NIST National Institute of Standards and Technology OE Operating Environment OS Operating System PCT Pairwise Consistency Test RSA Rivest, Shamir, Adleman algorithm SHA/SHS Secure Hash Algorithm/Standard general-purpose computer (GPC) platforms detailed below: Table 1 - Tested Configurations # Operating System Processor Platform Compiler 1 CentOS 7.8 Intel® Xeon® Silver 4214R with PAA Dell PowerEdge conforms to [140IG] 6.1 Single Operator Mode and Concurrent Operators. Each approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner

............................................................... 5 1.3.1 Co-Locating Related Processes ............................................................................... 5 1.3.2 Data ............................................................................56 4.8 Kubernetes System Stack Upgrades in Rancher ........................................................57 5 Managing of containers and their storage is called a pod. For example, it makes sense to have database processes and data containers as close as possible - ideally they should be in same pod. Label Labels

plagued by a lack of central visibility, inconsistent security practices and complex management processes. Therefore, Kubernetes management platforms need to confidently deliver: • Simplified Cluster For installations that want an even smaller attack surface, SUSE Rancher can utilize an operating system such as SLE Micro to help run Kubernetes in the most efficient way possible. Kubernetes from SUSE Control can be upgraded through that interface. 3.1.12.4 Anthos Anthos has different upgrade processes for their clusters depending on where clusters are hosted. Anthos in VMware clusters need to upgrade

Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time

cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as nginx-ingress ) utilize SecurityContext to switch users and assign capabilities option to map the audit log to the host filesystem. Audit logs should be collected and shipped off-system to guarantee their integrity. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match is set to 30 or as appropriate (Scored) Notes Audit logs should be collected and shipped off-system to guarantee their integrity. Rancher Labs recommends setting this argument to a low value to prevent

the virtual machines for the RKE 2 cluster with SUSE Linux Enterprise Server 15 SP4 as operating system in the vSphere environment. Make sure these virtual machines are sized according to the recommendations io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-cpi labels: namespace: kube-system spec: valuesContent: |- vCenter: host: "vcenterhostname" datacenters: "datacentername" helm.cattle.io/v1 kind: HelmChartConfig metadata: name: rancher-vsphere-csi namespace: kube-system spec: valuesContent: |- vCenter: host: "vcenter host" datacenters: "datacenter"

6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native Enterprises and service providers can now manage Contrail using simplified and familiar DevOps tools and processes without needing to learn a new life cycle management (LCM) paradigm. Benefits of Cloud-Native Contrail

Description Configure a restrictive pod security policy (PSP) as the default and create role bindings for system level services to use the less restrictive default PSP. Rationale To address the following controls restrictive default PSP needs to be applied as the default. Role bindings need to be in place to allow system services to still function. 1.7.1 - Do not admit privileged containers (Not Scored) 1.7.2 - Do cattle-system namespace exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS Benchmark Rancher Self-Assessment Guide - v2.4 13 chmod

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 13