Balancing ✔ Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control DEV DATA CENTER CLOUD BRANCH 5G / EDGE ✔ Common Balancing ✔ Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control ✔ Common API & Packaging ✔ Health Checks/HA ✔ Balancing ✔ Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control Common compute platform across any infrastructure

Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes supporting a rich SDN feature set that can meet the requirements of enterprises and service providers alike. Enterprises and service providers can now manage Contrail using simplified and familiar DevOps tools Contrail resources. It watches the kube- apiserver for changes to regular Kubernetes resources such as service and namespace and acts on any changes that affect the networking resources. In a single-cluster

......... 33 7.2. 镜像仓库 ................................................. 33 7.3. Kubernetes(k8s) .......................................... 33 1. 概要 1.1. 环境说明 系统相关的登录账号、密码信息如下： 访问地址 iptables 规则来转发数据； b) Hostport： 类似于 docker -p 的方式映射的端口，只有 Pod 所在的节点 IP+端口才可以访问； c) ClusterIP： 为 service 配置 cluster IP 地址； d) L4 负载均衡： 此功能对应公有云的负载均衡器，内网环境或自定义云主机安装的集群请不要使用。 Page 18 环境变量 式输入，或者直接复制粘贴多行； 引用其他资源： 目前通过 UI 可以引用密文\配置映射，Field\Resource 可通过编辑 yaml 应用； 主机调度 根据应用的需要配置相应的调度规则，默认按照 K8S 自动调度,可通过在主机上设置标签， 通过标签来选择主机部署 POD。 健康检查 为应用配置健康检查，不健康的 Pod 将自动重建，保证服务的可用性。健康检查包含就绪 检查和存活检查： a)

for MSPs • Success Stories 2. SUSE Rancher Use Cases • SUSE Rancher Service Models • SUSE Rancher Solution Stacks • Other Service Examples 3. Next Steps Copyright © SUSE 2021 3 SUSE – COMPANY SNAPSHOT and Inhibitors Driver: Public Cloud Adoption “Eventually, container infrastructure software as a service may become an expected functionality” Revenue Growth 2022 to 2025 Cloud +$778.9M, 25% CAGR On-Prem/Other Copyright © SUSE 2021 Key Benefits of SUSE Rancher for MSPs Deliver Kubernetes or Rancher–as– a–Service and enable customers to build faster Increase operational efficiency when managing multiple workloads

and Scaling ......................................................................... 6 1.3.6 Service Registry and Discovery ......................................................................... .........24 3 Deploying a Multi-Service Application .............................................................................26 3.1 Defining Multi-Service Application ....................... ........................................................26 3.2 Designing a Kubernetes service for an Application .....................................................26 3.3 Load Balancing using Rancher

set as appropriate (Automated) 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated) 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) set to false (Automated) 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated) 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)

Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher Self-Assessment Benchmark Rancher Self-Assessment Guide - v2.4 18 1.2.14 Ensure that the admission control plugin Service Account is set (Scored) Result: PASS Remediation: Follow the documentation and create ServiceAccount '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) Result: PASS Remediation: Edit the API server pod

Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 Benchmark - Self-Assessment Guide - Rancher v2.5 18 1.2.14 Ensure that the admission control plugin Service Account is set (Scored) Result: PASS Remediation: Follow the documentation and create ServiceAccount '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) Result: PASS Remediation: Edit the API server pod

4 3 2 2 Import Existing Clusters 4 3 3 3 Centralized Audit 4 3 3 2 Cluster Self-Service Provisioning 4 4 4 1 Private Registry & Image Management 3 4 4 2 Cluster Upgrades & 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 3 1 4 Enterprise SLA 4 4 4 2 Community Traction 4 3 3 0 Please note if you use AWS, Azure or GCP. On top of this, there is an additional fee for the connectivity service that provides communication among on- premises and cloud. 3.1.2 Intuitive UI • SUSE Rancher:

e n t i s s e t as ap p r o- p r i at e ( S c or e d ) • 1. 1. 23 - E n s u r e t h at t h e --service-account-lookup ar gu m e n t i s s e t t o t r u e ( S c or e d ) 7 • 1. 1. 24 - E n s u r e t t h e c om m an d s e c t i on of t h e ou t p u t : --anonymous-auth=false --profiling=false --service-account-lookup=true --enable-admission-plugins=ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel on u n d e r services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true 8 audit_log: enabled: true sec