Terminology | 4 CN2 Components | 6 Deployment Models | 11 Single Cluster Deployment | 11 Multi-Cluster Deployment | 12 System Requirements | 15 2 Install Overview | 17 Before You Install Plane | 21 Install Single Cluster CN2 on Rancher RKE2 Running DPDK Data Plane | 24 Install Multi-Cluster CN2 on Rancher RKE2 | 28 Install Contrail Tools | 29 Install ContrailReadiness Controller 45 Run Preflight and Postflight Checks | 45 Upgrade CN2 | 47 Uninstall CN2 | 48 Manage Multi-Cluster CN2 | 49 Attach a Workload Cluster | 50 Detach a Workload Cluster | 55 Uninstall

................24 3 Deploying a Multi-Service Application .............................................................................26 3.1 Defining Multi-Service Application ................ review capabilities of Kubernetes, deploy Kubernetes with Rancher, then deploy and scale some sample multi-tier applications. But before we dive into details, let’s first cover the general capabilities and Cluster A cluster is a set of machines (physical or virtual) on which your applications are managed and run. For Kubernetes, all machines are managed as a cluster (or set of clusters, depending on

power their digital transformation. As they move away from their legacy environments to hybrid, multi-cloud stacks, enterprises are creating new opportunities to unify their IT operations with containers Google Cloud portfolio. Their initial go-to-market strategy saw a high premium for an immature multi-cluster platform. In 2020, Google introduced a new pay-as-you-go pricing model and invested heavily Install and Operations 4 3 3 2 Intuitive UI 4 3 3 3 Hosted & Managed Services 3 3 1 2 Multi-Cluster Management 4 3 2 2 Edge Support 4 3 2 1 Integrated Public Cloud Support 4 2

※※※ ※※※※※ Multi-cluster Management ※※※※ ※※※ ※※※※※ Edge Computing ※※※※※ ※※ ※※※※※ Network ※※※※※ ※※※※※ ※※※※ Storage ※※※※※ ※※※※※ ※※※※※ Network Policy and Management ※※※※※ ※※※※※ ※※※ Multi-tenant Details Version compared 3.1.1 4.8 V2.5.9 Observability Monitoring Built-in metrics for multi-tenant and multi-dimensional monitoring; built-in custom monitoring dashboards Simple metrics displayed only; Grafana and Prometheus required for displaying complex metrics Logging Built-in multi-tenant and multi-dimensional log retrieval system that supports on-disk log collection and provides flexibility

Networking ✔ RBAC & Access Control Common compute platform across any infrastructure & a consistent set of infrastructure capabilities Kubernetes architecture ● Controlplane: Manages the cluster and Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access ● Encryption ● Multi-platform and multi-cloud ● Central control and management ● Auditing ● Compliance & Hardware Security Module

that the --kubelet-certificate-authority argument is set as appropriate (Scored) 1.4.11 - Ensure that the etcd data directory permissions are set to 700 or more-restrictive (Scored) 1.4.12 - Ensure Ensure that the etcd data directory ownership is set to etcd:etcd (Scored) 2.1.8 - Ensure that the --hostname-override argument is not set (Scored) Controls 1 - Master Node Security Configuration 1.1 - API Server 1.1.1 - Ensure that the --anonymous-auth argument is set to false (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--anonymous-auth=false").string' Returned

and other user-space applications. The Module is classified by FIPS 140-2 as a software module, multi-chip standalone module embodiment. The validated version of the library is 66005f41fbc3529ffe8d the following command to create a CMake toolchain file to specify the use of Clang: ● printf "set(CMAKE_C_COMPILER \"clang\")\nset(CMAKE_CXX_COMPILER \"clang++\")\n" > ${HOME}/toolchain The FIPS tar.xz The set of files specified in the archive constitutes the complete set of source files of the validated module. There shall be no additions, deletions, or alterations of this set as used during

• No upfront investment required • Simple Contract and on-boarding • Pay As You Go, Annual and Multi-year purchase options • Royalty-based monthly reporting and invoicing based on usage • Backed by Customers’ Sensitive Data with Enhanced Kubernetes Security — Segregation of the encryption keys in our multi- tenant environment — The Ondat data platform is used by SunnyVision as the basis for its database

Ensure that the etcd data directory permissions are set to 700 or more restrictive (Automated) 1.1.12 Ensure that the etcd data directory ownership is set to etcd:etcd (Automated) 1.1.19 Ensure that the Kubernetes Kubernetes PKI directory and file ownership is set to root:root (Automated) 1.1.20 Ensure that the Kubernetes PKI certificate file permissions are set to 644 or more restrictive (Automated) 1.1.21 Ensure Ensure that the Kubernetes PKI key file permissions are set to 600 (Automated) 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Automated) 1.1.2 Ensure

Node Configuration Files 1.1.1 Ensure that the API server pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain a configuration container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to 644 or more restrictive (Scored) Result: Not Applicable Remediation: RKE doesn’t require or maintain