Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
[SP 800-38D] NIST SP 800-38D, Recommendation for Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC 11/28/2007 [SP 800-38F] NIST SP 800-38F, Recommendation for Block Cipher Modes … without PAA Dell PowerEdge R440 clang 6.0.1 … The Module conforms to [140IG] 6.1 Single Operator Mode and Concurrent Operators. Each approved operating system manages processes and threads in a logically … module supports two modes of operation: Approved and Non-approved. The module will be in FIPS-approved mode when all power up self-tests have completed successfully, and only Approved algorithms are invoked
0 码力 | 16 pages | 551.69 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
further analysis and visualization. 1.4 Kubernetes Components Kubernetes works in a master-node mode, where a master can manage a large number of nodes. Some components run only on masters, some components … The master can be run in HA mode with a multi-master setup. Apart from components listed for master as shown in the above diagram … Balancing services We have built the frontend service using NodePort in the earlier section; now let’s build the service using LoadBalancer type. The definition of service is same except “type” has value of
0 码力 | 66 pages | 6.10 MB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
operations, whether they are on-premises, in the cloud, or at the edge, giving the DevOps team freedom to build and run containerized applications anywhere. The PowerFlex family offers key value propositions … "./rke config" and answer the questions. This file contains all information that is required to build the Kubernetes cluster, such as node connection information and roles like controlplane, etcd, and … (flannel, calico, weave, canal, aci) [canal]: [+] Authentication Strategy [x509]: [+] Authorization Mode (rbac, none) [rbac]: [+] Kubernetes Docker image [rancher/hyperkube:v1.20.4-rancher1]: [+] Cluster
0 码力 | 45 pages | 3.07 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
--authorization-mode argument is not set to AlwaysAllow (Automated) 1.2.8 Ensure that the --authorization-mode argument includes Node (Automated) 1.2.9 Ensure that the --authorization-mode argument includes … 4.2.2 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Automated) 4.2.3 Ensure that the --client-ca-file argument is … --service-cluster-ip-range=10.43.0.0/16 --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem --authorization-mode=Node,RBAC --audit-log-maxsize=100 --audit-log-format=json --requestheader-allowed-names=kube-
0 码力 | 132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+" … Returned Value: --authorization-mode=Node,RBAC Result: Pass 1.1.20 - Ensure that the --token-auth-file parameter is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--token-auth-file= … --authorization-mode argument includes Node (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+").string' Returned Value: --authorization-mode=Node
0 码力 | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
'--kubelet-certificate-authority' is present 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) Result: PASS Remediation: Edit the API server pod specification … on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC Audit: /bin/ps -ef | grep kube-apiserver grep … Expected result: 'Node,RBAC' not have 'AlwaysAllow' 1.2.8 Ensure that the --authorization-mode argument includes Node (Scored) Result: PASS Remediation: Edit the API server pod specification
0 码力 | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
'--kubelet-certificate-authority' is present 1.2.7 Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) Result: PASS Remediation: Edit the API server pod specification … on the master node and set the --authorization-mode parameter to values other than AlwaysAllow. One such example could be as below. --authorization-mode=RBAC Audit: /bin/ps -ef | grep kube-apiserver grep … Expected result: 'Node,RBAC' not have 'AlwaysAllow' 1.2.8 Ensure that the --authorization-mode argument includes Node (Scored) Result: PASS Remediation: Edit the API server pod specification
0 码力 | 54 pages | 447.97 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Single Cluster CN2 on Rancher RKE2 | 19 Install Single Cluster CN2 on Rancher RKE2 Running Kernel Mode Data Plane | 21 Install Single Cluster CN2 on Rancher RKE2 Running DPDK Data Plane | 24 Install … cluster CN2 on Rancher RKE2. IN THIS SECTION Install Single Cluster CN2 on Rancher RKE2 Running Kernel Mode Data Plane | 21 Install Single Cluster CN2 on Rancher RKE2 Running DPDK Data Plane | 24 … Single Cluster CN2 on Rancher RKE2 Running Kernel Mode Data Plane Use this procedure to install CN2 in a single cluster deployment running a kernel mode data plane. The manifest that you will use in this
0 码力 | 72 pages | 1.01 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file contains: apiVersion: v1 kind: EncryptionConfig … control plane node, run: stat /etc/kubernetes/audit.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file contains: apiVersion: audit.k8s.io/v1beta1 kind: … yaml stat /etc/kubernetes/event.yaml For each file, ensure that: The file is present The file mode is 0600 The file owner is root:root For admission.yaml ensure that the file contains: apiVersion:
0 码力 | 24 pages | 336.27 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
ent is set to false (Scored) • 2.1.2 - Ensure that the --authorization-mode argument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the … options: • --streaming-connection-idle-timeout= • --authorization-mode=Webhook • --protect-kernel-defaults=true • --make-iptables-util-chains=true • --event-qps=0 •
0 码力 | 44 pages | 279.78 KB | 1 year ago
17 results in total