Rancher Hardening Guide Rancher v2.1.x
  … apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: - level: Metadata … 1.1.4 - Place Kubernetes event limit configuration on each control plane host (Rancher_Hardening_Guide.md, 11/30/2018) Profile Applicability: Level 1. Description: Place the configuration file for Kubernetes event limit configuration on each of the control plane nodes in the cluster. Rationale: Set up the EventRateLimit … On nodes with the controlplane role run: stat /etc/kubernetes/admission.yaml; stat /etc/kubernetes/event.yaml. For each file, ensure that: the file is present; the file mode is 0600; the file owner is …
  24 pages | 336.27 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
  … --make-iptables-util-chains argument is set to true (Scored) • 2.1.10 - Ensure that the --event-qps argument is set to 0 (Scored) • 2.1.13 - Ensure that the RotateKub… … --authorization-mode=Webhook • --protect-kernel-defaults=true • --make-iptables-util-chains=true • --event-qps=0 • --anonymous-auth=false • --feature-gates="RotateKubeletServerCertificate=true" • --tls… … kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true audit_log: enabled: true secrets_encryption_config: enabled: true
  44 pages | 279.78 KB | 1 year ago
Rancher CIS Kubernetes v1.4.0 Benchmark Self-Assessment
  … and configuring details in the following files: /etc/kubernetes/admission.yaml /etc/kubernetes/event.yaml. See Host Configuration for details. Audit (Admissions plugin): docker inspect kube-apiserver … 9 - Ensure that the --event-qps argument is set to 0 (Scored) Audit: docker inspect kubelet | jq -e '.[0].Args[] | match("--event-qps=0").string' Returned Value: --event-qps=0 Result: Pass
  47 pages | 302.56 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
  … --hostname-override argument is not set (Manual) 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated) 4.2.10 Ensure that the --tls-cert-file and --tls-private-… … --hostname-override=cis-aio-0 --fail-swap-on=false --cgroups-per-qos=True --authentication-token-webhook=true --event-qps=0 --v=2 --pod-infra-container-image=rancher/pause:3.1 --authorization-mode=Webhook --network-plugin=cni … configuration errors Audit: /bin/ps -fC kubelet 4.2.9 Ensure that the --event-qps argument is set to 0 or a level which ensures appropriate event capture (Automated) Result: pass Remediation: If using a Kubelet …
  132 pages | 1.12 MB | 1 year ago
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
  … and multi-dimensional event query center available on the console; forwarding to multiple storage backends supported | Unified event query and management | Unified event query and management
  18 pages | 718.71 KB | 1 year ago
Rancher Hardening Guide v2.3.5
  … secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: event_rate_limit: enabled: true kube-controller: extra_args: feature-gates: "Rota… … kube_api: always_pull_images: false audit_log: enabled: true event_rate_limit: enabled: true pod_security_policy: true secrets_encryption_config: … terminated-pod-gc-threshold: '1000' kubelet: extra_args: anonymous-auth: 'false' event-qps: '0' feature-gates: RotateKubeletServerCertificate=true make-iptables-util-chains: …
  21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
  … secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: event_rate_limit: enabled: true kube-controller: extra_args: … kube_api: always_pull_images: false audit_log: enabled: true event_rate_limit: enabled: true pod_security_policy: true secrets_encryption_config: … terminated-pod-gc-threshold: '1000' kubelet: extra_args: anonymous-auth: 'false' event-qps: '0' feature-gates: RotateKubeletServerCertificate=true make-iptables-util-chains: …
  22 pages | 197.27 KB | 1 year ago
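The two checks the hardening guide snippets above describe, the 1.1.4 host file check (file present, mode 0600, owner root) and the kubelet argument checks (2.1.10 / 4.2.9: --event-qps=0, --anonymous-auth=false and the other extra_args listed), as one offline audit script. This is an added example, not Rancher's own code or tooling. It assumes a `docker inspect kubelet` JSON document of the shape the guide's jq filter reads (`.[0].Args`); the sample inspect output embedded below is constructed, not captured from a host, and the function names `check_stat`, `check_file`, `parse_flags` and `check_kubelet_args` are the example's own.

```python
"""Offline CIS-style checks for RKE control-plane files and kubelet flags.

Added illustration, not Rancher's own tooling. Two checks from the guides:
  - host file check (1.1.4): file present, mode 0600, owned by uid 0
  - kubelet argument checks (2.1.10 / 4.2.9): --event-qps=0, --anonymous-auth=false, ...
`docker inspect kubelet` output is read the same way the guide's jq filter does
(.[0].Args). The sample JSON below is constructed, not captured from a real node.
"""
import json
import os
import stat

# Kubelet flags the v2.3/v2.4 hardening guides require, with the expected value.
REQUIRED_KUBELET_ARGS = {
    "--anonymous-auth": "false",
    "--event-qps": "0",
    "--protect-kernel-defaults": "true",
    "--make-iptables-util-chains": "true",
    "--authorization-mode": "Webhook",
}

# Files 1.1.4 expects on every node with the controlplane role.
CONTROLPLANE_FILES = ["/etc/kubernetes/admission.yaml", "/etc/kubernetes/event.yaml"]


def check_stat(path, st_mode, st_uid, expected_mode=0o600, expected_uid=0):
    """Pure check on stat() fields, so it runs without root or the real files."""
    findings = []
    mode = stat.S_IMODE(st_mode)  # strip file-type bits, keep permission bits
    if mode != expected_mode:
        findings.append(f"{path}: mode {mode:04o}, expected {expected_mode:04o}")
    if st_uid != expected_uid:
        findings.append(f"{path}: owner uid {st_uid}, expected {expected_uid}")
    return findings


def check_file(path, **kw):
    """Equivalent of `stat <path>` plus the three conditions from 1.1.4."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    return check_stat(path, st.st_mode, st.st_uid, **kw)


def parse_flags(argv):
    """Map '--k=v', '--k v' and bare '--k' (read as true) to a dict; last value wins."""
    flags, i = {}, 0
    while i < len(argv):
        tok = argv[i]
        if tok.startswith("--"):
            if "=" in tok:
                key, val = tok.split("=", 1)
                flags[key] = val
            elif i + 1 < len(argv) and not argv[i + 1].startswith("--"):
                flags[tok] = argv[i + 1]
                i += 1
            else:
                flags[tok] = "true"
        i += 1
    return flags


def check_kubelet_args(inspect_json, required=REQUIRED_KUBELET_ARGS):
    """Return {flag: (observed value or None, passed)} from `docker inspect kubelet` JSON."""
    argv = json.loads(inspect_json)[0]["Args"]
    flags = parse_flags(argv)
    return {k: (flags.get(k), flags.get(k) == v) for k, v in required.items()}


# Constructed sample of `docker inspect kubelet` output for a hardened kubelet ...
HARDENED_INSPECT = json.dumps([{"Args": [
    "--anonymous-auth=false", "--event-qps=0", "--protect-kernel-defaults=true",
    "--make-iptables-util-chains=true", "--authorization-mode=Webhook", "--v=2",
]}])
# ... and for a default one where the flags were never set (event-qps absent,
# anonymous auth left enabled).
DEFAULT_INSPECT = json.dumps([{"Args": ["--anonymous-auth=true", "--v=2"]}])

if __name__ == "__main__":
    for p in CONTROLPLANE_FILES:
        print(check_file(p) or f"{p}: ok")
    for label, doc in (("hardened", HARDENED_INSPECT), ("default", DEFAULT_INSPECT)):
        print(label, check_kubelet_args(doc))
```

On a real controlplane node, feed `check_kubelet_args` the actual `docker inspect kubelet` output and run the script as root so the owner check is meaningful. `REQUIRED_KUBELET_ARGS` encodes the strict `--event-qps=0` value from the v2.3/v2.4 guides; the CIS 1.6 wording of 4.2.9 also accepts a non-zero level that still captures events, so relax that entry if you audit against 1.6.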
Deploying and Scaling Kubernetes with Rancher
  … you will see various components of Kubernetes: • Controller-manager is a core control loop which continuously watches the state of clusters and takes actions if needed to bring it to the desired …
  66 pages | 6.10 MB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
  … control plane node. contrail-k8s-controller (Control Plane Node): This pod performs the Kubernetes control loop function to reconcile networking resources. It constantly monitors networking resources to make sure …
  72 pages | 1.01 MB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
  … users of the module must not utilize GCM with an externally generated IV. Per [140IG] A.5, in the event module power is lost and restored the consuming application must ensure that any of its AES-GCM keys …
  16 pages | 551.69 KB | 1 year ago
10 results