and advanced user management on any infrastructure • Access to Shared Tools and Services: a high level of reliability with easy, consistent access to shared tools and services Given the transformative differentiated itself by leveraging Project Pacific, a re-architecture of vSphere with Kubernetes as its control plane. While there are other smaller players in the market, the scope of this guide is limited (OpenShift/OCP4) with Red Hat Advanced Cluster Management for Kubernetes (RHACM), VMware Tanzu Mission Control with Tanzu Kubernetes Grid Integrated Edition (collectively referred to as Tanzu in this guide)

that the kubelet initially attempts to change can be set manually. This supports the following control: 2.1.7 - Ensure that the --protect-kernel-defaults argument is set to true (Scored) Audit Verify sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide.md 11/30/2018 (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the control plane hosts for the Rancher HA cluster run: stat /etc/kubernetes/encryption.yaml Ensure that:

(VM) workloads, across multi-cluster compute and storage environments, all from a central point of control. It supports hard multi-tenancy for single or multi-cluster environments shared across many tenants The CN2 implementation consists of a set of Contrail controllers that reside on either Kubernetes control plane nodes or worker nodes depending on distribution. The Contrail controllers manage a distributed available and resilient network controller overseeing all aspects of the network configuration and control planes • Analytics services using telemetry and industry standard monitoring and presentation tools

........................................19 2.4.4 Usingkubectl - Credential Management and Web Access .......................................23 2.4.5 Manage Kubernetes Namespaces................. Deployments are a fairly recent addition to the project, but provide a powerful and declarative way to control how service updates are performed and is recommended over rolling- updates. 1.3.9 Resource Monitoring allows users to control its features through a simple and intuitive UI. Kubernetes can be launched in a matter of minutes with a single click through Rancher. Multiple teams and access policies for their

the admission control plugin EventRateLimit is set (Automated) 1.2.11 Ensure that the admission control plugin AlwaysAdmit is not set (Automated) 1.2.12 Ensure that the admission control plugin AlwaysPullImages (Manual) 1.2.13 Ensure that the admission control plugin SecurityContextDeny is set if PodSecurityPolicy is not used (Manual) 1.2.14 Ensure that the admission control plugin ServiceAccount is set (Automated) the admission control plugin NamespaceLifecycle is set (Automated) 1.2.16 Ensure that the admission control plugin PodSecurityPolicy is set (Automated) 1.2.17 Ensure that the admission control plugin NodeRestriction

security of the hardened cluster against each control in the benchmark. Because Rancher and RKE install Kubernetes services as Docker containers, many of the control verification checks in the CIS Kubernetes will need access to the Docker command line on the hosts of all three RKE roles. The commands also make use of the the jq command to provide human- readable formatting. Known Scored Control Failures flag was removed in 1.14, so it cannot be set. Result: Pass 1.1.10 - Ensure that the admission control plugin AlwaysAdmit is not set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[]

and security with easy access to open-source tools Opportunity to build a new innovative revenue streams with "Open" approach 7 Maintain customer satisfaction with access to deep expertise from SUSE’s on usage • Backed by SUSE/Rancher -all products come with SUSE/Rancher L1, L2, and L3 support • Access to enterprise grade open-source software – no vendor lock-in • More than just subscriptions • FREE Copyright © SUSE 2021 SunnyVision can now leverage the native Kubernetes way to store and access secrets in a safe way Business Outcomes Major efficiencies achieved: — Protect Customers’ Sensitive

Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control DEV DATA CENTER CLOUD BRANCH 5G / EDGE ✔ Common API & Packaging ✔ Health Checks/HA ✔ Load Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control ✔ Common API & Packaging ✔ Health Checks/HA ✔ Load Balancing ✔ Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control Common compute platform across any infrastructure & a consistent set of infrastructure capabilities

for example https://documenta- tion.suse.com/sbp/all/single-html/SBP-Private-Registry/index.html Access to a storage solution providing dynamically physical volumes If it is planned to use Vora’s streaming store is needed If it is planned to enable backup of SAP Data Intelligence 3.3 during installation access to an S3-compatible object store is needed 6 SAP Data Intelligence 3 on Rancher Kubernetes Engine Enterprise Server 15 SP4. Check the storage requirements. Create a or get access to a private container registry. Get an SAP S-user to access software and documentation by SAP. Read the relevant SAP documentation:

Demand APEX Flex on Demand allows you to pay for technology as you use it and provides immediate access to buffer capacity. Your payment adjusts to match your usage. APEX Datacenter Utility APEX Datacenter clusters from data center to cloud and edge and unites them with centralized authentication, access control, and observability. SUSE Rancher lets you streamline cluster deployment on bare metal, edge and user management SUSE Rancher lets you automate processes and applies a consistent set of user access and security policies to all your clusters, no matter where they are running. Shared tools and