From 4b0d6f789e1619e13d949ac0157e89cf60e51bd9 Mon Sep 17 00:00:00 2001 From: Suzana Fernandes Date: Thu, 28 Nov 2024 15:44:14 +0000 Subject: [PATCH] Fix index Security guide [EAG] - Fix toctrees in wrong place [RS] - escape sample URLs Change-Id: I3972bac7a0637bedfdca70a523851439d3b7ce42 
Signed-off-by: Suzana Fernandes --- doc/source/_vendor/rl-strings.txt | 5 +- ...ralized-vs-distributed-oidc-auth-setup.rst | 6 +- .../cert-manager-post-installation-setup.rst | 17 -- ...idation-after-bootstrapping-the-system.rst | 2 +- ...idation-while-bootstrapping-the-system.rst | 2 +- .../create-end-users-359693b84854.rst | 4 +- ...cess-using-ssh-or-k8s-cli-2b88b1235671.rst | 2 +- .../example-common-tasks-97773f3a82f0.rst | 15 ++ .../kubernetes/https-access-overview.rst | 2 +- ...ndex-accessing-the-system-7d190226d3a5.rst | 22 -- ...ndex-example-common-tasks-97773f3a82f0.rst | 25 -- ...ication-using-ldap-server-222e1e4d7c1a.rst | 25 -- .../index-ldap-accounts-e8ee204e6092.rst | 22 -- ...index-local-ldap-accounts-2f2128fe2f49.rst | 24 -- .../index-password-rules-8429cd4ebddb.rst | 18 -- .../index-reference-material-4e1c59258fa8.rst | 24 -- .../index-remote-access-2209661be417.rst | 24 -- .../index-security-kub-81153c1254c3.rst | 225 +++++++++++++++++- ...ecret-and-data-management-050a998960d0.rst | 19 -- .../security/kubernetes/keystone-accounts.rst | 10 - ...keystone-passwd-recovery-ef3b3ce867b7.rst} | 2 +- .../kubernetes-certificates-f4196d7cae9c.rst | 9 - .../kubernetes/manage-keystone-accounts.rst | 2 +- .../overview-of-system-accounts.rst | 19 -- .../kubernetes/remote-access-2209661be417.rst | 13 + .../kubernetes/remote-access-index.rst | 11 - ...mote-windows-active-directory-accounts.rst | 5 - .../kubernetes/security-access-the-gui.rst | 9 +- ...e-web-administration-server-deprecated.rst | 8 +- ...stem-information-for-user-8502c985343d.rst | 2 +- 30 files changed, 269 insertions(+), 304 deletions(-) delete mode 100644 doc/source/security/kubernetes/cert-manager-post-installation-setup.rst create mode 100644 doc/source/security/kubernetes/example-common-tasks-97773f3a82f0.rst delete mode 100644 doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst delete mode 100644 
doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst
delete mode 100644 doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst
delete mode 100644 doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst
delete mode 100644 doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst
delete mode 100644 doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst
delete mode 100644 doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst
delete mode 100644 doc/source/security/kubernetes/index-remote-access-2209661be417.rst
delete mode 100644 doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst
rename doc/source/security/kubernetes/{password-recovery.rst => keystone-passwd-recovery-ef3b3ce867b7.rst} (95%)
create mode 100644 doc/source/security/kubernetes/remote-access-2209661be417.rst
delete mode 100644 doc/source/security/kubernetes/remote-access-index.rst
diff --git a/doc/source/_vendor/rl-strings.txt b/doc/source/_vendor/rl-strings.txt
index aacd9a7fe..bc65c1f3b 100644
--- a/doc/source/_vendor/rl-strings.txt
+++ b/doc/source/_vendor/rl-strings.txt
@@ -288,12 +288,11 @@
 .. |use-uefi-secure-boot| replace:: :ref:`Use UEFI Secure Boot `
 .. |sssd-support-5fb6c4b0320b| replace:: :ref:`SSH User Authentication using Windows Active Directory (WAD) `
 .. |overview-of-uefi-secure-boot| replace:: :ref:`Overview of UEFI Secure Boot `
-.. |password-recovery| replace:: :ref:`Keystone Password Recovery `
+.. |keystone-passwd-recovery-ef3b3ce867b7| replace:: :ref:`Keystone Password Recovery `
 .. |configure-docker-registry-certificate-after-installation-c519edbfe90a| replace:: :ref:`Configure Docker Registry Certificate `
 .. |cve-maintenance-723cd9dd54b3| replace:: :ref:`CVE Maintenance `
 .. |configure-kubernetes-client-access| replace:: :ref:`Configure Kubernetes Client Access `
 .. |remote-windows-active-directory-accounts| replace:: :ref:`Remote Windows Active Directory Accounts `
-.. |cert-manager-post-installation-setup| replace:: :ref:`Cert-Manager Post Installation Setup `
 .. |configure-remote-cli-access| replace:: :ref:`Configure Remote CLI Access `
