Rancher Hardening Guide Rancher v2.1.x
Hardening Guide Rancher v2.1.x Version: 0.1.0 - November 26th 2018 Overview This document provides prescriptive guidance for hardening a production installation of Rancher v2.1.x. It outlines the configurations ... doing so can be found in the reference section below. Reference https://rancher.com/docs/rancher/v2.x/en/installation/ha/helm-rancher/chart-options/#advanced-options 3.2 - Rancher Management Control Plane ... below. Reference Rancher_Hardening_Guide.md 11/30/2018 20 / 24 https://rancher.com/docs/rancher/v2.x/en/admin-settings/authentication/ 3.3 - Rancher Management Control Plane RBAC 3.3.1 - Ensure that
24 pages | 336.27 KB | 1 year ago
Secrets Management at Scale with Vault & Rancher
Management in Kubernetes ... Secret Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access ● Encryption ● Multi-platform and multi-cloud ● Central control ... Secrets (Versioned) Crypto as a Service LDAP/AD OIDC JWT Github MFA/Radius Okta AWS Azure GCP AliCloud Kubernetes Cloud Foundry AppRole Databases Public Cloud Consul / Nomad X.509 Certs RabbitMQ SSH
36 pages | 1.19 MB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
... of 16. 6 Roles, Authentication and Services The cryptographic module implements both User and Crypto Officer (CO) roles. The module does not support user authentication. The User and CO roles are implicitly ... automatically when the module is initialized. All power-on self-tests must be passed before a User/Crypto Officer can perform services. The power-on self-tests can be run on demand by power-cycling the
16 pages | 551.69 KB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
...ernetes/ssl/kube-service-account-token-key.pem --insecure-port=0 --requestheader-group-headers=X-Remote-Group --secure-port=6443 --enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount --requestheader-extra-headers-prefix=X-Remote-Extra- --profiling=false --kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem --requestheader-username-headers=X-Remote-User 1.2.2 Ensure that the
132 pages | 1.12 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
Appendix A - Complete ubuntu cloud-config Example . . . . . . . . 26 Appendix B - Complete RKE cluster.yml Example . . . . . . . . . . 27 Appendix C - Complete RKE Template Example . . . . . . . . . . . . 36 Hardening Guide for Rancher 2.3.3+ with Kubernetes 1.16 Click here to download a P... ...eptable margin Level 2 Items in this profile extend the "Level 1" profile and exhibit one or more of the following characteristic
44 pages | 279.78 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
... for attachment to Kubernetes pods. The PowerFlex SDC component is installed into the VMware ESXi 7.x hypervisor running on the three compute-only nodes; this provides access to volumes created within ... Docker 19.03.1 5 Docker is installed on each SLES node. #SUSEConnect -p sle-module-containers/15.2/x86_64 #zypper install docker SLES15 SP2 nodes SLES15 SP2 Ensure that the nodes are accessed using ... following command to activate the containers module: $ SUSEConnect -p sle-module-containers/15.2/x86_64 2. Run the following commands to install docker, then enable and start the docker service:
45 pages | 3.07 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Rancher v2.2.x Version 1.1.0 - August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned according to the Rancher v2.2.x hardening guide ... guide against the CIS 1.4.0 Kubernetes benchmark. This document is a companion to the Rancher v2.2.x security hardening guide. The hardening guide provides prescriptive guidance for hardening a production ... --experimental-encryption-provider-config argument is set as appropriate (Scored) Notes In Kubernetes 1.13.x this flag is --encryption-provider-config Audit docker inspect kube-apiserver | jq -e '.[0].Args[]
47 pages | 302.56 KB | 1 year ago
SUSE Rancher MSP Use Cases & Enablement
[Slide diagram: Kubernetes Cluster with Control Plane, Worker and etcd nodes; Customer A, Customer C; 10 x Node; Rancher Management Server (RMS) Cluster of all-in-one nodes (cp/etcd/worker); 25 x Node; 3 x Node] Product / Qty / Nodes: Rancher Management Server 3 / 0; Rancher Nodes 53 / 53. ITOps Admin: End Service (PaaS) — Security as a Service (SCEaaS). Copyright © SUSE 2021. MSP X as a Service Examples ... K8s Backup as a Service Rancher Management Server
25 pages | 1.44 MB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
... IP assurance and indemnification and is available in configurable packages for business hours or 24x7 support. In addition, SUSE Rancher's subscription is priced by node, independent of the number ... OpenShift Red Hat provides support for OpenShift and the Red Hat software stack in two levels, 12x5 and 24x7. However, many of the OpenShift components cannot be modified or used outside Red Hat's parameters ... Account Manager (TAM) for "faster resolution and technical guidance." Premium Support includes 24x7 access for Severity 1 issues. 3.3.9.4 Anthos Google has support tiers that range from community
39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide v2.3.5
automountServiceAccountToken: false Create a bash script file called account_update.sh. Be sure to chmod +x account_update.sh so the script has execute permissions. #!/bin/bash -e for namespace in $(kubectl ... - Egress Create a bash script file called apply_networkPolicy_to_all_ns.sh. Be sure to chmod +x apply_networkPolicy_to_all_ns.sh so the script has execute permissions. #!/bin/bash -e for namespace
21 pages | 191.56 KB | 1 year ago