SUSE Harvester is a leap in 100% open source cloud native virtualization, seamlessly blending virtual machine (VM) management with container orchestration to offer unprecedented operational flexibility and efficiency. Skyrocketing virtualization costs can introduce infrastructure complexity and reduced agility. Harvester addresses these critical issues with its unified HCI platform by enhancing resource utilization, reducing costs and simplifying operations. Harvester serves traditional virtualization and transformations to modern cloud native technology designed for highly constrained cases in the data center, AI optimized workloads and the edge.

Dive deeper into how SUSE’s cloud native HCI solution empowers enterprises to optimize their VM workloads.

Cost reduction and future-proofed virtualization

Harvester eliminates the traditional barriers associated with hypervisor-based environments. It’s not just about coexisting VMs and containers; it’s about integrating them in a way that drives down costs and simplifies processes. By leveraging the robustness of Kubernetes along with proven technologies like SUSE Enterprise Linux and KVM (Kernel-based Virtual Machine), Harvester offers a future-proof solution that avoids vendor lock-in and paves the way for a truly flexible and scalable infrastructure.

With Harvester, enterprises can achieve significant cost savings by optimizing resource utilization and reducing overhead. The platform’s intuitive, web-based user interface simplifies the management of complex, hybrid environments, allowing businesses to focus on innovation rather than maintenance. Whether it’s deploying new containerized applications or migrating existing VMs, Harvester ensures that each step is efficient, secure and aligned with modern cloud native practices.

From virtualization to Kubernetes—A seamless transition

The journey from traditional virtualization to Kubernetes-centric environments encapsulates the evolution of IT infrastructure. Initially popularized by systems like IBM’s CP/CMS and VMware/Broadcom, virtualization allowed multiple virtual machines (VMs) to operate on a single physical host, maximizing resource utilization and reducing costs. However, the rise of containers brought a more granular level of resource management and performance boosts, needing a robust orchestrator — enter Kubernetes.

Harvester: A deep dive into Cloud Native virtualization

Harvester redefines infrastructure management by integrating VMs and containerized workloads within a single platform, offering unparalleled flexibility and control. By leveraging open source technologies like Linux and KVM, Harvester provides a robust foundation for both data center and edge computing environments.

Key features of Harvester

• Zero Downtime VM Migration: Harvester facilitates live VM migration, ensuring continuous operations without downtime.
• Intuitive Web-Based UI: The user-friendly interface makes it straightforward to deploy and manage VMs and containers.
• Advanced Data Protection: Implement backup and restore functionalities for VMs using NFS, S3, or NAS, enhancing data resilience.

Enhancing security and efficiency

Harvester ensures top-tier security with features like RBAC, support for external authentication providers, and secure communication channels. Regular updates maintain compliance and protect against vulnerabilities.

Harvester in action: Real-world Success Stories

Today, Harvester propels some of the world’s largest organizations towards operational excellence. Discover how leading enterprises leverage Harvester to streamline operations, enhance security and drive significant cost efficiencies.

With Harvester, Arm has scaled its DevOps processes to support 2,500 engineers, significantly enhancing productivity and simplifying its cloud native transformation. Explore Arm’s journey here.

Empowering Enterprises with Harvester

Harvester’s cloud native approach enhances current infrastructures and also sets a foundation for future innovations. As enterprises like Arm demonstrate, Harvester drives significant cost savings and operational efficiencies, making it an indispensable tool for modernizing IT landscapes.

Harvester by SUSE stands at the forefront of the virtualization domain, merging the best of Kubernetes automation with the robustness of traditional VM management. Embrace the next level of enterprise virtualization with Harvester — where technology meets strategy to unlock new realms of possibilities.

Join Us at SUSECON 2024

We are thrilled to announce that Harvester is being prominently featured at SUSECON 2024. This premier event is the perfect opportunity to see Harvester in action and learn more about its new features directly from our experts. Be sure to attend our sessions and visit our demo booths to get hands-on experience and deeper insights into the advancements of Harvester.

Don’t Miss These Exciting SUSECON Sessions:

• SUSE Enterprise Container Management Roadmap: Review the future of Rancher Manager, NeuVector, Harvester, Longhorn and more.
• Leveraging Power of SUSE Harvester & Dell PowerFlex: Explore how Dell PowerFlex and Harvester offer a unified solution for modern enterprises.
• Migrating from VMware to Harvester: Learn how a German university transitioned to Harvester, creating a cutting-edge HCI environment.
• Harvester for ARM Environments: Discover the technical preview of ARM-based virtualization support in Harvester.
• Deploying RKE2 Clusters on Harvester: Hands-on session showcasing Rancher’s support for Cluster API with Harvester and RKE2.
• Hyperconverged Infrastructure Solutions: Overview of SUSE’s Harvester HCI solution, exploring scalability and flexibility.

Learn more about Harvester

• Cloud Native Virtualization: Seamlessly Manage VMs, Containers, and edge workloads: Fully embracing a cloud native future

• Arm deploys Rancher Prime stack to 2,500 engineers for companywide DevOps productivity: Reduced DevOps complexity processes through repeatable processes.

• Absa: Driving Scale and Innovation in African Banking: Absa experiencing a 75% reduction in overhead costs

• ECKD reforms church and charity IT with SUSE: Reduced deployment time by up to 95%.

Synopsis.

Generative AI (gen AI) is taking the enterprise by storm.  Sample use cases include content creation, product design development, and customer service to name a few.  Businesses stand to achieve increased efficiencies and productivity, enhanced creativity and innovation, improved customer experience, and reduced development costs.

SUSE’s Enterprise Container Management (ECM) Products (Rancher Prime, Rancher Kubernetes Engine 2, Longhorn, and NeuVector), combined with NVIDIA NIM inference microservices, enables joint partners and customers alike to accelerate the adoption of gen AI with faster development cycles, efficient resource utilization, and easier scaling.

SUSE Enterprise Container Management Stack.

