Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
• Manage CN2 using standard Kubernetes and third-party tools.
• Scale CN2 by adding or removing nodes.
• Configure CN2 by using custom resource definitions (CRDs).
• Upgrade CN2 software by applying phases, scaling to thousands of nodes.
The CN2 implementation consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The only one Contrail controller, a typical deployment contains multiple controllers running on multiple nodes. When there are multiple Contrail controllers, the controllers keep in synchronization by using iBGP
0 points | 72 pages | 1.01 MB | 1 year ago
SUSE Rancher MSP Use Cases & Enablement
Product Qty Nodes Rancher Management Server 1 0 Rancher Nodes 18 18 Customer A Cluster 1 Node Rancher Management Server Cluster Customer B Cluster 1 Node Node Control Plane Worker etcd Node Node Node Node Node Node Node Node All-in-one nodes (cp/etcd/worker) Node Node Node Node Node Node Node Node Node Node Node Control Plane Worker etcd MSP Admin Customer B DevOps: End user Customer Cluster All-in-one nodes (cp/etcd/worker) Node Node Node Namespace as a Service Managed Shared Kubernetes Cluster 1 Node Node Node Node 64 GB 16VCPU Worker Master Nodes Node 64 GB 16VCPU
0 points | 25 pages | 1.44 MB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
VxFlex to PowerFlex as per new rebranding guidelines June 2021 Leveraging SUSE Enterprise Linux RKE nodes September 2021 Updated data protection for Rancher Kubernetes cluster using Dell EMC PowerProtect hardware and deliver extreme SLA outcomes. PowerFlex aggregates resources across a broad set of nodes, unlocking massive input, output, and throughput performance while minimizing the latency. Its self-balancing time. You can scale the system while linearly scaling performance from a minimum of four nodes to thousands of nodes, on-demand and without any disruption. And with its self-healing architecture, PowerFlex
0 points | 45 pages | 3.07 MB | 1 year ago
Rancher Kubernetes Engine 2, VMWare vSAN
cluster as dedicated nodes for the RKE 2 cluster Creating the configuration of the vsphere CPI/CSI drivers for the use with RKE 2 Installing RKE 2 Kubernetes cluster on the dedicated nodes Deploying SAP requirements for a generic SAP Data Intelligence 3 deployment: At least 7 nodes are needed for the Kubernetes cluster. Minimum sizing of the nodes needs to be as shown below:
Server Role | Count | RAM | CPU | Disk space
Management Workstation | 1 | 16 GiB | 4 | >100 GiB
Master Node | 3 | 16 GiB | 4 | >120 GiB
Worker Node | 4 | 32 GiB | 8 | >120 GiB
SAP Data Intelligence 3 on Rancher Kubernetes Engine 2 using VMware vSAN and vSphere
0 points | 29 pages | 213.09 KB | 1 year ago
Hardening Guide - Rancher v2.3.3+
l = “RKE yaml for k8s 1.14” % }} nodes: - address: 18.191.190.205 internal_address: 172.31.24.213 user: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.203 internal_address: ubuntu role: [ "controlplane", "etcd", "worker" ] - address: 18.191.190.10 internal_address: 172.31.24.244 user: ubuntu role: [ "controlplane", "etcd", "worker" ] addon_job_timeout: 30 authentication: supported. # # To disable ingress controller, set `provider: none` # # To enable ingress on specific nodes, use the node_selector, eg: # provider: nginx # node_selector: # app: ingress # ingress: provider:
0 points | 44 pages | 279.78 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
all nodes: vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Rancher_Hardening_Guide.md 11/30/2018 3 / 24 Create a Kubernetes encryption configuration file on each of the RKE nodes that will be provisioned with the controlplane role: Rationale This configuration file will ensure configuration on all control plane nodes. Profile Applicability Level 1 Description Place the configuration file for Kubernetes audit logging on each of the control plane nodes in the cluster. Rationale
0 points | 24 pages | 336.27 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Applicable Remediation: RKE does not store the kubernetes default kubeconfig credentials file on the nodes. It’s presented to user where RKE is run. We recommend that this kube_config_cluster.yml file be kept
0 points | 54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Etcd Node Configuration Files 3 Control Plane Configuration 3.2 Logging 4 Worker Node Security Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Applicable Remediation: RKE does not store the kubernetes default kubeconfig credentials file on the nodes. It’s presented to user where RKE is run. We recommend that this kube_config_cluster.yml file be kept
0 points | 54 pages | 447.97 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
that use a YAML configuration file. Clusters can run on vSphere, Amazon, Microsoft Azure or GCP nodes if operators choose to use the bring your own host feature (BYOH). Tanzu’s BYOH feature allows operators 3.1.5.4 Anthos The Anthos edge story used to revolve around 5G connectivity to Google-managed nodes in a telco facility, but they stopped promoting this in early 2021. Instead, they now direct users and manage their own connectivity and backhaul. Although Anthos can run on small form-factor nodes such as an Intel NUC, the bare-metal requirement for Internet connectivity rules out resource-constrained
0 points | 39 pages | 488.95 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Make sure nodes with role:controlplane are on the same local network as your nodes with role:worker. Use network ACLs to restrict connections to the kubelet port (10250/tcp) on worker nodes, only permitting it from controlplane nodes. Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--kubelet-certificate-authority=.*").string' Returned Value: none Result: Fail (See Mitigation) restrictive (Scored) Notes RKE does not store the kubernetes default kubeconfig credentials file on the nodes. It's presented to user where RKE is run. We recommend that this kube_config_cluster.yml file be
0 points | 47 pages | 302.56 KB | 1 year ago
17 results in total