CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
/bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-apiserver.yaml; then stat -c permissions=%a /etc/kubernetes/manifests/kube-apiserver.yaml; fi' 1.1.2 Ensure that the API server pod specification file /bin/sh -c 'if test -e /etc/kubernetes/manifests/kube-apiserver.yaml; then stat -c %U:%G /etc/kubernetes/manifests/kube-apiserver.yaml; fi' CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4 -e /etc/kubernetes/manifests/kube-controller-manager.yaml; then stat -c permissions=%a /etc/kubernetes/manifests/kube-controller-manager.yaml; fi' 1.1.4 Ensure that the controller manager pod specification
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --basic-auth-file=- parameter. Audit: CIS Benchmark authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file= - parameter. Audit: /bin/ps -ef | Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --kubelet-https parameter. Audit: /bin/ps -ef | grep kube-apiserver
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --basic-auth-file=- parameter. Audit: CIS 1.5 Benchmark authentication. Then, edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --token-auth-file= - parameter. Audit: /bin/ps -ef | Remediation: Edit the API server pod specification file /etc/kubernetes/manifests/kube-apiserver.yaml on the master node and remove the --kubelet-https parameter. Audit: /bin/ps -ef | grep kube-apiserver
0 credits | 54 pages | 447.97 KB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
that you will use in this example procedure is k8s/single-cluster/single_cluster_deployer_example.yaml. The procedure assumes that you've placed this manifest into a manifests directory. To install CN2 Apply the Contrail deployer manifest. kubectl apply -f manifests/single_cluster_deployer_example.yaml It may take a few minutes for the nodes and pods to come up. 3. Use standard kubectl commands to
0 credits | 72 pages | 1.01 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
Audit On the control plane hosts for the Rancher HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the permissions to 0600 chown root:root /etc/kubernetes/encryption.yaml chmod 0600 /etc/kubernetes/encryption.yaml Set the contents Rancher_Hardening_Guide.md 11/30/2018 5 / 24 Audit On each control plane node, run: stat /etc/kubernetes/audit.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file
0 credits | 24 pages | 336.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
vider-config=.*").string' Returned Value: encryption-provider-config=/etc/kubernetes/encryption.yaml Result: Pass 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Notes Only the first provider in the list is active. Audit grep -A 1 providers: /etc/kubernetes/encryption.yaml | grep aescbc Returned Value: - aescbc: Result: Pass 1.1.36 - Ensure that the admission control option and configuring details in the following files: /etc/kubernetes/admission.yaml /etc/kubernetes/event.yaml See Host Configuration for details. Audit (Admissions plugin) docker inspect kube-apiserver
0 credits | 47 pages | 302.56 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Network CIDR [10.42.0.0/16]: [+] Cluster DNS Service IP [10.43.0.10]: [+] Add addon manifest URLs or YAML files [no]: $ Installation of the SUSE Rancher Kubernetes cluster 18 kubectl apply -f https://github.com/jetstack/cert-manager/releases/download/v1.2.0/cert-manager.crds.yaml 4. Run the following command to add the Jetstack repo to helm. Jetstack cert-manager helps with (rancher-values.yaml) for SUSE Rancher server, specifying the hostname and other details. In the following example, ranchersles15sp2 is the hostname: $ cat << EOF > rancher-values.yaml hostname: ranchersles15sp2
0 credits | 45 pages | 3.07 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
create option on right top corner. You can input all parameters one by one or simply upload a JSON/YAML format file with specifications of the object to be created. 2.4.3 GUI-Based CRUD Operations Deployment definitions for: o Front End o Redis Master o Redis Slave Open the “frontend-service.yaml” and uncomment the line with content “type: LoadBalancer”, after changes the code should look like: DEPLOYING AND SCALING KUBERNETES WITH RANCHER You can also add namespaces with simple YAML configuration: apiVersion: v1 kind: Namespace metadata: name: test-namespace
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide v2.3.5
must include this value: automountServiceAccountToken: false Save the following yaml to a file called account_update.yaml Hardening Guide v2.3.5 4 apiVersion: v1 kind: ServiceAccount metadata: name: metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" done Ensure that all Namespaces have Network Policies defined Running different applications create a policy that explicitly allows all traffic in that namespace. Save the following yaml as default-allow-all.yaml. Additional documentation about network policies can be found on the Kubernetes site
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
must include this value: automountServiceAccountToken: false Save the following yaml to a file called account_update.yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" done Ensure that all Namespaces have Network Policies defined Running different applications create a policy that explicitly allows all traffic in that namespace. Save the following yaml as default-allow-all.yaml. Additional documentation about network policies can be found on the Kubernetes site
0 credits | 22 pages | 197.27 KB | 1 year ago