Deploying and Scaling Kubernetes with Rancher
Health Long-running applications may eventually break, or degrade. Kubernetes provides a way to check application health with HTTP endpoints using liveness probes. Some applications start but are not controller with six nodes of nginx, you can use a Deployment and specify the desired state (2) You can check status of a deployment for its success or for failures (3) You can rollback an earlier deployment that once you create a Deployment from one of the options, you won’t see it in the UI but you can check it from kubectl command console. However, you will see associated pods in the appear in the UI as
0 points | 66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide v2.4
Rancher creates RoleBindings and ClusterRoleBindings on the default service accounts. The CIS 1.5 5.1.5 check requires the default service accounts have no roles or cluster roles bound to it apart from the defaults tion: false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - emptyDir false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes:
0 points | 22 pages | 197.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Interface file permissions are set to 644 or more restrictive (Not Scored) Notes This is a manual check. Audit ( /var/lib/cni/networks/k8s-pod-network ) Note This may return a lockfile. Permissions on Container Network Interface file ownership is set to root:root (Not Scored) Notes This is a manual check. Audit ( /var/lib/cni/networks/k8s-pod-network ) stat -c "%n - %U:%G" /var/lib/cni/networks/k8s-pod-network/* available to all ServiceAccounts. Audit kubectl get psp restricted -o jsonpath='{.spec.runAsUser.rule}' | grep "RunAsAny" Returned Value: null Result: Pass 1.7.7 - Do not admit containers with dangerous
0 points | 47 pages | 302.56 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
on your system) on the master node. For example, chown -R root:root /etc/kubernetes/pki/ Audit: check_files_owner_in_dir.sh /node/etc/kubernetes/ssl Expected Result: 'true' is equal to 'true' Audit on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/!(*key).pem Expected Result: 'true' is equal to your system) on the master node. For example, chmod -R 600 /etc/kubernetes/ssl/*key.pem Audit: check_files_permissions.sh /node/etc/kubernetes/ssl/*key.pem 600 Expected Result: 'true' is equal to
0 points | 132 pages | 1.12 MB | 1 year ago
Rancher Hardening Guide v2.3.5
tion: false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - emptyDir false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes:
0 points | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
tion: false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - emptyDir tion: false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - emptyDir
0 points | 24 pages | 336.27 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
defaultAllowPrivilegeEscalation: false fsGroup: rule: RunAsAny runAsUser: rule: MustRunAsNonRoot seLinux: rule: RunAsAny supplementalGroups: rule: RunAsAny volumes: - emptyDir - secret - persistentVolumeClaim
0 points | 44 pages | 279.78 KB | 1 year ago
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
multi-dimensional alerting policies required to customize alerting rules alerting rules available; alerting rule configurations on web pages supported Notification Slack, email, and webhook supported Notification
0 points | 18 pages | 718.71 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
It may take a few minutes for the nodes and pods to come up. 3. Use standard kubectl commands to check on the deployment. 21 a. Show the status of the nodes. kubectl get nodes NAME STATUS ROLES 10+rke2r1 You can see that the nodes are now up. If the nodes are not up, wait a few minutes and check again. b. Show the status of the pods. kubectl get pods -A -o wide NAMESPACE NAME Networks repository. Here is an example of a DNS problem. Log in to each node having a problem and check name resolution for enterprise-hub.juniper.net. For example: ping enterprise-hub.juniper.net ping:
0 points | 72 pages | 1.01 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions.sh #!/usr/bin/env bash # This script is used to ensure the file permissions are exit fi fi done <<< "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/*.pem' Expected result: 'true' is present 1.1.21 Ensure /etc/kubernetes/ssl/certs/serverca Audit Script: 1.1.21.sh #!/bin/bash -e check_dir=${1:-/etc/kubernetes/ssl} for file in $(find ${check_dir} -name "*key.pem"); do file_permission=$(stat -c %a ${file})
0 points | 54 pages | 447.77 KB | 1 year ago
14 results in total