Enabling Multi-Tenancy at Scale with Clastix Kamaji and Rancher Prime by SUSE

Tuesday, 13 June, 2023

SUSE guest blog authored by:

Adriano Pezzuto, Founder and General Manager at Clastix

 

In today’s competitive business landscape, companies prioritize efficiency, streamlined operations, cost savings, and security. These are different goals but with a common strategic solution: multi-tenancy. 

This post introduces Rancher Prime by SUSE with CLASTIX Kamaji, a comprehensive multi-tenant solution that centralizes Kubernetes management, optimizes resource utilization through an innovative control plane deployment, and streamlines operations. This powerful solution effectively reduces cluster sprawl, overcomes inefficiencies, and unlocks cost savings in Kubernetes deployments, all while ensuring secure access and robust isolation. 

CLASTIX is a leader in Kubernetes multi-tenancy solutions. Our products and services help organizations to overcome cloud native adoption challenges and confidently design, build, and operate digital infrastructures based on Kubernetes.  

CLASTIX’s solutions help customers eliminate cluster sprawl issues by scaling Kubernetes and radically simplifying day-2 operations. In production deployments, the multi-tenancy capabilities offered by CLASTIX have demonstrated the ability to increase efficiency by more than 60%. 

Clastix Kamaji, published in the Rancher Apps catalog, enables the deployment and operation of Kubernetes at scale, reducing the operational burden. Kamaji is unique because the control plane runs as Kubernetes pods instead of a dedicated set of virtual machines. This solution makes running multiple control planes cheaper and easier to deploy and operate. 

Rancher Prime offers a complete enterprise container management platform for Kubernetes, allowing Kubernetes to be run anywhere from the cloud to edge to on-premises data centers. It complements Kamaji by centralizing authentication and role-based access control (RBAC) for all tenant clusters, enabling global admins to control cluster access from one location. 

Rancher Prime and Kamaji provide a seamless management experience for fleets of multiple clusters: once created by Kamaji, a cluster is automatically imported into Rancher Management Server for centralized management, so administrators can efficiently manage and monitor all clusters from a single interface.

The solution ensures consistency across clusters by maintaining uniform configurations and deployments, streamlines operations, enhances scalability, and improves overall cluster management efficiency.

With Rancher Prime and Kamaji, customers get access to a powerful platform to run a managed Kubernetes service at a scale that matches hyperscalers. 

 

Meet us at SUSECON 2023!

As a SUSE ecosystem partner, CLASTIX will showcase the Rancher Prime + Kamaji solution at SUSECON, the annual global conference for SUSE customers, partners, and community enthusiasts. Attendees can expect insightful blog articles, a comprehensive technical guide, and a video highlighting the benefits and features of the solution. CLASTIX will also host a live demo during SUSECON, providing real-world use cases and success stories. 

We look forward to seeing you at SUSECON 2023, taking place in Munich from June 20th-22nd. Register now to secure your spot and experience the full range of benefits that CLASTIX and SUSE have to offer. Don’t miss out on the opportunity to explore innovative solutions, gain valuable insights, and connect with industry experts.  

Please contact the Clastix team to schedule an onsite meeting at SUSECON 2023. 

 

Author: Adriano Pezzuto, Founder and General Manager at Clastix

Adriano started his career at leading global IT companies like Siemens and Cisco. It took him to work on large network systems, later building scalable and highly available cloud infrastructures, and then being accountable for helping customers embrace cloud computing. His interest has always been in cutting-edge technologies, and he was one of the first in his country to spread the cloud native revolution. Today, Adriano is bringing his extensive experience to Clastix as a visionary founding member and General Manager.

The path to a more secure SAP platform with a comprehensive guide for safeguarding your SAP

Thursday, 8 June, 2023

Organizations are concerned about the security of their SAP system, as it is the backbone of their business operations. They recognize the importance of having a secure SAP environment. However, they are unsure where to begin to achieve the goal of a more secure SAP platform. How should you design your SAP platform to guarantee a higher level of security? What are the key aspects that you need to consider? These are the crucial questions addressed in this new e-book titled “The Gorilla Guide to A Secure SAP Platform: How to Secure Your SAP Platform,” a comprehensive guide for safeguarding your SAP platform.

The e-book is a comprehensive guide for safeguarding your SAP platform. It covers the pillars of a secure SAP platform and the importance of adhering to best practices, explaining why it is essential to have hardened systems, utilize management and monitoring tools, and continuously validate best practices when deploying secure systems to ensure the SAP platform’s effectiveness and reliability. We’ll also introduce new concepts like the patching paradox, how it affects SAP systems, and solutions to overcome it. For more information on the patching paradox, check out my blog post titled “Solving the patching paradox challenge: How important is it to enforce a security policy in an SAP environment.”

We elaborate on the key topics and explain how a leading provider of enterprise-grade Linux and open-source solutions, like SUSE, helps in each subject. This guide equips you with the knowledge and tools to fortify and protect your SAP infrastructure from potential threats.

The guide will provide actionable insights, expert advice, and real-world examples to empower you to secure your SAP platform effectively. With “The Gorilla Guide to A Secure SAP Platform,” you’ll gain the knowledge to mitigate risks, protect your critical business data, and ensure the integrity of your SAP operations.