 .. |system-local-ca-issuer-9196c5794834| replace:: :ref:`System Local CA Issuer `
 .. |install-security-profiles-operator-1b2f9a0f0108| replace:: :ref:`Install Security Profiles Operator (SPO) `
@@ -358,7 +357,7 @@
 .. |selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c| replace:: :ref:`Selectively Disable SSH for Local OpenLDAP and WAD Users `
 .. |security-cert-manager| replace:: :ref:`Cert Manager `
 .. .. |enable-pod-security-policy-checking| replace:: :ref:`Enable Pod Security Policy Checking `
-.. |starlingx-rest-api-applications-and-the-web-administration-server| replace:: :ref:`StarlingX REST API Applications and the Web Administration Server Certificate `
+.. |starlingx-rest-api-applications-and-the-web-administration-server-deprecated| replace:: :ref:`StarlingX REST API Applications and the Web Administration Server Certificate `
 .. |starlingx-openstack-kubernetes-from-stsadmin-account-login| replace:: :ref:`For StarlingX, Platform OpenStack and Kubernetes CLIs from the 'sysadmin' Linux Account Login `
 .. |configure-users-groups-and-authorization| replace:: :ref:`Configure Users, Groups, and Authorization `
 .. |kubernetes-operator-command-logging-663fce5d74e7| replace:: :ref:`Kubernetes Operator Command Logging `
diff --git a/doc/source/security/kubernetes/centralized-vs-distributed-oidc-auth-setup.rst b/doc/source/security/kubernetes/centralized-vs-distributed-oidc-auth-setup.rst
index 2399858f2..52f37c0d3 100644
--- a/doc/source/security/kubernetes/centralized-vs-distributed-oidc-auth-setup.rst
+++ b/doc/source/security/kubernetes/centralized-vs-distributed-oidc-auth-setup.rst
@@ -75,8 +75,8 @@ For a centralized |OIDC| authentication setup, use the following procedure: address as the oidc-issuer-url for all clouds. For example, - oidc-issuer-url=https://:/dex on the subcloud. + ``oidc-issuer-url=https://:/dex`` on the subcloud. For more information, see:
@@ -97,7 +97,7 @@ For a centralized |OIDC| authentication setup, use the following procedure: .. note:: For IPv6 deployments, ensure that the IPv6 OAM floating address is, - https://\[\]:30556/dex (that is, in + ``https://\[\]:30556/dex`` (that is, in lower case, and wrapped in square brackets). diff --git a/doc/source/security/kubernetes/cert-manager-post-installation-setup.rst b/doc/source/security/kubernetes/cert-manager-post-installation-setup.rst deleted file mode 100644 index f63853e5d..000000000 --- a/doc/source/security/kubernetes/cert-manager-post-installation-setup.rst +++ /dev/null @@ -1,17 +0,0 @@ - - -.. _cert-manager-post-installation-setup: - -==================================== -Cert-Manager Post Installation Setup -==================================== - -.. toctree:: - :maxdepth: 1 - - firewall-port-overrides - enable-public-use-of-the-cert-manager-acmesolver-image - enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace - enable-the-use-of-cert-manager-apis-by-an-arbitrary-user - - diff --git a/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst b/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst index 5659866e8..f0010b543 100644 --- a/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst +++ b/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system.rst @@ -44,7 +44,7 @@ you can do so at any time using service parameters. .. note:: For IPv6 deployments, ensure that the IPv6 OAM floating address - is, https://\[\]:30556/dex (that is, in lower + is, ``https://\[\]:30556/dex`` (that is, in lower case, and wrapped in square brackets). - oidc-username-claim= 
diff --git a/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst b/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst index ac88b016e..60088674a 100644 --- a/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst +++ b/doc/source/security/kubernetes/configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system.rst @@ -49,7 +49,7 @@ Validation after Bootstrapping the System .. note:: For IPv6 deployments, ensure that the IPv6 OAM floating address in - the **issuer_url** is, https://\[\]:30556/dex + the **issuer_url** is, ``https://\[\]:30556/dex`` (that is, in lower case, and wrapped in square brackets). diff --git a/doc/source/security/kubernetes/create-end-users-359693b84854.rst b/doc/source/security/kubernetes/create-end-users-359693b84854.rst index b724653a8..f0ea3de75 100644 --- a/doc/source/security/kubernetes/create-end-users-359693b84854.rst +++ b/doc/source/security/kubernetes/create-end-users-359693b84854.rst @@ -193,5 +193,5 @@ execute Linux commands. See section: :ref:`end-users-local-access-using-ssh-or-k .. note:: - More setup is required for end user to use remote CLIs/GUIs, see sections - :ref:`index-remote-access-2209661be417`. + More setup is required for end user to use remote CLIs/GUIs, see section + :ref:`remote-access-2209661be417`. diff --git a/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst b/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst index fdb71323d..a13eee5ad 100644 --- a/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst +++ b/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst 
@@ -91,4 +91,4 @@ and linux access. .. rubric:: |postreq| -Setup remote access for any end users requiring remote access. See :ref:`index-remote-access-2209661be417`. +Setup remote access for any end users requiring remote access. See :ref:`remote-access-2209661be417`. diff --git a/doc/source/security/kubernetes/example-common-tasks-97773f3a82f0.rst b/doc/source/security/kubernetes/example-common-tasks-97773f3a82f0.rst new file mode 100644 index 000000000..10dc7cc20 --- /dev/null +++ b/doc/source/security/kubernetes/example-common-tasks-97773f3a82f0.rst @@ -0,0 +1,15 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _example-common-tasks-97773f3a82f0: + +======================================== +Examples of User Management Common Tasks +======================================== + +This section provides a set of common tasks related to the user management of +both system administrations and general end users, to set up unique users for +your system. + + + diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index e07fd877e..d0aac9ee7 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst @@ -139,7 +139,7 @@ expired certificates and certificates that will expire soon, see The following sections provide details on managing these certificates: -- :ref:`StarlingX REST API Applications and the Web Administration Server Certificate ` +- :ref:`starlingx-rest-api-applications-and-the-web-administration-server-deprecated` - :ref:`Kubernetes Certificates ` diff --git a/doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst b/doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst deleted file mode 100644 index 048c8f613..000000000 --- a/doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst +++ /dev/null 
@@ -1,22 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-accessing-the-system-7d190226d3a5: - -================= -Access the System -================= - -.. Uncomment topic-a etc. below and replace with the names of your topics, - excluding the .rst extension - -.. toctree:: - :maxdepth: 2 - - configure-local-cli-access - remote-access-index - security-access-the-gui - security-rest-api-access - connect-to-container-registries-through-a-firewall-or-proxy - - diff --git a/doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst b/doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst deleted file mode 100644 index cea8940aa..000000000 --- a/doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst +++ /dev/null @@ -1,25 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-example-common-tasks-97773f3a82f0: - -======================================== -Examples of User Management Common Tasks -======================================== - -This section provides a set of common tasks related to the user management of -both system administrations and general end users, to set up unique users for -your system. - -.. toctree:: - :maxdepth: 3 - - configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167 - create-first-system-administrator-1775e1b20941 - system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936 - create-other-system-administrators-97b99bb94430 - create-end-users-359693b84854 - end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671 - index-remote-access-2209661be417 - - diff --git a/doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst b/doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst deleted file mode 100644 index eea08ae09..000000000 
