(VM) workloads, across multi-cluster compute and storage environments, all from a central point of control. It supports hard multi-tenancy for single or multi-cluster environments shared across many tenants The CN2 implementation consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using telemetry and industry standard monitoring and presentation tools

the admission control plugin EventRateLimit is set (Automated) 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) 1.2.12 Ensure that the admission control plugin AlwaysPullImages (Manual) 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated) the admission control plugin NamespaceLifecycle is set (Automated) 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated) 1.2.17 Ensure that the admission control plugin NodeRestriction

that the kubelet initially attempts to change can be set manually. This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit Verify sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the control plane hosts for the Rancher HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that:

security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes commands also make use of the the jq command to provide human- readable formatting. Known Scored Control Failures The following scored controls do not currently pass, and Rancher Labs is working towards flag was removed in 1.14, so it cannot be set. Result: Pass 1.1.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[]

differentiated itself by leveraging Project Pacific, a re-architecture of vSphere with Kubernetes as its control plane. While there are other smaller players in the market, the scope of this guide is limited (OpenShift/OCP4) with Red Hat Advanced Cluster Management for Kubernetes (RHACM), VMware Tanzu Mission Control with Tanzu Kubernetes Grid Integrated Edition (collectively referred to as Tanzu in this guide) Copyright © SUSE 2022 8 The exception to these rules is if the environment uses Tanzu Mission Control (TMC), a VMware SaaS offering for cluster management. If so, then TMC acts as the management cluster

Cluster 1 Node Node Control Plane Worker etcd Node Node Node Node Node Node Node All-in-one nodes (cp/etcd/worker) Node Node Node Node Node Node Node Node Node Node Node Control Plane Worker etcd 12 12 Copyright © SUSE 2021 Customer B Rancher as a Service Managed Kubernetes Cluster Control Plane Worker Node Rancher Management Server (RMS) Cluster etcd Node Node Node Node All-in-one Node (cp/etcd/worker) Managed Kubernetes Cluster Control Plane Worker Node etcd Node Node Node Node Managed Kubernetes Cluster Control Plane Worker Node etcd Node Node Node Node Customer

Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. This guide corresponds to specific versions of the hardening guide, Rancher, Kubernetes Benchmark v1.5 Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable

Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. This guide corresponds to specific versions of the hardening guide, Rancher, CIS Kubernetes v1.15 Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes Benchmark don't apply and will have a result of Not Applicable

Deployments are a fairly recent addition to the project, but provide a powerful and declarative way to control how service updates are performed and is recommended over rolling- updates. 1.3.9 Resource Monitoring Native Kubernetes Support in Rancher Rancher natively supports Kubernetes and allows users to control its features through a simple and intuitive UI. Kubernetes can be launched in a matter of minutes stack, you will see various components of Kubernetes: • Controller-manager is a core control loop which continuously watches the state of clusters and takes actions if needed to bring it to

Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control DEV DATA CENTER CLOUD BRANCH 5G / EDGE ✔ Common API & Packaging ✔ Health Checks/HA ✔ Load Balancing Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control ✔ Common API & Packaging ✔ Health Checks/HA ✔ Load Balancing ✔ Overlay Networking ✔ Network Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control Common compute platform across any infrastructure & a consistent set of infrastructure capabilities