CIS 1.6 Benchmark - Self-Assessment Guide - Rancher v2.5.4
set as appropriate (Automated) 1.2.27 Ensure that the --service-account-lookup argument is set to true (Automated) 1.2.28 Ensure that the --service-account-key-file argument is set as appropriate (Automated) set to false (Automated) 1.3.3 Ensure that the --use-service-account-credentials argument is set to true (Automated) 1.3.4 Ensure that the --service-account-private-key-file argument is set as appropriate Configuration Files 4.1.1 Ensure that the kubelet service file permissions are set to 644 or more restrictive (Automated) 4.1.2 Ensure that the kubelet service file ownership is set to root:root (Automated)
0 credits | 132 pages | 1.12 MB | 1 year ago

Deploying and Scaling Kubernetes with Rancher
and Scaling ... 6 1.3.6 Service Registry and Discovery ... 24 3 Deploying a Multi-Service Application ... 26 3.1 Defining Multi-Service Application ... 26 3.2 Designing a Kubernetes service for an Application ... 26 3.3 Load Balancing using Rancher
0 credits | 66 pages | 6.10 MB | 1 year ago

CIS Benchmark Rancher Self-Assessment Guide - v2.4
Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies 5.3 Network Policies and CNI CIS Benchmark Rancher Self-Assessment Benchmark Rancher Self-Assessment Guide - v2.4 18 1.2.14 Ensure that the admission control plugin Service Account is set (Scored) Result: PASS Remediation: Follow the documentation and create ServiceAccount '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) Result: PASS Remediation: Edit the API server pod
0 credits | 54 pages | 447.77 KB | 1 year ago

CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5
Configuration 4.1 Worker Node Configuration Files 4.2 Kubelet 5 Kubernetes Policies 5.1 RBAC and Service Accounts 5.2 Pod Security Policies CIS 1.5 Benchmark - Self-Assessment Guide - Rancher v2.5 2 Benchmark - Self-Assessment Guide - Rancher v2.5 18 1.2.14 Ensure that the admission control plugin Service Account is set (Scored) Result: PASS Remediation: Follow the documentation and create ServiceAccount '--request-timeout' is not present OR '--request-timeout' is present 1.2.27 Ensure that the --service-account-lookup argument is set to true (Scored) Result: PASS Remediation: Edit the API server pod
0 credits | 54 pages | 447.97 KB | 1 year ago

[Buyers Guide_DRAFT_REVIEW_V3] Rancher 2.6, OpenShift, Tanzu, Anthos
4 3 2 2 Import Existing Clusters 4 3 3 3 Centralized Audit 4 3 3 2 Cluster Self-Service Provisioning 4 4 4 1 Private Registry & Image Management 3 4 4 2 Cluster Upgrades & 4 3 2 External Log Shipping 4 4 2 3 Windows Container Support 4 4 1 2 Integrated Service Mesh Support 4 3 1 4 Enterprise SLA 4 4 4 2 Community Traction 4 3 3 0 Please note if you use AWS, Azure or GCP. On top of this, there is an additional fee for the connectivity service that provides communication among on-premises and cloud. 3.1.2 Intuitive UI • SUSE Rancher:
0 credits | 39 pages | 488.95 KB | 1 year ago

SUSE Rancher MSP Use Cases & Enablement
for MSPs • Success Stories 2. SUSE Rancher Use Cases • SUSE Rancher Service Models • SUSE Rancher Solution Stacks • Other Service Examples 3. Next Steps Copyright © SUSE 2021 3 SUSE – COMPANY SNAPSHOT and Inhibitors Driver: Public Cloud Adoption “Eventually, container infrastructure software as a service may become an expected functionality” Revenue Growth 2022 to 2025 Cloud +$778.9M, 25% CAGR On-Prem/Other Copyright © SUSE 2021 Key Benefits of SUSE Rancher for MSPs Deliver Kubernetes or Rancher-as-a-Service and enable customers to build faster Increase operational efficiency when managing multiple workloads
0 credits | 25 pages | 1.44 MB | 1 year ago

Cloud Native Contrail Networking Installation and Life Cycle Management Guide for Rancher RKE2
Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered marks, or registered service marks are the property of their respective owners. Juniper Networks assumes supporting a rich SDN feature set that can meet the requirements of enterprises and service providers alike. Enterprises and service providers can now manage Contrail using simplified and familiar DevOps tools Contrail resources. It watches the kube-apiserver for changes to regular Kubernetes resources such as service and namespace and acts on any changes that affect the networking resources. In a single-cluster
0 credits | 72 pages | 1.01 MB | 1 year ago

Hardening Guide - Rancher v2.3.3+
ent is set as appropriate (Scored) • 1.1.23 - Ensure that the --service-account-lookup argument is set to true (Scored) 7 • 1.1.24 - Ensure t the command section of the output: --anonymous-auth=false --profiling=false --service-account-lookup=true --enable-admission-plugins=ServiceAccount,NamespaceLifecycle,LimitRanger,PersistentVolumeLabel on under services: services: kube_api: always_pull_images: true pod_security_policy: true service_node_port_range: 30000-32767 event_rate_limit: enabled: true 8 audit_log: enabled: true sec
0 credits | 44 pages | 279.78 KB | 1 year ago

Rancher CIS Kubernetes v.1.4.0 Benchmark Self Assessment
Pass 1.1.23 Ensure that the --service-account-lookup argument is set to true (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-lookup=true").string' Returned Returned Value: --service-account-lookup=true Result: Pass 1.1.24 - Ensure that the admission control plugin PodSecurityPolicy is set (Scored) Audit docker inspect kube-apiserver | jq -e '.[0] 1.1.25 - Ensure that the --service-account-key-file argument is set as appropriate (Scored) Audit docker inspect kube-apiserver | jq -e '.[0].Args[] | match("--service-account-key-file=.*").string'
0 credits | 47 pages | 302.56 KB | 1 year ago

Rancher Hardening Guide v2.4
the default service accounts. The CIS 1.5 5.1.5 check requires the default service accounts have no roles or cluster roles bound to it apart from the defaults. In addition the default service accounts • • • Hardening Guide v2.4 3 should be configured such that it does not provide a service account token and does not have any explicit rights assignments. Configure Kernel Runtime Parameters The conf to enable the settings. Configure etcd user and group A user account and group for the etcd service is required to be setup prior to installing RKE. The uid and gid for the etcd user will be used in
0 credits | 22 pages | 197.27 KB | 1 year ago