Secrets Management at Scale with Vault & Rancher
Secrets Management at Scale with Vault & Rancher 24. June Robert de Bock Senior DevOps Engineer Adfinis robert.debock@adfinis.com Kapil Arora Senior Solution Engineer HashiCorp kapil@hashicorp.com Infrastructure Management (Run & Manage) GitOps Continuous Delivery Cluster Templates & Config Enforcement K8s Version Management Node Pool Management Cluster Provisioning & Lifecycle Management Platform Google GKE Cloud Datacenter Edge Branch Dev Secret Management in Kubernetes 16 17 18 Secret Management Challenges ● Secrets sprawl ● Secrets rotation ● X.509 certificates, SSH and Cloud access
0 points | 36 pages | 1.19 MB | 1 year ago
Deploying and Scaling Kubernetes with Rancher
1.3.3 Secret Management ... 1.3.5 Container Management and Scaling ... 1.3.6 ... 1.3.10 Log Management ...
0 points | 66 pages | 6.10 MB | 1 year ago
SUSE Rancher MSP Use Cases & Enablement
Micro SLE Extensions SUSE Manager SUSE Linux Enterprise Compliance Security Availability Management The most adaptable Linux operating system Other Linux Datacenter Edge Block Storage Container provisioning time - from hours to minutes — 35% reduction in cloud costs — 35% reduction in management time “Provisioning a new environment now takes a matter of minutes, whereas before it would take Copyright © SUSE 2021 SunnyVision can now leverage the native Kubernetes way to store and access secrets in a safe way Business Outcomes Major efficiencies achieved: — Protect Customers’ Sensitive Data
0 points | 25 pages | 1.44 MB | 1 year ago
CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
Ensure that the cluster-admin role is only used where required (Manual) 5.1.2 Minimize access to secrets (Manual) 5.1.3 Minimize wildcard use in Roles and ClusterRoles (Manual) 5.1.4 Minimize access to that all Namespaces have Network Policies defined (Automated) 5.4 Secrets Management 5.4.1 Prefer using secrets as files over secrets as environment variables (Manual) 5.4.2 Consider external secret storage cluster-admin role : kubectl delete clusterrolebinding [name] Audit: 5.1.2 Minimize access to secrets (Manual) Result: warn Remediation: Where possible, remove get, list and watch access to secret
0 points | 132 pages | 1.12 MB | 1 year ago
[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
Enterprise Kubernetes Management Platforms Red Hat OpenShift 4.9, VMware Tanzu 1.4, Google Anthos 1.10 and SUSE Rancher 2.6 A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright ... 39 A Buyer’s Guide to Enterprise Kubernetes Management Platforms Copyright © SUSE 2022 3 1 Executive Summary Organizations modernizing their infrastructure lack of central visibility, inconsistent security practices and complex management processes. Therefore, Kubernetes management platforms need to confidently deliver: • Simplified Cluster Operations:
0 points | 39 pages | 488.95 KB | 1 year ago
Rancher Hardening Guide Rancher v2.1.x
controlplane role: Rationale This configuration file will ensure that the Rancher RKE cluster encrypts secrets at rest, which Kubernetes does not do by default. This supports the following controls: 1.1.34 root:root The file contains: apiVersion: v1 kind: EncryptionConfig resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: <32-byte base64 Set the contents to: apiVersion: v1 kind: EncryptionConfig resources: - resources: - secrets providers: - aescbc: keys: - name: key1 secret: <32-byte base64
0 points | 24 pages | 336.27 KB | 1 year ago
Rancher Hardening Guide v2.3.5
services: etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: enabled: true event_rate_limit: enabled: true pod_security_policy: true secrets_encryption_config: enabled: true service_node_port_range: 30000-32767 kube_controller: cloud-config is generally used in cloud infrastructure environments to allow for configuration management of compute instances. The reference config configures Ubuntu operating system level settings needed
0 points | 21 pages | 191.56 KB | 1 year ago
Rancher Hardening Guide v2.4
services: etcd: uid: 52034 gid: 52034 kube-api: pod_security_policy: true secrets_encryption_config: enabled: true audit_log: enabled: true admission_configuration: enabled: true event_rate_limit: enabled: true pod_security_policy: true secrets_encryption_config: enabled: true service_node_port_range: 30000-32767 kube_controller: cloud-config is generally used in cloud infrastructure environments to allow for configuration management of compute instances. The reference config configures Ubuntu operating system level settings needed
0 points | 22 pages | 197.27 KB | 1 year ago
SUSE Rancher and RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex
development. Kubernetes orchestration provides capabilities such as auto scaling, security, and management of containerized applications. A persistent and stable data store is required to run containerized can survive the lifetime of a pod or the node it is running on. SUSE Rancher is a Kubernetes management platform that simplifies the cluster installation and operations, whether they are on-premises systems, hypervisors, and container platforms with a unified underlying infrastructure platform and management. It can also support heterogeneous workloads with varying requirements on a flexible shared infrastructure
0 points | 45 pages | 3.07 MB | 1 year ago
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2 Published 2023-09-08 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 this publication without notice. Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2 Copyright © 2023 Juniper Networks, Inc. All rights reserved. The information Amazon EKS • Rancher RKE2 Contrail Networking is an SDN solution that automates the creation and management of virtualized networks to connect, isolate, and secure cloud workloads and services seamlessly
0 points | 72 pages | 1.01 MB | 1 year ago













