present CIS Benchmark Rancher Self-Assessment Guide - v2.4 37 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions PASS Remediation: Run the below command (based on the file location on your system) on each worker node. For example, chmod 644 /etc/kubernetes/ssl/kubecfg-kube-proxy.yaml Audit: /bin/sh -c 'if
0 points | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service is present CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 37 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions PASS Remediation: Run the below command (based on the file location on your system) on each worker node. For example, chmod 644 /etc/kubernetes/ssl/kubecfg-kube-proxy.yaml Audit: /bin/sh -c 'if
0 points | 54 pages | 447.97 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
created (Automated) 3.2.2 Ensure that the audit policy covers key security concerns (Manual) 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 or items, at a minimum. Audit: CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 104 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 105 Remediation: Run the below command (based on the file location on your system) on each worker node. For example, chmod 644 $proykubeconfig Audit: /bin/sh -c 'if test -e /node/etc/kubernetes/ssl/kubecfg-kube-
0 points | 132 pages | 1.12 MB | 1 year ago

Hardening Guide - Rancher v2.3.3+
ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.203 internal_address: 172.31.24.203 user: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.10 27 internal_address: internal_address: 172.31.24.244 user: ubuntu role: [ "controlplane", "etcd", "worker" ] addon_job_timeout: 30 authentication: strategy: x509 authorization: {} bastion_host: ssh_agent_auth: false cloud_provider: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.203 internal_address: 172.31.24.203 user: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.10 internal_address:
0 points | 44 pages | 279.78 KB | 1 year ago

Rancher Kubernetes Engine 2, VMWare vSAN
RAM CPU Disk space Management Workstation 1 16 GiB 4 >100 GiB Master Node 3 16 GiB 4 >120 GiB Worker Node 4 32 GiB 8 >120 GiB 5 SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN RAM CPU Disk space Management Workstation 1 16 GiB 4 >100 GiB Master Node 3 16 GiB 4 >120 GiB Worker Node 4 64 GiB 16 >120 GiB 2.2 Software requirements The following list contains the software components images Loading NFS Modules optional Make sure that nfsd and nfsv4 kernel modules are loaded on all worker nodes Additional Installer Parameters optional 14 SAP Data Intelligence 3 on Rancher Kubernetes
0 points | 29 pages | 213.09 KB | 1 year ago

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Kubernetes cluster, such as node connection information and roles like controlplane, etcd, and worker to apply to each node. Set up as many nodes as needed; in this example, it runs as a single node: [+] Is host (192.168.153.111) a Control Plane host (y/n)? [y]: [+] Is host (192.168.153.111) a Worker host (y/n)? [n]: y [+] Is host (192.168.153.111) an etcd host (y/n)? [n]: y [+] Override Hostname both master and worker roles installed: $ kubectl get nodes NAME STATUS ROLES AGE VERSION 192.168.153.111 Ready controlplane,etcd,worker 48m v1.20.4
0 points | 45 pages | 3.07 MB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
cattle-system 2. Tail logs: kubectl logs -n cattle-system -c rancher-audit-log hostPath 1. On the worker nodes running the Rancher pods, verify that the log files are being written to the destination indicated role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.203 internal_address: 172.31.24.203 user: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.10 internal_address: internal_address: 172.31.24.244 user: ubuntu role: [ "controlplane", "etcd", "worker" ] services: kubelet: extra_args: streaming-connection-idle-timeout: "1800s" protect-kernel-defaults:
0 points | 24 pages | 336.27 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
are on the same local network as your nodes with role:worker. Use network ACLs to restrict connections to the kubelet port (10250/tcp) on worker nodes, only permitting it from controlplane nodes. Audit spec.requiredDropCapabilities}' | grep "NET_RAW" Returned Value: [NET_RAW] Result: Pass 2 - Worker Node Security Configuration 2.1 - Kubelet 2.1.1 - Ensure that the --anonymous-auth argument is
0 points | 47 pages | 302.56 KB | 1 year ago
12 results in total