We emphasize the importance of the SAP platform and show you solutions to issues as well as some tricks and tips. Of course, we include how to have an OS endorsed by SAP, like SUSE Linux Enterprise Server for SAP applications, which is the platform’s foundation.

Here’s a glimpse into the chapters covered in “The Gorilla Guide to A Secure SAP Platform”:

  • Chapter 1 – Introduction to SAP security: Gain a solid foundation in SAP security by understanding the security pyramid, exploring the various components of SAP security, and identifying the top threats to your SAP platform.
  • Chapter 2 – Building Blocks for a Secure SAP Platform: Learn about the crucial building blocks that form the foundation of a secure SAP platform, including platform security, compliance, and reliability, with insights and solutions from SUSE.
  • Chapter 3 – Keeping Up with Patches and Updates: Discover the importance of regular patching and updates, and establish effective policies to ensure the timely application of necessary fixes, including best practices provided by SUSE.
  • Chapter 4 – Vulnerability Management: Understand the difference between patches and vulnerabilities, explore the characteristics of vulnerabilities, and learn how to catalog and remediate them efficiently, leveraging SUSE’s expertise.
  • Chapter 5 – Improving on Limited Visibility: Enhance your visibility into SAP configurations, performance, and infrastructure changes to detect and address potential security gaps with insights from SUSE’s innovative solutions.
  • Chapter 6 – Secure SAP Best Practices: Implement best practices for minimizing the attack surface, deploying firewalls, enabling data encryption, and adopting effective patching and live patching strategies, leveraging SUSE’s comprehensive security solutions.
  • Chapter 7 – The Role of Management and Automation Tools: Discover the crucial role of management and automation tools in ensuring server lifecycle management, security management, and SAP performance monitoring, with insights and solutions provided by SUSE like SUSE Manager and projects like Trento.
  • Chapter 8 – Challenges of a Secure SAP Environment in Public Clouds: Navigate the specific challenges of securing an SAP environment in popular public cloud platforms such as Microsoft Azure, Amazon Web Services, and Google Cloud Platform, with guidance from SUSE’s cloud security solutions.
  • Chapter 9 – SAP Hardening Guidelines: Explore comprehensive hardening guidelines for SAP HANA® systems, including security settings, firewalls, disk encryption, package selection, and container security, with expertise and solutions from SUSE.
  • Chapter 10 – Next Steps: Wrap up your journey through this guide with practical recommendations for the next steps to strengthen your SAP platform security, including further collaboration with SUSE.

This guide will provide you with a better understanding of the importance of maintaining a secure SAP platform and how an OS like SUSE Linux Enterprise Server for SAP applications and management tools like SUSE Manager can help achieve this goal. Read more about how to have a more secure SAP platform on www.suse.com/secure-sap and download the guide here: more.suse.com/Secure_SAP_Guide

Unlock the Path to SQL Server Container Modernization with Rancher and DH2i

Thursday, 1 June, 2023

SUSE guest blog authored by:
Don Boxley, Co-Founder and CEO, DH2i

SQL Server holds an organization’s most business-critical data assets. Therefore, maximum uptime and security are among the top priorities for the IT teams that manage them. However, industry pressures have these IT pros adding another imperative task to their to-do list: SQL Server modernization.

A full-on SQL Server modernization initiative is a terrifying prospect for most organizations, and understandably so. These critical relational database management systems can be absolute behemoths with a massive price tag associated with downtime. Thankfully, a new hero has emerged within the IT landscape to help make modernization more easily attainable than ever before.

Containers

Containers are lightweight, isolated software packages that encapsulate an application and its dependencies, allowing developers to package, deploy, and run applications consistently across different environments. They have evolved to be the perfect answer to SQL Server modernization challenges. This is a direct result of the innovation in the surrounding technology ecosystem. With the ability to now ensure near-zero downtime and Zero Trust security, containerization has become a viable deployment method for even the most critical SQL Server production workloads.

DH2i’s DxEnterprise (DxE) Smart High Availability Clustering software and Rancher by SUSE have led the charge in unlocking the SQL Server modernization benefits of containers. These two technologies enable users to migrate physical and virtual SQL Server databases to availability groups in Kubernetes in literal minutes.



What Makes the DH2i and SUSE Solution so Uniquely Powerful?

DxEnterprise and Rancher by SUSE unlock simple and efficient SQL Server modernization. DxE accomplishes this with unparalleled cluster flexibility and capability that brings the following proprietary advantages to the table:

  • Clustering for native instances and containers in the same Availability Group (AG)
  • Mixed Windows and Linux clusters and AGs
  • Sidecar container deployment for clusterware and application isolation

To make deployment and migration even easier, SUSE’s Rancher offers a streamlined web interface to deploy highly available SQL Server AGs in Kubernetes using a Helm chart. This makes a complex deployment achievable in only a few clicks with a single line of code. Once deployed, DxE can easily pull instances and containers into the same cluster and Availability Group, and easily facilitate migration using database mirroring.

