CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions root:root (Automated) 1.1.7 Ensure that the etcd pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root
0 credits | 132 pages | 1.12 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration configuration is passed in as arguments at container run time. 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored) Result: Not Applicable CIS Benchmark Rancher Self-Assessment
0 credits | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Master Node Configuration Files 1.2 API Server 1.3 Controller Manager 1.4 Scheduler 2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security that the etcd pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration file for etcd. All configuration configuration is passed in as arguments at container run time. 1.1.8 Ensure that the etcd pod specification file ownership is set to root:root (Scored) Result: Not Applicable CIS 1.5 Benchmark - Self-Assessment
0 credits | 54 pages | 447.97 KB | 1 year ago

Curve Metadata Node High Availability
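© XXX Page 1 of 30 Curve Metadata Node High Availability 1. Requirements 2. Technology selection 3. Introduction to concurrency in etcd clientv3 3.1 Structure of the etcd clientV3 concurrency module 3.2 Campaign flow 3.2.1 Code flow description 3.2.2 Campaign flow by example 3.3 Observe flow MDS election process in Curve 4.2 Election flow illustrated 4.2.1 Normal flow 4.2.2 Exception case 1: MDS1 exits; can be handled normally 4.2.3 Exception case 2: the etcd cluster leader is re-elected, MDS1 is unaffected; can be handled normally 4.2.4 Exception case 3: the etcd leader is re-elected, MDS1 is affected and exits; cannot necessarily be handled normally. 4.2.4.1 The case LeaseTIme < ElectionTime 4 ElectionTime 4.2.4.3 The leases of MDS1, MDS2 and MDS3 all expire 4.2.4.4 Summary 4.2.5 Exception case 4: network partition between the etcd cluster and MDS1 (the current leader) 4.2.5.1 Event 1 occurs first 4.2.5.2 Event 2 occurs first 4.2.6 Exception case 4: an etcd cluster follower node fails 4.2.7 Summary of all cases 1. Requirements mds is the metadata node, responsible for space allocation, cluster status monitoring, cluster
0 credits | 30 pages | 2.42 MB | 5 months ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment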
4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure Ensure that the --etcd-certfile and --etcd-keyfile arguments are set as appropriate (Scored) Audit ( --etcd-certfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-certfile=.*") Value: --etcd-certfile=/etc/kubernetes/ssl/kube-node.pem Audit ( --etcd-keyfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-keyfile=.*").string' Returned Value: --etcd-keyfi
0 credits | 47 pages | 302.56 KB | 1 year ago

Cilium v1.5 Documentation
the kubernetes API server: export KUBECONFIG=/snap/microk8s/current/client.config Install etcd Install etcd as a StatefulSet into your new Kubernetes cluster. kubectl create -f https://raw.githubusercontent Self-Managed Kubernetes Installation using kubeadm Standard Installation Installation with external etcd Installation using kubeadm Instructions about installing Cilium on Kubernetes cluster deployed by Kubernetes using the cilium-etcd-operator. The cilium-etcd-operator replaces the requirement for an external kvstore. You can learn more about it in the section What is the cilium-etcd-operator? It is suitable
0 credits | 740 pages | 12.52 MB | 1 year ago

Cilium v1.9 Documentation
Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Symptom Library Useful Scripts Reporting a problem Community Weekly Community Meeting Deploy Cilium This is the same helm command as from Install Cilium. However we’re enabling managed etcd and setting both cluster-name and cluster-id for each cluster. Make sure context is set to kind-cluster2 enabled=true \ --set nodePort.enabled=true \ --set hostPort.enabled=true \ --set etcd.enabled=true \ --set etcd.managed=true \ --set identityAllocationMode=kvstore \ --set cluster.name=cluster2
0 credits | 1263 pages | 18.62 MB | 1 year ago

Cilium v1.6 Documentation
kvstore (etcd). Please refer to the section Installation with external etcd for details on when etcd is required. Quick Installation Installation with managed etcd Installation with external etcd Quick kvstore set up is required which can be set up using an Installation with external etcd or using the Installation with managed etcd. Should you encounter any issues during the installation, please refer to the 75s probe-866bb6f696-tb926 1/1 Running 0 75s Installation with managed etcd The standard Quick Installation guide will set up Cilium to use Kubernetes CRDs to store and propagate
0 credits | 734 pages | 11.45 MB | 1 year ago

Cilium v1.7 Documentation
Deploy Cilium This is the same helm command as from Install Cilium. However we’re enabling managed etcd and setting both cluster-name and cluster-id for each cluster. Make sure context is set to kind-cluster2 nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set global.etcd.enabled=true \ --set global.etcd.managed=true \ --set global.identityAllocationMode=kvstore \ --set global nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set global.etcd.enabled=true \ --set global.etcd.managed=true \ --set global.identityAllocationMode=kvstore \ --set global
0 credits | 885 pages | 12.41 MB | 1 year ago

Cilium v1.8 Documentation
Observing Flows with Hubble Observing flows with Hubble Relay Connectivity Problems Policy Troubleshooting etcd (kvstore) Symptom Library Useful Scripts Reporting a problem Community Weekly Community Meeting Deploy Cilium This is the same helm command as from Install Cilium. However we’re enabling managed etcd and setting both cluster-name and cluster-id for each cluster. Make sure context is set to kind-cluster2 nodePort.enabled=true \ --set global.hostPort.enabled=true \ --set global.etcd.enabled=true \ --set global.etcd.managed=true \ --set global.identityAllocationMode=kvstore \ --set global
0 credits | 1124 pages | 21.33 MB | 1 year ago
349 results in total