SUSE Rancher MSP Use Cases & Enablement
Copyright © SUSE 2021 SUSE Rancher MSP Use Cases & Enablement APRIL 2022 Managed Services Providers Copyright © SUSE 2021 Agenda Acquired Rancher in 2020 1. Company Snapshot • Powering Innovation for MSPs • Success Stories 2. SUSE Rancher Use Cases • SUSE Rancher Service Models • SUSE Rancher Solution Stacks • Other Service Examples 3. Next Steps Copyright © SUSE 2021 3 SUSE – COMPANY SNAPSHOT and Inhibitors Driver: Public Cloud Adoption “Eventually, container infrastructure software as a service may become an expected functionality” Revenue Growth 2022 to 2025 Cloud +$778.9M, 25% CAGR On-Prem/Other
25 pages | 1.44 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
set as appropriate (Automated) 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated) 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) the --etcd-cafile argument is set as appropriate (Automated) 1.2.33 Ensure that the --encryption-provider-config argument is set as appropriate (Automated) 1.2.34 Ensure that encryption providers are appropriately set to false (Automated) 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate
132 pages | 1.12 MB | 1 year ago
Hardening Guide - Rancher v2.3.3+
ent is set as appropriate (Scored) • 1.1.23 - Ensure that the --service-account-lookup argument is set to true (Scored) 7 • 1.1.24 - Ensure t ographic Ciphers (Not Scored) • 1.1.34 - Ensure that the --encryption-provider-config argument is set as appropriate (Scored) • 1.1.35 - Ensure t the command section of the output: --anonymous-auth=false --profiling=false --service-account-lookup=true --enable-admission-plugins=ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel
44 pages | 279.78 KB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
4 3 2 2 Import Existing Clusters 4 3 3 3 Centralized Audit 4 3 3 2 Cluster Self-Service Provisioning 4 4 4 1 Private Registry & Image Management 3 4 4 2 Cluster Upgrades & 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 3 1 4 Enterprise SLA 4 4 4 2 Community Traction 4 3 3 0 Please note for public and private cloud providers, along with guides for bare metal and "any other provider." Cloud provider installers require administrator access to the environment to create the resources but
39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
kernel.panic_on_oops=1 Run sysctl -p to enable the settings. 1.1.2 - Install the encryption provider configuration on all control plane nodes Profile Applicability Level 1 Description Rancher_Hardening_Guide 1.34 - Ensure that the --experimental-encryption-provider-config argument is set as appropriate (Scored) 1.1.35 - Ensure that the encryption provider is set to aescbc (Scored) Audit On the control Rancher_Hardening_Guide.md 11/30/2018 9 / 24 Ensure the RKE configuration is set to deploy the kube-api service with the options required for controls. Rationale To pass the following controls for the kube-api
24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.4
the default service accounts. The CIS 1.5 5.1.5 check requires the default service accounts have no roles or cluster roles bound to it apart from the defaults. In addition the default service accounts Hardening Guide v2.4 3 should be configured such that it does not provide a service account token and does not have any explicit rights assignments. Configure Kernel Runtime Parameters The conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in
22 pages | 197.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in etcd group run the following console commands. addgroup --gid 52034 etcd useradd --comment "etcd service account" --uid 52034 --gid 52034 etcd Update the RKE config.yml with the uid and gid of the etcd automountServiceAccountToken to false for default service accounts Kubernetes provides a default service account which is used by cluster workloads where no specific service account is assigned to the pod. Where
21 pages | 191.56 KB | 1 year ago
CIS Benchmark Rancher Self-Assessment Guide - v2.4
Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher Self-Assessment Benchmark Rancher Self-Assessment Guide - v2.4 18 1.2.14 Ensure that the admission control plugin Service Account is set (Scored) Result: PASS Remediation: Follow the documentation and create ServiceAccount '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) Result: PASS Remediation: Edit the API server pod
54 pages | 447.77 KB | 1 year ago
CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 Benchmark - Self-Assessment Guide - Rancher v2.5 18 1.2.14 Ensure that the admission control plugin Service Account is set (Scored) Result: PASS Remediation: Follow the documentation and create ServiceAccount '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) Result: PASS Remediation: Edit the API server pod
54 pages | 447.97 KB | 1 year ago
Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Pass 1.1.23 Ensure that the --service-account-lookup argument is set to true (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-lookup=true").string' Returned Returned Value: --service-account-lookup=true Result: Pass 1.1.24 - Ensure that the admission control plugin PodSecurityPolicy is set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0] 1.1.25 - Ensure that the --service-account-key-file argument is set as appropriate (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-key-file=.*").string'
47 pages | 302.56 KB | 1 year ago