starlingx/docs
Code Issues Proposed changes

Editorial updates on Security Guide upstream

Browse Source 
Acted on Greg's comments

Patch 1: Deleted duplicated docs and corrected references to fix build failure

Patch 2: Acted on Greg's and Ron's comments.

Patch 3: Acted on Greg's comment.

Patch 4: Acted on Mary's comments.

Patch 5: Solved merge conflict.

Patch 6: Worked on Mary's comments.

Patch 7: Fixed build conflict.

Patch 8: Worked on Mary's comments.

https://review.opendev.org/c/starlingx/docs/+/792461

Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com>
Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
This commit is contained in:
egoncalv 2021-05-20 14:11:59 -03:00
parent b0906101ef
commit 5579744656
27 changed files with 171 additions and 426 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

0
doc/source/_includes/manage-keystone-accounts.rest Normal file
View File

10
doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst
View File

@ -34,10 +34,12 @@ for the external Root CA that you are using, on how to create public
certificate and private key pairs, signed by an intermediate or Root CA, for certificate and private key pairs, signed by an intermediate or Root CA, for
HTTPS. HTTPS.
.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating .. xreflink
Certificates <creating-certificates-locally-using-openssl>` to create a
Intermediate or test Root CA certificate and key, and use it to sign test For lab purposes, see |sec-doc|: :ref:`Create Certificates Locally
certificates. using openssl <create-certificates-locally-using-openssl>` to create an
Intermediate or test Root CA certificate and key, and use it to sign test
certificates.
Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and
key in a single file, and copy the file to the controller host. key in a single file, and copy the file to the controller host.

6
doc/source/security/kubernetes/about-keystone-accounts.rst
View File

@ -2,9 +2,9 @@
.. ibp1552572465781 .. ibp1552572465781
.. _about-keystone-accounts: .. _about-keystone-accounts:
======================= =================
About Keystone Accounts Keystone Accounts
======================= =================
|prod| uses tenant accounts and user accounts to identify and manage access to |prod| uses tenant accounts and user accounts to identify and manage access to
StarlingX resources, and images in the Local Docker Registry. StarlingX resources, and images in the Local Docker Registry.

6
doc/source/security/kubernetes/add-a-trusted-ca.rst
View File

@ -2,9 +2,9 @@
.. qfk1564403051860 .. qfk1564403051860
.. _add-a-trusted-ca: .. _add-a-trusted-ca:
================ ==============================
Add a Trusted CA Manage Trusted CA Certificates
================ ==============================
Generally a trusted |CA| certificate needs to be added if |prod| clients on Generally a trusted |CA| certificate needs to be added if |prod| clients on
the hosts will be connecting to server\(s\) secured with SSL and whose the hosts will be connecting to server\(s\) secured with SSL and whose

17
doc/source/security/kubernetes/cert-manager-post-installation-setup.rst Normal file
View File

@ -0,0 +1,17 @@
.. _cert-manager-post-installation-setup:
====================================
Cert-Manager Post Installation Setup
====================================
.. toctree::
:maxdepth: 1
firewall-port-overrides
enable-public-use-of-the-cert-manager-acmesolver-image
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user

6
doc/source/security/kubernetes/configure-vault-using-the-cli.rst
View File

@ -2,9 +2,9 @@
.. cms1597171128588 .. cms1597171128588
.. _configure-vault-using-the-cli: .. _configure-vault-using-the-cli:
============================= ===================================
Configure Vault Using the CLI Configure Vault Using the Vault CLI
============================= ===================================
After Vault has been installed, you can configure Vault for use with |prod| After Vault has been installed, you can configure Vault for use with |prod|
using the |CLI|. This section describes the minimum configuration using the |CLI|. This section describes the minimum configuration

6
doc/source/security/kubernetes/configure-vault.rst
View File

@ -2,9 +2,9 @@
.. xgp1596216287484 .. xgp1596216287484
.. _configure-vault: .. _configure-vault:
=============== ========================================
Configure Vault Configure Vault Using the Vault REST API
=============== ========================================
After Vault has been installed, you can configure Vault for use by hosted After Vault has been installed, you can configure Vault for use by hosted
Kubernetes applications on |prod|. This section describes the minimum Kubernetes applications on |prod|. This section describes the minimum

