SUSE Rancher for AWS Administrator Reference

Overview

This document provides a quick reference for SUSE Rancher for AWS (SRFA) system administrators managing organization-wide settings, monitoring activity, and configuring advanced features.

Permission Tiers

Administrator

Full system access and all admin features.

Standard User

Create and manage clusters, and deploy apps.

Base User

Read-only cluster access.

Access: SUSE Rancher for AWS Administration menu > https://localhost:8005/mcmAdmin/c/_/insights

Feature Summary

| Feature | Purpose | When to Use |
|---|---|---|
| Audit Logs | Track user actions and system events | Security audits, troubleshooting, compliance |
| Node Size Presets | Standardize cluster node configurations | Enforce standards, simplify provisioning |
| Data Export | Backup SUSE Rancher for AWS configuration | Disaster recovery, migration, compliance |
| Q Index Configuration | AI assistant integration | Enable contextual help and doc search |
| AI Assistant | AI-powered help | Quick answers, troubleshooting guidance |

1. Audit Logs

Purpose: Security auditing, compliance reporting, troubleshooting, and performance analysis.

Access: /mcmAdmin/c/_/AuditLog

Filtering

| Filter | Options | Default |
|---|---|---|
| Time Range | Start/End date-time picker | Last 24 hours |
| Record Limit | 1-1000 records | 50 |

Actions: Apply filters, Reset to defaults.

Table Columns

| Column | Details | Visual Indicators |
|---|---|---|
| Timestamp | When action occurred | Sortable |
| User | Username (hyperlinked) | - |
| Method | HTTP method | Green=GET, Blue=POST, Yellow=PUT/PATCH, Red=DELETE |
| Request URI | API endpoint | Full path |
| Status | HTTP status code | Green=200-299 (success), Red=400-599 (errors) |
| Duration | Request time (ms) | Highlights slow requests |

Detailed View

Expand a row to see the following:

  • Request headers and body (JSON)

  • Response body (JSON)

  • Full URI with query parameters

  • Client IP and User Agent

Common Use Cases

Security Audit:      Method=DELETE, Status=200 (review deletions)
User Troubleshooting: User=<name>, Status=400-599 (find errors)
Compliance Report:   Last 30 days, All methods (export activity)
Performance Check:   Duration >5000ms (identify slow requests)

Best Practices

  • Weekly: Review DELETE operations and failed authentication attempts.

  • Monthly: Full review of errors and performance.

  • Quarterly: Export for compliance and long-term storage.

  • Monitor 4xx and 5xx status codes for patterns.

  • Investigate slow requests.
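
The review filters above can also be run offline against exported audit records. The following is an added example, not SUSE code: the record field names are assumptions modelled on the Audit Log table columns, the sample records are constructed, and treating 401/403 as failed authentication is an assumption.

```python
from collections import Counter

# Constructed sample records (not real SRFA output). Field names are assumed
# from the Audit Log table columns; map them to your actual export format.
FIELDS = ("timestamp", "user", "method", "uri", "status", "duration_ms", "client_ip")
SAMPLE = [dict(zip(FIELDS, row)) for row in [
    ("2025-01-06T09:12:03Z", "alice", "DELETE", "/api/example/clusters/c-1", 200, 812, "198.51.100.7"),
    ("2025-01-06T09:15:41Z", "alice", "DELETE", "/api/example/presets/p-9", 404, 35, "198.51.100.7"),
    ("2025-01-06T10:01:10Z", "bob", "POST", "/api/example/login", 401, 40, "203.0.113.9"),
    ("2025-01-06T10:01:12Z", "bob", "POST", "/api/example/login", 401, 38, "203.0.113.9"),
    ("2025-01-06T10:01:15Z", "bob", "POST", "/api/example/login", 401, 41, "203.0.113.9"),
    ("2025-01-06T11:30:00Z", "carol", "GET", "/api/example/clusters", 200, 6200, "192.0.2.44"),
    ("2025-01-06T11:45:22Z", "carol", "GET", "/api/example/clusters", 500, 120, "192.0.2.44"),
]]

AUTH_FAILURE_CODES = {401, 403}  # assumption: how failed auth shows up in Status


def triage(records, slow_ms=5000, auth_fail_threshold=3):
    """Apply the review filters from this section to a list of audit records."""
    deletions = [r for r in records
                 if r["method"] == "DELETE" and 200 <= r["status"] <= 299]
    errors = [r for r in records if 400 <= r["status"] <= 599]
    slow = [r for r in records if r["duration_ms"] > slow_ms]
    # Group failed authentication by (user, client IP) so repeated failures
    # from one source stand out from a single mistyped password.
    fails = Counter((r["user"], r["client_ip"])
                    for r in records if r["status"] in AUTH_FAILURE_CODES)
    repeated = {k: n for k, n in fails.items() if n >= auth_fail_threshold}
    # Error counts per status code, for spotting 4xx/5xx patterns.
    by_status = Counter(r["status"] for r in errors)
    return {"deletions": deletions, "errors": errors, "slow": slow,
            "repeated_auth_failures": repeated, "errors_by_status": dict(by_status)}


if __name__ == "__main__":
    report = triage(SAMPLE)
    for r in report["deletions"]:
        print("DELETE ok:", r["timestamp"], r["user"], r["uri"])
    for (user, ip), n in report["repeated_auth_failures"].items():
        print(f"auth failures: {user} from {ip} x{n}")
    for r in report["slow"]:
        print("slow:", r["user"], r["uri"], r["duration_ms"], "ms")
    print("errors by status:", report["errors_by_status"])
```
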

2. Node Size Presets

Purpose: Standardize node configs, simplify provisioning, enforce budgets, and enable non-AWS experts.

Access: /mcmAdmin/c/_/NodeSizePresets

Preset Display

Each preset shows:

  • Size badge (S, M, L, XL, GPU)

  • SPOT badge (if enabled)

  • Display name and use case

  • vCPU, RAM, GPU specs

  • Monthly cost range

  • Edit/Delete actions

Default Presets

| Preset | Instance | vCPU/RAM | Nodes | Disk | Spot |
|---|---|---|---|---|---|
| Small (S) | t3.medium | 2/4GB | 1-2 | 20GB | Yes |
| Medium (M) | m5.large | 2/8GB | 2-3 | 50GB | Yes |
| GPU | g4dn.xlarge | 4/16GB + 1xT4 | 1-1 | 20GB | No |

Default presets cannot be deleted, but can be edited.

Creating and Editing Presets

Basic Information:

| Field | Required | Notes |
|---|---|---|
| Display Name | Yes | Max 50 characters, user-facing |
| Badge | No | Max 10 characters (S, L, PROD, DB) |
| Description | No | Max 200 characters, full use case |
| Use Case | No | Max 100 characters, one-liner |

Instance Configuration:

| Field | Required | Details |
|---|---|---|
| Instance Type | Yes | Dropdown grouped by family (General Purpose, Compute, Memory, GPU) |
| Disk Size | Yes | 20-1000 GB EBS volume per node |

Node Group Configuration:

| Field | Required | Validation |
|---|---|---|
| Minimum Size | Yes | >= 1 |
| Desired Size | Yes | min <= desired <= max |
| Maximum Size | Yes | >= desired |

Typical Configs:

  • Dev/Test: min=1, desired=1, max=2

  • Staging: min=2, desired=2, max=4

  • Production: min=3, desired=3, max=10

Spot Instances:

| When to Enable | When to Avoid |
|---|---|
| Dev/test environments | Production databases |
| Fault-tolerant workloads | Stateful applications |
| Batch processing | Critical services |

Spot instances provide cost savings but carry interruption risks.

Cost Preview:

  • Automatically calculates the monthly cost range (min-max nodes) and hourly per-instance rate.

  • Note: This does NOT include the base EKS control plane cost.

  • Spot savings are shown if enabled.

Deletion

  • Custom presets can be deleted.

  • Default presets cannot be deleted.

  • Existing clusters using a deleted preset continue working.

Best Practices

Preset Strategy:

  • Create presets for common workload types (General, Database, Cache, Batch, GPU-ML, GPU-Inference).

  • Use clear names: "Large - Production Web (HA)" vs "m5.xlarge config".

  • Include cost in descriptions.

  • Enable spot for dev/test presets.

Maintenance:

  • Quarterly: Review AWS instance types, update to latest generation, adjust pricing.

  • Audit usage and remove unused presets.

  • Gather user feedback on missing presets.

3. Data Export

Purpose: Disaster recovery, migration, compliance, configuration history.

Access: /mcmAdmin/c/_/DataExport

Export Process

  1. Click Download Latest Backup.

  2. S3 presigned URL is generated.

  3. Auto-download starts.

  4. File is saved as srfa-backup-{date}-{time}.tar.gz.

Backup Contents

Included:

  • Cluster configurations (all EKS clusters, network settings, labels)

  • Cloud credentials (encrypted, IAM role ARNs)

  • User accounts and RBAC

  • Node size presets

  • SUSE Rancher for AWS settings (Q Index config)

  • Audit log metadata (recent entries)

NOT Included:

  • Kubernetes workloads and deployments

  • Persistent volume data

  • Container images

  • Application data

  • Full audit logs

Use Velero for Kubernetes workload backups.

Backup Schedule

| Type | Frequency | Retention | Access |
|---|---|---|---|
| Automatic | Daily at midnight UTC | 30 days | Latest via Data Export page |
| On-Demand | Unlimited | User-managed | Immediate download |

Error Handling

| Error | Cause | Resolution |
|---|---|---|
| "Backup not found" | No backup available yet, or daily backup running | Wait and retry |
| "Access denied" | Insufficient permissions, or S3 policy issue | Verify admin role, or contact support |
| "S3 error" | AWS service issue, or network problem | Retry, or check connection |
| "Invalid presigned URL" | URL expired | Retry download |

Restoration

You cannot self-restore via the UI. Restoration requires SUSE support.

Process:

  1. Contact SUSE support and attach the backup file or state the target date.

  2. SUSE provisions or restores the instance.

  3. Verify clusters are visible, credentials work, and user access is correct.

Use Cases: Disaster recovery, migration to a new AWS account/region, configuration rollback.

Best Practices

Backup Schedule:

  • Before major changes: Kubernetes upgrades, RBAC changes, mass deletions, Q Index changes.

  • Monthly: Download and archive backup.

  • Quarterly: Test restore process with SUSE.

  • Annually: Full DR drill.

Storage:

  • Encrypt at rest (contains sensitive configuration data).

  • Store off-site (separate from SUSE Rancher for AWS).

  • Use secure cloud storage (S3 encrypted, GCS, Azure Blob).

  • Document backup locations and retention policy.

4. Q Index Configuration

Purpose: Enable Amazon Q Business integration for AI-assisted help, doc search, and troubleshooting.

Access: /mcmAdmin/c/_/Config

Tenant Information (Read-Only)

Reference values for AWS Q setup:

| Field | Use |
|---|---|
| Tenant UID | Unique identifier for SUSE Rancher for AWS instance |
| Environment | Environment name (latest-dev, production) |
| AWS Identity | Rancher IAM role ARN (for trust relationship) |

Configuration Fields

Enable Integration: Checkbox - shows or hides config fields when toggled.

| Field | Format | Where to Find |
|---|---|---|
| IDC Application ARN | arn:aws:sso::123456789012:application/ssoins-xxxxx/apl-xxxxx | AWS Console > IAM Identity Center > Applications > Application ARN |
| Q Business Application Region | us-east-1, us-west-2, etc. | AWS region where Q Business is deployed |
| IAM Identity Center Region | us-east-1, us-west-2, etc. | Usually matches Q Business region |
| Q Business Retriever ID | UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | AWS Console > Amazon Q Business > Retrievers > Retriever ID |
| Q Business Application ID | UUID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx | AWS Console > Amazon Q Business > Application ID |

All fields are required when integration is enabled.

Prerequisites

Before configuring Q Index integration, ensure the following AWS Q Business setup is complete:

1. AWS Q Business Subscription

  • Active AWS Q Business subscription in your AWS account.

  • Per-user licensing configured.

2. IAM Identity Center

  • AWS IAM Identity Center configured and operational.

  • User directory connected (AWS Directory Service, Active Directory, or external IdP).

  • Users provisioned and able to authenticate.

3. Q Business Application

  1. Navigate to AWS Console > Amazon Q Business.

  2. Create a new application or select an existing one.

  3. Configure application settings: Name and description, IAM Identity Center connection, Data source connectors.

  4. Note the Application ID (UUID format).

4. Retriever Configuration

  1. Within the Q Business application, navigate to Retrievers.

  2. Create a retriever for your data sources.

  3. Configure and start indexing.

  4. Wait for initial index completion.

  5. Note the Retriever ID (UUID format).

5. SSO Application

  1. Navigate to IAM Identity Center > Applications.

  2. Create customer managed application.

  3. Configure trust relationship with SUSE Rancher for AWS tenant.

  4. Note the Application ARN (arn:aws:sso::…).

6. Network Access

  • Ensure SUSE Rancher for AWS instance can reach AWS Q Business API endpoints.

  • Verify security groups allow outbound HTTPS (443) to AWS services.

Verification Checklist:

  • Q Business subscription active.

  • IAM Identity Center users can authenticate.

  • Data sources configured and indexed.

  • Application ID and Retriever ID available.

  • SSO application created with correct trust policy.

  • Network connectivity verified.

Testing

  1. Save Q Index configuration.

  2. Navigate to the AI Assistant card.

  3. Ask test questions (for example, "What is Rancher for AWS?" or "How do I create a cluster?").

  4. Verify contextual responses with source citations.

Troubleshooting

| Issue | Resolution |
|---|---|
| Invalid ARN format | Copy full ARN from AWS Console |
| Connection errors | Verify regions match, Q Business active, network connectivity |
| Authorization errors | Check IAM permissions, trust relationships, SSO app access policies |
| No/irrelevant AI responses | Verify data sources configured, indexing complete, re-index if stale |
| Save fails | Validate UUID formats, verify region names, check network access to AWS |

Best Practices

Setup:

  • Copy values directly from the AWS Console to avoid typos.

  • Verify regions match across all fields.

  • Test immediately after configuration.

Maintenance:

  • Monthly: Test AI Assistant with common questions.

  • Quarterly: Review Q Business data sources, update docs, re-index, verify IAM permissions.

  • Collect user feedback, identify knowledge gaps.
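
The format checks named under Troubleshooting ("Invalid ARN format", "Save fails") can be run on the values before they are pasted into the form. The following is an added example, not SUSE code: the dictionary key names are hypothetical stand-ins for the five form fields, the sample values are constructed, and the character sets allowed after "ssoins-" and "apl-" are an assumption.

```python
import re

# Formats follow the Configuration Fields table. The character sets allowed
# after "ssoins-" and "apl-" are an assumption; the region pattern checks
# shape only (us-east-1), not whether the region exists.
ARN = re.compile(r"arn:aws:sso::\d{12}:application/ssoins-[0-9a-z]+/apl-[0-9a-z]+")
UUID = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
REGION = re.compile(r"[a-z]{2}(-[a-z]+)+-\d")

# Hypothetical key names standing in for the five form fields.
RULES = {
    "idc_application_arn": ARN,
    "q_business_region": REGION,
    "idc_region": REGION,
    "retriever_id": UUID,
    "application_id": UUID,
}


def check_q_index(cfg):
    """Return (errors, warnings) for a dict of Q Index field values."""
    errors, warnings = [], []
    for key, pattern in RULES.items():
        value = cfg.get(key) or ""
        if not value.strip():
            errors.append(f"{key}: required when integration is enabled")
        elif value != value.strip():
            errors.append(f"{key}: stray whitespace from copy and paste")
        elif not pattern.fullmatch(value):
            errors.append(f"{key}: not in the expected format")
    q_region, idc_region = cfg.get("q_business_region"), cfg.get("idc_region")
    if q_region and idc_region and q_region.strip() != idc_region.strip():
        # The page says these usually match, so flag rather than reject.
        warnings.append(f"regions differ: {q_region} vs {idc_region}")
    return errors, warnings


if __name__ == "__main__":
    # Constructed values, not taken from a real account.
    sample = {
        "idc_application_arn": "arn:aws:sso::123456789012:application/ssoins-0123456789abcdef",
        "q_business_region": "us-east-1",
        "idc_region": "us-west-2",
        "retriever_id": "11111111-2222-3333-4444-555555555555 ",
        "application_id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    }
    errs, warns = check_q_index(sample)
    print("\n".join(errs + warns))
```
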

5. AI Assistant

Purpose: Instant answers, contextual guidance, troubleshooting, interactive learning.

Prerequisites:

  • Q Index configured and enabled.

  • AWS Q Business operational.

Access: From Administration Hub > AI Assistant card.

Functionality

  • Natural language Q&A with follow-up support.

  • Documentation references and code examples.

  • Error interpretation and resolution guides.

  • Context-aware suggestions and best practices.

Example Questions:

  • "How do I create an EKS cluster?"

  • "Why is my cluster stuck provisioning?"

  • "How do I enable Pod Identity?"

Quality depends on Q Business data sources and training.

Permission Model

Access Matrix

| Feature | Administrator | Standard User | Base User |
|---|---|---|---|
| SUSE Rancher for AWS Administration Hub | Yes | No | No |
| Audit Logs | Yes | No | No |
| Node Size Presets | Yes (edit) | No | No |
| Data Export | Yes | No | No |
| Q Index Config | Yes | No | No |
| Create Clusters | Yes | Yes | No |
| Manage Own Clusters | Yes | Yes | No |
| View Clusters | Yes | Yes | Yes (read-only) |
| Manage Cloud Credentials | Yes | Yes (own) | No |
| Download kubeconfig | Yes | Yes | No |

Assignment

Via Rancher User Management:

  1. Navigate to User Management (global settings).

  2. Create/edit user.

  3. Assign global role: Administrator, Standard User, or Base User (restricted-admin).

  4. Assign cluster-specific roles as needed.

Best Practices:

  • Follow the least privilege principle.

  • Use groups for permission management.

  • Regular permission audits.

  • Revoke access on role changes.

Administrator Best Practices

Regular Tasks

Weekly:

  • Review audit logs for critical operations (DELETE, cluster changes).

  • Check for unusual activity or failed requests.

Monthly:

  • Download and archive backup.

  • Full audit log review (user activity, errors, performance).

  • Test Q Index/AI Assistant.

  • Monitor cluster creation trends and costs.

Quarterly:

  • Review/update node size presets (AWS instance types, pricing).

  • Export audit logs for compliance.

  • Test Q Business data sources and re-index.

  • Verify IAM permissions for Q Index.

  • Backup restore test with SUSE support.

Annually:

  • Full disaster recovery drill.

  • Comprehensive security audit.

  • Review and update documentation.

Documentation

What to Document:

  • Custom preset rationale and use cases.

  • Q Index setup steps and values.

  • RBAC customizations.

  • Integration configurations.

  • Troubleshooting runbooks.

Where:

  • Internal wiki/docs system.

  • Git repository README.

  • Operations team runbooks.

Communication

Notify Users About:

  • New/changed node size presets.

  • Q Index availability.

  • System maintenance windows.

  • Best practices updates.

Channels:

  • Email announcements.

  • Slack/Teams channels.

  • Internal documentation.

  • In-app notifications.

Timing:

  • 1 week advance notice for breaking changes.

  • Immediate for new features.

  • Monthly newsletter for regular updates.