v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated)

server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the controller manager

server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the API server. All configuration manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for the controller manager

ority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership Pass 1.1.2 - Ensure that the --basic-auth-file argument is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--basic-auth-file=.*").string' Returned Value: null Result: 1.1.20 - Ensure that the --token-auth-file parameter is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--token-auth-file=.*").string' Returned Value: null Result:

Create a Kubernetes encryption configuration file on each of the RKE nodes that will be provisioned with the controlplane role: Rationale This configuration file will ensure that the Rancher RKE cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: The file is present The file mode is 0600 The file owner is root:root The file contains: apiVersion: v1 kind: EncryptionConfig resources: configuration file: Rancher_Hardening_Guide.md 11/30/2018 4 / 24 head -c 32 /dev/urandom | base64 -i - touch /etc/kubernetes/encryption.yaml Set the file ownership to root:root and the permissions to 0600

installing RKE. The uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the yaml to a file called account_update.yaml Hardening Guide v2.3.5 4 apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name');

installing RKE. The uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the following yaml to a file called account_update.yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl

is complete. To execute the installation binary, operators can customize the install-config.yaml file to access additional customizations for the automated installer. Users can also install OpenShift clusters happens through the installer GUI or via command-line directives that use a YAML configuration file. Clusters can run on vSphere, Amazon, Microsoft Azure or GCP nodes if operators choose to use the OpenShift: 4 • Tanzu: 4 • Anthos: 1 3.1.10.1 SUSE Rancher SUSE Rancher uses a granular permissions scheme to grant or deny access to resources at the Global, Cluster, and Namespace levels. Users

NeonSAN, a fully self-developed production-grade distributed block storage, and a distributed file storage system available; Built-in OpenEBS to support dynamic consumption of LocalPV; integration Kubernetes RBAC for different levels, including platform, cluster, and application; custom role permissions supported; Multi-tenant (cluster, workspace, project) isolation supported for all features

PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --audit-log-path=/var/log/kube-audit/audit-log.json --audit-log-maxage=30 --audit-log-maxage=30 --audit-log-maxbackup=10 --audit-log-maxsize=100 --audit-log-format=json --audit-policy-file=/etc/kubernetes/audit-policy.yaml --tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_E PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission.yaml --audit-log-path=/var/log/kube-audit/audit-log.json --audit-log-maxage=30