9
doc/source/security/kubernetes/create-an-admin-type-service-account.rst
View File

@ -15,6 +15,10 @@ namespaces.
A cluster-admin ClusterRole is defined by default for such a user. To create A cluster-admin ClusterRole is defined by default for such a user. To create
an admin service account with cluster-admin role, use the following procedure: an admin service account with cluster-admin role, use the following procedure:
.. note::
It is recommended that you create and manage service accounts within the
kube-system namespace.
.. rubric:: |proc| .. rubric:: |proc|
#. Create the user definition. #. Create the user definition.
@ -61,3 +65,8 @@ an admin service account with cluster-admin role, use the following procedure:
access using tools such as :command:`kubectl` and :command:`helm` for a access using tools such as :command:`kubectl` and :command:`helm` for a
service account such as this. service account such as this.
.. note::
|prod| can also use user accounts defined in an external Windows Active
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
Auth Applications <configure-oidc-auth-applications>`.

108
doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst
View File

@ -1,108 +0,0 @@
.. qtr1594910639395
.. _creating-certificates-locally-using-cert-manager-on-the-controller:
================================================================
Create Certificates Locally using cert-manager on the Controller
================================================================
You can use :command:`cert-manager` to locally create certificates suitable for
use in a lab environment.
.. rubric:: |proc|
#. Create a Root |CA| Certificate and Key.
#. Create a self-signing issuer.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: my-selfsigning-issuer
spec:
selfSigned: {}
" | kubectl apply -f -
#. Create a Root |CA| certificate and key.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: my-rootca-certificate
spec:
secretName: my-rootca-certificate
commonName: "my-rootca"
isCA: true
issuerRef:
name: my-selfsigning-issuer
kind: Issuer
" | kubectl apply -f -
#. Create a Root |CA| Issuer.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
name: my-rootca-issuer
spec:
ca:
secretName: my-rootca-certificate
" | kubectl apply -f -
#. Create files for the Root |CA| certificate and key.
.. code-block:: none
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
#. Create and sign a Server certificate and key
#. Create the Server certificate and key.
.. code-block:: none
$ echo "
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
name: my-server-certificate
spec:
secretName: my-server-certificate
duration: 2160h # 90d
renewBefore: 360h # 15d
organization:
- WindRiver
commonName: 1.1.1.1
dnsNames:
- myserver.wrs.com
ipAddresses:
- 1.1.1.1
issuerRef:
name: my-rootca-issuer
kind: Issuer
" | kubectl apply -f -
#. Create the |PEM| files for Server certificate and key.
.. code-block:: none
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
#. Combine the server certificate and key in a single file.
.. code-block:: none
$ cat my-server-cert.pem my-server-key.pem > my-server.pem

64
doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst
View File

@ -1,64 +0,0 @@
.. rmn1594906401238
.. _creating-certificates-locally-using-openssl:
=========================================
Create Certificates Locally using openssl
=========================================
You can use :command:`openssl` to locally create certificates suitable for use
in a lab environment.
.. rubric:: |proc|
.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
#. Create a Root |CA| Certificate and Key
#. Create the Root |CA| private key.
.. code-block:: none
$ openssl genrsa -out my-root-ca-key.pem 2048
#. Generate the Root |CA| x509 certificate.
.. code-block:: none
$ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
#. Create and sign a server certificate and key.
#. Create the server private key.
.. code-block:: none
$ openssl genrsa -out my-server-key.pem 2048
#. Create the Server certificate signing request \(csr\).
Specify CN=<WRCP-OAM-Floating-IP> and do **not** specify a challenge
password.
.. code-block:: none
$ openssl req -new -key my-server-key.pem -out my-server.csr
#. Create the |SANs| list.
.. code-block:: none
$ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
#. Use the my-root-ca to sign the server certificate.
.. code-block:: none
$ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
#. Put the server certificate and key in a single file.
.. code-block:: none
$ cat my-server-cert.pem my-server-key.pem > my-server.pem

