From 25aae71467a7c9e5f76e9a817a2dd6ce2bf1c587 Mon Sep 17 00:00:00 2001
From: Nelson Roberts
Date: Thu, 23 Jul 2020 12:39:28 -0700
Subject: [PATCH] DOCS-2368 address issues found in hardening-2.3 guide

---
 .../v2.x/en/security/hardening-2.3/_index.md | 18 +++++++-----------
 1 file changed, 7 insertions(+), 11 deletions(-)

diff --git a/content/rancher/v2.x/en/security/hardening-2.3/_index.md b/content/rancher/v2.x/en/security/hardening-2.3/_index.md
index f237643c192..fb495c04b2a 100644
--- a/content/rancher/v2.x/en/security/hardening-2.3/_index.md
+++ b/content/rancher/v2.x/en/security/hardening-2.3/_index.md
@@ -608,22 +608,20 @@ To pass the following controls for the kube-api server ensure RKE configuration
 services:
   kube-api:
     pod_security_policy: true
+    event_rate_limit:
+      enabled: true
     extra_args:
       anonymous-auth: "false"
       profiling: "false"
       service-account-lookup: "true"
       enable-admission-plugins: "ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy"
-      encryption-provider-config: /opt/kubernetes/encryption.yaml
-      admission-control-config-file: "/opt/kubernetes/admission.yaml"
       audit-log-path: "/var/log/kube-audit/audit-log.json"
       audit-log-maxage: "5"
       audit-log-maxbackup: "5"
       audit-log-maxsize: "100"
       audit-log-format: "json"
-      audit-policy-file: /opt/kubernetes/audit.yaml
       tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
     extra_binds:
-      - "/var/log/kube-audit:/var/log/kube-audit"
       - "/opt/kubernetes:/opt/kubernetes"
 ```
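Review bot: Removing `encryption-provider-config` from `extra_args` (the first `-` line after `enable-admission-plugins`) leaves this example with no secrets-at-rest encryption unless an RKE-level replacement is configured, and none is visible in the hunk; the added `event_rate_limit` block only stands in for the dropped `admission-control-config-file`. If the intent is to let RKE generate the provider config, the `kube-api` block should carry `secrets_encryption_config:` / `  enabled: true` next to `event_rate_limit`, otherwise the encryption-at-rest control this section is meant to satisfy silently regresses for anyone copying the template. Dropping `audit-policy-file` while keeping the `audit-log-*` flags has the same shape: as far as I recall kube-apiserver logs no audit events when no policy file is given, so this presumably relies on RKE's `audit_log` option, which should then be shown here or the flag restored. The markdown section and the `services:` mapping start before this hunk.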
@@ -1269,13 +1267,13 @@ services:
     generate_serving_certificate: true
   kube-api:
     pod_security_policy: true
+    event_rate_limit:
+      enabled: true
     extra_args:
       anonymous-auth: "false"
       profiling: "false"
       service-account-lookup: "true"
       enable-admission-plugins: "ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy"
-      encryption-provider-config: /opt/kubernetes/encryption.yaml
-      admission-control-config-file: "/opt/kubernetes/admission.yaml"
       audit-log-path: "/var/log/kube-audit/audit-log.json"
       audit-log-maxage: "5"
       audit-log-maxbackup: "5"
@@ -1284,7 +1282,6 @@ services:
       audit-policy-file: /opt/kubernetes/audit.yaml
       tls-cipher-suites: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
     extra_binds:
-      - "/var/log/kube-audit:/var/log/kube-audit"
       - "/opt/kubernetes:/opt/kubernetes"
   scheduler:
     extra_args:
@@ -1438,6 +1435,7 @@ addons: |
 #
 # Cluster Config
 #
+default_pod_security_policy_template_id: restricted
 docker_root_dir: /var/lib/docker
 enable_cluster_alerting: false
 enable_cluster_monitoring: false
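Review bot: The two RKE examples in this guide now disagree: the `@@ -1284` hunk keeps `audit-policy-file: /opt/kubernetes/audit.yaml` as a context line while the example at line 608 deletes it, and both drop the `/var/log/kube-audit` bind while `audit-log-path` still points into that directory. A reader copying this second template is still told to place a policy under `/opt/kubernetes`, whereas the first template gives them none; either delete the line here as well (with a sentence on what replaces it) or restore it in the first example so both templates pass the same checks. The removed `extra_binds` entry also means the audit log only exists inside the kube-apiserver container unless RKE mounts that path itself, which the hunk does not show — worth a one-line note in the guide, e.g. `# audit log is persisted by RKE's audit_log option; no manual bind needed` if that is the case. The `services:` mapping begins before this hunk.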
@@ -1500,24 +1498,22 @@ rancher_kubernetes_engine_config:
       uid: 1001
     kube_api:
       always_pull_images: false
+      event_rate_limit:
+        enabled: true
       extra_args:
-        admission-control-config-file: /opt/kubernetes/admission.yaml
         anonymous-auth: 'false'
         audit-log-format: json
         audit-log-maxage: '5'
         audit-log-maxbackup: '5'
         audit-log-maxsize: '100'
         audit-log-path: /var/log/kube-audit/audit-log.json
-        audit-policy-file: /opt/kubernetes/audit.yaml
         enable-admission-plugins: >-
           ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel,DefaultStorageClass,ResourceQuota,DefaultTolerationSeconds,AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy
-        encryption-provider-config: /opt/kubernetes/encryption.yaml
         profiling: 'false'
         service-account-lookup: 'true'
         tls-cipher-suites: >-
           TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256
       extra_binds:
-        - '/var/log/kube-audit:/var/log/kube-audit'
         - '/opt/kubernetes:/opt/kubernetes'
       pod_security_policy: true
       service_node_port_range: 30000-32767
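Review bot: Dropping `audit-policy-file` here while keeping `audit-log-path` and the `audit-log-max*` flags (the context lines just above the removed one) leaves the Rancher-provisioned example with audit flags but no policy, and with the `/var/log/kube-audit` bind also removed the log is no longer persisted on the host unless RKE mounts it. If the intent is that RKE now generates both, the `kube_api` block should show the replacement next to `event_rate_limit`, i.e. `audit_log:` / `  enabled: true`, and the removed `encryption-provider-config` needs the equivalent `secrets_encryption_config` option enabled; as the hunk stands neither is present, so a cluster built from this template loses audit logging and secrets-at-rest encryption relative to the previous revision. Separately, `always_pull_images: false` sits directly above an `enable-admission-plugins` list that still includes `AlwaysPullImages`; the explicit plugin list is what takes effect, but a short comment such as `# AlwaysPullImages is enabled via enable-admission-plugins below` would save the next reader the question. The `rancher_kubernetes_engine_config` mapping starts before this hunk.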