Use-Case: Migrating a Database from a Windows Virtual Machine to Kubernetes

The value containers hold for modernizing SQL Server is understood universally across industries. DH2i has customers all over the world in financial services, manufacturing, legal, all levels of government, and many more. One characteristic that unifies many of them is that they started their journey to containers from a largely virtualized state.

Our engineering team set up a demonstration to show exactly how DxEnterprise and Rancher can be used to facilitate a virtual machine to container migration. In this example, we start with a standalone Windows instance running in a virtual machine on our engineer’s local workstation in Portland, OR—a totally separate network from the rest of the demo system. Ultimately, a SQL Server database is migrated from our standalone Windows VM to a new Kubernetes container environment. You can watch the brief demonstration right here: SQL Server Database on Windows VM to Kubernetes

Summary

The above demonstration shows a single use-case of migrating a SQL Server database in a Windows VM to Kubernetes. However, the same 3 steps shown in this demonstration can be used to easily facilitate the migration of any physical, virtual, or cloud deployment into a Kubernetes cluster using DxEnterprise and Rancher:

  1. Deploy your new Availability Group in Kubernetes using the Rancher Helm chart.
  2. Add your starting node to your newly created Availability Group.
  3. Use SQL Server database mirroring to migrate database(s) from existing infrastructure to new containerized deployment.

Modernizing SQL Server with containers can help future-proof your organization and maintain competitive advantage by unlocking ongoing benefits such as:

  • Faster deployment and scaling of new applications.
  • Maximum portability across any mix of infrastructure.
  • Peak resource utilization and performance.
  • Cost savings on infrastructure and management expense.

DH2i’s DxEnterprise and Rancher by SUSE truly unlock the most streamlined SQL Server modernization process ever. Leveraging the ease of use of Rancher’s streamlined interface for deploying Helm charts, and DxEnterprise’s clustering flexibility, any SQL Server database—Windows or Linux—can be migrated to Kubernetes in mere minutes.

To learn more about how DH2i and Rancher by SUSE can help you modernize your SQL Server environment, sign up for a free personalized demo and consultation.

Check the DH2i certification entry in SUSE Partner Certification & Solutions Catalog.

If you are interested in having your solution available to be deployed in the SUSE Rancher marketplace by packaging it in a Helm chart, see the SUSE process here.

What Trento 2.0 Means for a Secure SAP Platform? Changes in SUSE’s tool to reduce risk and improve the reliability of SAP environments

Wednesday, 17 May, 2023

Besides Trento’s existing cluster and cloud best-practice validations, Trento 2.0 streamlines the implementation requirements and enables integration. It introduces a new engine that addresses one of the main concerns of security teams, the requirement of an SSH connection to the SAP systems, and adds API versioning capabilities to enable the integration of Trento with SAP customers’ tools. This blog will explain how the Trento 2.0 announcement improves SAP platform reliability.

With the announcement, SUSE’s commitment to delivering innovative solutions for SAP businesses remains unwavering. The Trento project has become crucial to ensuring a secure SAP platform. It empowers organizations to run SAP operations confidently, implementing SAP platform Best Practices as Code. In this way, SUSE is bringing SAP customers exciting features to reduce risks and ensure a reliable SAP platform, demonstrating SUSE’s dedication to minimizing operational complexities and providing a robust SAP foundation.

A More Secure SAP Platform with Trento 2.0

A secure SAP platform needs to be founded on a reliable platform as the only way to ensure SAP operation. Therefore, keeping the SAP platform aligned with best practices is critical to achieving that goal. This alignment can be complex to track, mainly when a reliable SAP environment includes clusters to avoid unplanned downtimes and cloud environments that add multiple variables and dependencies. Trento addresses the challenges and risks associated with SAP platform configurations and operations, aiming to reduce potential pitfalls and streamline maintenance processes.

SUSE understands the complexities of SAP landscapes. With Trento, SUSE Linux Enterprise Server for SAP applications (SLES for SAP) offers enterprise-supported capabilities to avoid best-practices drift and error-prone configurations and to simplify management processes. By minimizing manual interventions and reducing the likelihood of errors or system downtime, Trento 2.0, and its premium content delivered into SLES for SAP, enables organizations to mitigate risks, enhance operational stability, and improve overall efficiency. To find out what Trento 1.0 had to offer, you can refer to the blog “Safeguard Your SAP S/4HANA deployment with SUSE Trento.”

Ensuring Reliability and Performance

A reliable SAP platform is crucial for businesses to deliver consistent performance and meet operational demands. SLES for SAP provides a solid foundation for SAP operations, ensuring high availability, scalability, and resilience. The solution incorporates intelligent monitoring and proactive maintenance features that enable businesses to identify and address potential issues before they impact critical processes. By ensuring a reliable SAP platform, Trento empowers organizations to provide uninterrupted services to their customers, drive productivity, and achieve their business objectives.

Enhancing Security and Compliance

While reducing risks and ensuring reliability are primary objectives of Trento 2.0, security remains a fundamental aspect of it. SLES for SAP incorporates its robust security capabilities, Trento support with premium content checks, and SUSE Manager, to protect SAP deployments against potential vulnerabilities and ensure compliance with industry regulations. By prioritizing security, SUSE enables organizations to safeguard their critical data, protect against unauthorized access, and meet stringent compliance requirements.

