CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) 2 Etcd Node Configuration Files 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate (Automated) CIS Ensure that the audit policy covers key security concerns (Manual) 4.1 Worker Node Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated)
0 credits | 132 pages | 1.12 MB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI defined by arguments passed to the container at the time of initialization, not via configuration files. CIS Benchmark Rancher Self-Assessment Guide - v2.4 4 Where control audits differ from the original
0 credits | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Configuration 1.1 Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment defined by arguments passed to the container at the time of initialization, not via configuration files. CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 4 Where control audits differ from the
0 credits | 54 pages | 447.97 KB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
disclosing the secrets in the definition files that define containers/clusters, Kubernetes encodes them in Secret objects for later referral in the definition files. 1.3.4 Application Health Long-running Dashboard, click on “Create” and upload the newly modified service file. Similarly also deploy other .yml files in the guestbook directory. After you have created all Services and RCs, you will see the complete Git repo into that directory. Especially useful when you want to fetch configuration or standard files from a repo. Secret Secrets can be mounted as volumes (for example for passwords). downloadAPI
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
defined by arguments passed to the container at the time of initialization, not via configuration files. Scoring the commands is different in Rancher Labs than in the CIS Benchmark. Where the commands requires setting the --admission-control-config-file option and configuring details in the following files: /etc/kubernetes/admission.yaml /etc/kubernetes/event.yaml See Host Configuration for details \\.0\\.0\\.1").string' Returned Value: --address=127.0.0.1 Result: Pass 1.4 - Configuration Files 1.4.1 - Ensure that the API server pod specification file permissions are set to 644 or more restrictive
0 credits | 47 pages | 302.56 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Workstation VM where RKE binary exists to create an SSH key pair: $ ssh-keygen The following files are created after SSH key pairing: $HOME/.ssh/id_rsa (SSH private key, keep this secure) $HOME/ CIDR [10.42.0.0/16]: [+] Cluster DNS Service IP [10.43.0.10]: [+] Add addon manifest URLs or YAML files [no]: $ Installation of the SUSE Rancher Kubernetes cluster 18 SUSE install CSI drives for PowerFlex 1. Run the following command to download the installation source files from GitHub: $ git clone https://github.com/dell/csi-vxflexos 2. Run the following command to create
0 credits | 45 pages | 3.07 MB | 1 year ago
Competitor Analysis: KubeSphere vs. Rancher and OpenShift
supported; User role permission configurations supported via YAML files; Project quota configurations supported via YAML files; Two built-in management roles: administrator and developer; Management
0 credits | 18 pages | 718.71 KB | 1 year ago
Rancher Hardening Guide v2.3.5
uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run --gid 52034 etcd - useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content:
0 credits | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
uid and gid for the etcd user will be used in the RKE config.yml to set the proper permissions for files and directories during installation time. create etcd user and group To create the etcd group run --gid 52034 etcd - useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content:
0 credits | 22 pages | 197.27 KB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
66005f41fbc3529ffe8d007708756720529da20d.tar.xz The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions
0 credits | 16 pages | 551.69 KB | 1 year ago