Secrets Management at Scale with Vault & Rancher
Secrets Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Kubernetes architecture ● Controlplane: Manages the cluster and exposes an API for control ● Etcd: a key value store used as Kubernetes’ backing store for all cluster data. ● Worker: Runs workloads and Infrastructure Management (Run & Manage) GitOps Continuous Delivery Cluster Templates & Config Enforcement K8s Version Management Node Pool Management Cluster Provisioning & Lifecycle Management Platform
0 credits | 36 pages | 1.19 MB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
development. Kubernetes orchestration provides capabilities such as auto scaling, security, and management of containerized applications. A persistent and stable data store is required to run containerized can survive the lifetime of a pod or the node it is running on. SUSE Rancher is a Kubernetes management platform that simplifies the cluster installation and operations, whether they are on-premises DevOps team freedom to build and run containerized applications anywhere. The PowerFlex family offers key value propositions for traditional and cloud-native production workloads, deployment flexibility,
0 credits | 45 pages | 3.07 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
... 1.3.3 Secret Management ... 1.3.5 Container Management and Scaling ... 1.3.6 ... 1.3.10 Log Management ...
0 credits | 66 pages | 6.10 MB | 1 year ago
Rancher Kubernetes Cryptographic Library FIPS 140-2 Non-Proprietary Security Policy
140-2 Annex C: Approved Random Number Generators 6/10/2019 [140AD] FIPS 140-2 Annex D: Approved Key Establishment Techniques 8/12/2020 [140DTR] FIPS 140-2 Derived Test Requirements 1/4/2011 [140IG] Block Cipher Modes of Operation: Methods for Key Wrapping 12/13/2012 [SP 800-56A Revised] NIST SP 800-56A Revised, Recommendation for Pair-Wise Key-Establishment Schemes Using Discrete Logarithm Cryptography 3/14/2007 [SP 800-57 P1 r5] NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General 5/4/2020 [SP 800-67 r2] NIST SP 800-67 Rev. 2, Recommendation for the
0 credits | 16 pages | 551.69 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Enterprise Kubernetes Management Platforms Red Hat OpenShift 4.9, VMware Tanzu 1.4, Google Anthos 1.10 and SUSE Rancher 2.6 A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright ... 39 A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright © SUSE 2022 3 1 Executive Summary Organizations modernizing their infrastructure lack of central visibility, inconsistent security practices and complex management processes. Therefore, Kubernetes management platforms need to confidently deliver: • Simplified Cluster Operations:
0 credits | 39 pages | 488.95 KB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
have a fully supported setup, there are two Kubernetes clusters required. One runs SUSE Rancher Management server and the other runs the actual workload, which for the purpose of this guide is SAP Data Minimum sizing of the nodes needs to be as shown below: Server Role Count RAM CPU Disk space Management Workstation 1 16 GiB 4 >100 GiB Master Node 3 16 GiB 4 >120 GiB Worker Node 4 32 GiB 8 >120 GiB Minimum sizing of the nodes needs to be as shown below: Server Role Count RAM CPU Disk space Management Workstation 1 16 GiB 4 >100 GiB Master Node 3 16 GiB 4 >120 GiB Worker Node 4 64 GiB 16 >120
0 credits | 29 pages | 213.09 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
providers: - aescbc: keys: - name: key1 secret: <32-byte base64 encoded string> - identity: {} Where aescbc is the key type, and secret is populated with a 32-byte base64 base64 encoded string. Remediation Generate a key and an empty configuration file: Rancher_Hardening_Guide.md 11/30/2018 4 / 24 head -c 32 /dev/urandom | base64 -i - touch /etc/kubernetes/encryption resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: <32-byte base64 encoded string> - identity: {} Where secret is the 32-byte
0 credits | 24 pages | 336.27 KB | 1 year ago
SUSE Rancher MSP Use Cases & Enablement
Snapshot • Powering Innovation With Leadership in Linux & Kubernetes • Market Facts • Target Market • Key Benefits of SUSE Rancher for MSPs • Program Benefits for MSPs • Success Stories 2. SUSE Rancher Micro SLE Extensions SUSE Manager SUSE Linux Enterprise Compliance Security Availability Management The most adaptable Linux operating system Other Linux Datacenter Edge Block Storage Container Retail Telecom Manufacturing & Automotive Technology and other industries Copyright © SUSE 2021 Key Benefits of SUSE Rancher for MSPs Deliver Kubernetes or Rancher–as–a–Service and enable customers
0 credits | 25 pages | 1.44 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file is set to true (Automated) 1.2.5 Ensure that the --kubelet-client-certificate and --kubelet-client-key arguments are set as appropriate (Automated) 1.2.6 Ensure that the --kubelet-certificate-authority --service-account-lookup argument is set to true (Automated) 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) 1.2.29 Ensure that the --etcd-certfile and --etcd-keyfile
0 credits | 132 pages | 1.12 MB | 1 year ago
Rancher Hardening Guide v2.3.5
ingress: "" ingress_backend: "" metrics_server: "" windows_pod_infra_container: "" ssh_key_path: "" ssh_cert_path: "" ssh_agent_auth: false authorization: mode: "" options: {} ignore_docker_version: prefix_path: "" addon_job_timeout: 0 bastion_host: address: "" port: "" user: "" ssh_key: "" ssh_key_path: "" ssh_cert: "" Hardening Guide v2.3.5 13 ssh_cert_path: "" monitoring: provider: cloud-config is generally used in cloud infrastructure environments to allow for configuration management of compute instances. The reference config configures Ubuntu operating system level settings needed
0 credits | 21 pages | 191.56 KB | 1 year ago
18 results in total