Leverage existing SAP customers’ management and monitoring tools with Trento APIs

When we look deeper into the new functionalities, the new API versioning in Trento is excellent news for IT managers. Integrating API capabilities into existing management and monitoring tools gives SAP customers a powerful way to leverage their current infrastructure. By seamlessly integrating APIs, organizations can tap into the vast potential of their SAP systems and leverage valuable data. This integration adds Trento’s intelligence and provides valuable information on the SAP platform and cluster health, enhancing operational efficiency and providing deeper insights into critical metrics. With API integration, businesses can bridge the gap between SAP platform status and their management and monitoring tools, enabling customers to monitor, analyze, and optimize their SAP landscape using familiar interfaces. This unified approach simplifies the management and monitoring of SAP systems and empowers businesses to mitigate risks and maintain service uptime.

Removing security and network requirements

One challenge that every company faces when it needs to deploy a new tool is the network and connection requirements. Each requirement needs the attention of the security and network teams. Opening an SSH connection with a user with elevated privileges from an external tool in a critical environment like SAP can’t be done without consideration, and it triggers endless discussions that delay and sometimes stop the implementation. In this spirit of simplifying the adoption of Trento, SUSE has been working to remove implementation requirements.
This is where the new engine, Wanda, shows its capabilities to reduce the complexity of the Trento implementation, removing the need for an SSH connection and the security concerns associated with the networking and security requirements.

Trento 2.0 check Engine workflow for the SAP platform

Other relevant changes

The Trento 2.0 announcement includes other relevant changes, including adding new platform support.

Fast deployment

Another significant change is the deployment. Trento 2.0 installs on any CNCF-certified Kubernetes running on the x86_64 architecture, including Rancher RKE1, RKE2, and K3s, in very few steps (see “When to use K3s and RKE2”). The best example is the default installation method, which provisions a minimal, single-node K3s Kubernetes cluster for running its components in Linux containers. Check Trento’s documentation for more info.

Trento 2.0 adds virtualization support.

Additionally, Trento 2.0 adds VMware to the current list of known platforms, along with Azure, AWS, GCP, and on-premise bare metal, which covers most SAP customers’ environments and platforms and enables Trento to implement specific checks for this platform. With this change, customers running SAP in these virtualization environments will have a better experience with deeper insights about the platform.

Conclusion

The Trento 2.0 announcement improves SAP platform reliability. The new engine and API versioning are major updates that enable customers to leverage Trento’s full potential. SUSE’s Trento 2.0 release marks a significant advancement in reducing risks and ensuring a reliable SAP platform for businesses. By simplifying deployment and management processes, minimizing operational complexities, and providing robust security measures, Trento Premium empowers organizations to run SAP operations efficiently and with peace of mind. As businesses strive for digital transformation and operational excellence, they can rely on SLES for SAP and SUSE’s expertise to reduce risks, ensure reliability, and optimize their SAP landscapes.

For more information on enhancing the security of your SAP platform, visit www.suse.com/secure-sap

Innovation in uncertain times. Join SUSE at SAP Sapphire Barcelona Spain, May 24-25, 2023

Tuesday, 16 May, 2023

Organizations today are facing a myriad of challenges. An uncertain macroeconomic climate, rising capital costs, the continued increase in global cybersecurity threats, supply chain issues, and skill shortages all impact their ability to innovate. For over 20 years, SAP and SUSE have delivered innovative business-critical solutions on open-source platforms, enabling organizations to improve operations, increase security, and become industry leaders. Today, the vast majority of SAP customers run their SAP and SAP S/4HANA environments on SUSE.

Meet the SUSE team.

SUSE is a Platinum Plus sponsor. Take advantage of one-on-one time with SUSE experts and subject matter experts to share your needs and learn how we can help. Don’t hesitate to visit SUSE booth # 7,901.

Topics include:

  • Security – Secure your SAP infrastructure with built-in security features for on-premises, hybrid, and cloud environments.
  • Cloud Migration – Let us help you navigate the decision-making process of migrating to the cloud, even if you haven’t decided to move yet.
  • Automation – Learn how you can leverage automated management of your data center at a massive scale.
  • High Availability – See how SUSE helps you achieve near-100% uptime for your SAP HANA systems with our tailored SAP solutions.

SUSE Session:  How to drive resilience and innovation during uncertain economic times (114118)

Wednesday, May 24, 2023, 04:00 p.m. – 04:20 p.m.

An increase in global cybersecurity threats and uncertain macroeconomics reduces the ability of companies to keep innovating. Learn how innovative technologies can accelerate cloud deployments, remove security threats, and leverage SAP S/4HANA with the goal to drive business transformation and increase resilience.

Ivo Totev – Chief Innovation Officer, SUSE

Let’s get together and have some fun.

Interested in an exceptional evening event where you can continue making meaningful connections with your peers and enjoy drinks in a unique bar decorated with ice blocks & sculptures, plus a terrace? Come to the  SUSE booth #7,901 and register for a celebration night in the Ice Bar.

  • May 24, Celebration Night
  • Where: Icebar Barcelona, entrada por la playa, C/ de Ramon Trias Fargas, 2, 08005 Barcelona, Spain
  • When: 8:00 p.m. – 11 p.m.

