metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp Rancher_Hardening_Guide.md 11/30/2018 15 / 24 resources: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restricted spec: requiredDropCapabilities:

metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: io/v1 kind: ClusterRole metadata: name: psp:restricted rules: - apiGroups: - extensions resourceNames: - restricted resources: - podsecuritypolicies verbs:

metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: io/v1 kind: ClusterRole metadata: name: psp:restricted rules: - apiGroups: - extensions resourceNames: - restricted resources: - podsecuritypolicies verbs:

deploy non-conformant Pods directly on vSphere-managed ESXi hosts through proprietary VMware extensions that replace the container engine and the standard Kubernetes kubelet. Tanzu can also manage non TKGI uses Antrea (default) or Flannel for networking. Antrea has its own advanced network policy extensions but also supports Kubernetes Network Policies. A Buyer’s Guide to Enterprise Kubernetes Management RBAC entities. Clusters deployed by Tanzu (TKG) support the standard Kubernetes entities with extensions that tie back to vCenter Single Sign-On users or the configured OIDC connector for the cluster

keep a tab open with kubectl command console to monitor things as they happen. apiVersion: extensions/v1beta1 kind: Deployment metadata: name: nginx-deployment spec: replicas: 3 template: have to use kubectl command line. A sample ingress definition looks like this: apiVersion: extensions/v1beta1 kind: Ingress metadata: name: simplelb spec: rules: - host: ingress.example not specified, it defaults to an asterisk “*” and the path defaults to root path. apiVersion: extensions/v1beta1 kind: Ingress metadata: name: simplelb spec: backend: serviceName: nginx-service

io/v1 kind: Role metadata: name: default-psp-role namespace: ingress-nginx rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: - use --- apiVersion: rbac io/v1 kind: Role metadata: name: default-psp-role namespace: cattle-system rules: - apiGroups: - extensions resourceNames: - default-psp resources: - podsecuritypolicies verbs: - use --- apiVersion: rbac - apiGroup: rbac.authorization.k8s.io kind: Group name: system:authenticated --- apiVersion: extensions/v1beta1 kind: PodSecurityPolicy metadata: name: restricted-psp spec: requiredDropCapabilities:

distributions Linux SLE Desktop / POS SLE Server SLES for SAP Applications SLES for HPC SLE Micro SLE Extensions SUSE Manager SUSE Linux Enterprise Compliance Security Availability Management The most adaptable

Ingress to access the SAP Data Intelligence installation: $ cat < ingress.yaml apiVersion: extensions/v1beta1 kind: Ingress metadata: annotations: kubernetes.io/ingress.class: nginx