Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
configure and monitor your network. • Leverage the skill set of your existing DevOps engineers to quickly get CN2 up and running. • Combine with Juniper Networks fabric devices and fabric management solutions standard kubectl commands to check on the deployment. 21 a. Show the status of the nodes. kubectl get nodes NAME STATUS ROLES AGE VERSION rke2-a1 Ready- the nodes are not up, wait a few minutes and check again. b. Show the status of the pods. kubectl get pods -A -o wide NAMESPACE NAME READY
0 points | 72 pages | 1.01 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
kubectl get ns |grep cattle • Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl get clusterrole set correctly: kubectl get rolebinding -n ingress-nginx default-psp-rolebinding kubectl get rolebinding -n cattle-system default-psp-rolebinding kubectl get clusterrolebinding restricted-clusterrolebinding restricted-clusterrolebinding • Verify the restricted PSP is present. kubectl get psp restricted-psp Remediation • In the RKE cluster.yml file ensure the follow
0 points | 44 pages | 279.78 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Option1 $ curl https://raw.githubusercontent.com/helm/helm/master/scripts/get-helm-3 | bash Option2 $ curl -sfL https://get.helm.sh/helm-v3.5.3-linux-amd64.tar.gz -o helm.tgz $ tar xf helm.tgz $ mv following output shows that all the nodes have both master and worker roles installed: $ kubectl get nodes NAME STATUS ROLES AGE VERSION 192.168.153.111 Ready the cert-manager namespace for running pods to verify that it is deployed correctly: $ kubectl get pods -n cert-manager NAME READY STATUS RESTARTS AGE
0 points | 45 pages | 3.07 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
3 Preparations Get a SUSE Linux Enterprise Server 15 SP4 subscription. Download the installer for SUSE Linux Enterprise Server 15 SP4. Check the storage requirements. Create or get access to a private container registry. Get an SAP S-user to access software and documentation by SAP. Read the relevant SAP documentation: Release Note for SAP DI 3 (https://launchpad.support.sap.com/#/notes/2871970) INSTALL_RKE2_TYPE=server $ export INSTALL_RKE2_VERSION=- $ curl -sfL https://get.rke2.io | sh - $ systemctl enable --now rke2-server.service Connect to the nodes dedicated as workers
0 points | 29 pages | 213.09 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl get clusterrole psp:restricted bindings are set correctly: kubectl get rolebinding -n ingress-nginx default-psp-rolebinding kubectl get rolebinding -n cattle-system default-psp-rolebinding kubectl get clusterrolebinding psp:restricted psp:restricted Verify the restricted PSP is present. kubectl get psp restricted Rancher_Hardening_Guide.md 11/30/2018 14 / 24 Remediation In the RKE cluster.yml file ensure the following options are set: addons:
0 points | 24 pages | 336.27 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
permissions are set to 700 or more restrictive (Scored) Result: PASS Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd PASS CIS Benchmark Rancher Self-Assessment Guide - v2.4 8 Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd then echo "fail: kubectl failed" exit 1 fi accounts="$(kubectl --kubeconfig=${KUBECONFIG} get serviceaccounts -A -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.
0 points | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
permissions are set to 700 or more restrictive (Scored) Result: PASS Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 8 Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd then echo "fail: kubectl failed" exit 1 fi accounts="$(kubectl --kubeconfig=${KUBECONFIG} get serviceaccounts -A -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.
0 points | 54 pages | 447.97 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
are set to 700 or more restrictive (Automated) Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd directory ownership is set to etcd:etcd (Automated) Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir, from the below command: ps -ef | grep etcd Audit: 5.1.2 Minimize access to secrets (Manual) Result: warn Remediation: Where possible, remove get, list and watch access to secret objects in the cluster. Audit: 5.1.3 Minimize wildcard use in Roles
0 points | 132 pages | 1.12 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Scored) Notes The restricted PodSecurityPolicy is available to all ServiceAccounts. Audit kubectl get psp restricted -o jsonpath='{.spec.privileged}' | grep "true" Returned Value: null Result: Pass (Scored) Notes The restricted PodSecurityPolicy is available to all ServiceAccounts. Audit kubectl get psp restricted -o jsonpath='{.spec.hostPID}' | grep "true" Returned Value: null Result: Pass 1 (Scored) Notes The restricted PodSecurityPolicy is available to all ServiceAccounts. Audit kubectl get psp restricted -o jsonpath='{.spec.hostIPC}' | grep "true" Returned Value: null Result: Pass 1
0 points | 47 pages | 302.56 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
in two versions: Standard and Advanced. Depending on the version of TMC users purchase, they can get access to additional features. 3.1.2.4 Anthos Anthos and Anthos GKE’s user experience is derived operators also get access to a policy engine via GitOps help manage clusters at scale. OpenShift clusters will also have full monitoring capabilities with RHACM whereas non-OpenShift clusters will get access running in vSphere and clusters running on cloud infrastructure from Amazon EC2 or Microsoft Azure. To get comprehensive full lifecycle management and full functionality of TKGI Clusters, operators must subscribe
0 points | 39 pages | 488.95 KB | 1 year ago