Rancher Kubernetes Engine 2, VMWare vSAN
SAP SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere SUSE Linux Enterprise Server 15 SP4 Rancher Kubernetes Engine 2 SAP Data Intelligence 3 Dr. Ulrich Schairer, (SUSE) 1 SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere Date: 2023-07-24 SAP possible errors or the consequences thereof. 2 SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere Contents 1 Introduction 4 2 Requirements 5 3 Preparations 7
0 credits | 29 pages | 213.09 KB | 1 year ago

Hardening Guide - Rancher v2.3.3+
gument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensu verify that they are running with the following options: • --streaming-connection-idle-timeout= • --authorization-mode=Webhook • --protect- gument is not set to AlwaysAllow (Scored) • 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) • 2.1.7 - Ensu
0 credits | 44 pages | 279.78 KB | 1 year ago

Rancher Hardening Guide v2.3.5
RKE CLI that provides the configuration needed to achieve a hardened install of Rancher Kubernetes Engine (RKE). Install documentation is provided with additional details about the configuration items. enable_cluster_monitoring: false enable_network_policy: true # # Rancher Config # rancher_kubernetes_engine_config: addon_job_timeout: 30 addons: |- --- apiVersion: v1 kind: Namespace e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0 credits | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
RKE CLI that provides the configuration needed to achieve a hardened install of Rancher Kubernetes Engine (RKE). Install documentation is provided with additional details about the configuration items. enable_cluster_monitoring: false enable_network_policy: true # # Rancher Config # rancher_kubernetes_engine_config: addon_job_timeout: 30 addons: |- --- apiVersion: v1 kind: Namespace e make-iptables-util-chains: 'true' protect-kernel-defaults: 'true' streaming-connection-idle-timeout: 1800s tls-cipher-suites: >- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
0 credits | 22 pages | 197.27 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
CIS benchmark, ensure the appropriate flags are passed to the Kubelet. 2.1.6 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) 2.1.7 - Ensure that the --protect-kernel-defaults Kubelet containers on all hosts and verify that they are running with the following options: --streaming-connection-idle-timeout= --protect-kernel-defaults=false --make-ipta RKE cluster.yml kubelet section under services: services: kubelet: extra_args: streaming-connection-idle-timeout: " " protect-kernel-defaults: "true" make-iptables-util-chains:
0 credits | 24 pages | 336.27 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
4.2.4 Ensure that the --read-only-port argument is set to 0 (Automated) 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) 4.2.6 Ensure that the --protect-kernel-defaults -fC kubelet Expected Result: '' is not present OR '' is not present 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Automated) Result: pass CIS 1.6 Benchmark - d/10-kubeadm.conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl
0 credits | 132 pages | 1.12 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
2.1.5 - Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Audit docker inspect kubelet | jq -e '.[0].Args[] | match("--streaming-connection-idle-timeout=.*") *").string' Returned Value: --streaming-connection-idle-timeout=1800s Result: Pass 2.1.6 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit docker inspect kubelet
0 credits | 47 pages | 302.56 KB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
/bin/cat /var/lib/kubelet/config.yaml Expected result: '0' is equal to '0' 4.2.5 Ensure that the --streaming-connection-idle-timeout argument is not set to 0 (Scored) Result: PASS Remediation: If using conf on each worker node and set the below parameter in KUBELET_SYSTEM_PODS_ARGS variable. --streaming-connection-idle-timeout=5m Based on your system, restart the kubelet service. For example: systemctl Config: /bin/cat /var/lib/kubelet/config.yaml Expected result: '30m' is not equal to '0' OR '--streaming-connection-idle-timeout' is not present 4.2.6 Ensure that the --protect-kernel-defaults argument
0 credits | 54 pages | 447.97 KB | 1 year ago

[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
does not need Docker containers when used with distributions such as K3s and Rancher Kubernetes Engine 2 (RKE2). For installations that want an even smaller attack surface, SUSE Rancher can utilize an the hosted hyperscaler Kubernetes services. With RHACM, operators also get access to a policy engine via GitOps help manage clusters at scale. OpenShift clusters will also have full monitoring capabilities directly on vSphere-managed ESXi hosts through proprietary VMware extensions that replace the container engine and the standard Kubernetes kubelet. Tanzu can also manage non TKG clusters deployed on different
0 credits | 39 pages | 488.95 KB | 1 year ago













