Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
Test Requirements 1/4/2011 [140IG] Implementation Guidance for FIPS 140-2 and the Cryptographic Module Validation Program 8/28/2020 [SP 800-38A] NIST SP 800-38A, Recommendation for Block Cipher Cryptographic Algorithm Validation Program CKG Cryptographic Key Generation CMVP Cryptographic Module Validation Program CO Cryptographic Officer CSP Critical Security Parameter CVL Component NIST National Institute of Standards and Technology OE Operating Environment OS Operating System PCT Pairwise Consistency Test RSA Rivest, Shamir, Adleman algorithm SHA/SHS Secure Hash Algorithm/Standard
0 points | 16 pages | 551.69 KB | 1 year ago | 3
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native clusters. The only requirement is that the data plane components are reachable. 14 System Requirements Table 3: System Requirements for Rancher RKE2 Installation with CN2 Machine CPU RAM Storage Notes
0 points | 72 pages | 1.01 MB | 1 year ago | 3
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time
0 points | 45 pages | 3.07 MB | 1 year ago | 3
Secrets Management at Scale with Vault & Rancher
Multi-platform and multi-cloud ● Central control and management ● Auditing ● Compliance & Hardware Security Module (HSM) integration ● Costs, scalability & productivity HashiCorp Vault Provides the foundation
0 points | 36 pages | 1.19 MB | 1 year ago | 3
Rancher Hardening Guide Rancher v2.1.x
Description Configure a restrictive pod security policy (PSP) as the default and create role bindings for system level services to use the less restrictive default PSP. Rationale To address the following controls restrictive default PSP needs to be applied as the default. Role bindings need to be in place to allow system services to still function. 1.7.1 - Do not admit privileged containers (Not Scored) 1.7.2 - Do cattle-system namespace exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl
0 points | 24 pages | 336.27 KB | 1 year ago | 3
CIS Benchmark Rancher Self-Assessment Guide - v2.4
root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod
0 points | 54 pages | 447.77 KB | 1 year ago | 3
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example,
0 points | 54 pages | 447.97 KB | 1 year ago | 3
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide (Automated) Result: pass Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/pki/ Audit: check_files_owner_in_dir Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/pki/*.crt Audit: check_files_permissions
0 points | 132 pages | 1.12 MB | 1 year ago | 3
Rancher Hardening Guide v2.3.5
name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts
0 points | 21 pages | 191.56 KB | 1 year ago | 3
Rancher Hardening Guide v2.4
rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: metadata: name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts
0 points | 22 pages | 197.27 KB | 1 year ago | 3
17 results in total