We are looking forward to meeting you.

SUSE Linux Enterprise Server for SAP applications is endorsed by SAP

The idea behind Endorsed Apps is to make it super easy for SAP customers to get up and running with SAP. It helps to easily identify the top-rated partners and apps that are verified to deliver outstanding value. These solutions are tested and premium certified by SAP with added security, in-depth testing, and measurements against benchmark results.

Find more information on the SAP Store

Contact Us

If you have any additional questions, please don’t hesitate to contact us at sapalliance@suse.com

We look forward to seeing you at SAP Sapphire on May 24–25, 2023.

 

Container Management – Decoding Kubernetes Management Platforms Part 2

Friday, 12 May, 2023

Non-Hosted KMPs

This article is the second in a series covering Kubernetes Management Platforms (KMPs). In the first article, we analyzed hosted KMPs, exploring their potential benefits and customer base. This blog will examine non-hosted KMPs and the organizational customer profiles that can benefit the most from this solution.

After the first article, you may think that hosted KMPs are the way to go, but there are many things to consider before deciding. In this blog post, we want to help you to choose the best option for your use case and needs, so let’s start analyzing the pros and cons for each one.

Before jumping into the pros and cons of non-hosted KMPs, let’s give some context about the market and why non-hosted KMPs are the preferred option for most prominent organizations worldwide. Some of the most widely used KMPs in the market include Rancher Prime and Red Hat Advanced Cluster Management. These platforms are known for simplifying the deployment, scaling, and management of Kubernetes clusters and offering a centralized control plane for managing clusters at scale and easy integration with other technologies. Additionally, these platforms provide security features and automatic updates to ensure that clusters are highly available and secure.

However, the main reason for their popularity among organizations is their level of control and adaptability. Despite their differences, these platforms give organizations full control over their clusters, security, configuration, applications, and any other Kubernetes-related matter and adapt to any architecture used within the organization. This means you have the power and the responsibility to manage the platform with all that implies.

You can consult the Rancher by SUSE buyer’s guide if you are eager to know more about the differences between these solutions and others.

Advantages of non-hosted KMPs:

  • Greater flexibility:
    • Non-hosted platforms offer more flexibility in terms of customization and configuration options, which can benefit complex environments.
  • Hybrid cloud or multi-cloud:
    • Non-hosted KMPs have an on-premises focus without crippling the possibilities to use and expand your environments using public cloud providers and managed services.
  • EDGE architectures:
    • Solutions like Rancher Prime are developed to integrate EDGE deployments into your management layer without disrupting your tools and processes.
  • More control and security:
    • In a non-hosted Kubernetes management platform, your operators control what’s happening and decide which security measures and tools are better for your applications and your concrete requirements. It’s the way to go for industries that require strict compliance or are highly regulated.
  • Cost-effective:
    • Non-hosted platforms are more cost-effective than hosted platforms, especially for large-scale deployments.
  • Community:
    • Kubernetes management platforms like Rancher are open source and have built a community over the years. Open source communities have proven crucial in driving innovation and helping projects become global solutions, like Kubernetes.

Disadvantages of non-hosted KMPs:

  • More complex:
    • Non-hosted platforms may be more challenging to set up and manage than hosted platforms, which can require more technical expertise.
  • Responsibility:
    • Users are responsible for the security, configuration, maintenance, data security, and updates of the Kubernetes cluster, which can be time-consuming and require high expertise and more resources.

The user profiles

The advantages of non-hosted KMPs require, in most cases, a team of operators and SREs. Not all organizations have the resources to manage Kubernetes, even with a KMP to simplify their job and ease operations.

  • Large enterprises:
    • These organizations typically have a dedicated IT infrastructure and IT staff and may prefer to manage their KMPs in-house to maintain full control and visibility over their cloud infrastructure.
  • Companies with compliance requirements:
    • Some companies may have specific regulatory or data privacy requirements that cannot be met by hosted KMPs, making non-hosted KMPs a more suitable option.
  • DevOps teams:
    • DevOps teams highly skilled in cloud infrastructure and Kubernetes may prefer the added control and customization options offered by non-hosted KMPs.
  • Organizations with multiple cloud deployments:
    • Companies with numerous cloud deployments may find it more cost-effective to manage their KMPs in-house instead of paying for multiple hosted KMPs from different providers.

 

Conclusion

Non-hosted platforms require higher expertise, but they also offer greater flexibility in terms of use cases, such as hybrid cloud, EDGE, and on-premises deployments. They can also accommodate multi-cloud use cases without a problem. Non-hosted solutions are widely used in the market because they provide almost all the benefits of a hosted solution through automation while offering the advantages of non-hosted solutions.

Choosing the right platform is fundamental to helping your organization adapt and grow quickly to meet your business needs. If you need to scale rapidly and want the support of a highly skilled team, Rancher Prime Hosted may be the solution for you. It includes all the features of Rancher Prime but eliminates the burden of administrative tasks for your operations team.

Enterprises adopting Kubernetes and utilizing Rancher Prime have seen substantial economic benefits, which you can learn more about in Forrester’s ‘Total Economic Impact’ Report on Rancher Prime. 

