v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions root:root (Automated) 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root

Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration configuration is passed in as arguments at container run time. 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored) Result: Not Applicable CIS Benchmark Rancher Self-Assessment

Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration configuration is passed in as arguments at container run time. 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored) Result: Not Applicable CIS 1.5 Benchmark - Self-Assessment

4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) Audit ( --etcd-certfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-certfile=.*") Value: --etcd-certfile=/etc/kubernetes/ssl/kube-node.pem Audit ( --etcd-keyfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-keyfile=.*").string' Returned Value: --etcd-keyfi

the kubernetes API server: export KUBECONFIG=/snap/microk8s/current/client.config Install etcd Install etcd as a StatefulSet into your new Kubernetes cluster. kubectl create -f https://raw.githubusercontent Self-Managed Kubernetes Installa�on using kubeadm Standard Installa�on Installa�on with external etcd Installation using kubeadm Instruc�ons about installing Cilium on Kubernetes cluster deployed by Kubernetes using the cilium-etcd-operator. The cilium-etcd-operator replaces the requirement for an external kvstore. You can learn more about it in the sec�on What is the cilium-etcd-operator? It is suitable

Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Symptom Library Useful Scripts Reporting a problem Community Weekly Community Meeting Deploy Cilium This is the same helm command as from Install Cilium. However we’re enabling managed etcd and setting both cluster-name and cluster-id for each cluster. Make sure context is set to kind-cluster2 enabled=true \ --set nodePort.enabled=true \ --set hostPort.enabled=true \ --set etcd.enabled=true \ --set etcd.managed=true \ --set identityAllocationMode=kvstore \ --set cluster.name=cluster2

kvstore (etcd). Please refer to the section Installation with external etcd for details on when etcd is required. Quick Installation Installation with managed etcd Installation with external etcd Quick kvstore set up is required which can be set up using an Installation with external etcd or using the Installation with managed etcd. Should you encounter any issues during the installation, please refer to the 75s probe-866bb6f696-tb926 1/1 Running 0 75s Installation with managed etcd The standard Quick Installation guide will set up Cilium to use Kubernetes CRDs to store and propagate

Deploy Cilium This is the same helm command as from Install Cilium. However we’re enabling managed etcd and setting both cluster-name and cluster-id for each cluster. Make sure context is set to kind-cluster2 nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set global.etcd.enabled=true \ --set global.etcd.managed=true \ --set global.identityAllocationMode=kvstore \ --set global nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set global.etcd.enabled=true \ --set global.etcd.managed=true \ --set global.identityAllocationMode=kvstore \ --set global

Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Symptom Library Useful Scripts Reporting a problem Community Weekly Community Meeting Deploy Cilium This is the same helm command as from Install Cilium. However we’re enabling managed etcd and setting both cluster-name and cluster-id for each cluster. Make sure context is set to kind-cluster2 nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set global.etcd.enabled=true \ --set global.etcd.managed=true \ --set global.identityAllocationMode=kvstore \ --set global

Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Cluster Mesh Troubleshooting Symptom Library Useful Scripts Reporting a problem Community platforms. For the standard installation path, see Quick Installation. Installation with external etcd Installation on OpenShift OKD Getting Started Using K3s Getting Started Using Kind CNI Chaining External Engine Installation with external etcd This guide walks you through the steps required to set up Cilium on Kubernetes using an external etcd. Use of an external etcd provides better performance and is