--- a/doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst +++ /dev/null @@ -1,25 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a: - -==================================================== -Kubernetes API User Authentication Using LDAP Server -==================================================== - -.. Uncomment topic-a etc. below and replace with the names of your topics, - excluding the .rst extension - -.. toctree:: - :maxdepth: 2 - - overview-of-ldap-servers - centralized-vs-distributed-oidc-auth-setup - configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system - configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system - configure-oidc-auth-applications - configure-users-groups-and-authorization - configure-kubernetes-client-access - deprovision-ldap-server-authentication - - diff --git a/doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst b/doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst deleted file mode 100644 index 605192be5..000000000 --- a/doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst +++ /dev/null @@ -1,22 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-ldap-accounts-e8ee204e6092: - -============= -LDAP Accounts -============= - -.. Uncomment topic-a etc. below and replace with the names of your topics, - excluding the .rst extension - -.. toctree:: - :maxdepth: 2 - - index-local-ldap-accounts-2f2128fe2f49 - remote-windows-active-directory-accounts - selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c - manage-local-ldap-39fe3a85a528 - index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a - - 
diff --git a/doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst b/doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst deleted file mode 100644 index 282411aa7..000000000 --- a/doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst +++ /dev/null @@ -1,24 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-local-ldap-accounts-2f2128fe2f49: - -=================== -Local LDAP Accounts -=================== - -.. Uncomment topic-a etc. below and replace with the names of your topics, - excluding the .rst extension - -.. toctree:: - :maxdepth: 2 - - local-ldap-linux-user-accounts - create-ldap-linux-accounts - create-ldap-linux-groups-4c94045f8ee0 - delete-ldap-linux-accounts-7de0782fbafd - remote-access-for-linux-accounts - password-recovery-for-linux-user-accounts - local-ldap-user-password-expiry-mechanism-eba5d34abbd4 - estabilish-credentials-for-linux-user-accounts - manage-local-ldap-39fe3a85a528 \ No newline at end of file diff --git a/doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst b/doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst deleted file mode 100644 index 859dbc9b7..000000000 --- a/doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst +++ /dev/null @@ -1,18 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-password-rules-8429cd4ebddb: - -============== -Password Rules -============== - -.. Uncomment topic-a etc. below and replace with the names of your topics, - excluding the .rst extension - -.. toctree:: - :maxdepth: 2 - - starlingx-system-accounts-system-account-password-rules - linux-accounts-password-3dcad436dce4 - 
diff --git a/doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst b/doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst deleted file mode 100644 index 0e0dc9163..000000000 --- a/doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst +++ /dev/null @@ -1,24 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-reference-material-4e1c59258fa8: - -================== -Reference Material -================== - -.. Uncomment topic-a etc. below and replace with the names of your topics, - excluding the .rst extension -.. toctree:: - :maxdepth: 4 - - the-sysadmin-account - types-of-system-accounts - overview-of-system-accounts - keystone-accounts - index-ldap-accounts-e8ee204e6092 - index-password-rules-8429cd4ebddb - index-accessing-the-system-7d190226d3a5 - private-namespace-and-restricted-rbac - resource-management - pod-security-admission-controller-8e9e6994100f diff --git a/doc/source/security/kubernetes/index-remote-access-2209661be417.rst b/doc/source/security/kubernetes/index-remote-access-2209661be417.rst deleted file mode 100644 index 28021ffdc..000000000 --- a/doc/source/security/kubernetes/index-remote-access-2209661be417.rst +++ /dev/null 
@@ -1,24 +0,0 @@
-.. WARNING: Add no lines of text between the label immediately following
-.. and the title.