Container Management – Decoding Kubernetes Management Platforms Part 1

Friday, 12 May, 2023

Hosted KMPs

This is the first article of a series of two covering the advantages and disadvantages of hosted and non-hosted Kubernetes management platforms. First, let’s introduce what a hosted Kubernetes management platform (KMP) is and provide a broader view of hosted KMPs.

A hosted Kubernetes management platform is a service provided by a third-party vendor that manages the deployment and operation of Kubernetes clusters for you or helps you to do so. It abstracts away the underlying infrastructure and provides a convenient, user-friendly interface for managing your applications and services running on the cluster. The vendor typically takes care of tasks such as cluster provisioning, scaling, monitoring, and maintenance, freeing you to focus on developing and deploying applications. While the idea may seem appealing, it’s important to carefully assess various factors before making a decision. For instance, we should evaluate the specific environment and applications we’ll be working with, consider the platform’s costs, and explore its capabilities and integrations. It’s worth noting that many hosted KMPs heavily prioritize Kubernetes services on public clouds, which may result in limited capabilities and integrations in on-premises or edge environments.

Organizations may choose hosted Kubernetes management platforms for various reasons, including simplifying the management of complex underlying infrastructure, automatic scaling to meet business needs without additional investment in infrastructure and staff, and access to expert technical support. These benefits make hosted solutions particularly well-suited for startups or growing organizations that may not have the resources to invest in infrastructure and Kubernetes professionals at a given moment.

In this blog post series, I want to provide information and perspective to help you to choose the best option for your use case and needs, so let’s start analyzing the pros and cons of hosted KMPs.

Hosted KMPs have multiple advantages, such as:

  • Ease of use: Hosted platforms typically provide a user-friendly interface and are SaaS-based tools, making it easy for users to deploy and manage their Kubernetes clusters.
  • Automatic updates and upgrades: Hosted platforms handle the updates and upgrades of the Kubernetes cluster, which can save operators time and effort.
  • Expertise: Vendors that provide hosted Kubernetes management platforms have expertise in deploying and operating Kubernetes clusters and can provide support and troubleshooting assistance to their customers.
  • Scalability: Hosted platforms can automatically scale the underlying infrastructure, making it easier to accommodate growth in the number of applications and users.
  • Simplified security: Hosted platforms typically provide out-of-the-box basic security features such as built-in authentication and authorization, network segmentation, CVE scanning, and automatic backups.
  • Focus on application development: With the operational overhead of managing a Kubernetes cluster handled by a third party, you can focus on developing and deploying your applications on the cluster without worrying about infrastructure management.

 

Disadvantages of hosted Kubernetes management platforms:

  • Cost: Hosted platforms are more expensive than non-hosted platforms, especially for large-scale deployments. They are SaaS tools running on hyperscalers. While there are different licensing or subscription models available, in the end, hosted platform providers charge for both their costs and the service they provide. These costs include the cloud provider bill, which can make the overall price of these services more expensive. The pricing for hosted solutions is usually complex to understand, making cost analysis difficult.
  • Limited flexibility: Hosted platforms may have limitations in terms of customization and configuration options compared to non-hosted platforms. Additionally, they may not be well-suited for on-premises environments. As an organization’s resource and capacity needs grow, they may reach the maximum capacity offered by the hosted services provider, potentially limiting further growth.
  • Lack of Community: The hosted Kubernetes platforms or Kubernetes management platforms usually are not open source, or even if part of their code is open source, they don’t have a community behind them.
  • Dependence on the provider: Users may depend on the provider to ensure the platform is available and running smoothly, which can be an issue if the provider experiences an outage or other problems. As they usually run on the public cloud, there are two sources of uncertainty, the public cloud provider infra and the software company providing the service.
  • EDGE Architecture: As stated before, the best option depends on the user’s concrete use case and circumstances. However, you may want smaller deployments (including management) to implement a more distributed architecture in different locations. In that case, the hosted platforms won’t be the best option, but they can be a good fit if you plan a centralized management architecture and they have the capacity.
  • Data Security: Data and who has access to it are always a concern for any organization. When you give a third-party company access to your clusters, you still have the responsibility over the data managed by your company, but there is a new source of potential trouble. Many companies have been hacked through third-party companies providing software or services.

 

The user profiles

Now that we have reviewed the pros and cons and introduced the potential benefits of this type of solution, it is a good moment to elaborate on the different user profiles that would benefit from a hosted KMP service. Here are some of them:

  • Startups: Hosted platforms can provide a cost-effective and scalable solution for startups looking to deploy and manage applications on a Kubernetes cluster quickly.
  • Small to medium-sized businesses (SMBs): SMBs can benefit from the expertise and support a hosted platform provides with outsourcing infrastructure management.
  • Developer teams: Hosted platforms can help DevOps teams focus on developing and deploying applications rather than spending time managing the underlying infrastructure and the platform.
  • Heavy public cloud users: Most hosted KMPs focus on Kubernetes-managed services like AKS, EKS or GKE. Organizations who have invested in the public cloud find that managed services fit very well with their strategy.