The rest of this document will focus on:

• Establishing a base definition of generative AI for this document.
• The current state of generative AI usage in the enterprise.
  • Needs (requirements) and challenges impacting generative AI deployments.
• How the combination of SUSE’s ECM stack and NVIDIA NIM help address said needs and challenges.
• The Future – What we see as the next steps with SUSE ECM products and NVIDIA NIM.

What is Generative AI – Base Definition.

“Generative AI is a type of artificial intelligence technology that can produce various types of content, including text, imagery, audio, and synthetic data”^[1].  You can think of it as “a machine learning model that is trained to create new data, rather than make a prediction about a specific dataset.  A generative AI system is one that learns to generate more objects that look like the data it was trained on”^[2].

The Current State of Generative AI in the Enterprise.

It’s fair to state that generative AI is in a state of rapid growth within the enterprise, but it’s still in early stages of adoption.

According to Deloitte in their Q2 Generative AI Report^[3], “organizations are prioritizing value creation and demanding tangible results from their generative AI initiatives.  This requires them to scale up their generative AI deployments – advancing beyond experimentation, pilots, and proof of concept”. Two of the most critical challenges are building trust (in terms of making generative AI both more trusted and trustworthy) and evolving the workforce (addressing generative AI’s potentially massive impact on worker skills, roles and headcount).

Early use cases involve areas such as:

• Content Creation: Generative AI can create marketing copy, social media posts, product descriptions, or even scripts based on provided prompts and style guidelines.
• Product Design and Development: AI can generate new product ideas, variations, or mockups based on existing data and user preferences.
• Customer Service Chatbots: AI chatbots that handle routine custom inquiries, freeing up human agents for more complex issues.

There are also two more technical areas:

• Data augmentation: Generative AI creates synthetic data to train machine learning models in situations where real data might be scarce or sensitive.
• Drug Discovery and Material Science: Generative models can design new molecules for drugs or materials with specific properties, reducing research and development time.

When we combine the business priorities as outlined in Deloitte’s report with the early use cases, we can come up with the following requirements and challenges.

Requirements:

• Fast development and deployment of generative AI models to accelerate value creation and deliver tangible results.
• Simplified integration that allows them to integrate AI models into their existing applications.
• Enhanced security and data privacy that allows enterprises to keep their data secure.
• Scalability on demand as needs fluctuate.
• Ability to customize the model with the inclusion of enterprise proprietary data.

Challenges:

• Technical expertise: Implementing and maintaining generative AI models requires specialized skills and resources that may not be available in all enterprises.
• Data Quality and Bias: Generative models are only as good as the data they are trained on.  Ensuring high-quality, unbiased data is crucial to avoid generating misleading or offensive outputs.
• Explainability and Trust: Understanding how generative models arrive at their outputs can be challenging.  This can raise concerns about trust and transparency, especially in critical applications.
• Security and Control: Mitigating potential security risks associated with generative AI models, such as the creation of deep fakes or malicious content, is an ongoing concern.

Addressing Enterprise Generative AI Requirements with the SUSE ECM Stack and NVIDIA NIM.

Deploying NVIDIA NIM combined with the SUSE Enterprise Container Management stack provides an ideal DevOps mix for both the development and production deployment of generative AI applications.

NVIDIA NIM and NVIDIA AI Enterprise.

NVIDIA NIM is available through the NVIDIA AI Enterprise software platform. These prebuilt containers support a broad spectrum of AI models — from open-source community models to NVIDIA AI Foundation models, as well as custom AI models. NIM microservices are deployed with a single command for easy integration into enterprise-grade AI applications using standard APIs and just a few lines of code. Built on robust foundations, including inference engines like NVIDIA Triton Inference Server, NVIDIA TensorRT, NVIDIA TensorRT-LLM, and PyTorch, NIM is engineered to facilitate seamless AI inferencing at scale, ensuring users can deploy AI applications anywhere with confidence. Whether on premises or in the cloud, NIM is the fastest way to achieve accelerated generative AI inference at scale.

When it comes to addressing the challenges:

SUSE Enterprise Container Management Stack.

The SUSE Enterprise Container Management Stack is well-known in the industry.  These are some of the potential benefits when deploying NVIDIA NIM with the Rancher Prime, Rancher Kubernetes Engine 2 (RKE2), Longhorn, and NeuVector Prime combination.

• Rancher Prime is an enterprise Kubernetes management platform that simplifies the deployment and management of Kubernetes clusters:
  • Its centralized management provides a single pane of glass to manage multiple Kubernetes clusters, ensuring consistent configuration and policy enforcement across different environments.
  • Rancher Prime facilitates the scaling of Kubernetes cluster to meet the demands of large-scale AI workloads, such as those that could be run with NVIDIA NIM.
  • Multi-Cluster Support allows deployment across cloud providers and on-premise environments, providing flexibility and redundancy.
• RKE2 is a lightweight, certified Kubernetes distribution that is optimized for production environments.
  • Offers a streamlined installation and configuration process, making it easier to deploy and manage NIM.
  • Supports out-of-the-box security features such as CIS Benchmark and SELinux (on nodes).
• Longhorn is a cloud-native distributed block storage solution for Kubernetes.
  • It provides highly-available and replicated storage for data, such as the one needed for the AI model, ensuring data durability and fault tolerance.
  • Easily scales to meet the storage demands of growing AI workload, supporting large datasets typically used by generative AI.
• NeuVector is a Kubernetes-native security platform that provides comprehensive container security.
  • Runtime Security for running container monitoring for threats and anomalies in AI workloads.
  • Provides advanced network segmentation and firewall capabilities, securing the communication between different components of the infrastructure.
  • Helps maintain compliance with security standards by providing visibility and control over container activities.
  • Scans for vulnerabilities in container images, ensuring that only secure images are deployed.

