Kubernetes. 3.1.9.2 OpenShift OpenShift can log all interactions with the OCP API, including request and response body and metadata. OpenShift collect logs from applications, infrastructure and audit user when determining permissions. Access to external registries use the oc CLI to create image pull secrets and optionally attach them to service accounts. 3.1.11.3 Tanzu vSphere with Tanzu embeds installations. Before performing the installation, an internet-connected workstation must run a script to pull images from the Internet and populate a private registry server within the air-gapped environment

r e c t i v e s t o t h e kube-api s e c t i on u n d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: r e c t i v e s t o t h e kube-api s e c t i on u n d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: '5000' heartbeat-interval: '500' gid: 1000 retention: 72h snapshot: false uid: 1000 kube-api: always_pull_images: true audit_log: enabled: true event_rate_limit: enabled: true extra_args: anonymous-auth:

Example name The name of the custom resource. kubemanager-cluster1 image The repository where you pull images enterprise-hub.juniper.net/ contrail-container-prod/contrail- k8s-kubemanager:23.2.0.156 if you don't already have docker installed. 2. Log in to the Juniper Networks repository where you pull the container images. docker login enterprise-hub.juniper.net Enter your login credentials when

52034 retention: 72h snapshot: false uid: 52034 kube_api: always_pull_images: false audit_log: enabled: true event_rate_limit: enabled:

52034 retention: 72h snapshot: false uid: 52034 kube_api: always_pull_images: false audit_log: enabled: true event_rate_limit: enabled:

above screen, we can configure different hostnames and request paths to be routed to different target services. For example, an incoming request to Rancher.com can be routed to a web application, while load balancer also supports stickiness on requests using cookie. You can define a cookie for all request, and responses and can be customized based on needs of session stickiness: ©Rancher Labs user; underlying storage can be any NFS, EBS, etc. PesistentVolumeClaim: This represents the request by a pod or user for attaching a storage to a running container. If a match is found from pool of

or equal to 100 CIS Benchmark Rancher Self-Assessment Guide - v2.4 24 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) Result: PASS Remediation: Edit the API server pod if needed. For example, --request-timeout=300s Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--request-timeout' is not present OR '--request-timeout' is present 1.2

equal to 100 CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 24 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Scored) Result: PASS Remediation: Edit the API server pod if needed. For example, --request-timeout=300s Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep Expected result: '--request-timeout' is not present OR '--request-timeout' is present 1.2

--audit-log-maxsize argument is set to 100 or as appropriate (Automated) 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) 1.2.27 Ensure that the --service-account-lookup be-apiserver-key.pem -- requestheader-username-headers=X-Remote-User 1.2.26 Ensure that the --request-timeout argument is set as appropriate (Automated) Result: pass Remediation: Edit the API server For example, --request- timeout=300s Audit: /bin/ps -ef | grep kube-apiserver | grep -v grep CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 61 Expected Result: '--request-timeout' is not

Value: --audit-policy-file=/etc/kubernetes/audit.yaml Result: Pass 1.1.38 Ensure that the --request-timeout argument is set as appropriate (Scored) Notes RKE uses the default value of 60s and doesn't specific to the environment. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--request-timeout=.*").string' Returned Value: null Result: Pass Ensure that the --authorization-mode