Rancher Hardening Guide Rancher v2.1.x
… encryption configuration file on each of the RKE nodes that will be provisioned with the controlplane role: Rationale: This configuration file will ensure that the Rancher RKE cluster encrypts secrets at …
… io/v1beta1 kind: Policy rules: - level: Metadata. Remediation: On nodes with the controlplane role: Generate an empty configuration file: touch /etc/kubernetes/audit.yaml. Set the file ownership …
… the admission control plugin EventRateLimit is set (Scored). Audit: On nodes with the controlplane role run: stat /etc/kubernetes/admission.yaml; stat /etc/kubernetes/event.yaml. For each file, ensure …
0 credits | 24 pages | 336.27 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
… cattle • Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx; kubectl get role default-psp-role -n cattle-system; kubectl get clusterrole restricted-clusterrole …
… tions are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions … resourceNames: - default-psp …
… ng namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts …
0 credits | 44 pages | 279.78 KB | 1 year ago
Rancher Hardening Guide v2.3.5
… name: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions …
… namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: s…
… name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions …
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
… name: ingress-nginx --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions …
… namespace: ingress-nginx roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: s…
… name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions …
0 credits | 22 pages | 197.27 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
… on a set of resources. Think of labels as a role, group, or any similar mechanism given to a container or resource. One container can have a database role, while the other can be a load-balancer. Similarly …
… clouds. • Rancher enables teams to set up and manage multiple Kubernetes environments, and provides role-based access control (RBAC) for both teams and individuals for each environment. • Rancher's …
… component: elk role: logspout spec: replicas: 1 selector: component: elk role: logspout template: metadata: labels: component: elk role: logspout …
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
… needed for the Kubernetes cluster. Minimum sizing of the nodes needs to be as shown below:
  Server Role             Count  RAM     CPU  Disk space
  Management Workstation  1      16 GiB  4    >100 GiB
  Master Node             3      16 GiB  4    >120 …
… credentialsSecret: generate: true cloudControllerManager: nodeSelector: node-role.kubernetes.io/control-plane: "true" EOF. In the same directory, the file rancher-vsphere-csi-config …
0 credits | 29 pages | 213.09 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
… newly created cluster name. 6. Click Get Registration Command. 7. Select the required node role and copy the command. Installation of the SUSE Rancher Kubernetes cluster … SUSE Rancher …
… is registered with the cluster. Repeat this step for each Kubernetes node with the required node role. Once all the nodes are registered, it is displayed under the Nodes tab of the cluster. PowerFlex …
… for CustomResourceDefinitions. • Get, Create, and Update ClusterRoleBinding for 'cluster-admin' role. • Create and Update for the PowerProtect namespace. • Get, List, Create, Update, Delete, and …
0 credits | 45 pages | 3.07 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
… Cryptographic Ciphers (Automated) 5.1 RBAC and Service Accounts 5.1.1 Ensure that the cluster-admin role is only used where required (Manual) 5.1.2 Minimize access to secrets (Manual) 5.1.3 Minimize wildcard …
… cluster-admin role is only used where required (Manual) Result: warn. Remediation: Identify all clusterrolebindings to the cluster-admin role. Check if they are used and if they need this role or if they could use a role with fewer privileges. Where possible, first bind users to a lower privileged role and then remove the clusterrolebinding to the cluster-admin role: kubectl delete clusterrolebinding …
0 credits | 132 pages | 1.12 MB | 1 year ago
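The 5.1.1 remediation above says to identify every clusterrolebinding to cluster-admin, move its subjects to a less privileged role where possible, and then delete the binding. The script below is an added example, not code from the CIS guide, from Rancher, or from any document in this listing: it performs the identification step on the parsed output of `kubectl get clusterrolebindings -o json`, keeps bindings with no subjects in the report (they are one edit away from granting cluster-admin), and prints the `kubectl delete clusterrolebinding` commands for review. The input embedded in `SAMPLE_CRB_LIST` is constructed and every binding and subject name in it is made up; the only assumption beyond the kubectl JSON shape is that the bootstrap binding `cluster-admin` to group `system:masters` is kept.

```python
"""Audit ClusterRoleBindings that grant cluster-admin (CIS Kubernetes Benchmark 5.1.1).

Constructed example, not code from the CIS guide or from Rancher. It parses the output of
`kubectl get clusterrolebindings -o json`, lists every subject bound to the cluster-admin
ClusterRole and builds the `kubectl delete clusterrolebinding` commands the benchmark's
remediation describes for the bindings that are not the Kubernetes bootstrap default.
Binding and subject names in SAMPLE_CRB_LIST are made up.
"""
import json
import subprocess
from typing import Dict, List

# Kubernetes creates this binding itself at bootstrap (ClusterRole cluster-admin ->
# Group system:masters). It is reported so it shows up in the audit, but excluded from
# the generated remediation because removing it breaks the bootstrap admin identity.
DEFAULT_BINDING = ("cluster-admin", "Group", "system:masters")


def cluster_admin_bindings(crb_list: dict) -> List[Dict[str, object]]:
    """Return one record per subject of each ClusterRoleBinding whose roleRef is cluster-admin.

    A binding with no subjects grants nothing today, but anyone allowed to edit it can grant
    cluster-admin by adding a subject, so it is reported with kind/name "-" rather than skipped.
    """
    records: List[Dict[str, object]] = []
    for crb in crb_list.get("items", []):
        ref = crb.get("roleRef", {})
        if ref.get("kind") != "ClusterRole" or ref.get("name") != "cluster-admin":
            continue
        binding = crb["metadata"]["name"]
        subjects = crb.get("subjects") or [{"kind": "-", "name": "-"}]
        for subj in subjects:
            kind, name = subj.get("kind", "-"), subj.get("name", "-")
            records.append({
                "binding": binding,
                "kind": kind,
                "subject": name,
                "namespace": subj.get("namespace", ""),  # only set for ServiceAccount subjects
                "default": (binding, kind, name) == DEFAULT_BINDING,
            })
    return records


def remediation_commands(records: List[Dict[str, object]]) -> List[str]:
    """One `kubectl delete clusterrolebinding NAME` per non-default binding, in audit order.

    The benchmark says to bind the subject to a less privileged role first; these commands
    are a proposal to review, not something to run unattended.
    """
    names: List[str] = []
    for rec in records:
        if not rec["default"] and rec["binding"] not in names:
            names.append(str(rec["binding"]))
    return [f"kubectl delete clusterrolebinding {n}" for n in names]


def live_clusterrolebindings() -> dict:
    """Fetch the real list from the current kubeconfig context (needs kubectl on PATH)."""
    out = subprocess.run(["kubectl", "get", "clusterrolebindings", "-o", "json"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)


def _crb(name: str, role: str, subjects: List[dict]) -> dict:
    """Build a minimal ClusterRoleBinding object in the shape kubectl returns."""
    return {
        "metadata": {"name": name},
        "roleRef": {"apiGroup": "rbac.authorization.k8s.io", "kind": "ClusterRole", "name": role},
        "subjects": subjects,
    }


# Constructed sample: the bootstrap default, three bindings an audit should question,
# and one binding to a different ClusterRole that must be ignored.
SAMPLE_CRB_LIST = {"items": [
    _crb("cluster-admin", "cluster-admin",
         [{"kind": "Group", "name": "system:masters"}]),
    _crb("ci-deployer-admin", "cluster-admin",
         [{"kind": "ServiceAccount", "name": "ci-deployer", "namespace": "ci"}]),
    _crb("dev-team-admin", "cluster-admin",
         [{"kind": "Group", "name": "dev-team"}, {"kind": "User", "name": "alice"}]),
    _crb("orphaned-admin", "cluster-admin", []),
    _crb("view-all", "view", [{"kind": "Group", "name": "system:authenticated"}]),
]}

if __name__ == "__main__":
    found = cluster_admin_bindings(SAMPLE_CRB_LIST)
    for rec in found:
        tag = "default" if rec["default"] else "REVIEW"
        ns = f" ns={rec['namespace']}" if rec["namespace"] else ""
        print(f"{tag:8} {rec['binding']:20} {rec['kind']}/{rec['subject']}{ns}")
    print("\n".join(remediation_commands(found)))
```

Replace `SAMPLE_CRB_LIST` with `live_clusterrolebindings()` to run it against a real cluster; the ServiceAccount namespace in each record tells you which workload (here the made-up `ci-deployer`) would lose access when the binding is removed, which is the information needed to pick the lower privileged role the benchmark asks for.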
Rancher CIS Kubernetes v.1.4.0 Benchmark Self-Assessment
… kube-apiserver and kubelet. Mitigation: Make sure nodes with role:controlplane are on the same local network as your nodes with role:worker. Use network ACLs to restrict connections to the kubelet …
… creating clusters with Rancher rather than using RKE alone. 1.6.1 - Ensure that the cluster-admin role is only used where required (Not Scored) Rancher has built in support for maintaining and enforcing …
0 credits | 47 pages | 302.56 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
… Kubernetes control plane can only run on Linux nodes, and the Windows nodes can only have the worker role. Windows nodes can only be used for deploying workloads and can only be added if Windows support …
… to establish and maintain a secure configuration baseline for Kubernetes. • RBAC policies: Role-based Access Control (RBAC) policies are vital for the correct management of your cluster, as they …
… Management Platforms. Copyright © SUSE 2022 … actions are permitted, depending on the user and their role in your organization. Common RBAC policies include securing your cluster by granting privileged …
0 credits | 39 pages | 488.95 KB | 1 year ago
13 results total