-
-.. _index-remote-access-2209661be417:
-
-=============
-Remote Access
-=============
-
-This section provides a procedure for a system administrator to collect system
-and user information required for a user to connect remotely to |prod|.
-It also provides procedures for system administrators and end users to remotely
-connect to |prod| CLIs, kubernetes CLIs and GUIs.
-
-
-.. toctree::
- :maxdepth: 2
-
- system-administrator-collect-system-information-for-user-8502c985343d
-system-administrator-access-system-horizon-gui-a4a95fe70ef9
-system-administrator-configure-system-remote-cli-and-7b814d8937df
-system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87
-end-user-configure-k8s-remote-cli-fad235bb7a18
-end-user-access-k8s-remote-cli-7bb5b71ed604
diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
index f16038295..6e367b842 100644
--- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
+++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst
@@ -39,6 +39,10 @@ Certificate Management
 utility-script-to-display-certificates
 etcd-certificates-c1fc943e4a9c
 kubernetes-certificates-f4196d7cae9c
+ kubernetes-root-ca-certificate
+ update-renew-kubernetes-certificates-52b00bd0bdae
+ manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9
+ kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d
 system-local-ca-issuer-9196c5794834
 local-ldap-certificates-4e1df1e39341
 configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f
@@ -60,22 +64,212 @@ Cert Manager security-cert-manager the-cert-manager-bootstrap-process - cert-manager-post-installation-setup + + +Cert-Manager Post Installation Setup +==================================== + +.. toctree:: + :maxdepth: 1 + + firewall-port-overrides + enable-public-use-of-the-cert-manager-acmesolver-image + enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace + enable-the-use-of-cert-manager-apis-by-an-arbitrary-user *************** User Management *************** .. toctree:: - :maxdepth: 5 + :maxdepth: 3 introduction-to-user-management-6c0b13c6d325 - index-example-common-tasks-97773f3a82f0 - index-reference-material-4e1c59258fa8 + +Examples of User Management Common Tasks +======================================== + +.. toctree:: + :maxdepth: 2 + + example-common-tasks-97773f3a82f0 + configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167 + create-first-system-administrator-1775e1b20941 + system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936 + create-other-system-administrators-97b99bb94430 + create-end-users-359693b84854 + end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671 + + +Remote Access +------------- + +.. toctree:: + :maxdepth: 1 + + remote-access-2209661be417 + system-administrator-collect-system-information-for-user-8502c985343d + system-administrator-access-system-horizon-gui-a4a95fe70ef9 + system-administrator-configure-system-remote-cli-and-7b814d8937df + system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87 + end-user-configure-k8s-remote-cli-fad235bb7a18 + end-user-access-k8s-remote-cli-7bb5b71ed604 + + +Reference Material +================== + +.. toctree:: + :maxdepth: 2 + + the-sysadmin-account + types-of-system-accounts + + +Linux User Accounts +------------------- + +.. 
toctree:: + :maxdepth: 2 + + overview-of-system-accounts + establish-keystone-credentials-from-a-linux-account + starlingx-openstack-kubernetes-from-stsadmin-account-login + kubernetes-cli-from-local-ldap-linux-account-login + add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1 + + +Keystone Accounts +----------------- + +.. toctree:: + :maxdepth: 1 + + keystone-accounts + about-keystone-accounts + keystone-account-authentication + keystone-account-roles-64098d1abdc1 + manage-keystone-accounts + configure-the-keystone-token-expiration-time + keystone-passwd-recovery-ef3b3ce867b7 + keystone-security-compliance-configuration-b149adca6a7f + + +LDAP Accounts +------------- + +Local LDAP Accounts +^^^^^^^^^^^^^^^^^^^ + +.. toctree:: + :maxdepth: 2 + + local-ldap-linux-user-accounts + create-ldap-linux-accounts + create-ldap-linux-groups-4c94045f8ee0 + delete-ldap-linux-accounts-7de0782fbafd + remote-access-for-linux-accounts + password-recovery-for-linux-user-accounts + local-ldap-user-password-expiry-mechanism-eba5d34abbd4 + estabilish-credentials-for-linux-user-accounts + manage-local-ldap-39fe3a85a528 + +Remote Windows Active Directory accounts +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. toctree:: + :maxdepth: 1 + + remote-windows-active-directory-accounts + sssd-support-5fb6c4b0320b + +Selectively Disable SSH for Local LDAP and WAD Users +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. toctree:: + :maxdepth: 1 + + selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c + +Manage Composite Local LDAP Accounts at Scale +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. toctree:: + :maxdepth: 1 + + manage-local-ldap-39fe3a85a528 + +Kubernetes API User Authentication Using LDAP Server +^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ + +.. 
