Hardening Guide - Rancher v2.3.3+
are using calico on AWS # # network: # plugin: calico # calico_network_provider: # cloud_provider: aws # # # To specify flannel interface # # network: # plugin: flannel # flannel_network_provider: specify flannel interface for canal plugin # # network: # plugin: canal # canal_network_provider: # iface: eth1 28 # network: options: flannel_backend_type: vxlan plugin: canal restore: restore: false
0 points | 44 pages | 279.78 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
admission control plugin EventRateLimit is set (Automated) 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) 1.2.12 Ensure that the admission control plugin AlwaysPullImages 2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated) 1.2.15 admission control plugin NamespaceLifecycle is set (Automated) 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated) 1.2.17 Ensure that the admission control plugin NodeRestriction
0 points | 132 pages | 1.12 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
was removed in 1.14, so it cannot be set. Result: Pass 1.1.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | m captures[].string' Returned Value: null Result: Pass 1.1.11 - Ensure that the admission control plugin AlwaysPullImages is set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | string' Returned Value: AlwaysPullImages Result: Pass 1.1.12 - Ensure that the admission control plugin DenyEscalatingExec is set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] |
0 points | 47 pages | 302.56 KB | 1 year ago

Rancher Hardening Guide v2.3.5
out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information kubeproxy: image: "" extra_args: {} extra_binds: [] extra_env: [] network: plugin: "" options: {} mtu: 0 node_selector: {} authentication: strategy: "" sans: [] network: # plugin: calico # calico_network_provider: # cloud_provider: aws # # # To specify flannel interface Hardening Guide v2.3.5 18 # # network: # plugin: flannel #
0 points | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information kubeproxy: image: "" extra_args: {} extra_binds: [] extra_env: [] network: plugin: "" options: {} mtu: 0 node_selector: {} authentication: strategy: "" sans: [] # # network: # plugin: calico # calico_network_provider: # cloud_provider: aws # # # To specify flannel interface # # network: # plugin: flannel # flannel_network_provider:
0 points | 22 pages | 197.27 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
the control plane nodes in the cluster. Rationale Set up the EventRateLimit admission control plugin to prevent clients from overwhelming the API server. The settings below are intended as an initial larger clusters. This supports the following control: 1.1.36 - Ensure that the admission control plugin EventRateLimit is set (Scored) Audit On nodes with the controlplane role run: stat /etc/kubernetes/admission admission control plugin AlwaysPullImages is set (Scored) 1.1.12 - Ensure that the admission control plugin DenyEscalatingExec is set (Scored) 1.1.14 - Ensure that the admission control plugin NamespaceLifecycle
0 points | 24 pages | 336.27 KB | 1 year ago

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
the workloads reside in the worker nodes in the distributed workload clusters. The Contrail CNI plugin and vRouter sit in the worker nodes of the workload clusters. The Kubernetes control plane in the installed. 7. Download and install the CNI plugin. a. Create the following directory for the CNI plugin. mkdir -p /opt/cni/bin b. Download the CNI plugin. cd /opt/cni/bin/ wget 'https://github.c 5. Download and install the CNI plugin. a. Create the following directory for the CNI plugin. mkdir -p /opt/cni/bin b. Download the CNI plugin. cd /opt/cni/bin/ wget 'https://github.c
0 points | 72 pages | 1.01 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
grep -v grep Expected result: 'Node,RBAC' has 'RBAC' 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Result: PASS Remediation: Edit the API server pod specification CIS Benchmark Rancher Self-Assessment Guide - v2.4 18 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Scored) Result: PASS Remediation: Follow the documentation and create 'ServiceAccount' OR '--enable-admission-plugins' is not present 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Scored) Result: PASS Remediation: Edit the API server pod specification
0 points | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
grep -v grep Expected result: 'Node,RBAC' has 'RBAC' 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Result: PASS Remediation: Edit the API server pod specification 5 Benchmark - Self-Assessment Guide - Rancher v2.5 18 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Scored) Result: PASS Remediation: Follow the documentation and create 'ServiceAccount' OR '--enable-admission-plugins' is not present 1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Scored) Result: PASS Remediation: Edit the API server pod specification
0 points | 54 pages | 447.97 KB | 1 year ago

[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Tanzu Authorized users can deploy, configure, and interact with TKG clusters using the vSphere plugin for kubectl. Self-service deployments are also available through Tanzu Mission Control (TMC). VMware The documentation specifies that it is a beta feature exclusively for vSphere with Flannel network plugin and using NSX-T for networking. 3.3.7.4 Anthos GKE (GCP) and GKE on-prem (VMware) support Windows
0 points | 39 pages | 488.95 KB | 1 year ago

12 results in total