H a r d e n i n g G u i d e - R a n c h e r v 2 . 3 . 3 + C o nt e nt s Har d e n i n g G u i d e f or R an c h e r 2. 3. 3+ w i t h K u b e r n e t e s 1. 16 . . . 2 O v e r v i e w . . . . . . . . r n e t e s c l u s t e r h os t c on fi gu r at i on . . . . . . . 3 1. 1. 1 - C on fi gu r e d e f au l t s y s c t l s e t t i n gs on al l h os t s . . . . . . . . 3 1. 4. 11 E n s u r e t h at t - C h an ge t h e l oc al ad m i n p as s w or d f r om t h e d e f au l t v al u e . 17 3. 2. 2 - C on fi gu r e an I d e n t i t y P r ov i d e r f or Au t h e n t i c at i on . . . . . 17 3. 3 - R

Create the cluster with no CNI plug-in. 2. Apply the Contrail deployer manifest. kubectl apply -f manifests/single_cluster_deployer_example.yaml It may take a few minutes for the nodes and pods to 12h 172.16.0.12 rke2-a1 cert-manager cert-manager-cainjector-6f96556ddf-spqpb 1/1 Running 0 12h 172.16.0.13 rke2-a2 contrail-k8s-deployer-f8cd78888-pmgpl 1/1 Running 1 (15h ago) 15h 172.16.0.11 rke2-s1 contrail-system contrail-k8s-apiserver-5d458f8d69-7s9nb

notes/2589449) Installation Guide at help.sap.com (https://help.sap.com/viewer/a8d90a56d61a49718e- bcb5f65014bbe7/3.2.latest/en-US) 4 Installation of RKE 2 on top of VMware vSphere and VMware vSAN 4.1 Prerequisites: com/#/notes/2589449 . via https://help.sap.com/viewer/a8d90a56d61a49718ebcb5f65014bbe7/3.3.latest/en- US/8ae38791d71046fab1f25ee0f682dc4c.html . Download the SLC Bridge software to the management workstation with SLC Bridge in a Cluster with Internet Access (https://help.sap.com/viewer/a8d90a56d61a49718ebcb5f65014bbe7/3.3.lat- est/en-US/7e4847e241c340b3a3c50a5db11b46e2.html) of the SAP Data Intelligence 3

Block Cipher Modes of Operation: Galois/Counter Mode (GCM) and GMAC 11/28/2007 [SP 800-38F] NIST SP 800-38F, Recommendation for Block Cipher Modes of Operation: Methods for Key Wrapping 12/13/2012 software module, multi-chip standalone module embodiment. The validated version of the library is 66005f41fbc3529ffe8d007708756720529da20d. The cryptographic module was tested on the following operational 192, 256 CBC, ECB, CTR 128, 256 GCM Encryption, Decryption, Authentication A865 KTS [SP 800-38F] 128, 256 AES-KW Key Wrapping, Key Unwrapping A865 CVL [SP 800-135 r1] TLS 1.0/1.1 and 1.2

namespace for certificate manager as cert-manager: $ kubectl create ns cert-manager $ kubectl apply -f https://github.com/jetstack/cert- manager/releases/download/v1.2.0/cert-manager.crds.yaml 4. Run READY STATUS RESTARTS AGE cert-manager-75cf57777c-ztw9f 1/1 Running 0 2m2s cert-manager-cainjector-f54c57bf8-wkc2z 1/1 Running 0 2m2s cert-manag Rancher with Helm: $ helm install rancher rancher-stable/rancher -n cattle- system –-version v2.5.7 -f rancher-values.yaml NAME: rancher LAST DEPLOYED: Tue Mar 16 11:05:11 2021 NAMESPACE: cattle-system

${INPUT_DIR}/*) while read -r statInfoLine; do f=$(echo ${statInfoLine} | cut -d' ' -f1) p=$(echo ${statInfoLine} | cut -d' ' -f2) if [[ $(basename "$f" .pem) == "kube-etcd-"* ]]; then if [[ "$p" FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false" FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false"

*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %a Audit Execution: ./1.1.11.sh etcd Expected result: '700' is equal to '700' *%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G Audit Execution: ./1.1.12.sh etcd Expected result: 'etcd:etcd' is present FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false"

*%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %a Audit Execution: ./1.1.11.sh etcd Expected result: '700' is equal to '700' *%\1%') docker inspect etcd | jq -r '.[].HostConfig.Binds[]' | grep "$ {test_dir}" | cut -d ":" -f 1 | xargs stat -c %U:%G Audit Execution: ./1.1.12.sh etcd Expected result: 'etcd:etcd' is present FILES_PERMISSIONS=$(stat -c %n\ %a ${PATTERN}) while read -r fileInfo; do p=$(echo ${fileInfo} | cut -d' ' -f2) if [[ "${PERMISSION}" != "" ]]; then if [[ "$p" != "${PERMISSION}" ]]; then echo "false"

"cluster_name" : "myesdb", "version" : { "number" : "1.7.1", "build_hash" : "b88f43fc40b0bcd7f173a1f9ee2e97816de80b19", "build_timestamp" : "2015-07-29T09:54:16Z", "build_snapshot" yml and we can override that by using a custom values.yml file. helm install --name jenkins-r1 -f values.yaml stable/jenkins ©Rancher Labs 2017. All rights Reserved. 65 DEPLOYING AND

namespace in $(kubectl get namespaces -A -o json | jq -r '.items[].metadata.name'); do kubectl apply -f default-allow-all.yaml -n ${namespace} done Execute this script to apply the default-allow-all.yaml