toctree:: + :maxdepth: 2 + + overview-of-ldap-servers + centralized-vs-distributed-oidc-auth-setup + configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system + configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system + configure-oidc-auth-applications + configure-users-groups-and-authorization + configure-kubernetes-client-access + deprovision-ldap-server-authentication + +Password Rules +-------------- + +.. toctree:: + :maxdepth: 2 + + starlingx-system-accounts-system-account-password-rules + linux-accounts-password-3dcad436dce4 + +Access the System +----------------- + +.. toctree:: + :maxdepth: 2 + + configure-local-cli-access + configure-remote-cli-access + security-configure-container-backed-remote-clis-and-clients + using-container-backed-remote-clis-and-clients + security-install-kubectl-and-helm-clients-directly-on-a-host + security-access-the-gui + configure-http-and-https-ports-for-horizon-using-the-cli + configure-horizon-user-lockout-on-failed-logins + install-the-kubernetes-dashboard + security-rest-api-access + connect-to-container-registries-through-a-firewall-or-proxy + +Private Namespace and Restricted RBAC +------------------------------------- + +.. toctree:: + :maxdepth: 1 + + private-namespace-and-restricted-rbac + +Resource Management +------------------- + +.. toctree:: + :maxdepth: 1 + + resource-management + +Pod Security Admission Controller +--------------------------------- + +.. toctree:: + :maxdepth: 1 + + pod-security-admission-controller-8e9e6994100f + ******** Auditing ******** + .. toctree:: :maxdepth: 1 @@ -103,6 +297,7 @@ Container Image Integrity (Signature Validation) ************************** Container AppArmor Profile ************************** + .. toctree:: :maxdepth: 1 
@@ -118,16 +313,34 @@ Container AppArmor Profile *********************** Encrypting Data at Rest *********************** + .. toctree:: :maxdepth: 1 partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c encrypt-kubernetes-secret-data-at-rest - index-vault-secret-and-data-management-050a998960d0 + +Vault Secret and Data Management +================================ + +.. _vault-secret-and-data-management-050a998960d0: +.. _vault-secret-and-data-management-security-index: + +.. toctree:: + :maxdepth: 2 + + security-vault-overview + install-vault + configure-vault + configure-vault-using-the-cli + remove-vault + + *************************** Software Delivery Integrity *************************** + .. toctree:: :maxdepth: 1 @@ -173,6 +386,8 @@ Deprecated Functionality :maxdepth: 1 starlingx-rest-api-applications-and-the-web-administration-server-deprecated + enable-https-access-for-starlingx-rest-and-web-server-endpoints + install-update-the-starlingx-rest-and-web-server-certificate *************************************** diff --git a/doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst b/doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst deleted file mode 100644 index 2c522763c..000000000 --- a/doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst +++ /dev/null @@ -1,19 +0,0 @@ -.. WARNING: Add no lines of text between the label immediately following -.. and the title. - -.. _index-vault-secret-and-data-management-050a998960d0: -.. _vault-secret-and-data-management-security-index: - -================================ -Vault Secret and Data Management -================================ - -.. toctree:: - :maxdepth: 2 - - security-vault-overview - install-vault - configure-vault - configure-vault-using-the-cli - remove-vault - 
