SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex September 2021 H18899 White Paper Abstract This white paper describes the deployment of a SUSE Rancher Kubernetes Kubernetes Cluster on the Dell EMC PowerFlex family and the integration of PowerFlex CSI driver 1.4 for persistent volume, for customers requiring an on-premises container platform solution. This white paper Engineering Validated Copyright 2 SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex White Paper The information in this publication is provided as is.
0 points | 45 pages | 3.07 MB | 1 year ago

Rancher Kubernetes Engine 2, VMWare vSAN
vsphere cluster as dedicated nodes for the RKE 2 cluster Creating the configuration of the vsphere CPI/CSI drivers for the use with RKE 2 Installing RKE 2 Kubernetes cluster on the dedicated nodes Deploying vsphere CPI and CSI provider and to access the resources in the vSphere installation. To use the vSphere CPI and CSI, RKE2 must be configured to use the rancher-vsphere cloud provider.
$ sudo mkdir -p /etc/rancher/rke2
$ sudo echo "cloud-provider-name: rancher-vsphere" > /etc/rancher/rke2/config.yaml
This enables the deployment of the vSphere CPI and CSI from pre-packaged Helm charts in RKE 2
0 points | 29 pages | 213.09 KB | 1 year ago

[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
for public and private cloud providers, along with guides for bare metal and "any other provider." Cloud provider installers require administrator access to the environment to create the resources but deploying Kubernetes clusters. It offers full lifecycle management across the major public cloud provider’s distributions, including EKS, AKS and GKE as well as RKE, RKE2 and K3s or any CNCF-conformant DigitalOcean and Tencent. If a user wishes to deploy a cluster with a new provider, they can import a driver for that provider directly from the UI. With EKS, GKE and AKS, SUSE Rancher can now import
0 points | 39 pages | 488.95 KB | 1 year ago

Secrets Management at Scale with Vault & Rancher
authentication for Vault Vault typically uses an authentication provider, like Active Directory or GitHub. K8s is also an authentication provider. This makes Vault quite easy to integrate. Let’s review https://www com/tutorials/vault/kubernetes-sidecar Vault CSI (Container Storage Interface) A Vault secret shows as a file in a mount. https://www.vaultproject.io/docs/platform/k8s/csi Vault & Kubernetes Summary ● Vault Vault Agent container to manage these secrets ● Mount Vault secrets as volume using secrets store CSI driver Conclusion • Vault is a logical component in Ranchers K8s clusters. • It’s easy to install
0 points | 36 pages | 1.19 MB | 1 year ago

Competitor Analysis: KubeSphere vs. Rancher and OpenShift
webhook supported Notification Manager, a self-developed open-source tool that supports cloud provider SMS, DingTalk, and WeCom Pagerduty supported Pagerduty, Microsoft teams, DingTalk, and WeCom OpenEBS to support dynamic consumption of LocalPV; integration with major distributed storage via CSI, including Ceph, GlusterFS, and NFS; Volume snapshots, capacity management, monitoring, and Custom SDS solution based on Rook Ceph and NooBaa; Integration with major distributed storage via CSI, including Ceph, GlusterFS, and NFS; Underlying container storage available via Longhorn, the
0 points | 18 pages | 718.71 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
the --etcd-cafile argument is set as appropriate (Automated) 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Automated) 1.2.34 Ensure that encryption providers are appropriately maxsize=100 --audit-log-format=json --requestheader-allowed-names=kube-apiserver-proxy-client --cloud-provider= --etcd-prefix=/registry --proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key / kube-ca.pem --tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --requestheader-extra-headers-prefix=X-Remote-Extra-
0 points | 132 pages | 1.12 MB | 1 year ago

Hardening Guide - Rancher v2.3.3+
ographic Ciphers (Not Scored) • 1.1.34 - Ensure that the --encryption-provider-config argument is set as appropriate (Scored) • 1.1.35 - Ensure t AlwaysPullImages,DenyEscalatingExec,NodeRestriction,EventRateLimit,PodSecurityPolicy --encryption-provider-config=/etc/kubernetes/ssl/encryption.yaml --admission-control-config-file=/etc/kubernetes/admission
0 points | 44 pages | 279.78 KB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide 1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the control 1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) 1.1.36 - Ensure that the
0 points | 24 pages | 336.27 KB | 1 year ago

Rancher Hardening Guide v2.3.5
the policy enforcement. Additional information about CNI providers can be found here Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive authorization: mode: "" options: {} ignore_docker_version: false private_registries: [] ingress: provider: "" options: {} node_selector: {} extra_args: {} dns_policy: "" extra_envs: [] ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: "" options: {} node_selector: {} restore: restore: false snapshot_name: "" dns: null
0 points | 21 pages | 191.56 KB | 1 year ago

Rancher Hardening Guide v2.4
the policy enforcement. Additional information about CNI providers can be found here Once a CNI provider is enabled on a cluster a default network policy can be applied. For reference purposes a permissive {} ignore_docker_version: false private_registries: [] ingress: provider: "" options: {} node_selector: {} extra_args: {} dns_policy: "" extra_envs: [] user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" ssh_cert_path: "" monitoring: provider: "" options: {} node_selector: {} restore: restore: false snapshot_name: "" dns: null
0 points | 22 pages | 197.27 KB | 1 year ago













