Rancher Hardening Guide Rancher v2.1.x
cluster host configuration 1.1.1 - Configure default sysctl settings on all hosts Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 2 / 24 Configure sysctl settings to match Rationale We recommend that users launch the kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually. This supports the following kernel.panic=10 kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description
0 credits | 24 pages | 336.27 KB | 1 year ago

Rancher Hardening Guide v2.3.5
Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide v2 Self-Assessment Guide - Rancher v2.3.5. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl root_maxbytes=25000000 Hardening Guide v2.3.5 3 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be
0 credits | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide v2 have any explicit rights assignments. Configure Kernel Runtime Parameters The following sysctl configuration is recommended for all nodes type in the cluster. Set the following parameters in /etc/sysctl panic_on_oops=1 kernel.keys.root_maxbytes=25000000 Run sysctl -p /etc/sysctl.d/90-kubelet.conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be
0 credits | 22 pages | 197.27 KB | 1 year ago

Rancher Kubernetes Engine 2, VMWare vSAN
amounts of data, and it runs fully containerized. This document describes the installation and configuration of SAP Data Intelligence 3 deployed on SUSE's RKE2 and VMWare vsphere and vsan. Disclaimer: virtual machines in the vsphere cluster as dedicated nodes for the RKE 2 cluster Creating the configuration of the vsphere CPI/CSI drivers for the use with RKE 2 Installing RKE 2 Kubernetes cluster on recommendations given above in this guide. Make sure that uuid creation for disks is enabled in the settings for the virtual machines. 7 SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware
0 credits | 29 pages | 213.09 KB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5 Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS Benchmark Rancher Self-Assessment
0 credits | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS 1.5 Benchmark - Self-Assessment
0 credits | 54 pages | 447.97 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. Scoring the commands is different in that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored) the following files: /etc/kubernetes/admission.yaml /etc/kubernetes/event.yaml See Host Configuration for details. Audit (Admissions plugin) docker inspect kube-apiserver | jq -e '.[0].Args[] |
0 credits | 47 pages | 302.56 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) 2 Etcd Node Configuration Files 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) (Automated) 3.2.2 Ensure that the audit policy covers key security concerns (Manual) 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive
0 credits | 132 pages | 1.12 MB | 1 year ago

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
... 43 Configuration details ... the PowerFlex family products. In this solution, the RKE cluster is deployed in a two-layer configuration using PowerFlex compute-only nodes that are deployed with the VMware ESXi hypervisor and dedicated provisioned disks on the PowerFlex backend storage. For more information about configuration of PowerFlex nodes, check the Configuration details. The management node hosts the vCenter appliance, PowerFlex Gateway
0 credits | 45 pages | 3.07 MB | 1 year ago

[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
from the cloud to core and at the edge. Each distribution requires the bare minimum of host configuration, usually no more than a supported version of Docker. For edge deployments, SUSE Rancher does Kubernetes in the most efficient way possible. Kubernetes from SUSE Rancher with RKE uses a configuration syntax designed for clarity and dynamic cluster reconfiguration with no downtime. 3.1.1.2 application clusters happens through the installer GUI or via command-line directives that use a YAML configuration file. Clusters can run on vSphere, Amazon, Microsoft Azure or GCP nodes if operators choose to
0 credits | 39 pages | 488.95 KB | 1 year ago