Editorial updates on Security Guide upstream
Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
This commit is contained in:
parent
b0906101ef
commit
5579744656
0
doc/source/_includes/manage-keystone-accounts.rest
Normal file
0
doc/source/_includes/manage-keystone-accounts.rest
Normal file
@ -34,10 +34,12 @@ for the external Root CA that you are using, on how to create public
|
|||||||
certificate and private key pairs, signed by an intermediate or Root CA, for
|
certificate and private key pairs, signed by an intermediate or Root CA, for
|
||||||
HTTPS.
|
HTTPS.
|
||||||
|
|
||||||
.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating
|
.. xreflink
|
||||||
Certificates <creating-certificates-locally-using-openssl>` to create a
|
|
||||||
Intermediate or test Root CA certificate and key, and use it to sign test
|
For lab purposes, see |sec-doc|: :ref:`Create Certificates Locally
|
||||||
certificates.
|
using openssl <create-certificates-locally-using-openssl>` to create an
|
||||||
|
Intermediate or test Root CA certificate and key, and use it to sign test
|
||||||
|
certificates.
|
||||||
|
|
||||||
Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and
|
Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and
|
||||||
key in a single file, and copy the file to the controller host.
|
key in a single file, and copy the file to the controller host.
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
.. ibp1552572465781
|
.. ibp1552572465781
|
||||||
.. _about-keystone-accounts:
|
.. _about-keystone-accounts:
|
||||||
|
|
||||||
=======================
|
=================
|
||||||
About Keystone Accounts
|
Keystone Accounts
|
||||||
=======================
|
=================
|
||||||
|
|
||||||
|prod| uses tenant accounts and user accounts to identify and manage access to
|
|prod| uses tenant accounts and user accounts to identify and manage access to
|
||||||
StarlingX resources, and images in the Local Docker Registry.
|
StarlingX resources, and images in the Local Docker Registry.
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
.. qfk1564403051860
|
.. qfk1564403051860
|
||||||
.. _add-a-trusted-ca:
|
.. _add-a-trusted-ca:
|
||||||
|
|
||||||
================
|
==============================
|
||||||
Add a Trusted CA
|
Manage Trusted CA Certificates
|
||||||
================
|
==============================
|
||||||
|
|
||||||
Generally a trusted |CA| certificate needs to be added if |prod| clients on
|
Generally a trusted |CA| certificate needs to be added if |prod| clients on
|
||||||
the hosts will be connecting to server\(s\) secured with SSL and whose
|
the hosts will be connecting to server\(s\) secured with SSL and whose
|
||||||
|
@ -0,0 +1,17 @@
|
|||||||
|
|
||||||
|
|
||||||
|
.. _cert-manager-post-installation-setup:
|
||||||
|
|
||||||
|
====================================
|
||||||
|
Cert-Manager Post Installation Setup
|
||||||
|
====================================
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
firewall-port-overrides
|
||||||
|
enable-public-use-of-the-cert-manager-acmesolver-image
|
||||||
|
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
|
||||||
|
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
|
||||||
|
|
||||||
|
|
@ -2,9 +2,9 @@
|
|||||||
.. cms1597171128588
|
.. cms1597171128588
|
||||||
.. _configure-vault-using-the-cli:
|
.. _configure-vault-using-the-cli:
|
||||||
|
|
||||||
=============================
|
===================================
|
||||||
Configure Vault Using the CLI
|
Configure Vault Using the Vault CLI
|
||||||
=============================
|
===================================
|
||||||
|
|
||||||
After Vault has been installed, you can configure Vault for use with |prod|
|
After Vault has been installed, you can configure Vault for use with |prod|
|
||||||
using the |CLI|. This section describes the minimum configuration
|
using the |CLI|. This section describes the minimum configuration
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
.. xgp1596216287484
|
.. xgp1596216287484
|
||||||
.. _configure-vault:
|
.. _configure-vault:
|
||||||
|
|
||||||
===============
|
========================================
|
||||||
Configure Vault
|
Configure Vault Using the Vault REST API
|
||||||
===============
|
========================================
|
||||||
|
|
||||||
After Vault has been installed, you can configure Vault for use by hosted
|
After Vault has been installed, you can configure Vault for use by hosted
|
||||||
Kubernetes applications on |prod|. This section describes the minimum
|
Kubernetes applications on |prod|. This section describes the minimum
|
||||||
|
@ -15,6 +15,10 @@ namespaces.
|
|||||||
A cluster-admin ClusterRole is defined by default for such a user. To create
|
A cluster-admin ClusterRole is defined by default for such a user. To create
|
||||||
an admin service account with cluster-admin role, use the following procedure:
|
an admin service account with cluster-admin role, use the following procedure:
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
It is recommended that you create and manage service accounts within the
|
||||||
|
kube-system namespace.
|
||||||
|
|
||||||
.. rubric:: |proc|
|
.. rubric:: |proc|
|
||||||
|
|
||||||
#. Create the user definition.
|
#. Create the user definition.
|
||||||
@ -61,3 +65,8 @@ an admin service account with cluster-admin role, use the following procedure:
|
|||||||
access using tools such as :command:`kubectl` and :command:`helm` for a
|
access using tools such as :command:`kubectl` and :command:`helm` for a
|
||||||
service account such as this.
|
service account such as this.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|prod| can also use user accounts defined in an external Windows Active
|
||||||
|
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
|
||||||
|
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
|
||||||
|
Auth Applications <configure-oidc-auth-applications>`.