When we combine the elements of the SUSE Enterprise Container Management (ECM) Stack with NVIDIA NIM, joint customers stand to benefit from:

• Enhanced Security – With RKE2’s secure configuration, NeuVector’s runtime security, and vulnerability management, the AI environment is well-protected against threats and unauthorized access.
• High Availability and Reliability – Longhorn ensures the storage is highly available and reliable, preventing data loss and downtime.
• Scalability: Rancher Prime and Longhorn provide the scalability needed across clusters should NIM requirements demand that level of scale in the enterprise.
• Simplified Management: Rancher Prime offers a centralized Kubernetes management platform, making it easier to scale clusters and ensure consistent policies and configurations.
• Performance – RKE2 and Longhorn are optimized for high performance, ensuring that NIM runs efficiently and can handle intensive AI tasks.
• Flexibility and Compatibility: The SUSE ECM stack is compatible with Kubernetes, allowing integration with a wide range of tools and services, providing flexibility in deployment options.

In summary, the SUSE ECM stack provides a robust, secure, and scalable infrastructure for NVIDIA NIM.  The combined stack enhances the security, manageability, and performance of generative AI deployments, ensuring that NIM can be deployed and operated efficiently in production environments.

The Future – Putting it all together in easy-to-use configurations.

We plan to provide an NVIDIA NIM on SUSE Enterprise Container Management Guide in the near future, documenting how to put the components together to empower customers and partners alike. The document will show how to build the Rancher cluster, install and deploy RKE2, Longhorn, and NeuVector, and deploy NVIDIA AI Enterprise and NIM as workloads.  Stay tuned via SUSE blogs or social media for further availability announcements.

[1] https://www.techtarget.com/searchenterpriseai/definition/generative-AI

[2] https://news.mit.edu/2023/explained-generative-ai-1109

[3] https://www2.deloitte.com/content/dam/Deloitte/us/Documents/consulting/us-state-of-gen-ai-report-q2.pdf

The future of open source is now, and with good reason. More and more organizations, including SAP, are relying on open source software for innovation and operational excellence, and SUSE is the leader in providing enterprise-grade open source solutions. 

SUSE has a particularly deep relationship with SAP and, importantly, we are the leading open source provider for organizations that have adopted SAP Enterprise Cloud Services, which is commonly known as RISE with SAP.

RISE with SAP is a complete offering of ERP software, industry practices, and outcome-driven services that help organizations successfully transform their business processes. All with less risk, and without compromise. It is one of the largest private cloud deployments and the flagship SAP solution with more than 100,000 servers running at scale.

Watch this video from Lalit Patil, Chief Technology Officer of SAP Enterprise Cloud Services to gain insights into RISE with SAP, and how it ensures delivery of important business benefits to its users with scalability and security.

SAP launched RISE with SAP two years ago to deliver the benefits of Business Transformation-As-A-Service. Its success relies on the robust infrastructure behind it, as the underlying platform needs to be equally scalable, secure, and compatible with all the major hyperscalers. SUSE effectively supports the scale at which RISE with SAP runs, including best-in-class security and reference architecture that enables customers to move to the cloud quickly and seamlessly.

Today, more than 6,000 customers have adopted RISE with SAP powered by SUSE. In fact, most of the RISE with SAP infrastructure — over 100,000 servers — runs on SUSE products. SUSE-based reference architecture helps customers transition to the cloud quickly and smoothly, providing exceptional scalability and helping achieve Zero Trust security.

SAP and SUSE are a formidable combination. Whether you’re well along your digital transformation journey or just getting started, SUSE will help ensure your experience is smooth and trouble-free.

Learn more about RISE with SAP and the SAP and SUSE partnership.

As we gear up for SUSECON 2024 in Berlin from June 17 to 19, we at SUSE are thrilled to welcome Portworx by Pure Storage as a Gold Sponsor for this event in the world of open-source innovation and enterprise technology. Our partnership has enabled them to drive forward the capabilities of container data management solutions, and we are excited to share their latest advancements and success stories with the SUSECON community.

With Portworx, Rancher users gain all the benefits of the leading container data management platform, allowing them to unlock the value of Kubernetes data at enterprise scale. Portworx provides self-service high performance storage that is optimized for the enterprise, helping platform teams see operational efficiencies across the application lifecycle. Enterprises running mission-critical applications on Kubernetes can also ensure business continuity through high availability and disaster recovery. Finally, both Rancher Prime and Portworx enable enterprises to build in hybrid and multi-cloud environments, providing consistent and centralized management of Kubernetes clusters no matter where they’re located.

To learn more about our partnership in person, you can see Portworx at SUSECON not only at their booth, but by joining them for two sessions that showcase our collaboration and highlight the real-world applications of our joint solutions. We invite you to join us to learn more about how Portworx and Rancher Prime are empowering enterprises at scale.

Building a Container-as-a-Service Platform on RKE2

In this session, Portworx will delve into a compelling case study of a European asset management company that revolutionized its infrastructure. By building a container-as-a-service platform on Rancher RKE2, the company achieved a seamless migration to containers, modernizing their IT landscape. They will explore how Portworx by Pure Storage integrated with Rancher RKE2 to provide seamless management of big data and infrastructure applications, thereby future-proofing their architecture. Attendees will gain insights into the practical steps and strategic decisions involved in this transformation journey.

Simplified Day 2 Operations on Rancher Prime

Transitioning to stateful applications on Rancher Prime is just the beginning. Day 2 operations present unique challenges such as capacity management, noisy neighbor issues, and data loss. This session will demonstrate how Portworx, in conjunction with Rancher Prime, addresses these challenges head-on. With Portworx AutoPilot, you can automate the management of storage pools and PVC capacity using Rancher’s built-in monitoring tools. Additionally, their App I/O Control feature ensures optimal performance by regulating volume IOPS or bandwidth usage. The Portworx trash can feature adds an extra layer of protection against accidental deletions, safeguarding your data.

Visit Them at the Portworx Booth

Stop by the Portworx booth to engage with their experts to discover how Portworx can help automate, protect, and unify modern applications across hybrid and multi-cloud environments. See demos of their integrations with Rancher Prime and learn more about their latest product updates and future roadmap.

We look forward to connecting with you at SUSECON 2024 and exploring how we can support your journey towards a more modern and resilient infrastructure. Stay tuned for more updates and detailed session schedules on our social media channels and learn more about Rancher by SUSE and Portworx by joining us at SUSECON!

