Configure CN2 by using custom resource definitions (CRDs). 2 • Upgrade CN2 software by applying updated manifests. • Uninstall CN2 by deleting Contrail namespaces and resources (where supported). More plane interacts with Kubernetes control plane components to manage all CN2 resources. You configure CN2 resources using custom resource definitions (CRDs). Network data plane The network data plane resides • The network configuration plane refers to the functionality that enables CN2 to manage its resources and interact with the rest of the Kubernetes control plane. • The network control plane represents

............................................................................62 6 Additional Resources ............................................................................................... names given to resources to classify them, and are always a key pair of name and value. The key-value pairs can be used to filter, organize and perform mass operations on a set of resources. Think of labels like US, EU, APAC, etc. If done in the right manner, labels can act as a powerful way to classify resources of various types. ©Rancher Labs 2017. All rights Reserved. 5 DEPLOYING AND SCALING

project that anyone can use, and as the commercially supported SUSE Rancher. With the additional resources and extended leadership that SUSE has brought, Rancher’s growth has accelerated, with downloads provider." Cloud provider installers require administrator access to the environment to create the resources but can operate without administrative access once installation is complete. To execute the installation environment that consumes a small blueprint of resources. Users can also install SUSE Rancher on a Single Node using Docker requiring minimal resources to operate and run at edge locations. SUSE Edge

setup when only public IP is provided when registering custom nodes. This functionality requires a private IP to be provided when registering the custom nodes. When setting the default_pod_security_policy_template_id: Kubernetes in an air-gapped environment, # please consult the documentation on how to configure custom RKE images. kubernetes_version: "v1.15.9-rancher1-1" enable_network_policy: true default_po ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: - use --- apiVersion: rbac.authorization.k8s

The PowerFlex family provides a foundation that combines compute and high-performance storage resources in a managed, unified fabric. PowerFlex delivers transformational value • Delivers stringent advances in industry- standard hardware and deliver extreme SLA outcomes. PowerFlex aggregates resources across a broad set of nodes, unlocking massive input, output, and throughput performance while compute, and hyperconverged nodes in a dynamic deployment, allowing you to scale storage and compute resources together or independently, one node at a time as per your requirements. • Shared platform for

Observability Monitoring Built-in metrics for multi-tenant and multi-dimensional monitoring; built-in custom monitoring dashboards Simple metrics displayed only; Grafana and Prometheus required for of multi-dimensional resources in clusters and workspaces Not supported Not supported Billing Monitoring dashboards available for billing of multi-dimensional resources in clusters and workspaces NFS; Volume snapshots, capacity management, monitoring, and other O&M features supported; Custom SDS solution based on Rook Ceph and NooBaa; Integration with major distributed storage via

The file owner is root:root The file contains: apiVersion: v1 kind: EncryptionConfig resources: - resources: - secrets providers: - aescbc: keys: - name: key1 /etc/kubernetes/encryption.yaml Set the contents to: apiVersion: v1 kind: EncryptionConfig resources: - resources: - secrets providers: - aescbc: keys: - name: key1 ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: - use --- apiVersion: rbac.authorization.k8s

Kubernetes in an air-gapped environment, # please consult the documentation on how to configure custom RKE images. Hardening Guide v2.3.5 6 kubernetes_version: "v1.15.9-rancher1-1" enable_network_policy: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: Hardening Guide v2.3.5 8 - use --- apiVersion: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: - use Hardening Guide v2.3.5 9 --- apiVersion:

admission controller (Manual) 5.7 General Policies 5.7.1 Create administrative boundaries between resources using namespaces (Manual) 5.7.2 Ensure that the seccomp profile is set to docker/ default in your ${count_sa} -gt 0 ]]; then echo "false" exit fi for ns in $(kubectl get ns --no-headers -o custom-columns=":me tadata.name") do for result in $(kubectl get clusterrolebinding,rolebinding resource_count=$(kubectl get $kind $name -n $ns -o json | jq -r '.rules[] | select(.resources[] != "podsecuritypolicies")' | wc -l) if [[ ${resource_count} -gt 0 ]]; then

Ensure that namespaces are created to allow for appropriate segregation of Kubernetes resources and that all new resources are created in a specific namespace. Audit Script: 5.6.4.sh #!/bin/bash -e export Guide - v2.4 53 if [[ $? -gt 0 ]]; then echo "fail: kubectl failed" exit 1 fi default_resources=$(kubectl get all -o json | jq --compact- output '.items[] | select((.kind == "Service") and "kubernetes") and (.metadata.namespace == "default") | not)' | wc -l) echo "--count=${default_resources}" Audit Execution: ./5.6.4.sh Expected result: '0' is equal to '0' CIS Benchmark Rancher Self-Assessment