Rancher Kubernetes Engine 2, VMWare vSAN
vsphere CPI and CSI provider and to access the resources in the vSphere installation. To use the vSphere CPI and CSI, RKE2 must be configured to use the rancher-vsphere cloud provider.
$ sudo mkdir -p /etc/rancher/rke2
$ echo "cloud-provider-name: rancher-vsphere" | sudo tee /etc/rancher/rke2/config.yaml
This enables the deployment of the vSphere CPI and CSI from pre-packaged Helm charts in RKE 2 class that makes use of the vSphere CPI/CSI drivers. Create the configuration for the CPI vSphere provider Helm chart: Create the directory structure on the first master node
$ sudo mkdir -p /var/lib/r
0 码力 | 29 pages | 213.09 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
the --etcd-cafile argument is set as appropriate (Automated) 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Automated) 1.2.34 Ensure that encryption providers are appropriately maxsize=100 --audit-log-format=json --requestheader-allowed-names=kube-apiserver-proxy-client --cloud-provider= --etcd-prefix=/registry --proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key / kube-ca.pem --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --requestheader-extra-headers-prefix=X-Remote-Extra-
0 码力 | 132 pages | 1.12 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
ographic Ciphers (Not Scored) • 1.1.34 - Ensure that the --encryption-provider-config argument is set as appropriate (Scored) • 1.1.35 - Ensure t AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission ographic Ciphers (Not Scored) • 1.1.34 - Ensure that the --encryption-provider-config argument is set as appropriate (Scored) • 1.1.35 - Ensure t
0 码力 | 44 pages | 279.78 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
for public and private cloud providers, along with guides for bare metal and "any other provider." Cloud provider installers require administrator access to the environment to create the resources but deploying Kubernetes clusters. It offers full lifecycle management across the major public cloud provider’s distributions, including EKS, AKS and GKE as well as RKE, RKE2 and K3s or any CNCF-conformant DigitalOcean and Tencent. If a user wishes to deploy a cluster with a new provider, they can import a driver for that provider directly from the UI. With EKS, GKE and AKS, SUSE Rancher can now import
0 码力 | 39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide 1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the control 1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) 1.1.36 - Ensure that the
0 码力 | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
the policy enforcement. Additional information about CNI providers can be found here Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive authorization: mode: "" options: {} ignore_docker_version: false private_registries: [] ingress: provider: "" options: {} node_selector: {} extra_args: {} dns_policy: "" extra_envs: [] ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: "" options: {} node_selector: {} restore: restore: false snapshot_name: "" dns: null
0 码力 | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
the policy enforcement. Additional information about CNI providers can be found here Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive {} ignore_docker_version: false private_registries: [] ingress: provider: "" options: {} node_selector: {} extra_args: {} dns_policy: "" extra_envs: [] user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: "" options: {} node_selector: {} restore: restore: false snapshot_name: "" dns: null
0 码力 | 22 pages | 197.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) Notes In Kubernetes 1.13.x this flag is --encryption-provider-config Audit docker inspect kube-apiserver match("--encryption-provider-config=.*").string' Returned Value: encryption-provider-config=/etc/kubernetes/encryption.yaml Result: Pass 1.1.35 - Ensure that the encryption provider is set to aescbc aescbc (Scored) Notes Only the first provider in the list is active. Audit grep -A 1 providers: /etc/kubernetes/encryption.yaml | grep aescbc Returned Value: - aescbc: Result: Pass 1.1.36 - Ensure that
0 码力 | 47 pages | 302.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
grep -v grep Expected result: '--etcd-cafile' is present 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes be-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--encryption-provider-config' is present 1.2.34 Ensure that encryption providers are appropriately
0 码力 | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
grep -v grep Expected result: '--etcd-cafile' is present 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Scored) Result: PASS Remediation: Follow the Kubernetes be-apiserver.yaml on the master node and set the --encryption-provider-config parameter to the path of that file: --encryption-provider-config= Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--encryption-provider-config' is present 1.2.34 Ensure that encryption providers are
0 码力 | 54 pages | 447.97 KB | 1 year ago