In the coming months, tens of thousands of businesses and organizations across Europe will be required to comply with the new EU Network and Information Security Directive (NIS2). SUSE can help you achieve full NIS2 compliance in time. With our solutions, you can increase the security and reliability of your IT, gain greater visibility, and achieve higher levels of compliance faster.

Implementation of NIS2 is moving forward. And while it is not certain that the new cybersecurity directive will go into effect in all EU countries as planned on October 17, 2024, business and IT managers should take the necessary technical and organizational steps now. Not only does NIS2 increase the requirements for network and information security, but it also significantly increases the threat of penalties for violations. In addition, managers are personally liable for implementing  the prescribed measures. These regulations have a much greater potential for disruption than the GDPR.

Affected organizations and their executives would be well advised to take the requirements of the NIS2 directive seriously and implement effective strategies and solutions to secure their IT infrastructure in order to avoid executive liability.

How SUSE is helping to prepare for NIS2

SUSE is helping organizations and government agencies meet the requirements of NIS2 in a number of ways. In particular, our solutions have been proven to strengthen the security of IT infrastructures in six areas, making it easier for organizations to comply with the new standards.

1. Supply chain security: NIS2 requires all affected organizations to continuously assess potential cyber risks in their supply chain and take appropriate security measures. However, it is almost impossible for software users to perform an independent assessment of the entire software supply chain. The time required for this would be enormous – at the same time, there would always be the risk of being held liable for an overlooked security vulnerability.
   SUSE simplifies this process for all SUSE Linux Enterprise Server (SLES) based solutions: The operating system is Common Criteria EAL 4+ certified by Germany’s Federal Office for Information Security (BSI). This makes SUSE the only vendor of a current general-purpose operating system to have successfully passed a comprehensive evaluation of its product, development and security update processes. With this officially recognized certification, companies can avoid the hassle of conducting their own evaluation and can demonstrate at any time that the supply chain security of their operating system has been verified by an independent body.
   Rancher Prime, SUSE’s enterprise container management platform, also helps secure the software supply chain. The solution was recently certified against the Supply-chain Levels for Software Artifacts (SLSA). This framework, developed by Google, is designed to ensure the integrity of software as it is built into binaries. Measures such as an automated build process and complete Software Bill of Material (SBOM) documentation protect software from tampering and provide a secure traceability of the source code.
2. Encryption: Another important aspect of NIS2 is cryptography. Article 21 of the directive requires all affected organizations to use up-to-date encryption technologies to ensure the security and integrity of sensitive data. SUSE helps organizations implement this by following the U.S. government’s Federal Information Processing Standards (FIPS) 140-2 and 140-3, which define the security requirements that cryptographic modules must meet in U.S. government agencies.
   SLES 15 SP2 is FIPS 140-2 validated, providing a secure foundation for encrypted communications and data storage. The certified cryptographic modules can also be used in SP3. The cryptographic modules in SLES 15 SP4 are currently undergoing certification to the successor standard, FIPS 140-3. Once the National Institute of Standards and Technology has completed its review, modules such as the Kernel Crypto API, GnuTLS, libgcrypt, mozilla-nss, and OpenSSL will be certified to this standard.
3. High availability: To comply with NIS2 and DORA (Digital Operational Resilience Act), many organizations need to improve the resilience of their IT infrastructure and take additional measures to ensure business continuity. SUSE offers solutions that maximize system availability and minimize downtime. One such solution is the SUSE Linux Enterprise High Availability Extension. With features such as geo-clustering, multi-site data replication and rules-based failover, organizations can ensure that their most critical IT applications are always available-and that they can quickly recover from unforeseen events.
4. Edge computing and IoT security: NIS2 affects all operators of critical infrastructure in sectors such as energy, manufacturing, telecommunications, transportation, and logistics. Today, these organizations often use edge and IoT devices to control their infrastructure. These devices and the applications running in edge environments also need to be protected from potential cyber threats.
   SUSE Edge 3.0 can help. The technology stack, based on Rancher, NeuVector and SLE Micro, not only simplifies the management of distributed devices, but also provides comprehensive security for edge infrastructures of all sizes. With NeuVector, for example, security policies can be enforced pervasively and attacks on edge environments can be blocked in real time. SLE Micro enhances the security of edge devices with the pre-installed SELinux security framework and an immutable file system. In addition, the OS provides the ability to enable a FIPS mode to ensure strict compliance with NIST-validated cryptographic modules and applying system hardening best practices.
5. Vulnerability and risk management for containers and Kubernetes: Many organizations today are modernizing their application landscape and increasingly relying on cloud-native applications that are agilely developed and highly dynamically deployed. This needs to be considered when planning a NIS 2 strategy. SUSE NeuVector provides end-to-end vulnerability management, automated CI/CD pipeline security, complete run-time security, and protection against zero-day and insider threats in the Kubernetes environment. At the same time, the container security solution performs checks and access controls during the development, testing and deployment of new applications. SUSE NeuVector scans containers, hosts and orchestration platforms at runtime and verifies host and container security. All of these features help organizations to comply with the required cybersecurity risk-management measures of NIS 2 directive for modern cloud-native applications.
6. Enhanced incident reporting: The NIS 2 policy also includes enhanced security incident reporting requirements. Affected organizations must report incidents to the appropriate government agencies within 24 hours. Within 72 hours, they must submit a comprehensive report. SUSE makes this requirement easier to meet: Products such as SUSE Manager, Rancher and NeuVector provide comprehensive monitoring and reporting capabilities. These tools can help you monitor the health of your IT infrastructure in real time, detect anomalies, quickly identify security incidents and automate the processes involved. They can also help you gather the information you need to investigate an incident and report it to the authorities.

At SUSECON 2024 (June 17-19 in Berlin, Germany), we had a session how SUSE supports compliance with standards such as the NIS2 directive and the EU Cyber Resilience Act (CRA). Our experts François-Xavier Houard and Knut Trepte discussed compliance and supply chain security from the operating system to the container level.

