Rancher Kubernetes Engine 2, VMWare vSAN
for the Kubernetes cluster. Minimum sizing of the nodes needs to be as shown below: Server Role Count RAM CPU Disk space Management Workstation 1 16 GiB 4 >100 GiB Master Node 3 16 GiB 4 >120 GiB Worker printed book. We recommend this License principally for works whose purpose is instruction or reference. 1. APPLICABILITY AND DEFINITIONS This License applies to any manual or other work, in any medium
0 points | 29 pages | 213.09 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster
using CSI Driver on DELL EMC PowerFlex validated in engineering lab using two-layer PowerFlex system with VMware vSphere environment, but the reference architecture and the best practices that are demonstrated in this white paper are applicable to follows: Table 2. Requirements for RKE cluster on PowerFlex family Name Version Description Reference SUSE Rancher server 2.5.7 SUSE Rancher server is used from Workstation VM. https://releases Edit myvalues.yaml to set the parameters like file system types, volume name prefix, and controller count, for the installation. 6. Create a config.json for driver configuration. This file contains information
0 points | 45 pages | 3.07 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
suggests, the admin has all the privileges associated with the environment, whereas users can be split further into specific roles (the same user can have different roles). The following table explains SkyDNS service is built-in with Kubernetes environment (and briefly discussed in section Error! Reference source not found.). New records are created in DNS when new services and pods are started, and
0 points | 66 pages | 6.10 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Audit Script: #!/bin/bash set -eE handle_error() { echo "false" } trap 'handle_error' ERR count_sa=$(kubectl get serviceaccounts --all-namespaces -o json | jq -r '.items[] | select(.metadata.name=="default") 5.4 119 (.automountServiceAccountToken == true))' | jq .metadata.namespace | wc -l) if [[ ${count_sa} -gt 0 ]]; then echo "false" exit fi for ns in $(kubectl get ns --no-headers -o custom-columns=":me $result) resource_count=$(kubectl get $kind $name -n $ns -o json | jq -r '.rules[] | select(.resources[] != "podsecuritypolicies")' | wc -l) if [[ ${resource_count} -gt 0 ]]; then
0 points | 132 pages | 1.12 MB | 1 year ago
Rancher Hardening Guide v2.3.5
Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide here Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive example is provided below. If you want to allow all traffic to all pods in default-allow-all.yaml the permissive NetworkPolicy to all namespaces. Reference Hardened RKE cluster.yml configuration The reference cluster.yml is used by the RKE CLI that provides the configuration needed
0 points | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 LTS cloud-config: Hardening Guide here Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive example is provided below. If you want to allow all traffic to all pods in default-allow-all.yaml the permissive NetworkPolicy to all namespaces. Reference Hardened RKE cluster.yml configuration The reference cluster.yml is used by the RKE CLI that provides the configuration needed
0 points | 22 pages | 197.27 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Guide - v2.4 50 (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.3 Minimize the admission of containers wishing to hostIPC == null) or (.spec.hostIPC == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.4 Minimize the admission of containers wishing to == null) or (.spec.hostNetwork == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' CIS Benchmark Rancher Self-Assessment Guide - v2.4 51 Expected result: 1 is greater than 0
0 points | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
hostPID == null) or (.spec.hostPID == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.3 Minimize the admission of containers wishing to hostIPC == null) or (.spec.hostIPC == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.4 Minimize the admission of containers wishing to Rancher v2.5 51 (.spec.hostNetwork == false))' | jq .metadata.name | wc -l | xargs -I {} echo '--count={}' Expected result: 1 is greater than 0 5.2.5 Minimize the admission of containers with allowP
0 points | 54 pages | 447.97 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
configure the audit log settings. The instructions for doing so can be found in the reference section below. Reference https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/chart-optio your Rancher installation according to the documentation found at the link in the reference section below. Reference Rancher_Hardening_Guide.md 11/30/2018 20 / 24 https://rancher.com/docs/rancher/v2
0 points | 24 pages | 336.27 KB | 1 year ago
Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
existing manifests to the new manifests, and then applying the new manifests. All CN2 manifests must reference the same software version. NOTE: Before you upgrade, check to make sure that each node has at least The deployer provides life cycle management for the CN2 components. This manifest includes a reference to the central-kubeconfig secret you created in the previous substep. kubectl apply -f manifes
0 points | 72 pages | 1.01 MB | 1 year ago