CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
(Automated) 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure to 644 or more restrictive (Automated) 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated) 1.1.3 Ensure that the controller manager pod specification file or more restrictive (Automated) 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Automated) 1.1.5 Ensure that the scheduler pod specification file permissions
0 points | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain Self-Assessment Guide - v2.4 6 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain in as arguments at container run time. 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain
0 points | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain Self-Assessment Guide - Rancher v2.5 6 1.1.4 Ensure that the controller manager pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain in as arguments at container run time. 1.1.6 Ensure that the scheduler pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain
0 points | 54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure that the --hostname-override argument is not set cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as nginx-ingress ) utilize SecurityContext to switch users and assign capabilities option to map the audit log to the host filesystem. Audit logs should be collected and shipped off-system to guarantee their integrity. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match
0 points | 47 pages | 302.56 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
24 head -c 32 /dev/urandom | base64 -i - touch /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/encryption.yaml chmod controlplane role: Generate an empty configuration file: touch /etc/kubernetes/audit.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/audit.yaml chmod 0600 configuration file: touch /etc/kubernetes/admission.yaml touch /etc/kubernetes/event.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/admission.yaml chown
0 points | 24 pages | 336.27 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
For installations that want an even smaller attack surface, SUSE Rancher can utilize an operating system such as SLE Micro to help run Kubernetes in the most efficient way possible. Kubernetes from SUSE and upgrades and enables teams to focus on business continuity and reduce their total cost of ownership. 3.1.3.2 OpenShift Red Hat’s offering includes OpenShift managed, including OpenShift dedicated can be used across any platform where GKE or Anthos clusters can run, providing a unified access system for all the clusters. However, the RBAC will be local for each cluster depending on the permissions
0 points | 39 pages | 488.95 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native clusters. The only requirement is that the data plane components are reachable. 14 System Requirements Table 3: System Requirements for Rancher RKE2 Installation with CN2 Machine CPU RAM Storage Notes
0 points | 72 pages | 1.01 MB | 1 year ago
Rancher Hardening Guide v2.3.5
name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts
0 points | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- Hardening Guide v2.4 9 apiVersion: metadata: name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts
0 points | 22 pages | 197.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time
0 points | 45 pages | 3.07 MB | 1 year ago