 Hardening Guide - Rancher v2.3.3+
ty or performance of the technology 2 1.1 - Rancher RKE Kubernetes cluster host configuration (See Appendix A. for full ubuntu cloud-config 1.15 - Ensure that the --audit-log-path argument is set as appropriate (Scored) • 1.1.16 - Ensure that the --audit-log-maxage argument is set as appr 17 - Ensure that the --audit-log-maxbackup argument is set as appropriate (Scored) • 1.1.18 - Ensure that the --audit-log-maxsize argument is set as ap
0 points | 44 pages | 279.78 KB | 1 year ago
 Deploying and Scaling Kubernetes with Rancher
identification purposes only and may be trademarks of their respective holder(s). Information is subject to change without notice. © 2017 Rancher Labs, Inc. All rights reserved. March 2017. 1 ©Rancher ... 7 1.3.10 Log Management ... visualization. 1.3.10 Log Management Fetching and analyzing log data is critical to understanding what is happening with a given cluster. Internal Kubernetes components use log library to log data; kubectl
0 points | 66 pages | 6.10 MB | 1 year ago
 Rancher Hardening Guide Rancher v2.1.x
kubelet with the --protect-kernel-defaults option. The settings that the kubelet initially attempts to change can be set manually. This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults secret is the 32-byte base64-encoded string generated in the first step. 1.1.3 - Install the audit log configuration on all control plane nodes. Profile Applicability Level 1 Description Place the configuration that the --audit-log-path argument is set as appropriate (Scored) 1.1.16 - Ensure that the --audit-log-maxage argument is as appropriate (Scored) 1.1.17 - Ensure that the --audit-log-maxbackup argument
0 points | 24 pages | 336.27 KB | 1 year ago
 Cloud Native Contrail Networking
Installation and Life Cycle Management Guide for Rancher RKE2
no responsibility for any inaccuracies in this document. Juniper Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. Cloud Native Contrail Networking that you'll use as cluster nodes. Ensure the OS and kernel versions on the cluster nodes are on the list of supported OSes and kernels (see the CN2 Tested Integrations matrix at https://www.juniper.net/ preventing the node from reaching the Juniper Networks repository. Here is an example of a DNS problem. Log in to each node having a problem and check name resolution for enterprise-hub.juniper.net. For example:
0 points | 72 pages | 1.01 MB | 1 year ago
 [Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Solutions 3 4 2 4 Advanced Monitoring 4 4 3 2 Alerts and Notifications 4 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 features are only available on a small list of "approved" cluster types. RKE, one of SUSE's CNCF-certified Kubernetes distributions, is included in this list. 3.1.9 Centralized Audit • SUSE Rancher: supports the standard API logging available from Kubernetes. 3.1.9.2 OpenShift OpenShift can log all interactions with the OCP API, including request and response body and metadata. OpenShift collect
0 points | 39 pages | 488.95 KB | 1 year ago
 SUSE Rancher and RKE Kubernetes cluster
using CSI Driver on DELL EMC PowerFlex
information in this document is accurate as of its publication date. The information is subject to change without notice. Contents 3 SUSE Rancher and RKE Kubernetes cluster using CSI Driver the following steps to deploy an RKE Kubernetes cluster using the SUSE Rancher Server UI: 1. Log in to the Rancher Server from the browser. 2. Click Add Cluster to create a cluster 3. In as a best practice reference architecture. RKE supports x509 authentication strategy, and also a list of SANs can be defined to add to the Kubernetes API Server PKI certificates. The optional load balancer
0 points | 45 pages | 3.07 MB | 1 year ago
 Competitor Analysis: KubeSphere vs. Rancher and OpenShift
Conformance Certification Yes Yes Yes Trusted Cloud Yes Yes Yes 6 Certification Kubernetes-native No change to Kubernetes code Deep customization Official Kubernetes distribution, RKE, recommended multi-tenant and multi-dimensional log retrieval system that supports on-disk log collection and provides flexibility to integrate multiple external log receivers Third-party ELK required for
0 points | 18 pages | 718.71 KB | 1 year ago
 Rancher Kubernetes Engine 2, VMWare vSAN
Node 3 16 GiB 4 >120 GiB Worker Node 4 64 GiB 16 >120 GiB 2.2 Software requirements The following list contains the software components needed to install SAP Data Intelligence 3.3 on RKE 2: SUSE Linux Kubernetes nodes. 5.1.1 Creating namespace for SAP Data Intelligence 3.3 in the Kubernetes cluster Log in to your management workstation and create the namespace in the Kubernetes cluster where DI 3.3 of DI 3.3, for example to enable backup. If you forgot to note it down, the following command will list the service port: $ kubectl -n sap-slcbridge get svc 12 SAP Data Intelligence 3 on Rancher Kubernetes
0 points | 29 pages | 213.09 KB | 1 year ago
 CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
argument is set to false (Automated) 1.2.22 Ensure that the --audit-log-path argument is set (Automated) 1.2.23 Ensure that the --audit-log-maxage argument is set to 30 or as appropriate (Automated) CIS 1 83 83 83 85 85 1.2.24 Ensure that the --audit-log-maxbackup argument is set to 10 or as appropriate (Automated) 1.2.25 Ensure that the --audit-log-maxsize argument is set to 100 or as appropriate (Automated) --tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem --authorization-mode=Node,RBAC --audit-log-maxsize=100 --audit-log-format=json --requestheader-allowed-names=kube-apiserver-proxy-client --cloud-provider=
0 points | 132 pages | 1.12 MB | 1 year ago
 Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
--audit-log-path argument is set as appropriate (Scored) Notes This path is the path inside of the container. It's combined with the RKE cluster.yml extra- binds: option to map the audit log to the match("--audit-log-path=/var/log/kube-audit/audit-log.json").string' Returned Value: --audit-log-log=/var/log/kube-audit/audit-log.json Result: Pass 1.1.16 - Ensure that the --audit-log-maxage argument kube-apiserver | jq -e '.[0].Args[] | match("--audit-log-maxage=\\d+").string' Returned Value: --audit-log-maxage=5 Result: Pass 1.1.17 - Ensure that the --audit-log-maxbackup argument is set to 10 or as
0 points | 47 pages | 302.56 KB | 1 year ago













