Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
Critical Security Parameter CVL Component Validation List DRBG Deterministic Random Number Generator DTR Derived Test Requirements ECDSA Elliptic Curve Digital Signature Algorithm EC DH Elliptic Derivation Function KTS Key Transport Scheme KW Key Wrap NDRNG Non-Deterministic Random Number Generator NIST National Institute of Standards and Technology OE Operating Environment OS Operating as specified in Section 5 of [SP 800-133 r2]. The module employs a [SP 800-90A r1] random bit generator for creation of the seed for asymmetric key generation. The module requests a minimum number of
0 credits | 16 pages | 551.69 KB | 1 year ago | 3
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure
0 credits | 132 pages | 1.12 MB | 1 year ago | 3
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require or maintain arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn't require or maintain a configuration container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require or maintain
0 credits | 54 pages | 447.77 KB | 1 year ago | 3
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require or maintain arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn't require or maintain a configuration container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn't require or maintain
0 credits | 54 pages | 447.97 KB | 1 year ago | 3
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
that the --kubelet-certificate-authority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--anonymous-auth=false").string' Returned
0 credits | 47 pages | 302.56 KB | 1 year ago | 3
Rancher Hardening Guide Rancher v2.1.x
kubelet would set if allowed. Rationale We recommend that users launch the kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit Verify vm.overcommit_memory = 1 sysctl vm.overcommit_memory Verify kernel sysctl kernel.panic Verify kernel.panic_on_oops = 1 sysctl kernel.panic_on_oops Remediation Set the following parameters in /etc/sysctl.conf on all nodes: vm.overcommit_memory=1 kernel.panic=10
0 credits | 24 pages | 336.27 KB | 1 year ago | 3
Deploying and Scaling Kubernetes with Rancher
Cluster A cluster is a set of machines (physical or virtual) on which your applications are managed and run. For Kubernetes, all machines are managed as a cluster (or set of clusters, depending on name and value. The key-value pairs can be used to filter, organize and perform mass operations on a set of resources. Think of labels as a role, group, or any similar mechanism given to a container or running. In cases where only one replica of a pod needs to be running, its replication factor can be set to 1, in which case Kubernetes will bring it back up if it goes down. Autoscaling of pods replicas
0 credits | 66 pages | 6.10 MB | 1 year ago | 3
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
across private and public clouds. Cloud-Native Contrail Networking (CN2) brings this rich SDN feature set natively to Kubernetes as a networking platform and container network interface (CNI) plug-in. Redesigned consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed set of data planes scalability, and availability inherent to the Kubernetes architecture, while supporting a rich SDN feature set that can meet the requirements of enterprises and service providers alike. Enterprises and service
0 credits | 72 pages | 1.01 MB | 1 year ago | 3
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
standard hardware and deliver extreme SLA outcomes. PowerFlex aggregates resources across a broad set of nodes, unlocking massive input, output, and throughput performance while minimizing the latency Security, policy, and user management SUSE Rancher lets you automate processes and applies a consistent set of user access and security policies to all your clusters, no matter where they are running. Shared resizes the volume. The node section of the Helm chart installs the following components in a daemon set in the namespace vxflexos: • CSI driver for Dell EMC PowerFlex. • Kubernetes Node Registrar
0 credits | 45 pages | 3.07 MB | 1 year ago | 3
Hardening Guide - Rancher v2.3.3+
installing Rancher 2.3.3 or above, provide the following flag: --set addLocal="false" 3.1.2 - Enable Rancher Audit logging Profile Applicab true # # # Currently only nginx ingress provider is supported. # # To disable ingress controller, set `provider: none` # # To enable ingress on specific nodes, use the node_selector, eg: # provider: nginx
0 credits | 44 pages | 279.78 KB | 1 year ago | 3
16 items in total