9
doc/source/security/kubernetes/https-access-overview.rst
View File

@ -14,19 +14,10 @@ These include:
.. _https-access-overview-ul-eyn-5ln-gjb: .. _https-access-overview-ul-eyn-5ln-gjb:
- |prod| REST API applications and the |prod| web administration server
- Kubernetes API
- Local Docker registry
.. contents:: .. contents::
:local: :local:
:depth: 1 :depth: 1
You can also add a trusted Certificate Authority \(CA\) for the |prod| system.
.. _https-access-overview-section-N10048-N10024-N10001: .. _https-access-overview-section-N10048-N10024-N10001:
------------------------------------------------------- -------------------------------------------------------

106
doc/source/security/kubernetes/index.rst
View File

@ -7,57 +7,13 @@ System Accounts
*************** ***************
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 2
types-of-system-accounts types-of-system-accounts
overview-of-system-accounts overview-of-system-accounts
kube-service-account kube-service-account
keystone-accounts keystone-accounts
remote-windows-active-directory-accounts remote-windows-active-directory-accounts
Linux User Accounts
*******************
.. toctree::
:maxdepth: 1
the-sysadmin-account
local-ldap-linux-user-accounts
create-ldap-linux-accounts
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
establish-keystone-credentials-from-a-linux-account
estabilish-credentials-for-linux-user-accounts
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login
Kubernetes Service Accounts
***************************
.. toctree::
:maxdepth: 1
kubernetes-service-accounts
create-an-admin-type-service-account
Keystone Accounts
*****************
.. toctree::
:maxdepth: 1
about-keystone-accounts
keystone-account-authentication
manage-keystone-accounts
configure-the-keystone-token-expiration-time
password-recovery
Password Rules
**************
.. toctree::
:maxdepth: 1
starlingx-system-accounts-system-account-password-rules starlingx-system-accounts-system-account-password-rules
***************** *****************
@ -70,9 +26,6 @@ Access the System
configure-local-cli-access configure-local-cli-access
remote-access-index remote-access-index
security-access-the-gui security-access-the-gui
configure-http-and-https-ports-for-horizon-using-the-cli
configure-horizon-user-lockout-on-failed-logins
install-the-kubernetes-dashboard
security-rest-api-access security-rest-api-access
connect-to-container-registries-through-a-firewall-or-proxy connect-to-container-registries-through-a-firewall-or-proxy
@ -129,21 +82,18 @@ Firewall Options
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
security-firewall-options
security-default-firewall-rules security-default-firewall-rules
security-firewall-options
************************* *************************
Secure HTTPS Connectivity Secure HTTPS Connectivity
************************* *************************
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 2
https-access-overview https-access-overview
starlingx-rest-api-applications-and-the-web-administration-server starlingx-rest-api-applications-and-the-web-administration-server
enable-https-access-for-starlingx-rest-and-web-server-endpoints
install-update-the-starlingx-rest-and-web-server-certificate
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
kubernetes-root-ca-certificate kubernetes-root-ca-certificate
security-install-update-the-docker-registry-certificate security-install-update-the-docker-registry-certificate
add-a-trusted-ca add-a-trusted-ca
@ -157,17 +107,7 @@ Cert Manager
security-cert-manager security-cert-manager
the-cert-manager-bootstrap-process the-cert-manager-bootstrap-process
cert-manager-post-installation-setup
Post Installation Setup
***********************
.. toctree::
:maxdepth: 1
firewall-port-overrides
enable-public-use-of-the-cert-manager-acmesolver-image
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
****************************** ******************************
Portieris Admission Controller Portieris Admission Controller
@ -178,8 +118,8 @@ Portieris Admission Controller
portieris-overview portieris-overview
install-portieris install-portieris
remove-portieris
portieris-clusterimagepolicy-and-imagepolicy-configuration portieris-clusterimagepolicy-and-imagepolicy-configuration
remove-portieris
******************************** ********************************
Vault Secret and Data Management Vault Secret and Data Management
@ -190,16 +130,9 @@ Vault Secret and Data Management
security-vault-overview security-vault-overview
install-vault install-vault
remove-vault
Configure Vault
***************
.. toctree::
:maxdepth: 1
configure-vault configure-vault
configure-vault-using-the-cli configure-vault-using-the-cli
remove-vault
************************************** **************************************
Encrypt Kubernetes Secret Data at Rest Encrypt Kubernetes Secret Data at Rest
@ -227,8 +160,6 @@ Operator Command Logging
:maxdepth: 1 :maxdepth: 1
operator-command-logging operator-command-logging
operator-login-authentication-logging
operator-command-logging
**************** ****************
UEFI Secure Boot UEFI Secure Boot
@ -240,15 +171,6 @@ UEFI Secure Boot
overview-of-uefi-secure-boot overview-of-uefi-secure-boot
use-uefi-secure-boot use-uefi-secure-boot
***********************
Trusted Platform Module
***********************
.. toctree::
:maxdepth: 1
tpm-configuration-considerations
*********************************** ***********************************
Authentication of Software Delivery Authentication of Software Delivery
*********************************** ***********************************
@ -267,16 +189,6 @@ Security Feature Configuration for Spectre and Meltdown
security-feature-configuration-for-spectre-and-meltdown security-feature-configuration-for-spectre-and-meltdown
***************************
Locally Create Certificates
***************************
.. toctree::
:maxdepth: 1
create-certificates-locally-using-openssl
create-certificates-locally-using-cert-manager-on-the-controller
***************************** *****************************
Security Hardening Guidelines Security Hardening Guidelines
***************************** *****************************
@ -318,11 +230,11 @@ Security Features
isolate-starlingx-internal-cloud-management-network isolate-starlingx-internal-cloud-management-network
*************************************** ***************************************
Appendix: Locally creating certifciates Appendix: Locally creating certificates
*************************************** ***************************************
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1
creating-certificates-locally-using-cert-manager-on-the-controller create-certificates-locally-using-openssl
creating-certificates-locally-using-openssl create-certificates-locally-using-cert-manager-on-the-controller