|
@ -1,108 +0,0 @@
|
|||||||
|
|
||||||
.. qtr1594910639395
|
|
||||||
.. _creating-certificates-locally-using-cert-manager-on-the-controller:
|
|
||||||
|
|
||||||
================================================================
|
|
||||||
Create Certificates Locally using cert-manager on the Controller
|
|
||||||
================================================================
|
|
||||||
|
|
||||||
You can use :command:`cert-manager` to locally create certificates suitable for
|
|
||||||
use in a lab environment.
|
|
||||||
|
|
||||||
.. rubric:: |proc|
|
|
||||||
|
|
||||||
#. Create a Root |CA| Certificate and Key.
|
|
||||||
|
|
||||||
#. Create a self-signing issuer.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ echo "
|
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
|
||||||
kind: Issuer
|
|
||||||
metadata:
|
|
||||||
name: my-selfsigning-issuer
|
|
||||||
spec:
|
|
||||||
selfSigned: {}
|
|
||||||
" | kubectl apply -f -
|
|
||||||
|
|
||||||
#. Create a Root |CA| certificate and key.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ echo "
|
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: my-rootca-certificate
|
|
||||||
spec:
|
|
||||||
secretName: my-rootca-certificate
|
|
||||||
commonName: "my-rootca"
|
|
||||||
isCA: true
|
|
||||||
issuerRef:
|
|
||||||
name: my-selfsigning-issuer
|
|
||||||
kind: Issuer
|
|
||||||
" | kubectl apply -f -
|
|
||||||
|
|
||||||
#. Create a Root |CA| Issuer.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ echo "
|
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
|
||||||
kind: Issuer
|
|
||||||
metadata:
|
|
||||||
name: my-rootca-issuer
|
|
||||||
spec:
|
|
||||||
ca:
|
|
||||||
secretName: my-rootca-certificate
|
|
||||||
" | kubectl apply -f -
|
|
||||||
|
|
||||||
|
|
||||||
#. Create files for the Root |CA| certificate and key.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
|
|
||||||
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
|
|
||||||
|
|
||||||
|
|
||||||
#. Create and sign a Server certificate and key
|
|
||||||
|
|
||||||
#. Create the Server certificate and key.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ echo "
|
|
||||||
apiVersion: cert-manager.io/v1alpha2
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: my-server-certificate
|
|
||||||
spec:
|
|
||||||
secretName: my-server-certificate
|
|
||||||
duration: 2160h # 90d
|
|
||||||
renewBefore: 360h # 15d
|
|
||||||
organization:
|
|
||||||
- WindRiver
|
|
||||||
commonName: 1.1.1.1
|
|
||||||
dnsNames:
|
|
||||||
- myserver.wrs.com
|
|
||||||
ipAddresses:
|
|
||||||
- 1.1.1.1
|
|
||||||
issuerRef:
|
|
||||||
name: my-rootca-issuer
|
|
||||||
kind: Issuer
|
|
||||||
" | kubectl apply -f -
|
|
||||||
|
|
||||||
#. Create the |PEM| files for Server certificate and key.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
|
|
||||||
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
|
|
||||||
|
|
||||||
#. Combine the server certificate and key in a single file.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
|
@ -1,64 +0,0 @@
|
|||||||
|
|
||||||
.. rmn1594906401238
|
|
||||||
.. _creating-certificates-locally-using-openssl:
|
|
||||||
|
|
||||||
=========================================
|
|
||||||
Create Certificates Locally using openssl
|
|
||||||
=========================================
|
|
||||||
|
|
||||||
You can use :command:`openssl` to locally create certificates suitable for use
|
|
||||||
in a lab environment.
|
|
||||||
|
|
||||||
.. rubric:: |proc|
|
|
||||||
|
|
||||||
.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
|
|
||||||
|
|
||||||
#. Create a Root |CA| Certificate and Key
|
|
||||||
|
|
||||||
#. Create the Root |CA| private key.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ openssl genrsa -out my-root-ca-key.pem 2048
|
|
||||||
|
|
||||||
#. Generate the Root |CA| x509 certificate.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
|
|
||||||
|
|
||||||
|
|
||||||
#. Create and sign a server certificate and key.
|
|
||||||
|
|
||||||
#. Create the server private key.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ openssl genrsa -out my-server-key.pem 2048
|
|
||||||
|
|
||||||
#. Create the Server certificate signing request \(csr\).
|
|
||||||
|
|
||||||
Specify CN=<WRCP-OAM-Floating-IP> and do **not** specify a challenge
|
|
||||||
password.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ openssl req -new -key my-server-key.pem -out my-server.csr
|
|
||||||
|
|
||||||
#. Create the |SANs| list.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
|
|
||||||
|
|
||||||
#. Use the my-root-ca to sign the server certificate.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
|
|
||||||
|
|
||||||
#. Put the server certificate and key in a single file.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
|
@ -14,19 +14,10 @@ These include:
|
|||||||
|
|
||||||
.. _https-access-overview-ul-eyn-5ln-gjb:
|
.. _https-access-overview-ul-eyn-5ln-gjb:
|
||||||
|
|
||||||
- |prod| REST API applications and the |prod| web administration server
|
|
||||||
|
|
||||||
- Kubernetes API
|
|
||||||
|
|
||||||
- Local Docker registry
|
|
||||||
|
|
||||||
.. contents::
|
.. contents::
|
||||||
:local:
|
:local:
|
||||||
:depth: 1
|
:depth: 1
|
||||||
|
|
||||||
You can also add a trusted Certificate Authority \(CA\) for the |prod| system.
