--enable-v2=true --initial- cluster=etcd-cis-aio-0=https://192.168.1.225:2380 --trusted- ca-file=/etc/kubernetes/ssl/kube-ca.pem --peer-trusted-ca- file=/etc/kubernetes/ssl/kube-ca.pem --client-cert-auth=true --enable-v2=true --initial- cluster=etcd-cis-aio-0=https://192.168.1.225:2380 --trusted- ca-file=/etc/kubernetes/ssl/kube-ca.pem --peer-trusted-ca- file=/etc/kubernetes/ssl/kube-ca.pem --client-cert-auth=true --enable-v2=true --initial- cluster=etcd-cis-aio-0=https://192.168.1.225:2380 --trusted- ca-file=/etc/kubernetes/ssl/kube-ca.pem --peer-trusted-ca- file=/etc/kubernetes/ssl/kube-ca.pem --client-cert-auth=true

discreet CA. Notes --trusted-ca-file is set and different from the --client-ca-file used by kube-apiserver . Audit docker inspect etcd | jq -e '.[0].Args[] | match("--trusted-ca-file=(?:(?!/etc/k

scalability & productivity HashiCorp Vault Provides the foundation for cloud security that leverages trusted sources of identity to keep secrets and application data secure ● Secrets management to centrally

Supported by all versions Certifications CNCF Kubernetes Conformance Certification Yes Yes Yes Trusted Cloud Yes Yes Yes 6 Certification Kubernetes-native No change to Kubernetes code Deep customization

Copyright © SUSE 2022 39 7 Legal Statements 7.1 Copyright Notice This document and its content are copyright of SUSE © 2022. All rights reserved. Any redistribution or reproduction of part or a local hard disk extracts for your personal and non- commercial use only • you may copy the content to individual third parties for their personal use, but only if you acknowledge the source of the You may not, except with our express written permission, distribute or commercially exploit the content. Nor may you transmit it or store it in any other website or other form of electronic retrieval

ot/ contrail/workload-cluster-kubeconfig c. Create the kubemanager manifest with the following content. Choose a meaningful name for the manifest (for example, kubemanager-cluster1.yaml). apiVersion: node as the root user. 59 2. Create a config.yaml file at /etc/rancher/rke2 with the following content. cni: - none 3. Install, enable, and start the rke2-server service. a. Download the RKE2 installation the root user. 2. Create a config.yaml file in the /etc/rancher/rke2 directory with the following content: server: https://:9345 token: The server_node_IP is the IP

o Redis Master o Redis Slave Open the “frontend-service.yaml” and uncomment the line with content “type: LoadBalancer”, after changes the code should look like: ©Rancher Labs 2017. All rights persists beyond the lifetime of the container. gitRepo Mounts an empty directory and then clones the content of a Git repo into that directory. Especially useful when you want to fetch configuration or standard

write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content: | vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Hardening

write_files: - path: /etc/sysctl.d/kubelet.conf owner: root:root permissions: "0644" content: | vm.overcommit_memory=1 kernel.panic=10 kernel.panic_on_oops=1 Hardening

settings on all hosts - path: /etc/sysctl.d/90-kubelet.conf owner: root:root permissions: '0644' content: | vm.overcommit_memory=1 vm.panic_on_oom=0 kernel.panic=10 kernel.panic_on_oops=1 kernel.keys.root_maxkeys=1000000