 

Conclusion

Hosted Kubernetes management platforms are a good option if you are starting with Kubernetes and do not need to manage a large number of clusters and applications. They can also be a good choice when the cost is not a significant concern and you want your operations team to focus on innovation instead of maintenance tasks. However, when security is a high priority, or when EDGE or on-premises deployments are the focus of your IT strategy, there may be better options than hosted services.

At SUSE, we offer Rancher Prime Hosted, which has the same features as Rancher but with a different approach. With Rancher Prime Hosted, you can easily create and manage Kubernetes clusters, streamline your deployment workflows, and monitor the performance of your applications. It also includes built-in security features to help protect your applications from potential threats. In addition, Rancher Prime Hosted provides a user-friendly interface that simplifies the management of your containerized applications and allows you to scale your infrastructure when your business demands it. Whether using a multi-cloud, EDGE, on-premises, or hybrid-cloud strategy, Rancher Prime Hosted can support your needs. By removing the burden of operating your Kubernetes management platform, your teams can focus on getting the most value out of your cloud native investment with a hosted Kubernetes management platform like Rancher Prime Hosted.

SUSE Awarded 16 Badges in G2 Spring 2023 Report

Thursday, 11 May, 2023

Spring is here, and so are the latest G2 Badges! I’m happy to share that G2 has awarded 15 badges to SUSE in its 2023 spring report, plus the overarching ‘Users Love Us’ badge (again). G2, the world’s largest and most trusted tech marketplace, recognized Rancher, SLE Desktop, SLE Real Time, SLES and SUSE Manager as High Performers and Momentum Leaders. G2 also awarded the openSUSE Tumbleweed Linux distribution.

Building off the momentum from our latest badge report, we received Here’s a rundown of all of them, including a newly recognized APJ badge for SLED.

  • Rancher was recognized as an overall High Performer and Easiest Admin for Mid-Market companies
  • SLE Desktop was recognized as a High Performer in the following categories: Small Business, Mid-Market, Enterprise and High Performer Asia Pacific
  • SLE Real Time was recognized as an overall High Performer
  • SLES was recognized as Momentum Leader, High Performer (overall and Mid Market), Leader
  • SUSE Manager was recognized as Best Meets
  • Tumbleweed was recognized as High Performer

Customer testimonials:

Why users love Rancher

“It was pretty simple to set up and very easy to deploy. Very different from other container solutions. When we needed technical support, they solved our problems very quickly in a very short time. It was quite successful in our automation problems.”

“Their web GUI simplifies many daunting tasks for users new to Kubernetes.”

“We have been able to introduce a modern application delivery and automate their testing and deployment. Rancher has also allowed us to offer applications to end users that otherwise would be pushed to the “cloud.””

Why users love SLE Real Time

“Although all flavors of Linux are perfect for enterprise-grade DB hosting, SUSE comes on top in terms of flexibility and ease of management. Especially if you are running SAP.”

Why users love SLES (SUSE Linux Enterprise Server)

“It is simple to deploy, configure, and maintain since it has a comprehensive set of system administration, monitoring, and automation tools.”

Why users love SUMA (SUSE Manager)

“Orchestration and management of multiple distributions in a physical datacenter. Eliminating the need to access different OS and install the patches and software updates separately.”

“With SUSE Manager, I can easily manage all operating systems with Linux distribution. This leaves me a lot of time. It is very successful on the automation side. Our patch management works never stop. If we have a problem, the SUSE technical support team can produce a solution immediately.”

Solving the patching paradox challenge: How important is it to enforce a security policy in a SAP environment

Wednesday, 10 May, 2023

A secure SAP platform can’t be understood without a patched and updated SAP environment. Vulnerabilities pose a significant risk to an organization’s operations, and patching is crucial to maintain system security and stability, so patching and updating software is always a top priority. However, the reality of patching complex systems like SAP differs from patching less complex software that isn’t mission-critical. Patching the system may mean service downtime and a complex operation that could directly impact a company’s business, creating a paradox.

After defining the paradox and understanding why it occurs in the SAP platform, we will see how SUSE Linux Enterprise Server for SAP Applications, SUSE Live Patching and SUSE Manager can help navigate this challenge through a dual patching policy that provides seamless, continuous system updates without downtime, minimizing disruption and enabling a more efficient approach to maintaining the SAP environment.

The Paradox of Patching

The more critical a system is and the more it needs to be available, the less likely it is to be patched.

That patching paradox is one of the main security challenges that SAP environments face. The result of the paradox is reflected in reports like SAPInsider’s cybersecurity research, which states that most SAP customers consider unpatched systems a major security threat and “Keeping Up with Patches and Updates” the most significant challenge related to cybersecurity. This is because patching and updating software can be complex, especially for mission-critical systems like SAP S/4HANA®, where a simple reboot of a large SAP HANA® database can take hours. If something goes wrong, it could result in a significant outage. Even when the patch goes as planned, negotiating a maintenance window involving multiple teams and departments further complicates the process.

On the other hand, keeping systems unpatched for a long time is not an option. An unpatched system is vulnerable to cyberattacks and could have bugs that create system instability resulting in data loss. One example is the recent bug in the glibc library that resulted in a random HANA database crash.

