Kubernetes cluster using CSI Driver on DELL EMC PowerFlex September 2021 H18899 White Paper Abstract This white paper describes the deployment of a SUSE Rancher Kubernetes Cluster on the Dell PowerFlex Engineering Validated Copyright 2 SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex White Paper The information in this publication is provided is subject to change without notice. Contents 3 SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex White Paper Contents Executive Summary ........

management platforms need to confidently deliver: • Simplified Cluster Operations: improved DevOps efficiencies with simplified cluster operations • Consistent Security Policy and User Management: Cloud portfolio. Their initial go-to-market strategy saw a high premium for an immature multi-cluster platform. In 2020, Google introduced a new pay-as-you-go pricing model and invested heavily in developing Management Platforms: Red Hat OpenShift Container Platform 4.9 (OpenShift/OCP4) with Red Hat Advanced Cluster Management for Kubernetes (RHACM), VMware Tanzu Mission Control with Tanzu Kubernetes Grid Integrated

Copyright © SUSE 2021 SUSE Rancher MSP Use Cases & Enablement APRIL 2022 Managed Services Providers Copyright © SUSE 2021 Agenda Acquired Rancher in 2020 1. Company Snapshot • Powering Innovation Inhibitor: Scarcity of expertise While an inhibitor to software sales, this is a Driver of demand for managed and professional services 0 1000 2000 3000 4000 2022 2023 2024 2025 Worldwide Container Infrastructure Kubernetes Cluster as a Service Product Qty Nodes Rancher Management Server 1 0 Rancher Nodes 18 18 Customer A Cluster 1 Node Rancher Management Server Cluster Customer B Cluster 1 Node Node

needs robust cluster management capabilities that can handle scheduling, service discovery, load balancing, resource monitoring and isolation, and more. For years, Google has used a cluster manager called Kubernetes terminology: Cluster A cluster is a set of machines (physical or virtual) on which your applications are managed and run. For Kubernetes, all machines are managed as a cluster (or set of clusters topology used). Node A logical machine unit (physical or virtual), which is part of a larger cluster on which you can run your applications. Pod A co-located group of containers and their storage

August 2019 Authors Taylor Price Overview The following document scores a Kubernetes 1.13.x RKE cluster provisioned according to the Rancher v2.2.x hardening guide against the CIS 1.4.0 Kubernetes benchmark and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes services as Docker This admission controller should only be used where Pod Security Policies cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as

Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install | 18 Install Single Cluster CN2 on Rancher RKE2 19 Install Single Cluster CN2 on Rancher RKE2 Running Kernel Mode Data Plane | 21 Install Single Cluster CN2 on Rancher RKE2 Running DPDK Data Plane | 24 Install Multi-Cluster CN2 on Rancher RKE2 Manage Single Cluster CN2 | 45 Overview | 45 Run Preflight and Postflight Checks | 45 Upgrade CN2 | 47 Uninstall CN2 | 48 Manage Multi-Cluster CN2 | 49 Attach a Workload Cluster | 50 Detach

of Strong Cryptographic Ciphers (Automated) 5.1 RBAC and Service Accounts 5.1.1 Ensure that the cluster-admin role is only used where required (Manual) 5.1.2 Minimize access to secrets (Manual) 5.1.3 Rancher, and this benchmark guide is meant to help you evaluate the level of security of the hardened cluster against each control in the benchmark. This guide corresponds to specific versions of the hardening permissions are set to 644 or more restrictive (Automated) Result: notApplicable Remediation: Cluster provisioned by RKE doesn't require or maintain a configuration file for kube-apiserver. All configuration

u n t u cloud-config E x am p l e . . . . . . . . 26 1 Ap p e n d i x B - C om p l e t e R K E cluster.yml E x am p l e . . . . . . . . . . 27 Ap p e n d i x C - C om p l e t e R K E T e m p l at e E /var/lib/etcd etcd R e c or d t h e u i d /gi d : id etcd • Ad d t h e f ol l ow i n g t o t h e R K E cluster.yml e t c d s e c t i on u n d e r services: services: etcd: uid: s C l us t e r C o nfig ur a t i o n v i a R K E ( S e e Ap p e n d i x B . f or f u l l R K E cluster.yml e x am p l e ) 2. 1. 1 - C on fi gu r e k u b e l e t op t i on s P r ofi l e A p p l i c ab

performance of the technology Authors Jason Greathouse Bill Maxwell 1.1 - Rancher HA Kubernetes cluster host configuration 1.1.1 - Configure default sysctl settings on all hosts Profile Applicability with the controlplane role: Rationale This configuration file will ensure that the Rancher RKE cluster encrypts secrets at rest, which Kubernetes does not do by default. This supports the following encryption provider is set to aescbc (Scored) Audit On the control plane hosts for the Rancher HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that: The file is present The file mode is

user and group Ensure that all Namespaces have Network Policies defined Reference Hardened RKE cluster.yml configuration Reference Hardened RKE Template configuration Hardened Reference Ubuntu 18.04 for Information Security (CIS). This hardening guide describes how to secure the nodes in your cluster, and it is recommended to follow this guide before installing Kubernetes. This hardening guide is controls from the Center for Information Security (CIS). For more detail about evaluating a hardened cluster against the official CIS benchmark, refer to the CIS Benchmark Rancher Self-Assessment Guide - Rancher