Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2 Published 2023-09-08 Juniper Networks, Inc. 1133 Innovation Way Sunnyvale, California 94089 USA 408-745-2000 modify, transfer, or otherwise revise this publication without notice. Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2 Copyright © 2023 Juniper Networks terms and conditions of that EULA. ii Table of Contents 1 Introduction Cloud-Native Contrail Networking Overview | 2 Terminology | 4 CN2 Components | 6 Deployment Models | 11 Single Cluster

Containers are great……..but Containers are great……..but How about managing many? How do we address: Networking, Security, Scheduling, Automation, etc? 6 Why Kubernetes ? Common compute platform across any Health Checks/HA ✔ Load Balancing ✔ Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control DEV DATA CENTER CLOUD Health Checks/HA ✔ Load Balancing ✔ Overlay Networking ✔ Network Security Policies ✔ Backup and Recovery ✔ Autoscaling ✔ Service Discovery ✔ Networking ✔ RBAC & Access Control ✔ Common API & Packaging

integration of PowerFlex CSI driver 1.4 for persistent volume, for customers requiring an on-premises container platform solution. This white paper also explains how to protect the above Kubernetes workloads Kubernetes cluster .............................................................. 13 PowerFlex Container Storage Interface driver ...................................................................... RKE Kubernetes cluster using CSI Driver on DELL EMC PowerFlex White Paper Executive Summary Container technologies enable development teams to quickly provision isolated applications. Customers who

................................................................................... 6 1.3.5 Container Management and Scaling ........................................................................ .................................... 9 2.4 How Rancher Extends Kubernetes for User-Friendly Container Management ............14 2.4.1 Infrastructure Visibility .................................. .......................................................................................34 4 Container Operations ....................................................................................

relationships with global enterprises, Red Hat has been successful 1 “The Forrester Wave™: Multicloud Container Development Platforms, Q3 2020” by Dave Bartoletti, Charlie Dai with Lauren Nelson, Duncan Dietz Bill Nagel, Forrester – Download Report 2 "Gartner Forecasts Strong Revenue Growth for Global Container Management Software and Services Through 2024” by Susan Moore, Gartner – View Press Release A comparing the capabilities of the four leading Kubernetes Management Platforms: Red Hat OpenShift Container Platform 4.9 (OpenShift/OCP4) with Red Hat Advanced Cluster Management for Kubernetes (RHACM),

will be allowed into and out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement Hardening Guide v2.3.5 5 This NetworkPolicy is not recommended for production use --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-allow-all spec: podSelector: {} extra_binds: [] extra_env: [] cluster_domain: "" Hardening Guide v2.3.5 7 infra_container_image: "" cluster_dns_server: "" fail_swap_on: false generate_serving_certificate:

will be allowed into and out of the pods in that namespace. To enforce network policies, a CNI (container network interface) plugin must be enabled. This guide uses canal to provide the policy enforcement the Kubernetes site. This NetworkPolicy is not recommended for production use --- apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: name: default-allow-all spec: podSelector: {} TLS_RSA_WITH_AES_128 _GCM_SHA256" extra_binds: [] extra_env: [] cluster_domain: "" infra_container_image: "" cluster_dns_server: "" fail_swap_on: false kubeproxy: image: ""

Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. Scoring the commands is different in --audit-log-path argument is set as appropriate (Scored) Notes This path is the path inside of the container. It's combined with the RKE cluster.yml extra- binds: option to map the audit log to the host maintain a configuration file for kube-apiserver. All configuration is passed in as arguments at container run time. Result: Pass (Not Applicable) 1.4.2 - Ensure that the API server pod specification file

Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS Benchmark Rancher Self-Assessment maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to

Kubernetes services via Docker containers. Configuration is defined by arguments passed to the container at the time of initialization, not via configuration files. CIS 1.5 Benchmark - Self-Assessment maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.2 Ensure that the API server pod specification file ownership is set to root:root maintain a configuration file for the API server. All configuration is passed in as arguments at container run time. 1.1.3 Ensure that the controller manager pod specification file permissions are set to