|
|
||||||
|
|
||||||
|
|
||||||
.. _https-access-overview-section-N10048-N10024-N10001:
|
.. _https-access-overview-section-N10048-N10024-N10001:
|
||||||
|
|
||||||
-------------------------------------------------------
|
-------------------------------------------------------
|
||||||
|
@ -7,57 +7,13 @@ System Accounts
|
|||||||
***************
|
***************
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 2
|
||||||
|
|
||||||
types-of-system-accounts
|
types-of-system-accounts
|
||||||
overview-of-system-accounts
|
overview-of-system-accounts
|
||||||
kube-service-account
|
kube-service-account
|
||||||
keystone-accounts
|
keystone-accounts
|
||||||
remote-windows-active-directory-accounts
|
remote-windows-active-directory-accounts
|
||||||
|
|
||||||
Linux User Accounts
|
|
||||||
*******************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
the-sysadmin-account
|
|
||||||
local-ldap-linux-user-accounts
|
|
||||||
create-ldap-linux-accounts
|
|
||||||
remote-access-for-linux-accounts
|
|
||||||
password-recovery-for-linux-user-accounts
|
|
||||||
establish-keystone-credentials-from-a-linux-account
|
|
||||||
estabilish-credentials-for-linux-user-accounts
|
|
||||||
starlingx-openstack-kubernetes-from-stsadmin-account-login
|
|
||||||
kubernetes-cli-from-local-ldap-linux-account-login
|
|
||||||
|
|
||||||
Kubernetes Service Accounts
|
|
||||||
***************************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
kubernetes-service-accounts
|
|
||||||
create-an-admin-type-service-account
|
|
||||||
|
|
||||||
Keystone Accounts
|
|
||||||
*****************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
about-keystone-accounts
|
|
||||||
keystone-account-authentication
|
|
||||||
manage-keystone-accounts
|
|
||||||
configure-the-keystone-token-expiration-time
|
|
||||||
password-recovery
|
|
||||||
|
|
||||||
Password Rules
|
|
||||||
**************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
starlingx-system-accounts-system-account-password-rules
|
starlingx-system-accounts-system-account-password-rules
|
||||||
|
|
||||||
*****************
|
*****************
|
||||||
@ -70,9 +26,6 @@ Access the System
|
|||||||
configure-local-cli-access
|
configure-local-cli-access
|
||||||
remote-access-index
|
remote-access-index
|
||||||
security-access-the-gui
|
security-access-the-gui
|
||||||
configure-http-and-https-ports-for-horizon-using-the-cli
|
|
||||||
configure-horizon-user-lockout-on-failed-logins
|
|
||||||
install-the-kubernetes-dashboard
|
|
||||||
security-rest-api-access
|
security-rest-api-access
|
||||||
connect-to-container-registries-through-a-firewall-or-proxy
|
connect-to-container-registries-through-a-firewall-or-proxy
|
||||||
|
|
||||||
@ -129,21 +82,18 @@ Firewall Options
|
|||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
security-firewall-options
|
|
||||||
security-default-firewall-rules
|
security-default-firewall-rules
|
||||||
|
security-firewall-options
|
||||||
|
|
||||||
*************************
|
*************************
|
||||||
Secure HTTPS Connectivity
|
Secure HTTPS Connectivity
|
||||||
*************************
|
*************************
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 2
|
||||||
|
|
||||||
https-access-overview
|
https-access-overview
|
||||||
starlingx-rest-api-applications-and-the-web-administration-server
|
starlingx-rest-api-applications-and-the-web-administration-server
|
||||||
enable-https-access-for-starlingx-rest-and-web-server-endpoints
|
|
||||||
install-update-the-starlingx-rest-and-web-server-certificate
|
|
||||||
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
|
|
||||||
kubernetes-root-ca-certificate
|
kubernetes-root-ca-certificate
|
||||||
security-install-update-the-docker-registry-certificate
|
security-install-update-the-docker-registry-certificate
|
||||||
add-a-trusted-ca
|
add-a-trusted-ca
|
||||||
@ -157,17 +107,7 @@ Cert Manager
|
|||||||
|
|
||||||
security-cert-manager
|
security-cert-manager
|
||||||
the-cert-manager-bootstrap-process
|
the-cert-manager-bootstrap-process
|
||||||
|
cert-manager-post-installation-setup
|
||||||
Post Installation Setup
|
|
||||||
***********************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
firewall-port-overrides
|
|
||||||
enable-public-use-of-the-cert-manager-acmesolver-image
|
|
||||||
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
|
|
||||||
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
|
|
||||||
|
|
||||||
******************************
|
******************************
|
||||||
Portieris Admission Controller
|
Portieris Admission Controller
|
||||||
@ -178,8 +118,8 @@ Portieris Admission Controller
|
|||||||
|
|
||||||
portieris-overview
|
portieris-overview
|
||||||
install-portieris
|
install-portieris
|
||||||
remove-portieris
|
|
||||||
portieris-clusterimagepolicy-and-imagepolicy-configuration
|
portieris-clusterimagepolicy-and-imagepolicy-configuration
|
||||||
|
remove-portieris
|
||||||
|
|
||||||
********************************
|
********************************
|
||||||
Vault Secret and Data Management
|
Vault Secret and Data Management
|
||||||
@ -190,16 +130,9 @@ Vault Secret and Data Management
|
|||||||
|
|
||||||
security-vault-overview
|
security-vault-overview
|
||||||
install-vault
|
install-vault
|
||||||
remove-vault
|
|
||||||
|
|
||||||
Configure Vault
|
|
||||||
