Multi-Cluster CN2 on Rancher RKE2 | 28 Install Contrail Tools | 29 Install ContrailReadiness Controller | 30 Manifests | 31 Manifests in Release 23.2 | 31 Contrail Tools in Release 23.2 | services in single-cluster and multi-cluster deployments • Highly available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using container and VM workloads (using kubevirt) • Support for DPDK data plane acceleration The Contrail controller automatically detects workload provisioning events such as a new workload being instantiated, network

(Automated) 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.4 Ensure that the controller manager pod specification file ownership root:root (Automated) 1.1.17 Ensure that the controller-manager.conf file permissions are set to 644 or more restrictive (Automated) 1.1.18 Ensure that the controller-manager.conf file ownership is set to root:root 2.35 Ensure that the API Server only makes use of Strong Cryptographic Ciphers (Automated) 1.3 Controller Manager 1.3.1 Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Automated)

1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: file for the controller manager. All configuration is passed in as arguments at container run time. CIS Benchmark Rancher Self-Assessment Guide - v2.4 6 1.1.4 Ensure that the controller manager pod specification

1 Master Node Security Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: file for the controller manager. All configuration is passed in as arguments at container run time. CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 6 1.1.4 Ensure that the controller manager pod

classify resources and use selectors to find them and use them for certain actions. Replication Controller Replication Controllers (RC) are an abstraction used to manage pod lifecycles. One of key uses is important that it is replaced by a new one. To achieve this, Kubernetes uses a replication controller, which ensures that a certain number of replicas of a pod are always running. In cases where only After expanding the Kubernetes stack, you will see various components of Kubernetes: • Controller-manager is a core control loop which continuously watches the state of clusters and takes actions

if you are using a PodSecurityPolicy (PSP). From the CIS Benchmark document: This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact 1 Result: Pass 1.3 - Controller Manager 1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] 2 - Ensure that the --profiling argument is set to false (Scored) Audit docker inspect kube-controller-manager | jq -e '.[0].Args[] | match("--profiling=false").string' Returned Value: --profiling=false

od e s w i t h t h e controlplane r ol e i n s p e c t t h e kube-controller-manager c on t ai n e r : 10 docker inspect kube-controller-manager • Ve r i f y t h e f ol l ow i n g op t i on s ar e s e cluster.yml fi l e e n s u r e t h e f ol l ow i n g op t i on s ar e s e t : services: kube-controller: extra_args: profiling: "false" address: "127.0.0.1" terminated-pod-gc-threshold: "1000" feature-gates: od e s w i t h t h e controlplane r ol e i n s p e c t t h e kube-controller-manager c on t ai n e r : docker inspect kube-controller-manager • Ve r i f y t h e f ol l ow i n g op t i on s ar e s e t

management aggregation architecture: Note: There is an additional 1 Gb link from the PowerFlex controller nodes to the out-of-band management switch. Figure 4. Logical layout of PowerFlex rack access installs the CSI driver container image along with the required Kubernetes sidecar containers. The controller section of the Helm chart installs the following components in a single deployment in the namespace script. 5. Edit myvalues.yaml to set the parameters like file system types, volume name prefix, and controller count, for the installation. 6. Create a config.json for driver configuration. This file contains

4 - Configure controller options Profile Applicability Rancher_Hardening_Guide.md 11/30/2018 12 / 24 Level 1 Description Set the appropriate arguments on the Kubernetes controller manager. Rationale Rationale To address the following controls the options need to be passed to the Kubernetes controller manager. 1.3.1 - Ensure that the --terminated-pod-gc-threshold argument is set as appropriate (Scored) (Scored) Audit On nodes with the controlplane role inspect the kube-controller-manager container: docker inspect kube-controller-manager Verify the following options are set in the command section:

crt Deploy an nginx-ingress controller: For more information, see https://kubernetes.github.io/ingress-nginx/deploy/#bare- metal . Create the nginx-ingress controller as a nodePort service according x/ controller-v0.46.0/deploy/static/provider/baremetal/deploy.yaml Determine the port the nginx controller is redirecting HTTPS to: $ kubectl -n ingress-nginx get svc ingress-nginx-controller The ingress-nginx get svc ingress-nginx-controller NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE ingress-nginx-controller NodePort 10.43.86.90