14
doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst
View File

@ -2,9 +2,9 @@
.. law1570030645265 .. law1570030645265
.. _install-update-the-starlingx-rest-and-web-server-certificate: .. _install-update-the-starlingx-rest-and-web-server-certificate:
================================================================= ============================================================
Install/Update the StarlingX Rest and Web Server Certificate Install/Update the StarlingX Rest and Web Server Certificate
================================================================= ============================================================
Use the following procedure to install or update the certificate for the REST Use the following procedure to install or update the certificate for the REST
API application endpoints \(Keystone, Barbican and StarlingX\) and the web API application endpoints \(Keystone, Barbican and StarlingX\) and the web
@ -18,12 +18,10 @@ Intermediate or Root |CA| that you are using, on how to create public
certificate and private key pairs, signed by intermediate or a Root |CA|, for certificate and private key pairs, signed by intermediate or a Root |CA|, for
HTTPS. HTTPS.
.. xbooklink For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a test
For lab purposes, see :ref:`Locally Creating Certificates intermediate or Root |CA| certificate and key, and use it to sign test
<creating-certificates-locally-using-openssl>` for how to create a test certificates.
intermediate or Root |CA| certificate and key, and use it to sign test
certificates.
Put the |PEM| encoded versions of the certificate and key in a single file, Put the |PEM| encoded versions of the certificate and key in a single file,
and copy the file to the controller host. and copy the file to the controller host.