***************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
configure-vault
|
configure-vault
|
||||||
configure-vault-using-the-cli
|
configure-vault-using-the-cli
|
||||||
|
remove-vault
|
||||||
|
|
||||||
**************************************
|
**************************************
|
||||||
Encrypt Kubernetes Secret Data at Rest
|
Encrypt Kubernetes Secret Data at Rest
|
||||||
@ -227,8 +160,6 @@ Operator Command Logging
|
|||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
operator-command-logging
|
operator-command-logging
|
||||||
operator-login-authentication-logging
|
|
||||||
operator-command-logging
|
|
||||||
|
|
||||||
****************
|
****************
|
||||||
UEFI Secure Boot
|
UEFI Secure Boot
|
||||||
@ -240,15 +171,6 @@ UEFI Secure Boot
|
|||||||
overview-of-uefi-secure-boot
|
overview-of-uefi-secure-boot
|
||||||
use-uefi-secure-boot
|
use-uefi-secure-boot
|
||||||
|
|
||||||
***********************
|
|
||||||
Trusted Platform Module
|
|
||||||
***********************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
tpm-configuration-considerations
|
|
||||||
|
|
||||||
***********************************
|
***********************************
|
||||||
Authentication of Software Delivery
|
Authentication of Software Delivery
|
||||||
***********************************
|
***********************************
|
||||||
@ -267,16 +189,6 @@ Security Feature Configuration for Spectre and Meltdown
|
|||||||
|
|
||||||
security-feature-configuration-for-spectre-and-meltdown
|
security-feature-configuration-for-spectre-and-meltdown
|
||||||
|
|
||||||
***************************
|
|
||||||
Locally Create Certificates
|
|
||||||
***************************
|
|
||||||
|
|
||||||
.. toctree::
|
|
||||||
:maxdepth: 1
|
|
||||||
|
|
||||||
create-certificates-locally-using-openssl
|
|
||||||
create-certificates-locally-using-cert-manager-on-the-controller
|
|
||||||
|
|
||||||
*****************************
|
*****************************
|
||||||
Security Hardening Guidelines
|
Security Hardening Guidelines
|
||||||
*****************************
|
*****************************
|
||||||
@ -318,11 +230,11 @@ Security Features
|
|||||||
isolate-starlingx-internal-cloud-management-network
|
isolate-starlingx-internal-cloud-management-network
|
||||||
|
|
||||||
***************************************
|
***************************************
|
||||||
Appendix: Locally creating certifciates
|
Appendix: Locally creating certificates
|
||||||
***************************************
|
***************************************
|
||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
|
||||||
creating-certificates-locally-using-cert-manager-on-the-controller
|
create-certificates-locally-using-openssl
|
||||||
creating-certificates-locally-using-openssl
|
create-certificates-locally-using-cert-manager-on-the-controller
|
@ -2,9 +2,9 @@
|
|||||||
.. law1570030645265
|
.. law1570030645265
|
||||||
.. _install-update-the-starlingx-rest-and-web-server-certificate:
|
.. _install-update-the-starlingx-rest-and-web-server-certificate:
|
||||||
|
|
||||||
=================================================================
|
============================================================
|
||||||
Install/Update the StarlingX Rest and Web Server Certificate
|
Install/Update the StarlingX Rest and Web Server Certificate
|
||||||
=================================================================
|
============================================================
|
||||||
|
|
||||||
Use the following procedure to install or update the certificate for the REST
|
Use the following procedure to install or update the certificate for the REST
|
||||||
API application endpoints \(Keystone, Barbican and StarlingX\) and the web
|
API application endpoints \(Keystone, Barbican and StarlingX\) and the web
|
||||||
@ -18,12 +18,10 @@ Intermediate or Root |CA| that you are using, on how to create public
|
|||||||
certificate and private key pairs, signed by intermediate or a Root |CA|, for
|
certificate and private key pairs, signed by intermediate or a Root |CA|, for
|
||||||
HTTPS.
|
HTTPS.
|
||||||
|
|
||||||
.. xbooklink
|
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||||
|
<create-certificates-locally-using-openssl>` for how to create a test
|
||||||
For lab purposes, see :ref:`Locally Creating Certificates
|
intermediate or Root |CA| certificate and key, and use it to sign test
|
||||||
<creating-certificates-locally-using-openssl>` for how to create a test
|
certificates.
|
||||||
intermediate or Root |CA| certificate and key, and use it to sign test
|
|
||||||
certificates.
|
|
||||||
|
|
||||||
Put the |PEM| encoded versions of the certificate and key in a single file,
|
Put the |PEM| encoded versions of the certificate and key in a single file,
|
||||||
and copy the file to the controller host.
|
and copy the file to the controller host.
|
||||||
|
@ -10,5 +10,13 @@ Keystone Accounts
|
|||||||
StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker
|
StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker
|
||||||
Registry. |prod|'s Keystone uses the default local SQL Backend.
|
Registry. |prod|'s Keystone uses the default local SQL Backend.
|
||||||
|
|
||||||
See :ref:`About Keystone Accounts <about-keystone-accounts>` for more details.
|
See :ref:`Keystone Accounts <about-keystone-accounts>` for more details.