In the dynamic realm of IT infrastructure, Kubernetes has solidified its status as a pivotal force behind containerized environments, offering unparalleled capabilities in the deployment, management, and scaling of application containers across host clusters. As an influential open-source system, Kubernetes simplifies the complexities of managing containerized applications, promoting operational efficiency and resilience. This orchestration prowess has transformed operational paradigms, elevating the agility and scalability of applications to meet the demands of the modern digital landscape, thereby rendering Kubernetes an essential asset for businesses seeking competitive advantage.

Yet, the advantages of Kubernetes come with inherent security responsibilities. While beneficial for scalability and efficiency, the platform’s flexible and distributed architecture also presents a spectrum of security challenges. These challenges are increasingly exploited by adversaries aiming to infiltrate containerized applications and compromise sensitive data. In light of these challenges, prioritizing these new paradigms of security for Kubernetes deployments transcends traditional best practices—it becomes imperative. Adhering to Kubernetes-specific best practices is crucial for maintaining the security and integrity of applications and the data they handle. This article explores essential strategies for securing your Kubernetes environment, ensuring a robust defense against potential threats.

Understanding Kubernetes Security Risks

Kubernetes, while transformative in the world of container orchestration, introduces a complex security landscape that requires meticulous attention. This complexity is not just theoretical; it is reflected in the array of security challenges that can jeopardize Kubernetes environments. Among these challenges, several stand out due to their prevalence and potential impact.

Misconfigurations are perhaps the most ubiquitous security risk. The flexibility of Kubernetes often leads to complex configurations, and it’s alarmingly easy for administrators to inadvertently leave the door open to attackers. Whether it’s exposed dashboard interfaces, unnecessary privileges, or default settings left unchanged, such oversights can serve as entry points for malicious activities.

Vulnerabilities in container images and runtime represent another significant risk. Containers often rely on external images that may contain known vulnerabilities or be outdated. Without rigorous scanning and management, these vulnerabilities can be exploited by attackers to compromise the container and, potentially, the entire cluster.

Insufficient network policies can lead to unauthorized access and lateral movement within the cluster. Kubernetes’ default settings allow broad internal communication, which, if not correctly restricted by robust network policies, can enable attackers to exploit one vulnerable component to compromise others.

Lack of access controls is a critical issue. Kubernetes environments can be complex, with various roles requiring different levels of access. Without proper role-based access control (RBAC) configurations, there’s a risk of overprivileged accounts that, if compromised, can lead to significant breaches.

The impact of these security breaches on organizations can be profound. Beyond the immediate operational disruptions and potential data loss, the reputational damage can have long-lasting effects on customer trust and business viability. Regulatory implications may also arise, with breaches involving sensitive data leading to significant fines under laws like GDPR.

In summary, understanding and mitigating the security risks in Kubernetes environments is not just about protecting IT assets; it’s about safeguarding the organization’s reputation, customer trust, and regulatory compliance.

Core Principles of Kubernetes Security

To navigate the intricate security landscape of Kubernetes, adhering to core principles is essential. These foundational strategies are designed to bolster the security posture of Kubernetes deployments, ensuring the safeguarding of both the infrastructure and the applications running within.

Least Privilege Access

The principle of Least Privilege Access is paramount in Kubernetes security. This approach entails granting users, services, and applications the minimal level of access—or privileges—necessary for their function. By implementing Role-Based Access Control (RBAC) effectively, organizations can minimize the risk associated with overprivileged accounts, which, if compromised, could lead to extensive system breaches. Tailoring permissions closely to the needs of each entity significantly reduces the attack surface, making it a critical first line of defense.

Defense in Depth

Defense in Depth is a multi-layered se

curity strategy that ensures if one security control fails, others are in place to thwart an attack. In the context of Kubernetes, this might involve securing the container images, enforcing network policies to restrict traffic flow, and isolating workloads to prevent lateral movement by attackers. By layering security measures, organizations create a more resilient defense against both external and internal threats.

Regular Auditing and Monitoring

Continuous Regular Auditing and Monitoring form the backbone of an effective Kubernetes security strategy. Monitoring in real-time allows for the immediate detection of suspicious activities and anomalies, while regular audits of configurations and permissions help identify and rectify potential vulnerabilities before they can be exploited. Embracing Kubernetes monitoring best practices ensures that the infrastructure remains secure and compliant over time.

Implementing these core principles of Kubernetes security is not a one-time task but an ongoing commitment. As Kubernetes environments evolve, so too must the strategies used to secure them. By prioritizing least-privilege access, adopting a defense-in-depth approach, and committing to regular auditing and monitoring, organizations can significantly enhance the security of their Kubernetes deployments.

Best Practices for Kubernetes Security

Securing a Kubernetes environment requires a multifaceted approach, embracing practices that span from the individual node and pod level to the overarching cluster management. This section delves into a series of best practices designed to fortify Kubernetes deployments against the myriad of security threats they face.

Securing the Kubernetes API

• Role-Based Access Control (RBAC): RBAC is crucial for defining who can access the Kubernetes API and what actions they can perform. By applying the least privilege principle, administrators can minimize the risk associated with overly broad permissions.
• Authentication and Authorization Mechanisms: Ensuring robust authentication and authorization mechanisms for the Kubernetes API protects against unauthorized access. Integrating with existing identity providers can streamline this process, leveraging tokens, certificates, or external auth services.

Network Policies and Segmentation

• Implementing Namespace Strategies: Namespaces allow for the segmentation of resources within a Kubernetes cluster, providing a scope for allocating permissions and applying policies.
• Using Network Policies to Restrict Traffic: Network policies are vital for controlling the flow of traffic between pods and namespaces, preventing unauthorized access, and ensuring that pods communicate only as intended.

Node Security

• Keeping Kubernetes and Its Components Up to Date: Regular updates are essential for addressing security vulnerabilities in Kubernetes and its components. Staying current with the latest versions can protect against known exploits.
• Hardening Node Configurations: Nodes should be hardened according to industry standards and best practices, including disabling unnecessary services and applying security patches.

