Fix index Security guide

[EAG] - Fix toctrees in wrong place
[RS]  - escape sample URLs

Change-Id: I3972bac7a0637bedfdca70a523851439d3b7ce42
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
Suzana Fernandes 2024-11-28 15:44:14 +00:00 committed by Ron Stone
parent 90fe2ce664
commit 4b0d6f789e
30 changed files with 269 additions and 304 deletions

View File

@ -288,12 +288,11 @@
.. |use-uefi-secure-boot| replace:: :ref:`Use UEFI Secure Boot <use-uefi-secure-boot>` .. |use-uefi-secure-boot| replace:: :ref:`Use UEFI Secure Boot <use-uefi-secure-boot>`
.. |sssd-support-5fb6c4b0320b| replace:: :ref:`SSH User Authentication using Windows Active Directory (WAD) <sssd-support-5fb6c4b0320b>` .. |sssd-support-5fb6c4b0320b| replace:: :ref:`SSH User Authentication using Windows Active Directory (WAD) <sssd-support-5fb6c4b0320b>`
.. |overview-of-uefi-secure-boot| replace:: :ref:`Overview of UEFI Secure Boot <overview-of-uefi-secure-boot>` .. |overview-of-uefi-secure-boot| replace:: :ref:`Overview of UEFI Secure Boot <overview-of-uefi-secure-boot>`
.. |password-recovery| replace:: :ref:`Keystone Password Recovery <password-recovery>` .. |keystone-passwd-recovery-ef3b3ce867b7| replace:: :ref:`Keystone Password Recovery <keystone-passwd-recovery-ef3b3ce867b7>`
.. |configure-docker-registry-certificate-after-installation-c519edbfe90a| replace:: :ref:`Configure Docker Registry Certificate <configure-docker-registry-certificate-after-installation-c519edbfe90a>` .. |configure-docker-registry-certificate-after-installation-c519edbfe90a| replace:: :ref:`Configure Docker Registry Certificate <configure-docker-registry-certificate-after-installation-c519edbfe90a>`
.. |cve-maintenance-723cd9dd54b3| replace:: :ref:`CVE Maintenance <cve-maintenance-723cd9dd54b3>` .. |cve-maintenance-723cd9dd54b3| replace:: :ref:`CVE Maintenance <cve-maintenance-723cd9dd54b3>`
.. |configure-kubernetes-client-access| replace:: :ref:`Configure Kubernetes Client Access <configure-kubernetes-client-access>` .. |configure-kubernetes-client-access| replace:: :ref:`Configure Kubernetes Client Access <configure-kubernetes-client-access>`
.. |remote-windows-active-directory-accounts| replace:: :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>` .. |remote-windows-active-directory-accounts| replace:: :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
.. |cert-manager-post-installation-setup| replace:: :ref:`Cert-Manager Post Installation Setup <cert-manager-post-installation-setup>`
.. |configure-remote-cli-access| replace:: :ref:`Configure Remote CLI Access <configure-remote-cli-access>` .. |configure-remote-cli-access| replace:: :ref:`Configure Remote CLI Access <configure-remote-cli-access>`
.. |system-local-ca-issuer-9196c5794834| replace:: :ref:`System Local CA Issuer <system-local-ca-issuer-9196c5794834>` .. |system-local-ca-issuer-9196c5794834| replace:: :ref:`System Local CA Issuer <system-local-ca-issuer-9196c5794834>`
.. |install-security-profiles-operator-1b2f9a0f0108| replace:: :ref:`Install Security Profiles Operator (SPO) <install-security-profiles-operator-1b2f9a0f0108>` .. |install-security-profiles-operator-1b2f9a0f0108| replace:: :ref:`Install Security Profiles Operator (SPO) <install-security-profiles-operator-1b2f9a0f0108>`
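Review bot: Two substitution names disappear in this hunk: |password-recovery| is renamed to |keystone-passwd-recovery-ef3b3ce867b7| and |cert-manager-post-installation-setup| is removed outright. Any page that still uses either old name will fail with an undefined-substitution error. Please grep the tree for both names before merging, and note in the commit message that the rename is intentional, since it only mentions toctrees and URL escaping.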
@ -358,7 +357,7 @@
.. |selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c| replace:: :ref:`Selectively Disable SSH for Local OpenLDAP and WAD Users <selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c>` .. |selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c| replace:: :ref:`Selectively Disable SSH for Local OpenLDAP and WAD Users <selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c>`
.. |security-cert-manager| replace:: :ref:`Cert Manager <security-cert-manager>` .. |security-cert-manager| replace:: :ref:`Cert Manager <security-cert-manager>`
.. .. |enable-pod-security-policy-checking| replace:: :ref:`Enable Pod Security Policy Checking <enable-pod-security-policy-checking>` .. .. |enable-pod-security-policy-checking| replace:: :ref:`Enable Pod Security Policy Checking <enable-pod-security-policy-checking>`
.. |starlingx-rest-api-applications-and-the-web-administration-server| replace:: :ref:`StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server>` .. |starlingx-rest-api-applications-and-the-web-administration-server-deprecated| replace:: :ref:`StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server-deprecated>`
.. |starlingx-openstack-kubernetes-from-stsadmin-account-login| replace:: :ref:`For StarlingX, Platform OpenStack and Kubernetes CLIs from the 'sysadmin' Linux Account Login <starlingx-openstack-kubernetes-from-stsadmin-account-login>` .. |starlingx-openstack-kubernetes-from-stsadmin-account-login| replace:: :ref:`For StarlingX, Platform OpenStack and Kubernetes CLIs from the 'sysadmin' Linux Account Login <starlingx-openstack-kubernetes-from-stsadmin-account-login>`
.. |configure-users-groups-and-authorization| replace:: :ref:`Configure Users, Groups, and Authorization <configure-users-groups-and-authorization>` .. |configure-users-groups-and-authorization| replace:: :ref:`Configure Users, Groups, and Authorization <configure-users-groups-and-authorization>`
.. |kubernetes-operator-command-logging-663fce5d74e7| replace:: :ref:`Kubernetes Operator Command Logging <kubernetes-operator-command-logging-663fce5d74e7>` .. |kubernetes-operator-command-logging-663fce5d74e7| replace:: :ref:`Kubernetes Operator Command Logging <kubernetes-operator-command-logging-663fce5d74e7>`

View File

@ -75,8 +75,8 @@ For a centralized |OIDC| authentication setup, use the following procedure:
address as the oidc-issuer-url for all clouds. address as the oidc-issuer-url for all clouds.
For example, For example,
oidc-issuer-url=https://<central-cloud-floating-ip>:<oidc-auth-apps-dex ``oidc-issuer-url=https://<central-cloud-floating-ip>:<oidc-auth-apps-dex
-service-NodePort>/dex on the subcloud. -service-NodePort>/dex`` on the subcloud.
For more information, see: For more information, see:
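Review bot: The new inline literal for the oidc-issuer-url example opens on one line and closes on the next, splitting the placeholder between "<oidc-auth-apps-dex" and "-service-NodePort>". The line break inside an inline literal is rendered as whitespace, so readers will see "oidc-auth-apps-dex -service-NodePort" and may copy a URL with a space in it. Suggest keeping the whole literal on one source line, or moving the example into a literal block.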
@ -97,7 +97,7 @@ For a centralized |OIDC| authentication setup, use the following procedure:
.. note:: .. note::
For IPv6 deployments, ensure that the IPv6 OAM floating address is, For IPv6 deployments, ensure that the IPv6 OAM floating address is,
https://\[<central-cloud-floating-ip>\]:30556/dex (that is, in ``https://\[<central-cloud-floating-ip>\]:30556/dex`` (that is, in
lower case, and wrapped in square brackets). lower case, and wrapped in square brackets).
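Review bot: Inside the new double-backtick literal the sequences \[ and \] are no longer escapes; backslashes are rendered verbatim in inline literals, so the sample URL will display as https://\[<central-cloud-floating-ip>\]:30556/dex. The text says the address must be wrapped in square brackets, so a reader copying the rendered form gets an invalid issuer URL. Drop the backslashes now that the URL is a literal. The same pattern appears in the other IPv6 notes changed in this commit (the oam-floating-ip and issuer_url notes).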

View File

@ -1,17 +0,0 @@
.. _cert-manager-post-installation-setup:
====================================
Cert-Manager Post Installation Setup
====================================
.. toctree::
:maxdepth: 1
firewall-port-overrides
enable-public-use-of-the-cert-manager-acmesolver-image
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user

View File

@ -44,7 +44,7 @@ you can do so at any time using service parameters.
.. note:: .. note::
For IPv6 deployments, ensure that the IPv6 OAM floating address For IPv6 deployments, ensure that the IPv6 OAM floating address
is, https://\[<oam-floating-ip>\]:30556/dex (that is, in lower is, ``https://\[<oam-floating-ip>\]:30556/dex`` (that is, in lower
case, and wrapped in square brackets). case, and wrapped in square brackets).
- oidc-username-claim=<email> - oidc-username-claim=<email>

View File

@ -49,7 +49,7 @@ Validation after Bootstrapping the System
.. note:: .. note::
For IPv6 deployments, ensure that the IPv6 OAM floating address in For IPv6 deployments, ensure that the IPv6 OAM floating address in
the **issuer_url** is, https://\[<oam-floating-ip>\]:30556/dex the **issuer_url** is, ``https://\[<oam-floating-ip>\]:30556/dex``
(that is, in lower case, and wrapped in square brackets). (that is, in lower case, and wrapped in square brackets).

View File

@ -193,5 +193,5 @@ execute Linux commands. See section: :ref:`end-users-local-access-using-ssh-or-k
.. note:: .. note::
More setup is required for end user to use remote CLIs/GUIs, see sections More setup is required for end user to use remote CLIs/GUIs, see section
:ref:`index-remote-access-2209661be417`. :ref:`remote-access-2209661be417`.

View File

@ -91,4 +91,4 @@ and linux access.
.. rubric:: |postreq| .. rubric:: |postreq|
Setup remote access for any end users requiring remote access. See :ref:`index-remote-access-2209661be417`. Setup remote access for any end users requiring remote access. See :ref:`remote-access-2209661be417`.

View File

@ -0,0 +1,15 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _example-common-tasks-97773f3a82f0:
========================================
Examples of User Management Common Tasks
========================================
This section provides a set of common tasks related to the user management of
both system administrations and general end users, to set up unique users for
your system.
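Review bot: The intro paragraph in this new file carries over "system administrations" from the deleted index file; it should read "system administrators". Since the text is being re-added as a new page, this is a good place to fix it. Also worth confirming that a page whose title is "Examples of User Management Common Tasks" reads well as the first entry under an index heading with the identical title.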

View File

@ -139,7 +139,7 @@ expired certificates and certificates that will expire soon, see
The following sections provide details on managing these certificates: The following sections provide details on managing these certificates:
- :ref:`StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server>` - :ref:`starlingx-rest-api-applications-and-the-web-administration-server-deprecated`
- :ref:`Kubernetes Certificates <kubernetes-certificates-f4196d7cae9c>` - :ref:`Kubernetes Certificates <kubernetes-certificates-f4196d7cae9c>`

View File

@ -1,22 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-accessing-the-system-7d190226d3a5:
=================
Access the System
=================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
configure-local-cli-access
remote-access-index
security-access-the-gui
security-rest-api-access
connect-to-container-registries-through-a-firewall-or-proxy

View File

@ -1,25 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-example-common-tasks-97773f3a82f0:
========================================
Examples of User Management Common Tasks
========================================
This section provides a set of common tasks related to the user management of
both system administrations and general end users, to set up unique users for
your system.
.. toctree::
:maxdepth: 3
configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167
create-first-system-administrator-1775e1b20941
system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936
create-other-system-administrators-97b99bb94430
create-end-users-359693b84854
end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671
index-remote-access-2209661be417

View File

@ -1,25 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a:
====================================================
Kubernetes API User Authentication Using LDAP Server
====================================================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
overview-of-ldap-servers
centralized-vs-distributed-oidc-auth-setup
configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system
configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system
configure-oidc-auth-applications
configure-users-groups-and-authorization
configure-kubernetes-client-access
deprovision-ldap-server-authentication

View File

@ -1,22 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-ldap-accounts-e8ee204e6092:
=============
LDAP Accounts
=============
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
index-local-ldap-accounts-2f2128fe2f49
remote-windows-active-directory-accounts
selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
manage-local-ldap-39fe3a85a528
index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a

View File

@ -1,24 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-local-ldap-accounts-2f2128fe2f49:
===================
Local LDAP Accounts
===================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
local-ldap-linux-user-accounts
create-ldap-linux-accounts
create-ldap-linux-groups-4c94045f8ee0
delete-ldap-linux-accounts-7de0782fbafd
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
local-ldap-user-password-expiry-mechanism-eba5d34abbd4
estabilish-credentials-for-linux-user-accounts
manage-local-ldap-39fe3a85a528

View File

@ -1,18 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-password-rules-8429cd4ebddb:
==============
Password Rules
==============
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
starlingx-system-accounts-system-account-password-rules
linux-accounts-password-3dcad436dce4

View File

@ -1,24 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-reference-material-4e1c59258fa8:
==================
Reference Material
==================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 4
the-sysadmin-account
types-of-system-accounts
overview-of-system-accounts
keystone-accounts
index-ldap-accounts-e8ee204e6092
index-password-rules-8429cd4ebddb
index-accessing-the-system-7d190226d3a5
private-namespace-and-restricted-rbac
resource-management
pod-security-admission-controller-8e9e6994100f

View File

@ -1,24 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-remote-access-2209661be417:
=============
Remote Access
=============
This section provides a procedure for a system administrator to collect system
and user information required for a user to connect remotely to |prod|.
It also provides procedures for system administrators and end users to remotely
connect to |prod| CLIs, kubernetes CLIs and GUIs.
.. toctree::
:maxdepth: 2
system-administrator-collect-system-information-for-user-8502c985343d
system-administrator-access-system-horizon-gui-a4a95fe70ef9
system-administrator-configure-system-remote-cli-and-7b814d8937df
system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87
end-user-configure-k8s-remote-cli-fad235bb7a18
end-user-access-k8s-remote-cli-7bb5b71ed604

View File

@ -39,6 +39,10 @@ Certificate Management
utility-script-to-display-certificates utility-script-to-display-certificates
etcd-certificates-c1fc943e4a9c etcd-certificates-c1fc943e4a9c
kubernetes-certificates-f4196d7cae9c kubernetes-certificates-f4196d7cae9c
kubernetes-root-ca-certificate
update-renew-kubernetes-certificates-52b00bd0bdae
manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9
kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d
system-local-ca-issuer-9196c5794834 system-local-ca-issuer-9196c5794834
local-ldap-certificates-4e1df1e39341 local-ldap-certificates-4e1df1e39341
configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f
@ -60,22 +64,212 @@ Cert Manager
security-cert-manager security-cert-manager
the-cert-manager-bootstrap-process the-cert-manager-bootstrap-process
cert-manager-post-installation-setup
Cert-Manager Post Installation Setup
====================================
.. toctree::
:maxdepth: 1
firewall-port-overrides
enable-public-use-of-the-cert-manager-acmesolver-image
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
*************** ***************
User Management User Management
*************** ***************
.. toctree:: .. toctree::
:maxdepth: 5 :maxdepth: 3
introduction-to-user-management-6c0b13c6d325 introduction-to-user-management-6c0b13c6d325
index-example-common-tasks-97773f3a82f0
index-reference-material-4e1c59258fa8 Examples of User Management Common Tasks
========================================
.. toctree::
:maxdepth: 2
example-common-tasks-97773f3a82f0
configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167
create-first-system-administrator-1775e1b20941
system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936
create-other-system-administrators-97b99bb94430
create-end-users-359693b84854
end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671
Remote Access
-------------
.. toctree::
:maxdepth: 1
remote-access-2209661be417
system-administrator-collect-system-information-for-user-8502c985343d
system-administrator-access-system-horizon-gui-a4a95fe70ef9
system-administrator-configure-system-remote-cli-and-7b814d8937df
system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87
end-user-configure-k8s-remote-cli-fad235bb7a18
end-user-access-k8s-remote-cli-7bb5b71ed604
Reference Material
==================
.. toctree::
:maxdepth: 2
the-sysadmin-account
types-of-system-accounts
Linux User Accounts
-------------------
.. toctree::
:maxdepth: 2
overview-of-system-accounts
establish-keystone-credentials-from-a-linux-account
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login
add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1
Keystone Accounts
-----------------
.. toctree::
:maxdepth: 1
keystone-accounts
about-keystone-accounts
keystone-account-authentication
keystone-account-roles-64098d1abdc1
manage-keystone-accounts
configure-the-keystone-token-expiration-time
keystone-passwd-recovery-ef3b3ce867b7
keystone-security-compliance-configuration-b149adca6a7f
LDAP Accounts
-------------
Local LDAP Accounts
^^^^^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 2
local-ldap-linux-user-accounts
create-ldap-linux-accounts
create-ldap-linux-groups-4c94045f8ee0
delete-ldap-linux-accounts-7de0782fbafd
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
local-ldap-user-password-expiry-mechanism-eba5d34abbd4
estabilish-credentials-for-linux-user-accounts
manage-local-ldap-39fe3a85a528
Remote Windows Active Directory accounts
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
remote-windows-active-directory-accounts
sssd-support-5fb6c4b0320b
Selectively Disable SSH for Local LDAP and WAD Users
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
Manage Composite Local LDAP Accounts at Scale
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 1
manage-local-ldap-39fe3a85a528
Kubernetes API User Authentication Using LDAP Server
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
.. toctree::
:maxdepth: 2
overview-of-ldap-servers
centralized-vs-distributed-oidc-auth-setup
configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system
configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system
configure-oidc-auth-applications
configure-users-groups-and-authorization
configure-kubernetes-client-access
deprovision-ldap-server-authentication
Password Rules
--------------
.. toctree::
:maxdepth: 2
starlingx-system-accounts-system-account-password-rules
linux-accounts-password-3dcad436dce4
Access the System
-----------------
.. toctree::
:maxdepth: 2
configure-local-cli-access
configure-remote-cli-access
security-configure-container-backed-remote-clis-and-clients
using-container-backed-remote-clis-and-clients
security-install-kubectl-and-helm-clients-directly-on-a-host
security-access-the-gui
configure-http-and-https-ports-for-horizon-using-the-cli
configure-horizon-user-lockout-on-failed-logins
install-the-kubernetes-dashboard
security-rest-api-access
connect-to-container-registries-through-a-firewall-or-proxy
Private Namespace and Restricted RBAC
-------------------------------------
.. toctree::
:maxdepth: 1
private-namespace-and-restricted-rbac
Resource Management
-------------------
.. toctree::
:maxdepth: 1
resource-management
Pod Security Admission Controller
---------------------------------
.. toctree::
:maxdepth: 1
pod-security-admission-controller-8e9e6994100f
******** ********
Auditing Auditing
******** ********
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
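Review bot: manage-local-ldap-39fe3a85a528 is listed twice in the new index, once at the end of the "Local LDAP Accounts" toctree and again as the only entry under "Manage Composite Local LDAP Accounts at Scale". A document that appears in two toctrees has an ambiguous parent and ambiguous previous/next links in the built navigation. Keep it in one place only; the dedicated heading looks like the intended home, so remove it from the Local LDAP Accounts list.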
@ -103,6 +297,7 @@ Container Image Integrity (Signature Validation)
************************** **************************
Container AppArmor Profile Container AppArmor Profile
************************** **************************
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
@ -118,16 +313,34 @@ Container AppArmor Profile
*********************** ***********************
Encrypting Data at Rest Encrypting Data at Rest
*********************** ***********************
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c
encrypt-kubernetes-secret-data-at-rest encrypt-kubernetes-secret-data-at-rest
index-vault-secret-and-data-management-050a998960d0
Vault Secret and Data Management
================================
.. _vault-secret-and-data-management-050a998960d0:
.. _vault-secret-and-data-management-security-index:
.. toctree::
:maxdepth: 2
security-vault-overview
install-vault
configure-vault
configure-vault-using-the-cli
remove-vault
*************************** ***************************
Software Delivery Integrity Software Delivery Integrity
*************************** ***************************
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
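Review bot: The two labels added under "Vault Secret and Data Management" sit after the section title and directly before the toctree, so they no longer label a titled section. A :ref: to either label without explicit link text will fail to resolve a caption, and this commit converts several references to the title-less form elsewhere. Move both label lines above the heading. Separately, the first label drops the "index-" prefix that the deleted file used (index-vault-secret-and-data-management-050a998960d0), so any existing reference to the old name needs updating.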
@ -173,6 +386,8 @@ Deprecated Functionality
:maxdepth: 1 :maxdepth: 1
starlingx-rest-api-applications-and-the-web-administration-server-deprecated starlingx-rest-api-applications-and-the-web-administration-server-deprecated
enable-https-access-for-starlingx-rest-and-web-server-endpoints
install-update-the-starlingx-rest-and-web-server-certificate
*************************************** ***************************************

View File

@ -1,19 +0,0 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-vault-secret-and-data-management-050a998960d0:
.. _vault-secret-and-data-management-security-index:
================================
Vault Secret and Data Management
================================
.. toctree::
:maxdepth: 2
security-vault-overview
install-vault
configure-vault
configure-vault-using-the-cli
remove-vault

View File

@ -12,13 +12,3 @@ Registry. |prod|'s Keystone uses the default local SQL Backend.
See :ref:`Keystone Accounts <about-keystone-accounts>` for more details. See :ref:`Keystone Accounts <about-keystone-accounts>` for more details.
.. toctree::
:maxdepth: 1
about-keystone-accounts
keystone-account-authentication
keystone-account-roles-64098d1abdc1
manage-keystone-accounts
configure-the-keystone-token-expiration-time
password-recovery
keystone-security-compliance-configuration-b149adca6a7f

View File

@ -1,6 +1,6 @@
.. not1578924824783 .. not1578924824783
.. _password-recovery: .. _keystone-passwd-recovery-ef3b3ce867b7:
========================== ==========================
Keystone Password Recovery Keystone Password Recovery

View File

@ -170,12 +170,3 @@ APIserver).
The ``front-proxy`` Root |CA| certificate. front-proxy certificates are The ``front-proxy`` Root |CA| certificate. front-proxy certificates are
required only if you run ``kube-proxy`` to support an extension API server. required only if you run ``kube-proxy`` to support an extension API server.
.. toctree::
:maxdepth: 1
:hidden:
kubernetes-root-ca-certificate
update-renew-kubernetes-certificates-52b00bd0bdae
manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9
kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d

View File

@ -15,7 +15,7 @@ See:
<https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_ <https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_
for details on managing Keystone projects, users, and roles. for details on managing Keystone projects, users, and roles.
:ref:`Password Recovery <password-recovery>` for details on how to change or :ref:`keystone-passwd-recovery-ef3b3ce867b7` for details on how to change or
reset a Keystone user password. reset a Keystone user password.
:ref:`System Account Password Rules <starlingx-system-accounts-system-account-password-rules>` :ref:`System Account Password Rules <starlingx-system-accounts-system-account-password-rules>`

View File

@ -8,7 +8,6 @@ Linux User Accounts
A brief description of the system accounts available in a |prod| system. A brief description of the system accounts available in a |prod| system.
**Sysadmin Local Linux Account** **Sysadmin Local Linux Account**
This is a local, per-host, sudo-enabled account created automatically when This is a local, per-host, sudo-enabled account created automatically when
a new host is provisioned. It is used by the primary system administrator a new host is provisioned. It is used by the primary system administrator
@ -37,21 +36,3 @@ A brief description of the system accounts available in a |prod| system.
For more information, refer to the following: For more information, refer to the following:
.. toctree::
:maxdepth: 1
the-sysadmin-account
local-ldap-linux-user-accounts
create-ldap-linux-accounts
create-ldap-linux-groups-4c94045f8ee0
delete-ldap-linux-accounts-7de0782fbafd
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
local-ldap-user-password-expiry-mechanism-eba5d34abbd4
estabilish-credentials-for-linux-user-accounts
establish-keystone-credentials-from-a-linux-account
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login
manage-local-ldap-39fe3a85a528
selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
add-ldap-users-to-linux-groups-using-pamcconfiguration-d31d95e255e1
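Review bot: The toctree is removed here but the lead-in "For more information, refer to the following:" stays as the last line of the page, now introducing nothing. Other files in this commit replace the removed toctree with a bullet list of :ref: links under the same sentence; do the same here, or delete the sentence.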

View File

@ -0,0 +1,13 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _remote-access-2209661be417:
=============
Remote Access
=============
This section provides a procedure for a system administrator to collect system
and user information required for a user to connect remotely to |prod|.
It also provides procedures for system administrators and end users to remotely
connect to |prod| CLIs, kubernetes CLIs and GUIs.

View File

@ -1,11 +0,0 @@
=================
Remote CLI Access
=================
.. toctree::
:maxdepth: 1
configure-remote-cli-access
security-configure-container-backed-remote-clis-and-clients
using-container-backed-remote-clis-and-clients
security-install-kubectl-and-helm-clients-directly-on-a-host

View File

@ -12,10 +12,5 @@ authorization of users of the Kubernetes API, |CLI|, and Dashboard.
.. _user-authentication-using-windows-active-directory-security-index: .. _user-authentication-using-windows-active-directory-security-index:
.. toctree::
:maxdepth: 1
sssd-support-5fb6c4b0320b
See :ref:`Overview of LDAP Servers <overview-of-ldap-servers>` for more details. See :ref:`Overview of LDAP Servers <overview-of-ldap-servers>` for more details.

View File

@ -47,9 +47,8 @@ from a browser.
For more information, refer to the following: For more information, refer to the following:
.. toctree:: - :ref:`configure-http-and-https-ports-for-horizon-using-the-cli`
:maxdepth: 1
configure-http-and-https-ports-for-horizon-using-the-cli - :ref:`configure-horizon-user-lockout-on-failed-logins`
configure-horizon-user-lockout-on-failed-logins
install-the-kubernetes-dashboard - :ref:`install-the-kubernetes-dashboard`

View File

@ -1,6 +1,6 @@
.. xlb1552573425956 .. xlb1552573425956
.. _starlingx-rest-api-applications-and-the-web-administration-server: .. _starlingx-rest-api-applications-and-the-web-administration-server-deprecated:
============================================================================= =============================================================================
StarlingX REST API Applications and the Web Administration Server Certificate StarlingX REST API Applications and the Web Administration Server Certificate
@ -44,8 +44,6 @@ hosts.
For more details, refer to: For more details, refer to:
.. toctree:: - :ref:`enable-https-access-for-starlingx-rest-and-web-server-endpoints`
:maxdepth: 1
enable-https-access-for-starlingx-rest-and-web-server-endpoints - :ref:`install-update-the-starlingx-rest-and-web-server-certificate`
install-update-the-starlingx-rest-and-web-server-certificate

View File

@ -116,4 +116,4 @@ For any user requiring remote access:
- securely send them the ``stx-remote-access-info.tar`` file. - securely send them the ``stx-remote-access-info.tar`` file.
- have them follow the procedures for setting up remote access. See :ref:`index-remote-access-2209661be417`. - have them follow the procedures for setting up remote access. See :ref:`remote-access-2209661be417`.