Rancher Kubernetes Engine 2, VMWare vSAN
Access to a storage solution providing dynamically physical volumes If it is planned to use Vora's streaming tables checkpoint store, an S3 bucket like object store is needed If it is planned to enable backup other work, in any medium, that contains a notice placed by the copyright holder saying it can be distributed under the terms of this License. Such a notice grants a world-wide, royalty-free license, unlimited
0 credits | 29 pages | 213.09 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults Kubelet containers on all hosts and verify that they are running with the following options: --streaming-connection-idle-timeout=- --protect-kernel-defaults=false --make-ipta RKE cluster.yml kubelet section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: " - " protect-kernel-defaults: "true" make-iptables-util-chains:
0 credits | 24 pages | 336.27 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults -fC kubelet Expected Result: '' is not present OR '' is not present 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) Result: pass CIS 1.6 Benchmark - d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
2.1.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--streaming-connection-idle-timeout=.*") *").string' Returned Value: --streaming-connection-idle-timeout=1800s Result: Pass 2.1.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit docker inspect kubelet
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.77 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
argument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensu verify that they are running with the following options: • --streaming-connection-idle-timeout=- • --authorization-mode=Webhook • --protect-
0 credits | 44 pages | 279.78 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher Hardening Guide v2.3.5
e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0 credits | 22 pages | 197.27 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed set of data planes implemented by a CNI plug-in and vRouter on every node. Integrating a full-fledged Terminology (Continued) Term Meaning Workload cluster In a multi-cluster deployment, this is the distributed cluster that contains the workloads. CN2 Components The CN2 architecture consists of pods that capability. It uses BGP to communicate with other controllers and XMPP to communicate with the distributed data plane components on the worker nodes. • The network data plane refers to the packet transmit
0 credits | 72 pages | 1.01 MB | 1 year ago
14 results in total