minimum hardware requirement to run Kubernetes node components is one CPU and 1 GB of memory. Considering the CPU and memory, it is recommended to host the different roles of the Kubernetes cluster such as Storage-only nodes Hardware Configuration CPU Cores 2 x Intel(R) Xeon(R) Gold 6126 CPU @ 2.60 GHz Memory 14 x 16 GB NIC 2 x Mellanox ConnectX-4 LX 25 GbE SFP Adapter 1 x Intel(R) Ethernet 10G 4P Compute-only nodes Hardware Configuration CPU Cores 2 x Intel(R) Xeon(R) Gold 6248 CPU @ 2.50 GHz Memory 24 x 32 GB NIC 2 x Mellanox ConnectX-4 LX 25GbE SFP Adapter 1 x Intel(R) Ethernet 10G 4P

in the cluster. Set the following parameters in /etc/sysctl.d/90- kubelet.conf: vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 installing kubernetes. #cloud-config packages: - curl - jq runcmd: - sysctl -w vm.overcommit_memory=1 - sysctl -w kernel.panic=10 - sysctl -w kernel.panic_on_oops=1 - curl https://releases d/kubelet.conf owner: root:root permissions: "0644" content: | vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Hardening Guide v2.3.5 21

in the cluster. Set the following parameters in /etc/sysctl.d/90- kubelet.conf: vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxbytes=25000000 installing kubernetes. #cloud-config packages: - curl - jq runcmd: - sysctl -w vm.overcommit_memory=1 - sysctl -w kernel.panic=10 Hardening Guide v2.4 21 - sysctl -w kernel.panic_on_oops=1 d/kubelet.conf owner: root:root permissions: "0644" content: | vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Hardening Guide v2.4 22

--protect-kernel-defaults argument is set to true (Scored) Audit Verify vm.overcommit_memory = 1 sysctl vm.overcommit_memory Verify kernel.panic = 10 sysctl kernel.panic Verify kernel.panic_on_oops = 1 panic_on_oops Remediation Set the following parameters in /etc/sysctl.conf on all nodes: vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install

n t i s s e t t o t r u e ( S c or e d ) A u d i t • Ve r i f y vm.overcommit_memory = 1 sysctl vm.overcommit_memory • Ve r i f y vm.panic_on_oom = 0 sysctl vm.panic_on_oom • Ve r i f y kernel.panic ow i n g p ar am e t e r s i n /etc/sysctl.d/90-kubelet.conf on al l n od e s : 3 vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxkeys=1000000 kernel path: /etc/sysctl.d/90-kubelet.conf owner: root:root permissions: '0644' content: | vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxkeys=1000000 kernel

Keys and CSPs are passed to the module by the calling application. The keys and CSPs are stored in memory in plaintext. Keys and CSPs residing in internally allocated data structures (during the lifetime of an API call) can only be accessed using the module defined API. The operating system protects memory and process space from unauthorized access. 7.8 Key Zeroization The module is passed keys as

container from the list, you will see detailed, vital information about that container such as CPU, memory, network and disk consumption. Information about labels, ©Rancher Labs 2017. All rights Reserved