Rancher Kubernetes Engine 2, VMWare vSANBridge SAP Data Intelligence 3.3 Secure private registry for container images, for example https://documentation.suse.com/sbp/all/single-html/SBP-Private-Registry/index.html Access to a storage solution vSphere CPI and CSI, RKE2 must be configured to use the rancher-vsphere cloud provider. $ sudo mkdir -p /etc/rancher/rke2 $ echo "cloud-provider-name: rancher-vsphere" | sudo tee /etc/rancher/rke2/config.yaml vSphere provider Helm chart: Create the directory structure on first the master node $ sudo mkdir -p /var/lib/rancher/rke2/server/manifests $ cd /var/lib/rancher/rke2/server/manifests Then create the
0 码力 | 29 pages | 213.09 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
• Service definitions for: o FrontEnd component : o Redis Master o Redis Slave component • Deployment definitions for: o Front End o Redis Master o Redis Slave Open the “frontend-service ports (P1 and P2), then the mapping will be done for all four combinations of services and ports (S1-P1, S1-P2, S2-P1, S2-P2). This will introduce traffic from the P1 to S2, or conversely, P2 to S1. deactivate a registry. After deactivation, o No new images can be fetched from the deactivated registry (but images already in use will continue to work). o Any user who has access to the environment
0 码力 | 66 pages | 6.10 MB | 1 year ago
Hardening Guide - Rancher v2.3.3++ Contents: Hardening Guide for Rancher 2.3.3+ with Kubernetes 1.16; Overview; Profi 1.4.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive; 1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd; 2.1 - Rancher HA Kubernete
0 码力 | 44 pages | 279.78 KB | 1 year ago
Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
industry standard monitoring and presentation tools such as Prometheus and Grafana • Support for both CRI-O and containerd runtimes • Support for container and VM workloads (using kubevirt) • Support for DPDK CN2 manifests from the Juniper Networks download site (https://support.juniper.net/support/downloads/?p=contrail-networking) and access the container repository at https://enterprise-hub.juniper.net. 2. not up, wait a few minutes and check again. b. Show the status of the pods. kubectl get pods -A -o wide NAMESPACE NAME READY STATUS
0 码力 | 72 pages | 1.01 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 ${statInfoLine} | cut -d' ' -f1) p=$(echo ${statInfoLine} | cut -d' ' -f2) if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then if [[ "$p" != "root:root" && "$p" != "etcd:etcd" ]]; then echo "false" exit fi else if [[ "$p" != "root:root" ]]; then echo "false" exit fi fi done <<< "${statInfoLines}" echo "true" exit Returned Value: true 1 fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false" exit fi else if [[ "$p" != "644"
0 码力 | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4 fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false" exit fi else if [[ "$p" != "644" && "$p" != "640" && "$p" != "600" ]]; then echo "false" exit fi fi done <<< "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/* kubectl failed" exit 1 fi accounts="$(kubectl --kubeconfig=${KUBECONFIG} get serviceaccounts -A -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken
0 码力 | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false" exit fi else if [[ "$p" != "644" && "$p" != "640" && "$p" != "600" ]]; then echo "false" exit fi fi done <<< "${FILES_PERMISSIONS}" echo "true" exit Audit Execution: ./check_files_permissions.sh '/etc/kubernetes/ssl/* kubectl failed" exit 1 fi accounts="$(kubectl --kubeconfig=${KUBECONFIG} get serviceaccounts -A -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken
0 码力 | 54 pages | 447.97 KB | 1 year ago
Rancher Kubernetes Cryptographic Library
FIPS 140-2 Non-Proprietary Security Policy January 4, 2021 Prepared for: Prepared by: Rancher Labs P.O. Box 1658 Mountain View, CA 94042 rancher.com Corsec Security, Inc. 13921 Park Center Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography 3/14/2007 [SP 800-57 P1 r5] NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General 5/4/2020 boundary of the Rancher Kubernetes Cryptographic Library module is a single object file named bcm.o which is statically linked to BoringSSL. The module performs no communications other than with the
0 码力 | 16 pages | 551.69 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster
using CSI Driver on DELL EMC PowerFlex s/tools/install-kubectl/ Docker 19.03.1 5 Docker is installed on each SLES node. #SUSEConnect -p sle-module-containers/15.2/x86_64 #zypper install docker SLES15 SP2 nodes SLES15 SP2 Ensure zypper update. 1. Run the following command to activate the containers module: $ SUSEConnect -p sle-module-containers/15.2/x86_64 2. Run the following commands to install the docker, enable and ipts /get-helm-3 | bash Option2 $ curl -sfL https://get.helm.sh/helm-v3.5.3-linux-amd64.tar.gz -o helm.tgz $ tar xf helm.tgz $ mv linux-amd64/helm /usr/local/bin/ $ chmod +x /usr/local/bin/helm $
0 码力 | 45 pages | 3.07 MB | 1 year ago
Rancher Hardening Guide v2.3.5 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Hardening Guide v2.3.5 3 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" done Ensure that the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl apply -f default-allow-all.yaml -n ${namespace}
0 码力 | 21 pages | 191.56 KB | 1 year ago