.............................................................. 6 1.3.6 Service Registry and Discovery ................................................................................ 6 1.3.7 Load using Rancher Load Balancing services ............................................27 3.4 Service Discovery ............................................................................................... microservices, one needs robust cluster management capabilities that can handle scheduling, service discovery, load balancing, resource monitoring and isolation, and more. For years, Google has used a cluster

Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control DEV DATA CENTER CLOUD BRANCH 5G / EDGE ✔ Common API & Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control ✔ Common API & Packaging ✔ Health Checks/HA ✔ Load Balancing Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control Common compute platform across any infrastructure & a consistent

........................................................................................ 5 3 Feature Analysis ....................................................................................... automating cluster operations, Kubernetes Management Platforms seek to improve DevOps efficiencies. Feature SUSE Rancher OpenShift Tanzu Anthos Install and Operations 4 3 3 2 Intuitive UI 4 best practice security policy enforcement and advanced user management on any infrastructure. Feature SUSE Rancher OpenShift Tanzu Anthos Active Directory and LDAP Support 4 4 4 2 Pod

containerized applications within a Kubernetes cluster, that can survive the lifetime of a pod or the node it is running on. SUSE Rancher is a Kubernetes management platform that simplifies the cluster dynamic deployment, allowing you to scale storage and compute resources together or independently, one node at a time as per your requirements. • Shared platform for heterogeneous workloads The platform compute-only nodes. Figure 3. Logical architecture of RKE cluster In this example, each storage-only node includes two Intel Xeon Scalable 12-core processors, 224 GB RAM, and eight 1.92 TB SSDs. From the

supported Deployment on physical machines Supported Supported Supported Deployment on single node Supported by all versions Supported by v4.8 only Supported by all versions Certifications CNCF deployment App Store available to support Helm Chart and application repository configurations Operator Hub and Helm Chart supported; application repository configurations supported App Store 17 applications available, including NGINX, Tomcat, and Redis 13 Helm applications and 492 operator applications available by default 34 applications available, including Longhorn and openEBS

Rancher RKE2 Cluster | 59 Configure a Server Node | 59 Configure an Agent Node | 63 Configure Repository Credentials | 66 Prepare a Cluster Node for DPDK | 67 Juniper CN2 Technology Previews seamlessly across private and public clouds. Cloud-Native Contrail Networking (CN2) brings this rich SDN feature set natively to Kubernetes as a networking platform and container network interface (CNI) plug-in controllers manage a distributed set of data planes implemented by a CNI plug-in and vRouter on every node. Integrating a full-fledged vRouter alongside the workloads provides CN2 the flexibility to support

维度的监控指标，并通过Prometheus支持的数据格式暴露出来， Prometheus定期拉取数据并用Grafana展现，异常情况 使用AlertManager告警。 常用的一些exporter： • node_exporter • jmx_exporter • mysqld_exporter • redis_exporter • elasticsearch_exporter • …… 注： Confidential 应用调度抢占优先级 Kubernetes支持多种资源调度模式，基于nodeName和nodeSelector的服务器资源调度，称其为用户绑定策略；基于 PriorityClass的同一Node下不同Pod资源的优先级调度，称其为抢占式调度策略。 Step 1：定义PriorityClass Step 2：资源对象绑定相应优先级 © Copyright 2020 Rancher Labs 注：对于一般的比较简单的有状态应用，可以通过StatefulSet方式来部署， 但对于复杂的场景，还需要提供自动备份、故障检测、恢复自愈等自动化 运维能力时，建议通过Operator方式来部署管理，例如Etcd Operator © Copyright 2020 Rancher Labs. All Rights Reserved. Confidential 实践：容器化部署Spring Petclinic项目

Contents CIS 1.6 Kubernetes Benchmark - Rancher v2.5.4 with Kubernetes v1.18 Controls 1.1 Etcd Node Configuration Files 1.1.11 Ensure that the etcd data directory permissions are set to 700 or more is not set to AlwaysAllow (Automated) 1.2.8 Ensure that the --authorization-mode argument includes Node (Automated) 1.2.9 Ensure that the --authorization-mode argument includes RBAC (Automated) 1.2.10 Ensure (Automated) 1.4.2 Ensure that the --bind-address argument is set to 127.0.0.1 (Automated) 2 Etcd Node Configuration Files 2.1 Ensure that the --cert-file and --key-file arguments are set as appropriate

--protect-kernel-defaults=true • --make-iptables-util-chains=true • --event-qps=0 • --anonymous-auth=false • --feature-gates="RotateKubeletServerCertificate=true" • --tls-cipher-suites="TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 t i on u n d e r services: services: kubelet: generate_serving_certificate: true extra_args: feature-gates: "RotateKubeletServerCertificate=true" protect-kernel-defaults: "true" tls-cipher-suites: d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true 8 audit_log: enabled: true secrets_encryption_config:

2.1.8 - Ensure that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set inspect kube-apiserver | jq -e '.[0].Args[] | match("--authorization-mode=(Node|RBAC|,)+" Returned Value: --authorization-mode=Node,RBAC Result: Pass 1.1.20 - Ensure that the --token-auth-file parameter /kube-node.pem Audit ( --etcd-keyfile ) docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--etcd-keyfile=.*").string' Returned Value: --etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem