Hardening Guide - Rancher v2.3.3+
Contents: Hardening Guide for Rancher 2.3.3+ with Kubernetes 1.16 (p. 2); Overview (p. 2); Profile Definitions (p. 2); 1.1 - Rancher RKE Kubernetes cluster host configuration (p. 3); 1.1.1 - Configure default sysctl settings on all hosts (p. 3); ... 1.4.11 Ensure that the etcd data directory permissions ...
0 码力 | 44 pages | 279.78 KB | 1 year ago
Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
... /contrail-readiness-controller.yaml [p. 30] Check that the controller has come up: kubectl get pods -n contrail-readiness ... Manifests. SUMMARY: We provide sample manifests to make your installation easier ... contrail-analytics-.tgz [p. 36] 2. To install Contrail Analytics with a single instance of Prometheus: helm -n contrail-analytics install analytics contrail-analytics-.tgz --create-namespace. The --create-namespace ... available metric system. b. Install Contrail Analytics (referencing the thanos-values.yaml file): helm -n contrail-analytics install analytics contrail-analytics-.tgz -f thanos-values.yaml --create-namespace
0 码力 | 72 pages | 1.01 MB | 1 year ago
Rancher Kubernetes Cryptographic Library
FIPS 140-2 Non-Proprietary Security Policy
... ports of the tested platforms | API return values
Power input | Physical ports of the tested platforms | N/A
As a software module, control of the physical ports is outside module scope; however, when the ...
Service                         | Functions       | Keys and/or CSPs                            | Roles    | Access Rights to Keys and/or CSPs
Module Initialization           | N/A             | N/A                                        | CO       | N/A
Symmetric Encryption/Decryption | AES, Triple-DES | AES, Triple-DES symmetric keys             | User, CO | Execute
Keyed Hashing                   | HMAC-SHA        | HMAC key                                   | User, CO | Execute
Hashing                         | SHS             | None                                       | User, CO | N/A
Random Bit Generation           | CTR_DRBG        | DRBG seed, internal state V and Key values | User, CO | Write/Execute
0 码力 | 16 pages | 551.69 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster
using CSI Driver on DELL EMC PowerFlex
... (192.168.153.111) a Control Plane host (y/n)? [y]:
[+] Is host (192.168.153.111) a Worker host (y/n)? [n]: y
[+] Is host (192.168.153.111) an etcd host (y/n)? [n]: y
[+] Override Hostname of host (192 ...
... domain [cluster.local]:
[+] Service Cluster IP Range [10.43.0.0/16]:
[+] Enable PodSecurityPolicy [n]:
[+] Cluster Network CIDR [10.42.0.0/16]:
[+] Cluster DNS Service IP [10.43.0.10]:
[+] Add addon ...
... jetstack/cert-manager -n cert-manager --version v1.2.0 --wait
7. Run the following command to check the cert-manager namespace for running pods to verify that it is deployed correctly:
$ kubectl get pods -n cert-manager
0 码力 | 45 pages | 3.07 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
... default-psp-role -n ingress-nginx
kubectl get role default-psp-role -n cattle-system
kubectl get clusterrole psp:restricted
Verify the bindings are set correctly:
kubectl get rolebinding -n ingress-nginx default-psp-rolebinding
kubectl get rolebinding -n cattle-system default-psp-rolebinding
kubectl get clusterrolebinding psp:restricted
Verify the restricted PSP is present:
kubectl get psp restricted
Verify the Rancher deployment has the --add-local=false option set:
kubectl get deployment rancher -n cattle-system -o yaml | grep 'add-local'
In the Rancher UI go to Clusters in the Global view and verify ...
0 码力 | 24 pages | 336.27 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self-Assessment
... a lockfile. Permissions on this file do not need to be as restrictive as the CNI files.
stat -c "%n - %a" /var/lib/cni/networks/k8s-pod-network/*
Returned Value:
/var/lib/cni/networks/k8s-pod-network/10 ... d_ip.0 - 644
/var/lib/cni/networks/k8s-pod-network/lock - 750
Audit ( /etc/cni/net.d )
stat -c "%n - %a" /etc/cni/net.d/*
Returned Value:
/etc/cni/net.d/10-canal.conflist - 664
/etc/cni/net.d/calico-kubeconfig ...
... Scored)
Notes: This is a manual check.
Audit ( /var/lib/cni/networks/k8s-pod-network )
stat -c "%n - %U:%G" /var/lib/cni/networks/k8s-pod-network/*
Returned Value:
/var/lib/cni/networks/k8s-pod-network/10 ...
0 码力 | 47 pages | 302.56 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere
... $ cat CA.pem > cert_with_cr
$ tr -d '\r' < cert_with_cr > cert
$ kubectl -n create secret generic cmcertificates --from-file=cert
5.2 Downloading the SLC ... backup. If you forgot to note it down, the following command will list the service port:
$ kubectl -n sap-slcbridge get svc
... $ kubectl -n $NAMESPACE create secret tls vsystem-tls-certs --key decrypted-.key --cert .crt
0 码力 | 29 pages | 213.09 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
... %U:%G ${INPUT_DIR}) != "root:root" ]]; then
  echo "false"
  exit
fi
statInfoLines=$(stat -c "%n %U:%G" ${INPUT_DIR}/*)
while read -r statInfoLine; do
  f=$(echo ${statInfoLine} | cut -d' ' -f1)
  ...
fi
PERMISSION=""
if [[ "$2" != "" ]]; then
  PERMISSION=$2
fi
FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN})
while read -r fileInfo; do
  p=$(echo ${fileInfo} | cut -d' ' -f2)
  if [[ "${PERMISSION}" ...
0 码力 | 132 pages | 1.12 MB | 1 year ago
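Both CIS entries above (the v1.4.0 self-assessment and the 1.6 guide) audit CNI and kubeconfig files by running stat and comparing owner and mode against an expected value by hand or in partially shown script fragments. The following is an added example written for this page, not a script taken from any of the listed Rancher guides: one shell function that performs both checks over a directory and reports every file that is owned by someone other than the expected user:group or that carries a permission bit the ceiling mode lacks. It assumes GNU coreutils stat (Linux); the function name check_file_perms and its DIR, MAX_MODE and OWNER arguments are this example's own naming.

```shell
#!/bin/sh
# Added example for the CIS file-permission checks quoted above; not from the
# Rancher guides. Assumes GNU stat (Linux); the function name and arguments are
# this example's own.
#
# check_file_perms DIR MAX_MODE OWNER
#   DIR      directory whose regular entries are audited (e.g. /etc/cni/net.d)
#   MAX_MODE most permissive acceptable octal mode (e.g. 644)
#   OWNER    expected user:group (e.g. root:root)
# Exit status 0 when every file passes; 1 otherwise, with one line per finding.
check_file_perms() {
    dir=$1; max=$2; want=$3; rc=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        mode=$(stat -c %a "$f")          # e.g. 664
        owner=$(stat -c %U:%G "$f")      # e.g. root:root
        # "644 or more restrictive" means no bit set that MAX_MODE does not set.
        # Leading 0 makes the shell parse both values as octal.
        if [ $(( 0$mode & ~0$max )) -ne 0 ]; then
            echo "$f: mode $mode is looser than $max"
            rc=1
        fi
        if [ "$owner" != "$want" ]; then
            echo "$f: owner $owner, expected $want"
            rc=1
        fi
    done
    return $rc
}
```

With a 644 ceiling, the /etc/cni/net.d/10-canal.conflist at 664 shown in the v1.4.0 output above would be reported, while the 750 lockfile passes or fails depending on the ceiling you pass for that directory, which is why the guide treats the two directories as separate audits. Run it as check_file_perms /etc/cni/net.d 644 root:root on a node.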
Rancher Hardening Guide v2.3.5
... namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)"
done
Ensure that all Namespaces have Network Policies ...
... namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl apply -f default-allow-all.yaml -n ${namespace}
done
Execute this script to apply the default-allow-all.yaml, the permissive NetworkPolicy ...
0 码力 | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
... namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)"
done
Ensure that all Namespaces have Network Policies ...
... namespaces -A -o json | jq -r '.items[].metadata.name'); do
  kubectl apply -f default-allow-all.yaml -n ${namespace}
done
Execute this script to apply the default-allow-all.yaml, the permissive NetworkPolicy ...
0 码力 | 22 pages | 197.27 KB | 1 year ago
14 results in total