diff --git a/doc/source/security/kubernetes/keystone-accounts.rst b/doc/source/security/kubernetes/keystone-accounts.rst index f22cbdb21..d0584d1e9 100644 --- a/doc/source/security/kubernetes/keystone-accounts.rst +++ b/doc/source/security/kubernetes/keystone-accounts.rst @@ -12,13 +12,3 @@ Registry. |prod|'s Keystone uses the default local SQL Backend. See :ref:`Keystone Accounts ` for more details. -.. toctree:: - :maxdepth: 1 - - about-keystone-accounts - keystone-account-authentication - keystone-account-roles-64098d1abdc1 - manage-keystone-accounts - configure-the-keystone-token-expiration-time - password-recovery - keystone-security-compliance-configuration-b149adca6a7f \ No newline at end of file diff --git a/doc/source/security/kubernetes/password-recovery.rst b/doc/source/security/kubernetes/keystone-passwd-recovery-ef3b3ce867b7.rst similarity index 95% rename from doc/source/security/kubernetes/password-recovery.rst rename to doc/source/security/kubernetes/keystone-passwd-recovery-ef3b3ce867b7.rst index 03fe7c2cd..991c6bfa4 100644 --- a/doc/source/security/kubernetes/password-recovery.rst +++ b/doc/source/security/kubernetes/keystone-passwd-recovery-ef3b3ce867b7.rst @@ -1,6 +1,6 @@ .. not1578924824783 -.. _password-recovery: +.. _keystone-passwd-recovery-ef3b3ce867b7: ========================== Keystone Password Recovery diff --git a/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst b/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst index a7f8a85b3..316ef578e 100644 --- a/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst +++ b/doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst 
@@ -170,12 +170,3 @@ APIserver). The ``front-proxy`` Root |CA| certificate. front-proxy certificates are required only if you run ``kube-proxy`` to support an extension API server. - -.. toctree:: - :maxdepth: 1 - :hidden: - - kubernetes-root-ca-certificate - update-renew-kubernetes-certificates-52b00bd0bdae - manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9 - kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d diff --git a/doc/source/security/kubernetes/manage-keystone-accounts.rst b/doc/source/security/kubernetes/manage-keystone-accounts.rst index b9b3ae184..eeb44fa63 100644 --- a/doc/source/security/kubernetes/manage-keystone-accounts.rst +++ b/doc/source/security/kubernetes/manage-keystone-accounts.rst @@ -15,7 +15,7 @@ See: `_ for details on managing Keystone projects, users, and roles. -:ref:`Password Recovery ` for details on how to change or +:ref:`keystone-passwd-recovery-ef3b3ce867b7` for details on how to change or reset a Keystone user password. :ref:`System Account Password Rules ` diff --git a/doc/source/security/kubernetes/overview-of-system-accounts.rst b/doc/source/security/kubernetes/overview-of-system-accounts.rst index 50e8fbc3f..5bc58a3f3 100644 --- a/doc/source/security/kubernetes/overview-of-system-accounts.rst +++ b/doc/source/security/kubernetes/overview-of-system-accounts.rst @@ -8,7 +8,6 @@ Linux User Accounts A brief description of the system accounts available in a |prod| system. - **Sysadmin Local Linux Account** This is a local, per-host, sudo-enabled account created automatically when a new host is provisioned. It is used by the primary system administrator 
@@ -37,21 +36,3 @@ A brief description of the system accounts available in a |prod| system. For more information, refer to the following: -.. toctree:: - :maxdepth: 1 - - the-sysadmin-account - local-ldap-linux-user-accounts - create-ldap-linux-accounts - create-ldap-linux-groups-4c94045f8ee0 - delete-ldap-linux-accounts-7de0782fbafd - remote-access-for-linux-accounts - password-recovery-for-linux-user-accounts - local-ldap-user-password-expiry-mechanism-eba5d34abbd4 - estabilish-credentials-for-linux-user-accounts - establish-keystone-credentials-from-a-linux-account - starlingx-openstack-kubernetes-from-stsadmin-account-login - kubernetes-cli-from-local-ldap-linux-account-login - manage-local-ldap-39fe3a85a528 - selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c - add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1 diff --git a/doc/source/security/kubernetes/remote-access-2209661be417.rst b/doc/source/security/kubernetes/remote-access-2209661be417.rst new file mode 100644 index 000000000..13def9839 --- /dev/null +++ b/doc/source/security/kubernetes/remote-access-2209661be417.rst @@ -0,0 +1,13 