required in order to build and compile the module: ● Clang compiler version 6.0.1 (http://releases.llvm.org/download.html) ● Go programming language version 1.10.3 (https://golang.org/dl/) ● Ninja build

readable formatting. Known Scored Control Failures The following scored controls do not currently pass, and Rancher Labs is working towards addressing these through future enhancements to the product Args[] | match("--anonymous-auth=false").string' Returned Value: --anonymous-auth=false Result: Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned Value: null Result: Pass 1.1.3 - Ensure that the --insecure-allow-any-token argument is not set (Scored) Audit docker

Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored) Result: PASS Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir '700' 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) Result: PASS CIS Benchmark Rancher Self-Assessment Guide - v2.4 8 Remediation: On the etcd server node, get Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node

Ensure that the etcd data directory permissions are set to 700 or more restrictive (Scored) Result: PASS Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir '700' 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) Result: PASS CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 8 Remediation: On the etcd server node Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node

Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir 700 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) Result: pass Remediation: On the etcd server node, get the etcd data directory, passed as an argument --data-dir Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) Result: pass Remediation: Run the below command (based on the file location on your system) on the master node

create secrets is to use the kubectl command line and pass files which have value of username and password: kubectl create secret generic redis-pass --from-file=./username.txt --from-file=./password.txt “redis-pass” in above case. We can also manually encode the values of username/password into b64 and then create a secret object: apiVersion: v1 kind: Secret metadata: name: redis-pass type:

8 / 24 Description Ensure Kubelet options are configured to match CIS controls. Rationale To pass the following controls in the CIS benchmark, ensure the appropriate flags are passed to the Kubelet configuration is set to deploy the kube-api service with the options required for controls. Rationale To pass the following controls for the kube-api server ensure RKE configuration passes the appropriate options

and spins up a new node with the latest configuration. It then tests the new node and if the tests pass, it keeps going instance by instance until the upgrade is complete. The inconsistency across these