countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes no responsibility for any inaccuracies in 6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native

NIST National Institute of Standards and Technology OE Operating Environment OS Operating System PCT Pairwise Consistency Test RSA Rivest, Shamir, Adleman algorithm SHA/SHS Secure Hash Algorithm/Standard general-purpose computer (GPC) platforms detailed below: Table 1 - Tested Configurations # Operating System Processor Platform Compiler 1 CentOS 7.8 Intel® Xeon® Silver 4214R with PAA Dell PowerEdge Module conforms to [140IG] 6.1 Single Operator Mode and Concurrent Operators. Each approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the

Linux Enterprise Compliance Security Availability Management The most adaptable Linux operating system Other Linux Datacenter Edge Block Storage Container Security I.a.a.S Copyright © SUSE 2021 5 64 GB 16VCPU Node 64 GB 16VCPU NS: Customer 2 Website 1 (4GB 2vCPU) NS: Customer 1 – Logging System (16GB 4vCPU) Customer 4 Wordpress Admin NS: Customer 4 Wordpress (4GB 2vCPU) https://Wordpress trademarks of SUSE LLC in the United States and other countries. All third-party trademarks are the property of their respective owners. For more information, contact SUSE at: +1 800 796 3700 (U.S./Canada)

Description Configure a restrictive pod security policy (PSP) as the default and create role bindings for system level services to use the less restrictive default PSP. Rationale To address the following controls restrictive default PSP needs to be applied as the default. Role bindings need to be in place to allow system services to still function. 1.7.1 - Do not admit privileged containers (Not Scored) 1.7.2 - Do cattle-system namespace exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS Benchmark Rancher Self-Assessment Guide - v2.4 13 chmod

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 13

command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide (Automated) Result: pass Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root / etc/kubernetes/pki/ Audit: check_files_owner_in_dir Guide - Rancher v2.5.4 12 Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/ kubernetes/pki/*.crt Audit: check_files_permissions

name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts

rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- Hardening Guide v2.4 9 apiVersion: metadata: name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts

Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time