Workload and Pod Security

• Secure Container Images: Utilizing secure and trusted container images is the foundation of pod security. This includes using trusted base images and scanning images for vulnerabilities to prevent the introduction of security flaws into the environment.
• Managing Secrets Securely: Kubernetes Secrets should be used for managing sensitive data within the cluster. It’s important to encrypt these secrets both at rest and in transit to protect them from unauthorized access.
• Implementing Pod Security Policies: Pod security policies enable administrators to enforce rules on the pod level, such as restricting privileged access and limiting resource usage to prevent denial-of-service (DoS) attacks.

Monitoring and Auditing

• Logging and Monitoring Strategies: Effective logging and monitoring are critical for detecting and responding to security incidents. Collecting logs from Kubernetes components and employing tools for real-time monitoring can provide insights into suspicious activities.
• Auditing Cluster Activities: Configuring audit logs allows for a detailed record of actions performed within the cluster, aiding in forensic analysis and compliance monitoring.
• Using Third-Party Tools for Enhanced Auditing Capabilities: To augment Kubernetes’ native capabilities, third-party tools can offer advanced features for monitoring, alerting, and auditing, providing a comprehensive view of the cluster’s security posture.

By adhering to these best practices for Kubernetes security, organizations can create a robust defense against the diverse array of threats targeting containerized environments. From securing the API and implementing network policies to hardening nodes and securing workloads, each measure plays a critical role in protecting the Kubernetes ecosystem. Continuous monitoring and auditing further ensure that the incident response teams can react to incidents to safeguard the integrity, confidentiality, and availability of applications and data.

Advanced Kubernetes Security Techniques

As Kubernetes environments grow in complexity and scale, leveraging advanced security techniques becomes essential to protect against sophisticated threats. Among these advanced methods, the implementation of a service mesh represents a significant leap forward in securing containerized applications.

Service Mesh for Enhanced Security

A service mesh is a dedicated infrastructure layer that facilitates service-to-service communication in a secure, fast, and reliable manner. It operates at the application level, providing a comprehensive way to manage how different parts of an application share data with one another.

The core advantage of a service mesh lies in its ability to enforce policies and provide insights across all traffic. It ensures that communication between services is secure, authenticated, and authorized. This level of control and visibility is vital in a microservices architecture, where applications consist of many loosely coupled services.

Implementing Secure Communications with mTLS

Mutual TLS (mTLS) is a cornerstone security fea

ture of service meshes. It automatically encrypts data in transit, ensuring that both parties in a communication are authenticated and authorized to talk to each other. mTLS provides a much-needed security assurance for intra-cluster communications, protecting against eavesdropping, tampering, and forgery.

Integrating with External Security Tools and Platforms

Service meshes can seamlessly integrate with external security tools and platforms, extending their capabilities to include threat detection, intrusion prevention, and more. This integration allows for a unified security posture that covers not only the infrastructure but also the application layer, offering a holistic approach to Kubernetes security.

Adopting a service mesh enhances Kubernetes security by providing an additional layer of control and visibility over service-to-service communications. Its ability to implement mTLS and integrate with other security solutions transforms the way security is managed within containerized environments, paving the way for more secure and resilient applications.

Maintaining Kubernetes Security

In the dynamic and ever-evolving landscape of Kubernetes, maintaining a strong security posture is an ongoing challenge that requires constant vigilance and proactive measures. As the Kubernetes ecosystem continues to grow, so too does the sophistication of threats targeting it. This necessitates a disciplined approach to security maintenance, underpinned by several key practices.

• Regular Vulnerability Scanning and Patch Management: Continuous vulnerability scanning of container images, Kubernetes codebase, and its dependencies is critical. Identifying vulnerabilities early allows for timely patching or mitigation, significantly reducing the window of opportunity for attackers. Coupled with effective patch management processes, this ensures that security flaws are addressed before they can be exploited.
• Continuous Security Assessment and Improvement: Security is not a one-time effort but a continuous cycle of assessment, improvement, and reinforcement. Regular security assessments—ranging from penetration testing to configuration audits—help identify potential weaknesses and areas for enhancement, enabling organizations to stay ahead of emerging threats.
• Staying Updated with Kubernetes Security Advisories and Updates: Keeping abreast of the latest security advisories and updates from the Kubernetes community is essential. These advisories provide critical information on vulnerabilities, patches, and best practices for securing Kubernetes environments. By staying informed, organizations can take swift action to apply updates and harden their clusters against known threats.

By embracing these practices, organizations can ensure that their Kubernetes deployments remain secure against the backdrop of an ever-changing threat landscape. Regularly scanning for vulnerabilities, continuously assessing and improving security measures, and staying updated with the latest advisories are pivotal steps in maintaining the integrity and resilience of Kubernetes environments.

Final Thoughts

The journey through Kubernetes security best practices underscores the critical nature of safeguarding containerized environments in an era where digital threats are constantly evolving. This exploration has illuminated the multi-faceted approach required to protect Kubernetes deployments—from securing the API and implementing robust access controls to adopting advanced security techniques and maintaining vigilance with regular updates and assessments.

As Kubernetes continues to play a pivotal role in the infrastructure of modern applications, the importance of adhering to these security best practices cannot be overstated. To navigate these complexities and ensure your Kubernetes environments are secure and resilient, consider leveraging the expertise and solutions offered by SUSE Rancher. With a strong commitment to open-source innovation and comprehensive security, SUSE Rancher provides the tools and support necessary to protect your containerized applications against the evolving threat landscape.

Explore SUSE Rancher’s Kubernetes solutions today and take the next step in securing your containerized infrastructure.

Frequently Asked Questions (FAQs)

How can I prevent unauthorized access to my Kubernetes API?

Preventing unauthorized access to your Kubernetes API involves a combination of configuring Role-Based Access Control (RBAC), enabling API authentication mechanisms, and using network policies to restrict access. RBAC allows you to define who can access the Kubernetes API and what they can do with it. Ensuring that API authentication is robustly configured helps verify the identities of users and services, while network policies limit the traffic to and from resources within the cluster, providing an additional layer of security.