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
about-keystone-accounts
|
||||||
|
keystone-account-authentication
|
||||||
|
manage-keystone-accounts
|
||||||
|
configure-the-keystone-token-expiration-time
|
||||||
|
password-recovery
|
@ -9,6 +9,7 @@ Kubernetes Service Accounts
|
|||||||
|prod| uses Kubernetes service accounts and |RBAC| policies for authentication
|
|prod| uses Kubernetes service accounts and |RBAC| policies for authentication
|
||||||
and authorization of users of the Kubernetes API, |CLI|, and Dashboard.
|
and authorization of users of the Kubernetes API, |CLI|, and Dashboard.
|
||||||
|
|
||||||
See :ref:`Kubernetes Service Accounts <kubernetes-service-accounts>` for more
|
.. toctree::
|
||||||
details.
|
:maxdepth: 1
|
||||||
|
|
||||||
|
create-an-admin-type-service-account
|
@ -14,11 +14,9 @@ It is recommended that you update the Kubernetes Root |CA| and with a custom
|
|||||||
Root |CA| certificate and key, generated by yourself, and trusted by external
|
Root |CA| certificate and key, generated by yourself, and trusted by external
|
||||||
servers connecting to the |prod|'s Kubernetes API endpoint.
|
servers connecting to the |prod|'s Kubernetes API endpoint.
|
||||||
|
|
||||||
.. xbooklink
|
See :ref:`Create Certificates Locally using openssl
|
||||||
|
<create-certificates-locally-using-openssl>` for how to create a private Root
|
||||||
See :ref:`Locally Creating Certificates
|
|CA| certificate and key.
|
||||||
<creating-certificates-locally-using-openssl>` for how to create a
|
|
||||||
private Root |CA| certificate and key.
|
|
||||||
|
|
||||||
.. caution::
|
.. caution::
|
||||||
The default duration for the generated Kubernetes Root CA certificate is 10
|
The default duration for the generated Kubernetes Root CA certificate is 10
|
||||||
@ -41,16 +39,23 @@ certificate and key for the Kubernetes root |CA|.
|
|||||||
Specifies the certificate for the Kubernetes root |CA|. The
|
Specifies the certificate for the Kubernetes root |CA|. The
|
||||||
<k8s\_root\_ca\_cert> value is the absolute path of the certificate
|
<k8s\_root\_ca\_cert> value is the absolute path of the certificate
|
||||||
file. The certificate must be in |PEM| format and the value must be
|
file. The certificate must be in |PEM| format and the value must be
|
||||||
provided as part of a pair with <k8s\_root\_ca\_key>. The playbook will
|
provided as part of a pair with <k8s\_root\_ca\_key>.
|
||||||
not proceed if only one value is provided.
|
|
||||||
|
|
||||||
**<k8s\_root\_ca\_key>**
|
**<k8s\_root\_ca\_key>**
|
||||||
|
|
||||||
Specifies the key for the Kubernetes root |CA|. The <k8s\_root\_ca\_key>
|
Specifies the key for the Kubernetes root |CA|. The <k8s\_root\_ca\_key>
|
||||||
value is the absolute path of the certificate file. The certificate
|
value is the absolute path of the certificate file. The certificate
|
||||||
must be in |PEM| format and the value must be provided as part of a pair
|
must be in |PEM| format and the value must be provided as part of a pair
|
||||||
with <k8s\_root\_ca\_cert>. The playbook will not proceed if only one
|
with <k8s\_root\_ca\_cert>.
|
||||||
value is provided.
|
|
||||||
|
For example:
|
||||||
|
|
||||||
|
.. code-block:: none
|
||||||
|
|
||||||
|
k8s_root_ca_cert: /home/sysadmin/mystarlingx-k8s-rootca-certificate.pem
|
||||||
|
k8s_root_ca_key: /home/sysadmin/mystarlingx-k8s-rootca-certificate-key.pem
|
||||||
|
|
||||||
|
The playbook will not proceed if only one value is provided.
|
||||||
|
|
||||||
.. caution::
|
.. caution::
|
||||||
The default duration for the generated Kubernetes Root |CA|
|
The default duration for the generated Kubernetes Root |CA|
|
||||||
|
@ -1,27 +0,0 @@
|
|||||||
|
|
||||||
.. oud1564679022947
|
|
||||||
.. _kubernetes-service-accounts:
|
|
||||||
|
|
||||||
===========================
|
|
||||||
Kubernetes Service Accounts
|
|
||||||
===========================
|
|
||||||
|
|
||||||
|prod| uses Kubernetes service accounts and Kubernetes |RBAC| policies to
|
|
||||||
identify and manage remote access to Kubernetes resources using the
|
|
||||||
Kubernetes API, kubectl CLI or the Kubernetes Dashboard.
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|prod| can also use user accounts defined in an external Windows Active
|
|
||||||
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
|
|
||||||
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
|
|
||||||
Auth Applications <configure-oidc-auth-applications>`.
|
|
||||||
|
|
||||||
You can create and manage Kubernetes service accounts using
|
|
||||||
:command:`kubectl` as shown below.
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
It is recommended that you create and manage service accounts within the
|
|
||||||
kube-system namespace. See :ref:`Create an Admin Type Service
|
|
||||||
Account <create-an-admin-type-service-account>`
|
|
||||||
|
|
||||||
|
|
@ -9,42 +9,13 @@ Manage Keystone Accounts
|
|||||||
See
|
See
|
||||||
`https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html
|
`https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html
|
||||||
<https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_
|
<https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_
|
||||||
_ for details on managing Keystone projects, users, and roles.
|
for details on managing Keystone projects, users, and roles.
|
||||||
|
|
||||||
|
|
||||||
All Kubernetes accounts are subject to system password rules. For complete
|
All Kubernetes accounts are subject to system password rules. For complete
|
||||||
details on password rules, see :ref:`System Account Password Rules
|
details on password rules, see :ref:`System Account Password Rules
|
||||||
<starlingx-system-accounts-system-account-password-rules>`.
|
<starlingx-system-accounts-system-account-password-rules>`.
