CIS Benchmark Rancher Self-Assessment Guide - v2.4
Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5 Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS Benchmark Rancher Self-Assessment
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS 1.5 Benchmark - Self-Assessment
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. Scoring the commands is different in that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored) Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned Value: null Result:
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive 1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
technology Authors Jason Greathouse Bill Maxwell 1.1 - Rancher HA Kubernetes cluster host configuration 1.1.1 - Configure default sysctl settings on all hosts Profile Applicability Level 1 Description provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 3 / 24 Create a Kubernetes encryption configuration file on each of the RKE nodes that will be provisioned with the controlplane role: Rationale This configuration file will ensure that the Rancher RKE cluster encrypts secrets at rest, which Kubernetes does not
0 credits | 24 pages | 336.27 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
deployments • Highly available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using telemetry and industry standard monitoring and facilitates virtual network abstraction, orchestration, and automation. Network configuration plane The network configuration plane interacts with Kubernetes control plane components to manage all CN2 resources the Contrail vRouter. Contrail controller This is the part of CN2 that provides the network configuration and network control plane functionality. This name is purely conceptual – there is no corresponding
0 credits | 72 pages | 1.01 MB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Configuration details ... the PowerFlex family products. In this solution, the RKE cluster is deployed in a two-layer configuration using PowerFlex compute-only nodes that are deployed with the VMware ESXi hypervisor and dedicated provisioned disks on the PowerFlex backend storage. For more information about configuration of PowerFlex nodes, check the Configuration details. The management node hosts the vCenter appliance, PowerFlex Gateway
0 credits | 45 pages | 3.07 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
provides a single IP address and DNS name by which the pods can be accessed. This load balancing configuration is much easier to manage, and helps scale pods seamlessly. Volume A volume is a directory on right top corner. You can input all parameters one by one or simply upload a JSON/YAML format file with specifications of the object to be created. 2.4.3 GUI-Based CRUD Operations for Kubernetes frontend Open the Kubernetes Dashboard, click on “Create” and upload the newly modified service file. Similarly also deploy other .yml files in the guestbook directory. After you have created
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide v2.3.5
Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide v2 Self-Assessment Guide - Rancher v2.3.5. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl yaml to a file called account_update.yaml Hardening Guide v2.3.5 4 apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide v2 have any explicit rights assignments. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl following yaml to a file called account_update.yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update
0 credits | 22 pages | 197.27 KB | 1 year ago
17 results in total