What is the best way to manage secrets in Kubernetes?

The best way to manage secrets in Kubernetes is by using Kubernetes Secrets for storing sensitive data, such as passwords, tokens, and keys. Best practices include limiting access to Secrets using RBAC, avoiding hard-coding secrets into application code, and using tools or add-ons to encrypt Secrets at rest and in transit. Additionally, regularly rotating secrets and auditing access to them can significantly enhance security.

How can I ensure my container images are secure?

Ensuring container images are secure involves using trusted base images from reputable sources, scanning images for vulnerabilities regularly, and keeping images up-to-date to avoid security issues. Automated tools can help identify known vulnerabilities in container images, allowing you to address potential security issues before deploying them into production.

What are pod security policies, and why are they important?

Pod security policies are a Kubernetes feature that allows you to control the security specifications pods must comply with to run in your cluster. They are important because they limit the actions that pods can perform, reducing the risk of malicious behavior. Implementing pod security policies helps enforce best practices, such as preventing pods from running as root, limiting access to host filesystems, and restricting the use of privileged containers.

How do I monitor my Kubernetes environment for security threats?

Monitoring your Kubernetes environment for security threats involves implementing logging and monitoring strategies that provide visibility into your cluster’s operations. Collecting and analyzing logs from Kubernetes components, coupled with the use of tools for real-time monitoring and alerting, can help identify suspicious activities. This proactive approach allows you to detect and respond to security incidents promptly.

Can network policies enhance the security of my Kubernetes cluster?

Yes, network policies can significantly enhance the security of your Kubernetes cluster. They play a crucial role in implementing a zero-trust network model by segmenting traffic between pods and namespaces, effectively limiting who can communicate with whom. This segmentation helps prevent unauthorized access and lateral movement within the cluster, offering a robust mechanism to enforce your security policies at the network level.

K3s is one of the most popular open source CNCF projects and continues to be the most widely adopted Kubernetes distribution in the world due to its simplicity and efficiency. As a lightweight Kubernetes solution, K3s is uniquely positioned to meet the demands of edge computing and Kubernetes deployments in diverse environments, excelling where other Kubernetes distributions struggle or fail.

K3s at a Glance

With millions of downloads and tens of thousands of new installations each week, K3s is the preferred lightweight Kubernetes distribution on the planet. K3s is a lightweight, easy-to-install Kubernetes distribution specifically designed to run on resource-constrained environments and IoT devices, making it ideal for edge computing scenarios. K3s benefits from robust community support, with over 26.5k stars on GitHub and contributions from more than 1,855 active members. These figures not only reflect its popularity but also ensure that K3s remains on the cutting edge of technology advancements.

Key Benefits of K3s

• Scalability: Manage thousands of clusters effortlessly with Rancher Prime and K3s, while ensuring unmatched scalability, openness and control.
• Lightweight and performant: Install anywhere to get the most out of your infrastructure and apps.
• Optimized for edge: K3s is certified for production workloads in unattended, resource-constrained, remote locations or inside micro edge devices.
• Resilience: Provides high availability and consistent performance, crucial in environments like The Home Depot where downtime is not an option.
• Simplicity: Facilitates easy setup and management, making Kubernetes accessible to teams of varying technical levels.
• Flexibility: Adapts to a wide range of use cases, from development to production, across different industries.
• Multi-Architecture Support: K3s offers extensive support for both ARM64 and ARMv7 architectures, enhancing versatility across various hardware platforms.

First Native Edge in Space: Kratos

Kratos Defense & Security Solutions is pioneering the digital transformation of satellite communications. By leveraging K3s, Kratos has shifted from reliance on proprietary hardware to a dynamic, software-defined approach. This agility allows Kratos to remotely rebuild satellite functionalities swiftly in response to changing demands on the ground — a critical advantage in the satellite industry.

• Digital Transformation: Kratos uses K3s to virtualize network functions on satellites, enabling rapid reconfiguration of satellite platforms.
• Edge Innovation: Running on SUSE Linux Enterprise Micro and K3s, Kratos’ OpenSpace Platform exemplifies the cutting-edge application of Kubernetes at the far edge of network operations.

The Home Depot: Enhancing Retail Operations with K3s

At The Home Depot, K3s drives the edge computing strategy, managing applications across 2,200 U.S. stores. This extensive deployment underscores K3s’ ability to streamline operations and support scalable solutions, ensuring reliable performance even in disconnected environments and meeting diverse technical needs from QA to full-scale production workloads.

Arm: Empowering Engineers with K3s

Arm expanded its use of the Rancher Prime technology stack to include K3s, scaling its deployment to 2,500 engineers. This scale-up highlights K3s’ ability to simplify complex DevOps processes and reduce operational complexity, efficiently supporting a vast scale of enterprise engineering needs.

Looking Ahead

K3s integrates cutting-edge technologies such as edge, IoT, AI and machine learning to address evolving business needs. As organizations like Kratos, The Home Depot and Arm continue to innovate, K3s is a critical component of their technology strategies, driving efficiency and innovation.

K3s is not merely a tool; it’s a pivotal technology that empowers businesses to harness the full potential of Kubernetes without the typical associated complexities of larger deployments. Its significant impact on companies like The Home Depot and Arm showcases its capacity to revolutionize industries by making edge computing more accessible and manageable.

By adopting K3s, enterprises aren’t just choosing a technology; they’re embracing a future where flexibility, scalability and reliability are readily achievable.

Learn more about K3s and SUSE:

• K3s: Kubernetes at the Edge
• K3s CNCF project website
• Explore K3s Support: Dive deeper into how SUSE’s Customer Services enhance your K3s experience with expert guidance and proactive solutions
• How the cloud native Edge is transforming business at The Home Depot
• Kratos revolutionizes satellite communications, transforming proprietary hardware into virtualized network functions

For almost 25 years, SAP and SUSE have delivered innovative business-critical solutions on open-source platforms, enabling organizations to achieve operational excellence, anticipate requirements, and become industry leaders. Today, the vast majority of SAP customers securely run their SAP and SAP S/4HANA environments on SUSE.  

