Hardening Guide - Rancher v2.3.3+
Contents: Hardening Guide for Rancher 2.3.3+ with Kubernetes 1.16 (p. 2); Overview (p. 2); Profile Definitions (p. 2); 1.1 - Rancher RKE Kubernetes cluster host configuration (p. 3); 1.1.1 - Configure default sysctl settings on all hosts (p. 3); 1.4.11 Ensure that the etcd data directory permissions are set ...
0 credits | 44 pages | 279.78 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
... was removed in 1.14, so it cannot be set. Result: Pass
1.1.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Scored)
Audit: docker inspect kube-apiserver | jq -e '.[0].Args[] | m captures[].string'
Returned Value: null
Result: Pass
1.1.11 - Ensure that the admission control plugin AlwaysPullImages is set (Scored)
Audit: docker inspect kube-apiserver | jq -e '.[0].Args[] | string'
Returned Value: AlwaysPullImages
Result: Pass
1.1.12 - Ensure that the admission control plugin DenyEscalatingExec is set (Scored)
Audit: docker inspect kube-apiserver | jq -e '.[0].Args[] | ...
0 credits | 47 pages | 302.56 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
... admission control plugin EventRateLimit is set (Automated)
1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated)
1.2.12 Ensure that the admission control plugin AlwaysPullImages ...
... 2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual)
1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated)
1.2.15 Ensure that the admission control plugin NamespaceLifecycle is set (Automated)
1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated)
1.2.17 Ensure that the admission control plugin NodeRestriction ...
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
... ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%')
docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %a
Audit Execution: ... ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%')
docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G
Audit Execution: ... below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl
Audit: stat -c %U:%G /etc/kubernetes/ssl
Expected result: 'root:root'
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
... ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%')
docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %a
Audit Execution: ... ${etcd_bin} | grep -- --data-dir | sed 's%.*data-dir[= ]\([^ ]*\).*%\1%')
docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "${test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G
Audit Execution: ... below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl
Audit: stat -c %U:%G /etc/kubernetes/ssl
Expected result: 'root:root'
0 credits | 54 pages | 447.97 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
... the workloads reside in the worker nodes in the distributed workload clusters. The Contrail CNI plugin and vRouter sit in the worker nodes of the workload clusters. The Kubernetes control plane in the ...
... 17h v1.25.10+rke2r1
rke2-a2 Ready 17h v1.25.10+rke2r1
rke2-s1 Ready control-plane,etcd,master 17h v1.25.10+rke2r1
You can see that the nodes are ...
0 credits | 72 pages | 1.01 MB | 1 year ago
Rancher Hardening Guide v2.3.5
... has execute permissions.
#!/bin/bash -e
for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl patch serviceaccount default -n ${namespace} -p "$(cat ...
... out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information ...
... has execute permissions.
#!/bin/bash -e
for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl apply -f default-allow-all.yaml -n ${namespace}
done
Execute ...
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
... has execute permissions.
#!/bin/bash -e
for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl patch serviceaccount default -n ${namespace} -p "$(cat ...
... out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information ...
#!/bin/bash -e
for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl apply -f default-allow-all.yaml -n ${namespace}
done
Execute ...
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
... the control plane nodes in the cluster.
Rationale: Set up the EventRateLimit admission control plugin to prevent clients from overwhelming the API server. The settings below are intended as an initial ... larger clusters. This supports the following control: 1.1.36 - Ensure that the admission control plugin EventRateLimit is set (Scored)
Audit: On nodes with the controlplane role run: stat /etc/kubernetes/admission ...
... admission control plugin AlwaysPullImages is set (Scored)
1.1.12 - Ensure that the admission control plugin DenyEscalatingExec is set (Scored)
1.1.14 - Ensure that the admission control plugin NamespaceLifecycle ...
0 credits | 24 pages | 336.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
... 111) [none]:
[+] Docker socket path on host (192.168.153.111) [/var/run/docker.sock]:
[+] Network Plugin Type (flannel, calico, weave, canal, aci) [canal]:
[+] Authentication Strategy [x509]:
[+] Authorization ...
... AGE
rancher-7f4df87477-mfcxc 1/1 Running 1 36d
rancher-webhook-b5b7b76c4-r9nwn 1/1 Running 1 36d
Result: Rancher is up and running. Installation of the ...
vxflexos-node-6gnlc 2/2 Running 0 15d
vxflexos-node-vswl2 2/2 Running 0 15d
vxflexos-node-zr2r4 2/2 Running 0 15d
$
For more information about CSI driver installation, see GitHub. 9. ...
0 credits | 45 pages | 3.07 MB | 1 year ago
14 results in total