Rancher Hardening Guide v2.3.5
… file called account_update.yaml … apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update … permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" … not recommended for production use --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-allow-all spec: podSelector: {} policyTypes: - Ingress - Egress
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Save the following yaml to a file called account_update.yaml apiVersion: v1 kind: ServiceAccount metadata: name: default automountServiceAccountToken: false Create a bash script file called account_update … permissions. #!/bin/bash -e for namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl patch serviceaccount default -n ${namespace} -p "$(cat account_update.yaml)" … not recommended for production use --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-allow-all spec: podSelector: {} ingress: - {} egress: - {}
0 credits | 22 pages | 197.27 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
… apiVersion: v1 kind: Service metadata: name: frontend labels: app: guestbook tier: frontend spec: # if your cluster … You can also add namespaces with simple YAML configuration: apiVersion: v1 kind: Namespace metadata: name: test-namespace ©Rancher Labs 2017. All rights Reserved. … and look at some important aspects of how it affects behavior. apiVersion: v1 kind: Service metadata: name: frontend labels: name: frontend spec: type: NodePort ports: - port:
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
… root:root The file contains: apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: - level: Metadata Remediation On nodes with the controlplane role: Generate an empty configuration file: touch … t.yaml Set the contents to: apiVersion: audit.k8s.io/v1beta1 kind: Policy rules: - level: Metadata 1.1.4 - Place Kubernetes event limit configuration on each control plane host … following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions
0 credits | 24 pages | 336.27 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
… items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken == null) or (.automountServiceAccountToken == true)) | "fail \(.metadata.name) \(.metadata.namespace)"')" if … select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name=="default").metadata.uid' | wc -l)" if [[ "${default_binding}" -gt 0 ]]; then echo "fail: default … null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.3 Minimize
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
… items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken == null) or (.automountServiceAccountToken == true)) | "fail \(.metadata.name) \(.metadata.namespace)"')" if … select(.subjects[].kind=="ServiceAccount" and .subjects[].name=="default" and .metadata.name=="default").metadata.uid' | wc -l)" if [[ "${default_binding}" -gt 0 ]]; then echo "fail: default … json | jq .items[] | jq -r 'select((.spec.hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.3 Minimize
0 credits | 54 pages | 447.97 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
… following options are set: addons: | apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions … resourceNames: podsecuritypolicies verbs: - use --- apiVersion: rbac.authorization.k8s.io/v1 kind: RoleBinding metadata: name: default-psp-rolebinding namespace: ingress-nginx roleRef: apiGroup: rbac.authorization … system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules:
0 credits | 44 pages | 279.78 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
… ERR count_sa=$(kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default") | select((.automountServiceAccountToken == null) or (.automountServiceAccountToken == true))' | jq .metadata.namespace | wc -l) if [[ ${count_sa} -gt 0 ]]; then echo "false" exit fi for ns in $(kubectl … json | jq .items[] | jq -r 'select((.spec.hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected Result: 1 is greater than 0 Returned
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
… using VMware vSAN and vSphere $ cat <apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-cpi labels: namespace: kube-system spec: valuesContent: |- … anifests/rancher-vsphere-csi-config.yaml apiVersion: helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-csi namespace: kube-system spec: valuesContent: |- vCenter: … Intelligence installation: $ cat < ingress.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: nginx nginx.ingress.kubernetes.io/force-ssl-redirect:
0 credits | 29 pages | 213.09 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
… configuration. The logging operator utilizes Fluent Bit to query the Kubernetes API and enriches logs with metadata on pods. Fluentd then filters, transfers and logs to multiple outputs. SUSE Rancher also supports … OpenShift can log all interactions with the OCP API, including request and response body and metadata. OpenShift collects logs from applications, infrastructure and audit logs. This information can … source backup solution maintained by VMware. Operators can install Velero and back up cluster metadata, workload configuration and workload data. These backups can be restored into a new cluster. For
0 credits | 39 pages | 488.95 KB | 1 year ago
13 results in total