paper also explains how to protect the above Kubernetes workloads with Dell EMC PowerProtect Data Manager. Dell Technologies Solutions PowerFlex Engineering Validated Copyright ....................... 26 Rancher Kubernetes Cluster Data Protection using PowerProtect Data Manager ................. 29 Conclusion............................................................... Dell EMC PowerProtect Data Manager enables users to protect, manage, and recover data in on-premises, virtualized, or cloud deployments. The PowerProtect Data Manager platform provides centralized

Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable the controller manager. All configuration is passed in as arguments at container run time. CIS Benchmark Rancher Self-Assessment Guide - v2.4 6 1.1.4 Ensure that the controller manager pod specification

Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable controller manager. All configuration is passed in as arguments at container run time. CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 6 1.1.4 Ensure that the controller manager pod specification

(Automated) 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.4 Ensure that the controller manager pod specification file ownership is (Automated) 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated) 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root (Automated) Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated) 1.3 Controller Manager 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Automated) 1

Result: Pass 1.3 - Controller Manager 1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] | m that the --profiling argument is set to false (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--profiling=false").string' Returned Value: --profiling=false Result: --use-service-account-credentials argument is set to true (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--use-service-account-credentials=true").string' Returned Value:

cert-manager cert-manager-6dc787b997-cfbvp 1/1 Running 0 12h 172.16.0.12 rke2-a1 cert-manager cert-manager-cain Running 0 12h 172.16.0.13 rke2-a2 cert-manager cert-manager-webhook-9d965dff5-cllfm 1/1 Running 0 12h 172 12h 172.16.0.12 rke2-a1 kube-system cloud-controller-manager-rke2-s1 1/1 Running 0 17h 172.16.0.11 rke2-s1

load balancing, resource monitoring and isolation, and more. For years, Google has used a cluster manager called Borg to run thousands of jobs, supporting thousands of applications, running on multiple expanding the Kubernetes stack, you will see various components of Kubernetes: • Controller-manager is a core control loop which continuously watches the state of clusters and takes actions if needed NFS allows writing to multiple containers. Flocker Flocker is an open source cluster volume manager. Flocker volumes are not tied to the lifecycle of the container to which it is mounted; data written

arguments on the Kubernetes controller manager. Rationale To address the following controls the options need to be passed to the Kubernetes controller manager. 1.3.1 - Ensure that the --terminated-pod-gc-threshold Audit On nodes with the controlplane role inspect the kube-controller-manager container: docker inspect kube-controller-manager Verify the following options are set in the command section: --term

t h t h e controlplane r ol e i n s p e c t t h e kube-controller-manager c on t ai n e r : 10 docker inspect kube-controller-manager • Ve r i f y t h e f ol l ow i n g op t i on s ar e s e t i n t h i t h t h e controlplane r ol e i n s p e c t t h e kube-controller-manager c on t ai n e r : docker inspect kube-controller-manager • Ve r i f y t h e f ol l ow i n g op t i on s ar e s e t i n t h e

VMware Wavefront, a separate paid-for monitoring solution, or via manual configuration of the Alert Manager component of Prometheus. 3.3.5.4 Anthos Anthos enables alerting for clusters and service mesh its own paid service. Users can also deploy the open source Prometheus solution with its Alert Manager. This is a standard pattern for Kubernetes. 3.3.6 External Log Shipping • SUSE Rancher: 4 a subscription or license), and a higher tier that consists of a dedicated Technical Account Manager (TAM) for "faster resolution and technical guidance." Premium Support includes 24x7 access for Severity