|
||||||
|
|
||||||
If you are using when changing the keystone 'admin' user password, you must:
|
.. only:: partner
|
||||||
|
|
||||||
.. _managing-keystone-accounts-ol-wyq-l4d-mmb:
|
.. include:: /_includes/manage-keystone-accounts.rest
|
||||||
|
|
||||||
#. If the **deployment-config.yaml** file has been moved off-box for security
|
|
||||||
reasons, upload the file back to the system to be updated.
|
|
||||||
|
|
||||||
.. warning::
|
|
||||||
The **deployment-config.yaml** file includes sensitive information
|
|
||||||
\(including system credentials and passwords\). For increased security,
|
|
||||||
it is recommended to store the **deployment-config.yaml** in a safe
|
|
||||||
location off-box. Upload the file to the system only when it is
|
|
||||||
required \(during initial configuration, and when reapplying an updated
|
|
||||||
configuration\).
|
|
||||||
|
|
||||||
#. Update the password in the 'system-endpoint' secret in the 's
|
|
||||||
deployment-config.yaml file, with the new keystone 'admin' user password.
|
|
||||||
Make this change to the OS\_PASSWORD value. It must be base64 encoded. For
|
|
||||||
example:
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
OS_PASSWORD: U3Q4cmxpbmdYKg==
|
|
||||||
|
|
||||||
#. Apply the updated deployment configuration.
|
|
||||||
|
|
||||||
.. code-block:: none
|
|
||||||
|
|
||||||
kubectl apply -f deployment-config.yaml
|
|
||||||
|
|
||||||
#. \(Optional\) For security reasons, copy the updated
|
|
||||||
**deployment-config.yaml** file off-box and delete it from the system.
|
|
@ -2,9 +2,9 @@
|
|||||||
.. lgd1552571882796
|
.. lgd1552571882796
|
||||||
.. _overview-of-system-accounts:
|
.. _overview-of-system-accounts:
|
||||||
|
|
||||||
==================
|
===================
|
||||||
Linux UserAccounts
|
Linux User Accounts
|
||||||
==================
|
===================
|
||||||
|
|
||||||
A brief description of the system accounts available in a |prod| system.
|
A brief description of the system accounts available in a |prod| system.
|
||||||
|
|
||||||
@ -33,3 +33,18 @@ A brief description of the system accounts available in a |prod| system.
|
|||||||
For security reasons, it is recommended that ONLY admin level users be
|
For security reasons, it is recommended that ONLY admin level users be
|
||||||
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
||||||
strictly use remote |CLIs| or remote web GUIs.
|
strictly use remote |CLIs| or remote web GUIs.
|
||||||
|
|
||||||
|
For more information, refer to the following:
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
the-sysadmin-account
|
||||||
|
local-ldap-linux-user-accounts
|
||||||
|
create-ldap-linux-accounts
|
||||||
|
remote-access-for-linux-accounts
|
||||||
|
password-recovery-for-linux-user-accounts
|
||||||
|
estabilish-credentials-for-linux-user-accounts
|
||||||
|
establish-keystone-credentials-from-a-linux-account
|
||||||
|
starlingx-openstack-kubernetes-from-stsadmin-account-login
|
||||||
|
kubernetes-cli-from-local-ldap-linux-account-login
|
@ -2,9 +2,9 @@
|
|||||||
.. not1578924824783
|
.. not1578924824783
|
||||||
.. _password-recovery:
|
.. _password-recovery:
|
||||||
|
|
||||||
=================
|
==========================
|
||||||
Password Recovery
|
Keystone Password Recovery
|
||||||
=================
|
==========================
|
||||||
|
|
||||||
.. rubric:: |context|
|
.. rubric:: |context|
|
||||||
|
|
||||||
|
@ -37,10 +37,8 @@ re-installed, in order to update the new standby controller's |TPM| device.
|
|||||||
public certificate and private key pairs, signed by an intermediate or
|
public certificate and private key pairs, signed by an intermediate or
|
||||||
Root-signed |CA|, for HTTPS.
|
Root-signed |CA|, for HTTPS.
|
||||||
|
|
||||||
.. xbooklink
|
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||||
|
<create-certificates-locally-using-openssl>` for details on how to create
|
||||||
For lab purposes, see :ref:`Locally Creating Certificates
|
|
||||||
<creating-certificates-locally-using-openssl>` for details on how to create
|
|
||||||
a test intermediate or Root |CA| certificate and key, and use it to sign
|
a test intermediate or Root |CA| certificate and key, and use it to sign
|
||||||
test certificates.
|
test certificates.
|
||||||
|
|
||||||
|
@ -44,3 +44,12 @@ from a browser.
|
|||||||
<install-the-kubernetes-dashboard>` for information on how to install
|
<install-the-kubernetes-dashboard>` for information on how to install
|
||||||
the Kubernetes Dashboard and create a Kubernetes service account for
|
the Kubernetes Dashboard and create a Kubernetes service account for
|
||||||
the admin user to use the dashboard.
|
the admin user to use the dashboard.
