[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
For installations that want an even smaller attack surface, SUSE Rancher can utilize an operating system such as SLE Micro to help run Kubernetes in the most efficient way possible. Kubernetes from SUSE Rancher and Kubernetes. The SUSE Rancher Hosted team manages all aspects from uptime, monitoring, logging and security to backups, restores and upgrades and enables teams to focus on business continuity SUSE Rancher SUSE Rancher has updated its logging capabilities and now utilizes Banzai Cloud Logging operator to power logging across the platform. Logging is easily deployed across each cluster in
0 points | 39 pages | 488.95 KB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
4.6 Container Logging ... 4.8 Kubernetes System Stack Upgrades in Rancher ... 5 Managing containers. This data can be fed to an ELK (Elasticsearch, Logstash and Kibana) stack or Google Cloud logging for further analysis and visualization. 1.4 Kubernetes Components Kubernetes works in a master-node
0 points | 66 pages | 6.10 MB | 1 year ago

Rancher Hardening Guide Rancher v2.1.x
Place the configuration file for Kubernetes audit logging on each of the control plane nodes in the cluster. Rationale The Kubernetes API has audit logging capability that is the best way to track actions Description Configure a restrictive pod security policy (PSP) as the default and create role bindings for system level services to use the less restrictive default PSP. Rationale To address the following controls restrictive default PSP needs to be applied as the default. Role bindings need to be in place to allow system services to still function. 1.7.1 - Do not admit privileged containers (Not Scored) 1.7.2 - Do
0 points | 24 pages | 336.27 KB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes corresponding section of the CIS Kubernetes Benchmark v1.5. You can download the benchmark after logging in to CISecurity.org. Testing controls methodology Rancher and RKE install Kubernetes services root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G
0 points | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
2 Etcd Node Configuration 2 Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes corresponding section of the CIS Kubernetes Benchmark v1.5. You can download the benchmark after logging in to CISecurity.org. Testing controls methodology Rancher and RKE install Kubernetes services root:root (Scored) Result: PASS Remediation: Run the below command (based on the file location on your system) on the master node. For example, chown -R root:root /etc/kubernetes/ssl Audit: stat -c %U:%G
0 points | 54 pages | 447.97 KB | 1 year ago

Competitor Analysis: KubeSphere vs. Rancher and OpenShift
Comparison 1.1 Features Benchmarking Features KubeSphere OpenShift Rancher Monitoring ※※※※※ ※※※※ ※※※ Logging ※※※※※ ※※※ ※※※ Events ※※※※※ ※※※※ ※※※ Auditing ※※※※※ ※※※※ ※※※ Alerting ※※※※ ※※※※※ ※※※※ Notification easy-to-use installation tool RancherD, an easy-to-use installation tool, available Operating system support All major Linux operating systems supported Coupled to Red Hat underlying infrastructure Grafana and Prometheus required for displaying complex metrics Logging Built-in multi-tenant and multi-dimensional log retrieval system that supports on-disk log collection and provides flexibility
0 points | 18 pages | 718.71 KB | 1 year ago

CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Authorization 3.1.1 Client certificate authentication should not be used for users (Manual) 3.2 Logging 3.2.1 Ensure that a minimal audit policy is created (Automated) 3.2.2 Ensure that the audit policy corresponding section of the CIS Kubernetes Benchmark 1.6. You can download the benchmark after logging in to CISecurity.org. Testing controls methodology Rancher and RKE install Kubernetes services command (based on the etcd data directory found above). For example, chown etcd:etcd /var/lib/etcd A system service account is required for etcd data directory ownership. Refer to Rancher's hardening guide
0 points | 132 pages | 1.12 MB | 1 year ago

SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
Driver on DELL EMC PowerFlex White Paper Term Definition DD Data Domain DNS Domain Name System DDVE PowerProtect DD Virtual Edition FQDN Fully Qualified Domain Name MDM Meta Data Manager architecture eliminates any hotspots and ensures consistency and simplicity over time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand option to meet their exact requirements. PowerFlex rack PowerFlex rack is a fully engineered system, with integrated networking that enables the customers to simplify deployments and accelerate time
0 points | 45 pages | 3.07 MB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
corresponding section of the CIS Kubernetes Benchmark v1.4.0. You can download the benchmark after logging in to CISecurity.org. Testing controls methodology Rancher and RKE install Kubernetes services cannot be used on the cluster, as it can interact poorly with certain Pod Security Policies Several system services (such as nginx-ingress ) utilize SecurityContext to switch users and assign capabilities option to map the audit log to the host filesystem. Audit logs should be collected and shipped off-system to guarantee their integrity. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match
0 points | 47 pages | 302.56 KB | 1 year ago

SUSE Rancher MSP Use Cases & Enablement
Linux Enterprise Compliance Security Availability Management The most adaptable Linux operating system Other Linux Datacenter Edge Block Storage Container Security I.a.a.S Copyright © SUSE 2021 5 Node 64 GB 16VCPU Node 64 GB 16VCPU NS: Customer 2 Website 1 (4GB 2vCPU) NS: Customer 1 – Logging System (16GB 4vCPU) Customer 4 Wordpress Admin NS: Customer 4 Wordpress (4GB 2vCPU) https://Wordpress
0 points | 25 pages | 1.44 MB | 1 year ago

17 results in total