of a larger cluster on which you can run your applications. Pod A co-located group of containers and their storage is called a pod. For example, it makes sense to have database processes and data data containers as close as possible - ideally they should be in same pod. Label Labels are names given to resources to classify them, and are always a key pair of name and value. The key-value pairs actions. Replication Controller Replication Controllers (RC) are an abstraction used to manage pod lifecycles. One of key uses of replication controllers is to maintain a certain number of pods. This

and status monitoring. 6 Table 2: CN2 Components Pod Name Where Description Configuration Plane1 contrail-k8s-apiserver Control Plane Node This pod is an aggregated API server that is the entry point er for handling. There is one contrail-k8s-apiserver pod per Kubernetes control plane node. contrail-k8s-controller Control Plane Node This pod performs the Kubernetes control loop function to reconcile intended state. There is one contrail-k8s-controller pod per Kubernetes control plane node. contrail-k8s- kubemanager Control Plane Node This pod is the interface between Kubernetes resources and Contrail

functionality requires a private IP to be provided when registering the custom nodes. When setting the default_pod_security_policy_template_id: to restricted Rancher creates RoleBindings and ClusterRoleBindings on specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account 9-rancher1-1" enable_network_policy: true default_pod_security_policy_template_id: "restricted" services: etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config:

specific service account is assigned to the pod. Where access to the Kubernetes API from a pod is required, a specific service account should be created for that pod, and rights granted to that service account 9-rancher1-1" enable_network_policy: true default_pod_security_policy_template_id: "restricted" services: etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config: decar: "" kubedns: "" dnsmasq: "" kubedns_sidecar: "" kubedns_autoscaler: "" coredns: "" coredns_autoscaler: "" kubernetes: "" flannel: "" flannel_cni: "" calico_node: ""

，Kubernetes提供了 ConfigMap资源对象来实现配置管理，可以通过以下几种方式来使用ConfigMap配置Pod中的容器： • 容器 entrypoint 的命令行参数 • 容器的环境变量 • 在只读卷里面添加一个文件，应用读取 • 编写代码在 Pod 中运行，应用通过使用 Kubernetes API 来读取 © Copyright 2020 Rancher Labs. 的配置信息，如果 涉及安全敏感的数据，推荐使用另一个Secret资源对象。Secret 对象 用来保存敏感信息，例如密码、OAuth 令牌和 SSH 密钥，这些信息放 在Secret中比放在Pod的定义或者容器镜像中更加安全和灵活。 Secret 主要使用的有以下三种类型： • Opaque： base64 编码格式的 Secret，用来存储密码、密钥等。 但也可以通过base64-decode解码得到原始数据，安全性较弱 kubernetes.io/service-account-token：使用ServiceAccount 资 源对象时，会默认创建一个对应的 Secret 对象，对应的Secret 会 自动挂载到Pod 目录 /run/secrets/kubernetes.io/serviceaccount © Copyright 2020 Rancher Labs. All Rights Reserved. Confidential

Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher Self-Assessment Guide - v2.4 Node Security Configuration 1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE

Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 52 53 5.3 Network Node Security Configuration 1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE

(Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure that the API server pod specification file ownership is set to root:root 3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.4 Ensure that the controller manager pod specification file ownership is set to (Automated) 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root

........................ 28 6.8. 应用容器日志查询 ......................................... 28 6.9. POD 终端登录 ............................................ 29 6.10. 应用删除 ................................ 点击右侧部署服务按钮进入服务部署界面 填写应用名称 应用名称只允许最多 15 位的小写字母，数字或"-"，并以字母或数字开头和结尾。 选择部署类型 点击更多选项查看更多部署类型： a) 标准的 Pod 类型 b) DaemonSet 类型 c) StatefulSet 类型 d) Cron 类型 e) Job 类型 填写镜像名 命名空间： 可选择已有的命名空间或者填写并创建新的命名空间 网络模式： a) Nodeport： 此网络模式为全局模式，即集群中每台节点的 IP+端口都可以访问对应的服务，Pod 跨主机 时通过 iptables 规则来转发数据； b) Hostport： 类似于 docker -p 的方式映射的端口，只有 Pod 所在的节点 IP+端口才可以访问； c) ClusterIP： 为 service 配置 cluster IP 地址；

This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--terminated-pod-gc-threshold=\\d+").string' string' Returned Value: --terminated-pod-gc-threshold=1000 Result: Pass 1.3.2 - Ensure that the --profiling argument is set to false (Scored) Audit docker inspect kube-controller-manager | jq -e '