Secrets Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Infrastructure Management (Run & Manage) GitOps Continuous Delivery Cluster Templates & Config Enforcement K8s Version Management Node Pool Management Cluster Provisioning & Lifecycle Management Platform Amazon EKS Azure AKS Google GKE Cloud Datacenter Edge Branch Dev Secret Management in Kubernetes 16 17 18 Secret Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH

Enterprise Kubernetes Management Platforms Red Hat OpenShift 4.9, VMware Tanzu 1.4, Google Anthos 1.10 and SUSE Rancher 2.6 A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright ........................................ 39 A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright © SUSE 2022 3 1 Executive Summary Organizations modernizing their infrastructure lack of central visibility, inconsistent security practices and complex management processes. Therefore, Kubernetes management platforms need to confidently deliver: • Simplified Cluster Operations:

............................................................. 13 PowerFlex Container Storage Interface driver .......................................................................... 25 Steps to development. Kubernetes orchestration provides capabilities such as auto scaling, security, and management of containerized applications. A persistent and stable data store is required to run containerized can survive the lifetime of a pod or the node it is running on. SUSE Rancher is a Kubernetes management platform that simplifies the cluster installation and operations, whether they are on-premises

Cryptography 3/14/2007 [SP 800-57 P1 r5] NIST SP 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 – General 5/4/2020 [SP 800-67 r2] NIST SP 800-67 Rev. 2, Recommendation for the Triple Definitions Term Definition AES Advanced Encryption Standard API Application Programming Interface CAVP Cryptographic Algorithm Validation Program CKG Cryptographic Key Generation CMVP Cryptographic .........................................................9 7 Cryptographic Algorithms & Key Management ................................................................10 7.1 Approved Cryptographic

............................................................................ 6 1.3.3 Secret Management .............................................................................................. ......................................................................... 6 1.3.5 Container Management and Scaling ......................................................................... 6 1.3.6 .............................................................................. 7 1.3.10 Log Management ..............................................................................................

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2 Published 2023-09-08 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 this publication without notice. Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2 Copyright © 2023 Juniper Networks, Inc. All rights reserved. The information Amazon EKS • Rancher RKE2 Contrail Networking is an SDN solution that automates the creation and management of virtualized networks to connect, isolate, and secure cloud workloads and services seamlessly

Application Template ※※※※ ※※※※※ ※※※※ CI/CD Pipeline ※※※※※ ※※※※※ ※※※ Application Lifecycle Management ※※※※※ ※ ※ Metering & Billing ※※※※※ ※ ※ Grayscale Release ※※※※※ ※※※ ※※※ 4 Traffic Governance Multi-cluster Management ※※※※ ※※※ ※※※※※ Edge Computing ※※※※※ ※※ ※※※※※ Network ※※※※※ ※※※※※ ※※※※ Storage ※※※※※ ※※※※※ ※※※※※ Network Policy and Management ※※※※※ ※※※※※ ※※※ Multi-tenant Management ※※※※ manual configurations required for Kibana to visualize records Auditing Built-in visual interface that supports auditing logs retrieval in multiple dimensions of cluster, platform, and application

1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual) 1.1.10 Ensure that the Container Network Interface file ownership is set to root:root (Manual) (Manual) 5.3.2 Ensure that all Namespaces have Network Policies defined (Automated) 5.4 Secrets Management 5.4.1 Prefer using secrets as files over secrets as environment variables (Manual) 5.4.2 Consider stat -c %U:%G /etc/kubernetes/manifests/etcd.yaml; fi' 1.1.9 Ensure that the Container Network Interface file permissions are set to 644 or more restrictive (Manual) Result: warn Remediation: Run the

into and out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information specify flannel interface Hardening Guide v2.3.5 18 # # network: # plugin: flannel # flannel_network_provider: # iface: eth1 # # # To specify flannel interface for canal plugin cloud-config is generally used in cloud infrastructure environments to allow for configuration management of compute instances. The reference config configures Ubuntu operating system level settings needed

into and out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement. Additional information # # # To specify flannel interface # # network: # plugin: flannel # flannel_network_provider: # iface: eth1 # # # To specify flannel interface for canal plugin # # network: cloud-config is generally used in cloud infrastructure environments to allow for configuration management of compute instances. The reference config configures Ubuntu operating system level settings needed