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _remote-access-2209661be417: + +============= +Remote Access +============= + +This section provides a procedure for a system administrator to collect system +and user information required for a user to connect remotely to |prod|. +It also provides procedures for system administrators and end users to remotely +connect to |prod| CLIs, kubernetes CLIs and GUIs. diff --git a/doc/source/security/kubernetes/remote-access-index.rst b/doc/source/security/kubernetes/remote-access-index.rst deleted file mode 100644 index 208ba4347..000000000 --- a/doc/source/security/kubernetes/remote-access-index.rst +++ /dev/null 
@@ -1,11 +0,0 @@
-=================
-Remote CLI Access
-=================
-
-.. toctree::
- :maxdepth: 1
-
- configure-remote-cli-access
- security-configure-container-backed-remote-clis-and-clients
- using-container-backed-remote-clis-and-clients
- security-install-kubectl-and-helm-clients-directly-on-a-host
diff --git a/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst b/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst
index 48e63c500..9f28e298d 100644
--- a/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst
+++ b/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst
@@ -12,10 +12,5 @@ authorization of users of the Kubernetes API, |CLI|, and Dashboard. .. _user-authentication-using-windows-active-directory-security-index:
-.. toctree::
- :maxdepth: 1
-
- sssd-support-5fb6c4b0320b
-
See :ref:`Overview of LDAP Servers ` for more details.
diff --git a/doc/source/security/kubernetes/security-access-the-gui.rst b/doc/source/security/kubernetes/security-access-the-gui.rst
index db9ee9ea3..0782fd133 100644
--- a/doc/source/security/kubernetes/security-access-the-gui.rst
+++ b/doc/source/security/kubernetes/security-access-the-gui.rst
@@ -47,9 +47,8 @@ from a browser. For more information, refer to the following:
-.. toctree::
- :maxdepth: 1
+- :ref:`configure-http-and-https-ports-for-horizon-using-the-cli`
- configure-http-and-https-ports-for-horizon-using-the-cli
- configure-horizon-user-lockout-on-failed-logins
- install-the-kubernetes-dashboard
\ No newline at end of file
+- :ref:`configure-horizon-user-lockout-on-failed-logins`
+
+- :ref:`install-the-kubernetes-dashboard`
\ No newline at end of file
diff --git a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server-deprecated.rst b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server-deprecated.rst
index 3b7eeb1da..f9bbba91b 100644
--- a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server-deprecated.rst
+++ b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server-deprecated.rst
@@ -1,6 +1,6 @@ .. xlb1552573425956
-.. _starlingx-rest-api-applications-and-the-web-administration-server:
+.. _starlingx-rest-api-applications-and-the-web-administration-server-deprecated:
============================================================================= StarlingX REST API Applications and the Web Administration Server Certificate
@@ -44,8 +44,6 @@ hosts. For more details, refer to:
-.. toctree::
- :maxdepth: 1
+- :ref:`enable-https-access-for-starlingx-rest-and-web-server-endpoints`
- enable-https-access-for-starlingx-rest-and-web-server-endpoints
- install-update-the-starlingx-rest-and-web-server-certificate
+- :ref:`install-update-the-starlingx-rest-and-web-server-certificate`
diff --git a/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst b/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst
index b2d8e48b3..7d3b70b92 100644
--- a/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst
+++ b/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst
@@ -116,4 +116,4 @@ For any user requiring remote access: - securely send them the ``stx-remote-access-info.tar`` file.
-- have them follow the procedures for setting up remote access. See :ref:`index-remote-access-2209661be417`.
+- have them follow the procedures for setting up remote access. See :ref:`remote-access-2209661be417`.