|
||||||
|
|
||||||
|
For more information, refer to the following:
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
configure-http-and-https-ports-for-horizon-using-the-cli
|
||||||
|
configure-horizon-user-lockout-on-failed-logins
|
||||||
|
install-the-kubernetes-dashboard
|
@ -2,9 +2,9 @@
|
|||||||
.. zlk1582057887959
|
.. zlk1582057887959
|
||||||
.. _security-firewall-options:
|
.. _security-firewall-options:
|
||||||
|
|
||||||
================
|
=======================
|
||||||
Firewall Options
|
Modify Firewall Options
|
||||||
================
|
=======================
|
||||||
|
|
||||||
|prod| incorporates a default firewall for the |OAM| network. You can configure
|
|prod| incorporates a default firewall for the |OAM| network. You can configure
|
||||||
additional Kubernetes Network Policies in order to augment or override the
|
additional Kubernetes Network Policies in order to augment or override the
|
||||||
|
@ -2,11 +2,11 @@
|
|||||||
.. vri1561486014514
|
.. vri1561486014514
|
||||||
.. _security-install-update-the-docker-registry-certificate:
|
.. _security-install-update-the-docker-registry-certificate:
|
||||||
|
|
||||||
==============================================
|
=================================
|
||||||
Install/Update the Docker Registry Certificate
|
Local Docker Registry Certificate
|
||||||
==============================================
|
=================================
|
||||||
|
|
||||||
The local docker registry provides secure HTTPS access using the registry API.
|
The local Docker registry provides secure HTTPS access using the registry API.
|
||||||
|
|
||||||
.. rubric:: |context|
|
.. rubric:: |context|
|
||||||
|
|
||||||
@ -33,8 +33,10 @@ intermediate or Root |CA|. Refer to the documentation for the external Root
|
|||||||
|CA| that you are using, on how to create public certificate and private key
|
|CA| that you are using, on how to create public certificate and private key
|
||||||
pairs, signed by an intermediate or Root |CA|, for HTTPS.
|
pairs, signed by an intermediate or Root |CA|, for HTTPS.
|
||||||
|
|
||||||
For lab purposes, see Appendix A for how to create a test intermediate or Root
|
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||||
|CA| certificate and key, and use it to sign test certificates.
|
<create-certificates-locally-using-openssl>` for how to create a test
|
||||||
|
intermediate or Root |CA| certificate and key, and use it to sign test
|
||||||
|
certificates.
|
||||||
|
|
||||||
Put the |PEM| encoded versions of the certificate and key in a single file,
|
Put the |PEM| encoded versions of the certificate and key in a single file,
|
||||||
and copy the file to the controller host.
|
and copy the file to the controller host.
|
||||||
@ -47,9 +49,9 @@ above certificate.
|
|||||||
|
|
||||||
.. _security-install-update-the-docker-registry-certificate-d527e71:
|
.. _security-install-update-the-docker-registry-certificate-d527e71:
|
||||||
|
|
||||||
#. In order to enable internal use of the docker registry certificate,
|
#. In order to enable internal use of the Docker registry certificate,
|
||||||
update the trusted |CA| list for this system with the Root |CA| associated
|
update the trusted |CA| list for this system with the Root |CA| associated
|
||||||
with the docker registry certificate.
|
with the Docker registry certificate.
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
@ -58,15 +60,15 @@ above certificate.
|
|||||||
|
|
||||||
where:
|
where:
|
||||||
|
|
||||||
**<pathTocertificate>**
|
``<pathTocertificate>``
|
||||||
is the path to the intermediate or Root |CA| certificate associated
|
is the path to the intermediate or Root |CA| certificate associated
|
||||||
with the docker registry's intermediate or Root |CA|-signed
|
with the Docker registry's intermediate or Root |CA|-signed
|
||||||
certificate.
|
certificate.
|
||||||
|
|
||||||
#. Update the docker registry certificate using the
|
#. Update the Docker registry certificate using the
|
||||||
:command:`certificate-install` command.
|
:command:`certificate-install` command.
|
||||||
|
|
||||||
Set the mode \(-m or --mode\) parameter to docker\_registry.
|
Set the ``mode (-m or --mode)`` parameter to ``docker_registry``.
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
@ -75,8 +77,8 @@ above certificate.
|
|||||||
|
|
||||||
where:
|
where:
|
||||||
|
|
||||||
**<pathTocertificateAndKey>**
|
``<pathTocertificateAndKey>``
|
||||||
is the path to the file containing both the docker registry's
|
is the path to the file containing both the Docker registry's
|
||||||
intermediate or Root CA-signed certificate and private key to install.
|
intermediate or Root CA-signed certificate and private key to install.
|
||||||
|
|
||||||
|
|
||||||
|
@ -2,9 +2,9 @@
|
|||||||
.. xlb1552573425956
|
.. xlb1552573425956
|
||||||
.. _starlingx-rest-api-applications-and-the-web-administration-server:
|
.. _starlingx-rest-api-applications-and-the-web-administration-server:
|
||||||
|
|
||||||
=================================================================
|
=============================================================================
|
||||||
StarlingX REST API Applications and the Web Administration Server
|
StarlingX REST API Applications and the Web Administration Server Certificate
|
||||||
=================================================================
|
=============================================================================
|
||||||
|
|
||||||
|prod| provides support for secure HTTPS external connections used for
|
|prod| provides support for secure HTTPS external connections used for
|
||||||
StarlingX REST API application endpoints \(Keystone, Barbican and
|
StarlingX REST API application endpoints \(Keystone, Barbican and
|
||||||
@ -29,3 +29,12 @@ recommended.
|
|||||||
|
|
||||||
You can update the certificate used for HTTPS access at any time.
|
You can update the certificate used for HTTPS access at any time.
