CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Automated) 1
0 credits | 132 pages | 1.12 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require in as arguments at container run time. 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require
0 credits | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
1.1 Master Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require in as arguments at container run time. 1.1.5 Ensure that the scheduler pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require
0 credits | 54 pages | 447.97 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
ority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership Result: Pass 1.4 - Configuration Files 1.4.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Notes RKE doesn't require or maintain a configuration Result: Pass (Not Applicable) 1.4.3 - Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Notes RKE doesn't require or maintain a configuration
0 credits | 47 pages | 302.56 KB | 1 year ago

[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
simplified cluster operations • Consistent Security Policy and User Management: best-practice security policy enforcement and advanced user management on any infrastructure • Access to Shared Tools and Rancher 2.6 is a showcase of the acquisition’s success and includes a new user experience designed for the enterprise user, full lifecycle management across the three major hyperscalers and a strengthened 3 Security Policy and User Management A key benefit of deploying a Kubernetes Management Platform is implementing best practice security policy enforcement and advanced user management on any infrastructure
0 credits | 39 pages | 488.95 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
base64 -i - touch /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/encryption.yaml chmod 0600 /etc/kubernetes/encryption configuration file: touch /etc/kubernetes/audit.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/audit.yaml chmod 0600 /etc/kubernetes/audit.yaml Set /etc/kubernetes/admission.yaml touch /etc/kubernetes/event.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/admission.yaml chown root:root /etc/kubernetes/event
0 credits | 24 pages | 336.27 KB | 1 year ago

Rancher Hardening Guide v2.3.5
Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster the settings. Configure etcd user and group A user account and group for the etcd service is required to be set up prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run the following console commands. addgroup --gid 52034
0 credits | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster the settings. Configure etcd user and group A user account and group for the etcd service is required to be set up prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run the following console commands. groupadd --gid 52034
0 credits | 22 pages | 197.27 KB | 1 year ago

Competitor Analysis: KubeSphere vs. Rancher and OpenShift
Isolation of tenants in workspaces and tenant quota management available to meet business needs; User group management supported; Built-in account roles on top of abstraction of Kubernetes RBAC custom role permissions supported; Multi-tenant (cluster, workspace, project) isolation supported for all features on the platform Project-level tenant management supported; User role permission into a unified container platform product, ensuring consistent user experience in all features and interoperability and minimizing user barriers. KubeSphere Functional Architecture 1.3.2 OpenShift
0 credits | 18 pages | 718.71 KB | 1 year ago

Hardening Guide - Rancher v2.3.3+
ation • On the etcd server node(s) add the etcd user: useradd -c "Etcd user" -d /var/lib/etcd etcd Record the uid/gid: id etcd • Add the following to cluster.yml etcd section under services: services: etcd: uid:user uid recorded previously> gid: user gid recorded previously> 2.1 - Rancher HA Kubernetes Cluster require administrative privileges. Any role that is not admin or user should be audited in the RBAC section of the UI to ensure that the
0 credits | 44 pages | 279.78 KB | 1 year ago

18 results in total