Hardening Guide - Rancher v2.3.3+
strategy: x509 authorization: {} bastion_host: ssh_agent_auth: false cloud_provider: {} ignore_docker_version: true # # # Currently only nginx ingress provider is supported. # # To disable ingress controller ingress: provider: nginx kubernetes_version: v1.14.9-rancher1-1 monitoring: provider: metrics-server # # If you are using calico on AWS # # network: # plugin: calico # calico_network_provider: # flannel interface # # network: # plugin: flannel # flannel_network_provider: # iface: eth1 # # # To specify flannel interface for canal plugin # # network: # plugin: canal # canal_network_provider:
0 credits | 44 pages | 279.78 KB | 1 year ago
Rancher Hardening Guide v2.3.5
Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide v2.3.5 Rancher v2.3.5 Benchmark v1.5 Kubernetes 1.15 Click here to download a PDF version of this document out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information the documentation on how to configure custom RKE images. Hardening Guide v2.3.5 6 kubernetes_version: "v1.15.9-rancher1-1" enable_network_policy: true default_pod_security_policy_template_id: "restricted"
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide v2.4 Rancher v2.4 Benchmark v1.5 Kubernetes 1.15 Click here to download a PDF version of this document out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information environment, # please consult the documentation on how to configure custom RKE images. kubernetes_version: "v1.15.9-rancher1-1" enable_network_policy: true default_pod_security_policy_template_id: "restricted"
0 credits | 22 pages | 197.27 KB | 1 year ago
Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
the workloads reside in the worker nodes in the distributed workload clusters. The Contrail CNI plugin and vRouter sit in the worker nodes of the workload clusters. The Kubernetes control plane in the the status of the nodes. kubectl get nodes NAME STATUS ROLES AGE VERSION rke2-a1 Ready17h v1.25.10+rke2r1 rke2-a2 Ready the cluster with the following characteristics: • Cluster has no CNI plug-in. • Enable multus version 0.3.1. 2. Specify the DPDK nodes. For each node running DPDK, label it as follows: kubectl label
0 credits | 72 pages | 1.01 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
admission control plugin EventRateLimit is set (Automated) 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) 1.2.12 Ensure that the admission control plugin AlwaysPullImages 2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated) 1.2.15 admission control plugin NamespaceLifecycle is set (Automated) 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated) 1.2.17 Ensure that the admission control plugin NodeRestriction
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
CIS Kubernetes Benchmark v1.5 - Rancher v2.4 with Kubernetes v1.15 Click here to download a PDF version of this document Overview This document is a companion to the Rancher v2.4 security hardening guide Kubernetes, and the CIS Benchmark: Self Assessment Guide Version Rancher Version Hardening Guide Version Kubernetes Version CIS Benchmark Version Self Assessment Guide v2.4 Rancher v2.4 Hardening Guide grep -v grep Expected result: 'Node,RBAC' has 'RBAC' 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Result: PASS Remediation: Edit the API server pod specification
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
CIS v1.5 Kubernetes Benchmark - Rancher v2.5 with Kubernetes v1.15 Click here to download a PDF version of this document Overview This document is a companion to the Rancher v2.5 security hardening guide hardening guide, Rancher, CIS Benchmark, and Kubernetes: Hardening Guide Version Rancher Version CIS Benchmark Version Kubernetes Version Hardening Guide with CIS 1.5 Benchmark Rancher v2.5 CIS v1.5 Kubernetes grep -v grep Expected result: 'Node,RBAC' has 'RBAC' 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Result: PASS Remediation: Edit the API server pod specification
0 credits | 54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self
Assessment
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment Rancher v2.2.x Version 1.1.0 - August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned was removed in 1.14, so it cannot be set. Result: Pass 1.1.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | m captures[].string' Returned Value: null Result: Pass 1.1.11 - Ensure that the admission control plugin AlwaysPullImages is set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] |
0 credits | 47 pages | 302.56 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
Rancher_Hardening_Guide.md 11/30/2018 1 / 24 Rancher Hardening Guide Rancher v2.1.x Version: 0.1.0 - November 26th 2018 Overview This document provides prescriptive guidance for hardening a production the control plane nodes in the cluster. Rationale Set up the EventRateLimit admission control plugin to prevent clients from overwhelming the API server. The settings below are intended as an initial larger clusters. This supports the following control: 1.1.36 - Ensure that the admission control plugin EventRateLimit is set (Scored) Audit On nodes with the controlplane role run: stat /etc/kubernetes/admission
0 credits | 24 pages | 336.27 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Provisioning 4 4 4 1 Private Registry & Image Management 3 4 4 2 Cluster Upgrades & Version Management 4 4 2 2 Storage Support 4 4 4 3 Arm Support 4 2 1 0 Airgap Support distribution requires the bare minimum of host configuration, usually no more than a supported version of Docker. For edge deployments, SUSE Rancher does not need Docker containers when used with distributions in doing so, operators will lose access to some features of Tanzu. Upgrades are bound to the version of the TKGI CLI and require that users download and install virtual machines and base image templates
0 credits | 39 pages | 488.95 KB | 1 year ago