SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
alerting, and centralized audit. Security, policy, and user management SUSE Rancher lets you automate processes and applies a consistent set of user access and security policies to all your clusters, no on the node. 3. Run the following command to create a Linux user account on every node: $ useradd -m -G docker <user_name> $ su - <user_name> $ mkdir $HOME/.ssh $ chmod 600 $HOME/.ssh $ touch $HOME/ replacing the 'hostname' with each of the Kubernetes nodes IP or hostname: $ ssh -i $HOME/.ssh/id_rsa <user_name>@- docker version Installation of the SUSE Rancher Kubernetes cluster
0 points | 45 pages | 3.07 MB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
simplified cluster operations • Consistent Security Policy and User Management: best-practice security policy enforcement and advanced user management on any infrastructure • Access to Shared Tools and Rancher 2.6 is a showcase of the acquisition’s success and includes a new user experience designed for the enterprise user, full lifecycle management across the three major hyperscalers and a strengthened 3 Security Policy and User Management A key benefit of deploying a Kubernetes Management Platform is implementing best practice security policy enforcement and advanced user management on any infrastructure
0 points | 39 pages | 488.95 KB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
library which provides FIPS 140-2 approved cryptographic algorithms to serve BoringSSL and other user-space applications. The Module is classified by FIPS 140-2 as a software module, multi-chip standalone approved operating system manages processes and threads in a logically separated manner. The module’s user is considered the owner of the calling application that instantiates the module. The Module conforms Services The cryptographic module implements both User and Crypto Officer (CO) roles. The module does not support user authentication. The User and CO roles are implicitly assumed by the entity accessing
0 points | 16 pages | 551.69 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
when using '!' set -H USER_INPUT=$1 if [[ "${USER_INPUT}" == "" ]]; then echo "false" exit fi if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*" else PATTERN="${USER_INPUT}" fi PERMISSION="" if [[ "$2" != "" ]]; then PERMISSION=$2 fi FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do
0 points | 132 pages | 1.12 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
2.4 How Rancher Extends Kubernetes for User-Friendly Container Management 2.4.1 Infrastructure Visibility components listed for master as shown in the above diagram, there are optional components such as: user interface, container resource monitoring and logging-related components. 1.5 Summary Kubernetes in the Kubernetes ingress to a load balancer in Rancher. 2.4 How Rancher Extends Kubernetes for User-Friendly Container Management As you might have noticed in previous section, launching Kubernetes
0 points | 66 pages | 6.10 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
ation • On the etcd server node(s) add the etcd user: useradd -c "Etcd user" -d /var/lib/etcd etcd Record the uid/gid: id etcd • Add the following to cluster.yml etcd section under services: services: etcd: uid: - user uid recorded previously> gid: - user gid recorded previously> 2.1 - Rancher HA Kubernetes Cluster require administrative privileges. Any role that is not admin or user should be audited in the RBAC section of the UI to ensure that the
0 points | 44 pages | 279.78 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
for troubleshooting and debugging; however, if the local cluster is enabled in the Rancher UI, a user has access to all elements of the system, including the Rancher management server itself. Disabling authentication system to simplify user and group access in the Rancher cluster. Doing so assures that access control follows the organization's change management process for user accounts. Audit In the Rancher responsible for managing and operating the Rancher server. Rationale The admin privilege level gives the user the highest level of access to the Rancher server and all attached clusters. This privilege should
0 points | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run the following console commands. addgroup --gid 52034 etcd
0 points | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
Contents Overview Configure Kernel Runtime Parameters Configure etcd user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in the RKE config yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run the following console commands. groupadd --gid 52034 etcd
0 points | 22 pages | 197.27 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
does not store the kubernetes default kubeconfig credentials file on the nodes. It’s presented to user where RKE is run. We recommend that this kube_config_cluster.yml file be kept in secure store. using '!' set -H USER_INPUT=$1 if [[ "${USER_INPUT}" == "" ]]; then echo "false" exit fi if [[ -d ${USER_INPUT} ]]; then PATTERN="${USER_INPUT}/*" else PATTERN="${USER_INPUT}" fi PERMISSION=""
0 points | 54 pages | 447.77 KB | 1 year ago