10
doc/source/security/kubernetes/keystone-accounts.rst
View File

@ -10,5 +10,13 @@ Keystone Accounts
StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker
Registry. |prod|'s Keystone uses the default local SQL Backend. Registry. |prod|'s Keystone uses the default local SQL Backend.
See :ref:`About Keystone Accounts <about-keystone-accounts>` for more details. See :ref:`Keystone Accounts <about-keystone-accounts>` for more details.
.. toctree::
:maxdepth: 1
about-keystone-accounts
keystone-account-authentication
manage-keystone-accounts
configure-the-keystone-token-expiration-time
password-recovery

5
doc/source/security/kubernetes/kube-service-account.rst
View File

@ -9,6 +9,7 @@ Kubernetes Service Accounts
|prod| uses Kubernetes service accounts and |RBAC| policies for authentication |prod| uses Kubernetes service accounts and |RBAC| policies for authentication
and authorization of users of the Kubernetes API, |CLI|, and Dashboard. and authorization of users of the Kubernetes API, |CLI|, and Dashboard.
See :ref:`Kubernetes Service Accounts <kubernetes-service-accounts>` for more .. toctree::
details. :maxdepth: 1
create-an-admin-type-service-account

23
doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst
View File

@ -14,11 +14,9 @@ It is recommended that you update the Kubernetes Root |CA| and with a custom
Root |CA| certificate and key, generated by yourself, and trusted by external Root |CA| certificate and key, generated by yourself, and trusted by external
servers connecting to the |prod|'s Kubernetes API endpoint. servers connecting to the |prod|'s Kubernetes API endpoint.
.. xbooklink See :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for how to create a private Root
See :ref:`Locally Creating Certificates |CA| certificate and key.
<creating-certificates-locally-using-openssl>` for how to create a
private Root |CA| certificate and key.
.. caution:: .. caution::
The default duration for the generated Kubernetes Root CA certificate is 10 The default duration for the generated Kubernetes Root CA certificate is 10
@ -41,16 +39,23 @@ certificate and key for the Kubernetes root |CA|.
Specifies the certificate for the Kubernetes root |CA|. The Specifies the certificate for the Kubernetes root |CA|. The
<k8s\_root\_ca\_cert> value is the absolute path of the certificate <k8s\_root\_ca\_cert> value is the absolute path of the certificate
file. The certificate must be in |PEM| format and the value must be file. The certificate must be in |PEM| format and the value must be
provided as part of a pair with <k8s\_root\_ca\_key>. The playbook will provided as part of a pair with <k8s\_root\_ca\_key>.
not proceed if only one value is provided.
**<k8s\_root\_ca\_key>** **<k8s\_root\_ca\_key>**
Specifies the key for the Kubernetes root |CA|. The <k8s\_root\_ca\_key> Specifies the key for the Kubernetes root |CA|. The <k8s\_root\_ca\_key>
value is the absolute path of the certificate file. The certificate value is the absolute path of the certificate file. The certificate
must be in |PEM| format and the value must be provided as part of a pair must be in |PEM| format and the value must be provided as part of a pair
with <k8s\_root\_ca\_cert>. The playbook will not proceed if only one with <k8s\_root\_ca\_cert>.
value is provided.
For example:
.. code-block:: none
k8s_root_ca_cert: /home/sysadmin/mystarlingx-k8s-rootca-certificate.pem
k8s_root_ca_key: /home/sysadmin/mystarlingx-k8s-rootca-certificate-key.pem
The playbook will not proceed if only one value is provided.
.. caution:: .. caution::
The default duration for the generated Kubernetes Root |CA| The default duration for the generated Kubernetes Root |CA|

27
doc/source/security/kubernetes/kubernetes-service-accounts.rst
View File

@ -1,27 +0,0 @@
.. oud1564679022947
.. _kubernetes-service-accounts:
===========================
Kubernetes Service Accounts
===========================
|prod| uses Kubernetes service accounts and Kubernetes |RBAC| policies to
identify and manage remote access to Kubernetes resources using the
Kubernetes API, kubectl CLI or the Kubernetes Dashboard.
.. note::
|prod| can also use user accounts defined in an external Windows Active
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
Auth Applications <configure-oidc-auth-applications>`.
You can create and manage Kubernetes service accounts using
:command:`kubectl` as shown below.
.. note::
It is recommended that you create and manage service accounts within the
kube-system namespace. See :ref:`Create an Admin Type Service
Account <create-an-admin-type-service-account>`

