Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
(CN2) brings this rich SDN feature set natively to Kubernetes as a networking platform and container network interface (CNI) plug-in. Redesigned for cloud-native architectures, CN2 takes advantage of the benefits single-cluster and multi-cluster deployments • Highly available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using telemetry and workload being instantiated, network provisioning events such as a new virtual network being created, routing updates from internal and external sources, and unexpected network events such as link and node
0 points | 72 pages | 1.01 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
calico on AWS # # network: # plugin: calico # calico_network_provider: # cloud_provider: aws # # # To specify flannel interface # # network: # plugin: flannel # flannel_network_provider: # iface: eth1 # # # To specify flannel interface for canal plugin # # network: # plugin: canal # canal_network_provider: # iface: eth1 28 # network: options: flannel_backend_type: vxlan plugin: canal restore: calico on AWS # # network: # plugin: calico # calico_network_provider: # cloud_provider: aws # # # To specify flannel interface # # network: # plugin: flannel # flannel_network_provider: # iface:
0 points | 44 pages | 279.78 KB | 1 year ago
Rancher Hardening Guide v2.3.5
Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template Namespaces have Network Policies defined Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation supposed to. A network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy
0 points | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template Namespaces have Network Policies defined Running different applications on the same Kubernetes cluster creates a risk of one compromised application attacking a neighboring application. Network segmentation v2.4 5 network policy is a specification of how selections of pods are allowed to communicate with each other and other network endpoints. Network Policies are namespace scoped. When a network policy
0 points | 22 pages | 197.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Mitigation Make sure nodes with role:controlplane are on the same local network as your nodes with role:worker. Use network ACLs to restrict connections to the kubelet port (10250/tcp) on worker nodes that the Container Network Interface file permissions are set to 644 or more restrictive (Not Scored) Notes This is a manual check. Audit ( /var/lib/cni/networks/k8s-pod-network ) Note This may return /var/lib/cni/networks/k8s-pod-network/* Returned Value: /var/lib/cni/networks/k8s-pod-network/10.42.0.2 - 644 /var/lib/cni/networks/k8s-pod-network/10.42.0.3 - 644 /var/lib/cni/networks/k8s-pod-network/last_reserved_ip
0 points | 47 pages | 302.56 KB | 1 year ago
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
Multi-cluster Management ※※※※ ※※※ ※※※※※ Edge Computing ※※※※※ ※※ ※※※※※ Network ※※※※※ ※※※※※ ※※※※ Storage ※※※※※ ※※※※※ ※※※※※ Network Policy and Management ※※※※※ ※※※※※ ※※※ Multi-tenant Management ※※※※ monitoring and logging available commercial solution required Rancher edge cluster Network and Storage Network Major CNIs supported, including Calico, Flannel, Weave, and Kube-OVN; OpenELB, an open-source Load Balancer, available Built-in OpenShift SDN that supports configuring an overlay network using Open vSwitch (OVS) and supports Layer-3 model; CNI supported, including Flannel, Nuage
0 points | 18 pages | 718.71 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
SUSE Rancher OpenShift Tanzu Anthos Active Directory and LDAP Support 4 4 4 2 Pod and Network Security Policies 4 3 2 2 Configurable Adherence to CIS 4 3 2 2 Global RBAC Policies unsupported. Users must use a browser-based workflow to perform authentication. 3.2.2 Pod and Network Security Policies • SUSE Rancher: 4 • OpenShift: 3 • Tanzu: 2 • Anthos: 2 3.2.2.1 cluster. SCCs can only be edited through the oc command on the CLI. OpenShift includes support for network policies and multiple pod networks for traffic isolation. It also provides operators with compliance
0 points | 39 pages | 488.95 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
(Automated) 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual) 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root host IPC namespace (Automated) 5.2.4 Minimize the admission of containers wishing to share the host network namespace (Automated) 5.2.5 Minimize the admission of containers with allowPrivilegeEscalation (Automated) capabilities assigned (Manual) 5.3 Network Policies and CNI 5.3.1 Ensure that the CNI in use supports Network Policies (Manual) 5.3.2 Ensure that all Namespaces have Network Policies defined (Automated) 5
0 points | 132 pages | 1.12 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
state in or with each Opaque copy a computer-network location from which the general network-using public has access to download using public-standard network protocols a complete Transparent copy of the previous sentence. J. Preserve the network location, if any, given in the Document for public access to a Transparent copy of the Document, and likewise the network locations given in the Document for previous versions it was based on. These may be placed in the "History" section. You may omit a network location for a work that was published at least four years before the Document itself, or if the
0 points | 29 pages | 213.09 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
other. Logically, it makes sense to co-locate tightly coupled components as close to enable easier network communication and shared storage usage. Kubernetes enables co-locating related containers through allows networking at the host level only (and Docker Swarm works across hosts), Kubernetes makes network management much easier, by enabling any pod to talk to other pods within same namespace, irrespective Rancher DNS is a drop-in replacement for Sky DNS thus providing transparent, scalable and simplified network management across the cluster. 2.3 Setting Up a Rancher Kubernetes Environment Setting up
0 points | 66 pages | 6.10 MB | 1 year ago