Meet the Experts.

Pre-book your meeting via the event website or just come by our SUSE booth #346 and take advantage of one-on-one conversations with SUSE experts to share your needs and learn how we can help.

Converse with subject matter experts from our partners Google, Intel, and Dell, and watch their short presentations at our booth.

Schedule

Tuesday, June 4

12:15 – 12:30 pm
Google: PayPal: Transform Your SAP Workloads with Google Cloud & SUSE

12:30  – 12:45 pm
Intel:

1. Cost & Power Efficient SAP HANA and SAP Application Platform (Intel Xeon 6 for SAP powered by SUSE SLES 15 SP6)
2. Virtualized SAP HANA Landscape on SUSE SLES 15 powered by Intel architecture.

Wednesday, June 5

12:15 – 12:30 pm
Google: Cardinal Health: Transform Your SAP Workloads with Google Cloud & SUSE

12:30 – 12:45 pm
Dell: RISE + Trento + AI = Your recipe for Success

Join our SUSE CTO Brent Schroeder and SAP’s Udo Paltzer, Product Manager for SAP Integration Suite, and learn more about the questions to consider before implementing the Edge Integration Cell runtime

(PAR211, SUSE Session)

Tuesday, June 4, 2024, 1:30 p.m. – 1:50 p.m.

On-premise integration of cloud solutions from SAP requires a new infrastructure to run containerized components. Listen as SUSE explores the following questions: Can it be secure and business-critical ready? Why have a Kubernetes environment dedicated to SAP software? How can you minimize the impact on your project and its operation?

Breakfast roundtable with Lenovo, SUSE and Intel – June 5th 

On Wednesday morning,  we start with a roundtable discussion on the Future of the SAP Environment.

SAP Integration Suite and Edge Integration Cell are hot topics for customers, who need to process certain data onsite and the data cannot be pushed to the cloud immediately.
SAP is looking at cloud-native innovations/infrastructure that are ahead for the customers journey.

Join us at the Hyatt Regency hotel at 7:45 a.m. when we discuss the topic and enjoy a hot breakfast along the way.

Please register for the event either at the Lenovo booth #341 or at our SUSE booth #346 to reserve your seat.

Learn more about SUSE’s solutions for SAP:

• RISE with SAP – Learn how you can integrate your on-premise infrastructure into the SAP Cloud with Edge Integration Cell.
• Security – Secure your SAP infrastructure with built-in security features for on-premises, hybrid, and cloud environments.
• Cloud Migration – Let us help you navigate the decision-making process of migrating to the cloud, whether you will run it natively in an IaaS environment, or in RISE.
• Automation – Learn how you can leverage automated management of your data center at a massive scale.
• High Availability – See how SUSE helps you achieve near-100% uptime for your SAP HANA systems with our tailored SAP solutions.

SUSE Linux Enterprise Server for SAP applications is endorsed by SAP

The idea behind Endorsed Apps is to make it super easy for SAP customers to get up and running with SAP. It helps to easily identify the top-rated partners and apps that are verified to deliver outstanding value. These solutions are tested and premium certified by SAP with added security, in-depth testing, and measurements against benchmark results. 

Find more information on the SAP Store 

Contact Us

If you have any additional questions, please don’t hesitate to contact us @ sapalliance@suse.com  

We look forward to seeing you at SAP Sapphire on June 3-5, 2024.

SAP customers are increasingly shifting applications to the cloud to take advantage of its superior scalability, flexibility and cost savings. But not every application can run seamlessly and securely in the cloud. Some contain sensitive data such as social security numbers, medical records or payroll data that organizations need to keep on-premises for security reasons. Others have latency issues, preventing them from being completely cloud-native. And some applications are prevented from running completely in the cloud because of jurisdictional laws and regulations relating to the data.

But just because you can’t run all your SAP applications in the cloud doesn’t mean you have to avoid the cloud completely. The SAP Integration Suite enables you to integrate applications, processes and data across and beyond your organization, including those that require both cloud and on-premises landscapes.

Run mission-critical SAP solutions across on-premise and cloud environments

An important component of the suite is SAP Edge Integration Cell, a hybrid integration runtime that connects your on-premises applications and data with the cloud, all within the secure confines of your data center. The solution safeguards confidential data by avoiding direct connections between your cloud and on-premises data and processes.

With SAP Edge Integration Cell, you can run applications where data is sensitive or mission-critical, ensuring the data is managed and controlled inside the enterprise’s firewall. It also enables you to design and monitor integration content in the cloud, but deploy and run scenarios exclusively in your private landscapes. Edge Integration Cell delivers some other important benefits:

• ‘Hybrid’ deployment at the speed of cloud
• Governance and lifecycle based on customer needs
• Incorporates APIs, events, and integrations
• Boosts performance by reducing network latency

SAP Edge Integration Cell is designed to operate in a Kubernetes-based container environment. Kubernetes offers a powerful platform for handling containerized applications on a large scale. It enhances scalability, ensures high availability, optimizes resource use, and has self-healing features.

SUSE unlocks the benefits of Edge Integration Cell

Edge Integration Cell requires a robust, enterprise-grade Kubernetes solution to run your mission-critical components, and most don’t fit the bill. That’s why SAP chose SUSE’s Rancher Kubernetes as the first platform to run Edge Integration Cell.

SUSE’s Rancher solution gives you the tools and support to deploy, manage, and secure your SAP environment, and gain the benefits of Edge Integration Cell. You’ll ensure business continuity, conform to industry standards and best practices, and meet all the SLAs required for your SAP operations.

SUSE is synonymous with SAP excellence. For over two decades, we have been a trusted open-source platform for SAP customers seeking to drive innovation and improve operational efficiency. Our SUSE Linux Enterprise Server for SAP Applications has supported SAP HANA for years. And now our Rancher Kubernetes platform enables organizations to connect SAP cloud and on-premises data through SAP Edge Integration Cell, with the same level of enterprise resiliency and support you’ve come to expect from us.

Click here to learn more about SAP Edge Integration Cell.