35
doc/source/security/kubernetes/manage-keystone-accounts.rst
View File

@ -9,42 +9,13 @@ Manage Keystone Accounts
See See
`https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html `https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html
<https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_ <https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_
_ for details on managing Keystone projects, users, and roles. for details on managing Keystone projects, users, and roles.
All Kubernetes accounts are subject to system password rules. For complete All Kubernetes accounts are subject to system password rules. For complete
details on password rules, see :ref:`System Account Password Rules details on password rules, see :ref:`System Account Password Rules
<starlingx-system-accounts-system-account-password-rules>`. <starlingx-system-accounts-system-account-password-rules>`.
If you are using when changing the keystone 'admin' user password, you must: .. only:: partner
.. _managing-keystone-accounts-ol-wyq-l4d-mmb: .. include:: /_includes/manage-keystone-accounts.rest
#. If the **deployment-config.yaml** file has been moved off-box for security
reasons, upload the file back to the system to be updated.
.. warning::
The **deployment-config.yaml** file includes sensitive information
\(including system credentials and passwords\). For increased security,
it is recommended to store the **deployment-config.yaml** in a safe
location off-box. Upload the file to the system only when it is
required \(during initial configuration, and when reapplying an updated
configuration\).
#. Update the password in the 'system-endpoint' secret in the 's
deployment-config.yaml file, with the new keystone 'admin' user password.
Make this change to the OS\_PASSWORD value. It must be base64 encoded. For
example:
.. code-block:: none
OS_PASSWORD: U3Q4cmxpbmdYKg==
#. Apply the updated deployment configuration.
.. code-block:: none
kubectl apply -f deployment-config.yaml
#. \(Optional\) For security reasons, copy the updated
**deployment-config.yaml** file off-box and delete it from the system.

21
doc/source/security/kubernetes/overview-of-system-accounts.rst
View File

@ -2,9 +2,9 @@
.. lgd1552571882796 .. lgd1552571882796
.. _overview-of-system-accounts: .. _overview-of-system-accounts:
================== ===================
Linux UserAccounts Linux User Accounts
================== ===================
A brief description of the system accounts available in a |prod| system. A brief description of the system accounts available in a |prod| system.
@ -33,3 +33,18 @@ A brief description of the system accounts available in a |prod| system.
For security reasons, it is recommended that ONLY admin level users be For security reasons, it is recommended that ONLY admin level users be
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
strictly use remote |CLIs| or remote web GUIs. strictly use remote |CLIs| or remote web GUIs.
For more information, refer to the following:
.. toctree::
:maxdepth: 1
the-sysadmin-account
local-ldap-linux-user-accounts
create-ldap-linux-accounts
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
estabilish-credentials-for-linux-user-accounts
establish-keystone-credentials-from-a-linux-account
starlingx-openstack-kubernetes-from-stsadmin-account-login
kubernetes-cli-from-local-ldap-linux-account-login

6
doc/source/security/kubernetes/password-recovery.rst
View File

@ -2,9 +2,9 @@
.. not1578924824783 .. not1578924824783
.. _password-recovery: .. _password-recovery:
================= ==========================
Password Recovery Keystone Password Recovery
================= ==========================
.. rubric:: |context| .. rubric:: |context|

6
doc/source/security/kubernetes/secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm.rst
View File

@ -37,10 +37,8 @@ re-installed, in order to update the new standby controller's |TPM| device.
public certificate and private key pairs, signed by an intermediate or public certificate and private key pairs, signed by an intermediate or
Root-signed |CA|, for HTTPS. Root-signed |CA|, for HTTPS.
.. xbooklink For lab purposes, see :ref:`Create Certificates Locally using openssl
<create-certificates-locally-using-openssl>` for details on how to create
For lab purposes, see :ref:`Locally Creating Certificates
<creating-certificates-locally-using-openssl>` for details on how to create
a test intermediate or Root |CA| certificate and key, and use it to sign a test intermediate or Root |CA| certificate and key, and use it to sign
test certificates. test certificates.

