6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 System Requirements | 15 Cloud-Native Contrail Networking Overview SUMMARY Learn about Cloud-Native clusters. The only requirement is that the data plane components are reachable. 14 System Requirements Table 3: System Requirements for Rancher RKE2 Installation with CN2 Machine CPU RAM Storage Notes

Description Configure a restrictive pod security policy (PSP) as the default and create role bindings for system level services to use the less restrictive default PSP. Rationale To address the following controls restrictive default PSP needs to be applied as the default. Role bindings need to be in place to allow system services to still function. 1.7.1 - Do not admit privileged containers (Not Scored) 1.7.2 - Do cattle-system namespace exists: kubectl get ns |grep cattle Verify that the roles exist: kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS Benchmark Rancher Self-Assessment Guide - v2.4 13 chmod

root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G restrictive (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/kubernetes/ssl Audit Script: check_files_permissions 600 (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 13

command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide (Automated) Result: pass Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root / etc/kubernetes/pki/ Audit: check_files_owner_in_dir Guide - Rancher v2.5.4 12 Remediation: Run the below command (based on the file location on your system) on the master node. For example, chmod -R 644 /etc/ kubernetes/pki/*.crt Audit: check_files_permissions

name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: v1 kind: Namespace metadata: name: cattle-system authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts

rbac.authorization.k8s.io kind: Group name: system:serviceaccounts - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- Hardening Guide v2.4 9 apiVersion: metadata: name: cattle-system --- apiVersion: rbac.authorization.k8s.io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: cattle-system roleRef: apiGroup: rbac.authorization.k8s.io kind: Role name: default-psp-role subjects: - apiGroup: rbac.authorization.k8s.io kind: Group name: system:serviceaccounts

Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time

an ge r ou s c ap ab i l i t i e s ( Not S c or e d ) A u d i t • Ve r i f y t h at t h e cattle-system n am e s p ac e e x i s t s : kubectl get ns |grep cattle • Ve r i f y t h at t h e r ol e s e : kubectl get role default-psp-role -n ingress-nginx kubectl get role default-psp-role -n cattle-system kubectl get clusterrole restricted-clusterrole • Ve r i f y t h e b i n d i n gs ar e s e t c or kubectl get rolebinding -n ingress-nginx default-psp-rolebinding kubectl get rolebinding -n cattle-system default-psp-rolebinding kubectl get clusterrolebinding restricted-clusterrolebinding • Ve r i f

For installations that want an even smaller attack surface, SUSE Rancher can utilize an operating system such as SLE Micro to help run Kubernetes in the most efficient way possible. Kubernetes from SUSE can be used across any platform where GKE or Anthos clusters can run, providing a unified access system for all the clusters. However, the RBAC will be local for each cluster depending on the permissions with any external Helm repository, giving users the means to install applications from either system. Helm 3.0 is required for inclusion in SUSE Rancher's application catalog. 3.3.1.2 OpenShift