|
||||||
|
|
||||||
|
For more details, refer to:
|
||||||
|
|
||||||
|
.. toctree::
|
||||||
|
:maxdepth: 1
|
||||||
|
|
||||||
|
enable-https-access-for-starlingx-rest-and-web-server-endpoints
|
||||||
|
install-update-the-starlingx-rest-and-web-server-certificate
|
||||||
|
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
|
||||||
|
tpm-configuration-considerations
|
@ -2,13 +2,16 @@
|
|||||||
.. gks1588335341933
|
.. gks1588335341933
|
||||||
.. _the-cert-manager-bootstrap-process:
|
.. _the-cert-manager-bootstrap-process:
|
||||||
|
|
||||||
==================================
|
=====================================
|
||||||
The cert-manager Bootstrap Process
|
Configure cert-manager at Bootstrap
|
||||||
==================================
|
=====================================
|
||||||
|
|
||||||
Both nginx-ingress-controller and cert-manager are packaged as armada system
|
Both nginx-ingress-controller and cert-manager are installed at bootstrap time
|
||||||
applications managed via :command:`system application-\*` and
|
with defaults appropriate to most use cases, but their configuration can be
|
||||||
:command:`system helm-override-\*` commands.
|
modified at bootstrap.
|
||||||
|
|
||||||
|
Nginx-ingress-controller and cert-manager are packaged as armada system
|
||||||
|
applications.
|
||||||
|
|
||||||
Both system applications are uploaded and applied, by default, as part of
|
Both system applications are uploaded and applied, by default, as part of
|
||||||
the bootstrap phase of the |prod-long| installation.
|
the bootstrap phase of the |prod-long| installation.
|
||||||
@ -25,10 +28,10 @@ contains the following definition:
|
|||||||
|
|
||||||
|
|
||||||
As with other parameters in default.yml, you can override this definition in
|
As with other parameters in default.yml, you can override this definition in
|
||||||
$HOME/localhost.yml. In the case of the applications: parameter, do this to
|
$HOME/localhost.yml. In the case of the ``applications``: parameter, do this to
|
||||||
change the application helm overrides for an application.
|
change the application helm overrides for an application.
|
||||||
|
|
||||||
The full general syntax for the applications: structure is:
|
The full general syntax for the ``applications:`` structure is:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
@ -47,7 +50,7 @@ The full general syntax for the applications: structure is:
|
|||||||
namespace: kube-system
|
namespace: kube-system
|
||||||
values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml
|
values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml
|
||||||
|
|
||||||
If you do override applications: in $HOME/localhost.yml, note the following:
|
If you do override ``applications:`` in $HOME/localhost.yml, note the following:
|
||||||
|
|
||||||
|
|
||||||
.. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb:
|
.. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb:
|
||||||
@ -59,7 +62,8 @@ If you do override applications: in $HOME/localhost.yml, note the following:
|
|||||||
and must be in this order, otherwise bootstrap fails.
|
and must be in this order, otherwise bootstrap fails.
|
||||||
|
|
||||||
|
|
||||||
|org| recommends that you copy applications: from default.yml and add in any required overrides.
|
|org| recommends that you copy ``applications:`` from default.yml and add in
|
||||||
|
any required overrides.
|
||||||
|
|
||||||
At a high-level, the default configuration for the two mandatory applications is:
|
At a high-level, the default configuration for the two mandatory applications is:
|
||||||
|
|
||||||
@ -69,11 +73,11 @@ At a high-level, the default configuration for the two mandatory applications is
|
|||||||
- nginx-ingress-controller
|
- nginx-ingress-controller
|
||||||
|
|
||||||
|
|
||||||
- Runs as a DaemonSet only on masters/controllers
|
- Runs as a DaemonSet only on masters/controllers.
|
||||||
|
|
||||||
- Uses host networking, which means it can use any port numbers.
|
- Uses host networking, which means it can use any port numbers.
|
||||||
|
|
||||||
Does not change the nginx default ports of 80 and 443.
|
- Does not change the nginx default ports of 80 and 443.
|
||||||
|
|
||||||
- Has a default backend.
|
- Has a default backend.
|
||||||
|
|
||||||
@ -88,13 +92,12 @@ At a high-level, the default configuration for the two mandatory applications is
|
|||||||
|
|
||||||
- The deployment replicaCount is set to 1 for bootstrap.
|
- The deployment replicaCount is set to 1 for bootstrap.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
replicaCount can NOT be changed at bootstrap time. The second controller
|
replicaCount can NOT be changed at bootstrap time. The second controller
|
||||||
must be configured and unlocked before replicaCount can be set to 2.
|
must be configured and unlocked before replicaCount can be set to 2.
|
||||||
|
|
||||||
The Helm Chart Values that you can override are described at on the following web pages:
|
The Helm Chart Values that you can override are described on the following
|
||||||
|
web pages:
|
||||||
|
|
||||||
|
|
||||||
.. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb:
|
.. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb:
|
||||||
|
@ -6,10 +6,7 @@
|
|||||||
Types of System Accounts
|
Types of System Accounts
|
||||||
========================
|
========================
|
||||||
|
|
||||||
This Chapter describes the system accounts available in a |prod|
|
This Chapter describes the system accounts available in a |prod| system.
|
||||||
system.
|
|
||||||
|
|
||||||
For more information, see:
|
|
||||||
|
|
||||||
.. _types-of-system-accounts-ul-rms-mwk-znb:
|
.. _types-of-system-accounts-ul-rms-mwk-znb:
|
||||||
|
|
||||||
@ -20,6 +17,3 @@ For more information, see:
|
|||||||
- :ref:`Keystone Accounts <keystone-accounts>`
|
- :ref:`Keystone Accounts <keystone-accounts>`
|
||||||
|
|
||||||
- :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
|
- :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
|
||||||
|
|
||||||
- :ref:`Linux User Accounts <overview-of-system-accounts>`
|
|
||||||
|
|
||||||
|
Loading…
x
Reference in New Issue
Block a user