The paradox of patching highlights the need to enforce a Day-1 patching policy with a more straightforward patching process that requires neither service downtime nor more maintenance windows.

The Need to Enforce Security Patching Policies

Organizations should define and implement a patching policy that outlines when to apply patches, factors to consider, and time windows for patching once a vulnerability is discovered.

The patching policy should address both Day-1 vulnerability patching and regularly scheduled updates. Day-1 patching applies when a serious vulnerability or system bug is discovered, and a patch must be applied immediately rather than waiting for a maintenance window.

That requires a clear workflow and synchronization between the organization’s teams involved, so enforcing these policies in an SAP environment is not just a matter for the security team. It needs the commitment of multiple departments, from SAP BASIS to infrastructure teams, and the acknowledgment of the line of business in case service downtime is needed. Each team has its own priorities, so patching a system is neither a simple nor a short process: it includes tasks like testing the patches and patch staging, which can require multiple system reboots.

This is where SUSE Live Patching becomes a requirement. Live Patching allows customers to patch critical vulnerabilities and severe bugs on their OS without service downtime or reboot, reducing the number of maintenance windows and allowing them to patch immediately.

Live Patching

SUSE’s Live Patching technology allows customers to apply patches to the SAP systems without requiring a reboot or SAP service downtime. By using Live Patching, organizations will reduce the complexity of the process and the internal cost of patching, as well as the number of maintenance windows. All of these minimize the impact on the organization’s operations while maintaining the security of the systems.

But having the technology to provide “live” patches is not enough to implement a patching policy. It also necessitates a long-term commitment from the OS provider to consistently release “live” patches for all high-severity issues affecting the Linux kernel and libraries, thereby reducing the frequency of maintenance windows.

Efficiently addressing the majority of vulnerabilities and bugs requires not only kernel patches but also patches for user-space code, particularly for essential security libraries such as OpenSSL and glibc. Applications like the SAP HANA database depend on these libraries, and extending Live Patching coverage to include them eliminates the need for restarting SAP-related applications, further enhancing system stability and reducing downtime.

Ultimately, “live” patches for critical bugs are also essential, as preventing crashes and data loss in the OS and applications connected to affected libraries is a vital aspect of maintaining a secure SAP platform. In this regard, Live Patching can be considered a proactive tool for addressing potential incidents before they surface, thereby enhancing overall system stability and security.

SUSE’s unique commitment to deliver kernel and user-space live patching for a whole year allows customers to implement a truly agile patching policy, ensuring the availability of critical patches to guarantee that both applications and OS don’t need to be restarted for longer periods of time.

SUSE Linux Enterprise Live Patching offers a dedicated repository containing security and critical bug patches, streamlining the patching process. SLE Live Patching is especially beneficial for mission-critical systems like SAP that demand high availability and minimal downtime. This approach also mitigates the risk of exploits and simplifies overall operations, contributing to a more secure and stable environment.

Implementing Dual Patching Policies with patch management tools

A dual patching policy defines two patching workflows: An immediate remediation patching workflow and a regular maintenance patching workflow. With this approach, SUSE’s Live Patching will address critical vulnerabilities and bugs without having to implement costly maintenance windows. At the same time, regular planned maintenance windows can be scheduled with a lower frequency, reducing the burden on IT teams and minimizing the disruption to the organization’s operations.

SAP S/4HANA Dual patching policy with SUSE Live Patching and automation

In such situations, a vulnerability and patch management tool like SUSE Manager is essential for simplifying policy implementation and harnessing the potential of patch workflow automation. Patch workflow automation significantly decreases the risks associated with patching and alleviates the burden on IT teams. Automating processes like SAP HANA cluster patching (learn more here) and defining patch lifecycle management workflows (watch the video), which include testing patches before applying them to production, minimizes misconfigurations and mitigates error-prone processes. Moreover, SUSE Manager enhances security visibility within the system by assisting in cataloging patches and identifying system vulnerabilities.

As stated, by enforcing a dual patching policy, organizations can ensure the patching process is reliable and secure, even for mission-critical systems like SAP.

Conclusion

The patching paradox underscores the difficulties organizations encounter when updating complex systems like SAP. Understanding why critical systems tend to be less patched, despite the priority of securing the platform and ensuring these systems are up-to-date, is crucial for addressing security and stability concerns and circumventing the paradox. Recognizing and overcoming these challenges helps create a more robust and secure environment for mission-critical systems.

In summary, organizations can alleviate IT burden, minimize downtime, and mitigate the risk of exploits and system bugs causing data loss by establishing patching policies with a comprehensive organizational commitment and implementing a dual workflow that incorporates Live Patching and patch management tools.

SUSE Linux Enterprise Live Patching technology is the only supported solution that allows SAP customers to patch critical vulnerabilities on both OS kernel and key user-space libraries without SAP services downtime or reboots. Coupled with SUSE Manager’s comprehensive support for automating the live patching of your SUSE Linux Enterprise for SAP Applications servers, SUSE delivers all the necessary capabilities for effortlessly implementing a consistent dual patching policy.

For more information on enhancing the security of your SAP platform and exploring Live Patching technology, visit www.suse.com/secure-sap.