9
doc/source/security/kubernetes/security-access-the-gui.rst
View File

@ -44,3 +44,12 @@ from a browser.
<install-the-kubernetes-dashboard>` for information on how to install <install-the-kubernetes-dashboard>` for information on how to install
the Kubernetes Dashboard and create a Kubernetes service account for the Kubernetes Dashboard and create a Kubernetes service account for
the admin user to use the dashboard. the admin user to use the dashboard.
For more information, refer to the following:
.. toctree::
:maxdepth: 1
configure-http-and-https-ports-for-horizon-using-the-cli
configure-horizon-user-lockout-on-failed-logins
install-the-kubernetes-dashboard

6
doc/source/security/kubernetes/security-firewall-options.rst
View File

@ -2,9 +2,9 @@
.. zlk1582057887959 .. zlk1582057887959
.. _security-firewall-options: .. _security-firewall-options:
================ =======================
Firewall Options Modify Firewall Options
================ =======================
|prod| incorporates a default firewall for the |OAM| network. You can configure |prod| incorporates a default firewall for the |OAM| network. You can configure
additional Kubernetes Network Policies in order to augment or override the additional Kubernetes Network Policies in order to augment or override the

30
doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst
View File

@ -2,11 +2,11 @@
.. vri1561486014514 .. vri1561486014514
.. _security-install-update-the-docker-registry-certificate: .. _security-install-update-the-docker-registry-certificate:
============================================== =================================
Install/Update the Docker Registry Certificate Local Docker Registry Certificate
============================================== =================================
The local docker registry provides secure HTTPS access using the registry API. The local Docker registry provides secure HTTPS access using the registry API.
.. rubric:: |context| .. rubric:: |context|
@ -33,8 +33,10 @@ intermediate or Root |CA|. Refer to the documentation for the external Root
|CA| that you are using, on how to create public certificate and private key |CA| that you are using, on how to create public certificate and private key
pairs, signed by an intermediate or Root |CA|, for HTTPS. pairs, signed by an intermediate or Root |CA|, for HTTPS.
For lab purposes, see Appendix A for how to create a test intermediate or Root For lab purposes, see :ref:`Create Certificates Locally using openssl
|CA| certificate and key, and use it to sign test certificates. <create-certificates-locally-using-openssl>` for how to create a test
intermediate or Root |CA| certificate and key, and use it to sign test
certificates.
Put the |PEM| encoded versions of the certificate and key in a single file, Put the |PEM| encoded versions of the certificate and key in a single file,
and copy the file to the controller host. and copy the file to the controller host.
@ -47,9 +49,9 @@ above certificate.
.. _security-install-update-the-docker-registry-certificate-d527e71: .. _security-install-update-the-docker-registry-certificate-d527e71:
#. In order to enable internal use of the docker registry certificate, #. In order to enable internal use of the Docker registry certificate,
update the trusted |CA| list for this system with the Root |CA| associated update the trusted |CA| list for this system with the Root |CA| associated
with the docker registry certificate. with the Docker registry certificate.
.. code-block:: none .. code-block:: none
@ -58,15 +60,15 @@ above certificate.
where: where:
**<pathTocertificate>** ``<pathTocertificate>``
is the path to the intermediate or Root |CA| certificate associated is the path to the intermediate or Root |CA| certificate associated
with the docker registry's intermediate or Root |CA|-signed with the Docker registry's intermediate or Root |CA|-signed
certificate. certificate.
#. Update the docker registry certificate using the #. Update the Docker registry certificate using the
:command:`certificate-install` command. :command:`certificate-install` command.
Set the mode \(-m or --mode\) parameter to docker\_registry. Set the ``mode (-m or --mode)`` parameter to ``docker_registry``.
.. code-block:: none .. code-block:: none
@ -75,8 +77,8 @@ above certificate.
where: where:
**<pathTocertificateAndKey>** ``<pathTocertificateAndKey>``
is the path to the file containing both the docker registry's is the path to the file containing both the Docker registry's
intermediate or Root CA-signed certificate and private key to install. intermediate or Root CA-signed certificate and private key to install.

15
doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server.rst
View File

@ -2,9 +2,9 @@
.. xlb1552573425956 .. xlb1552573425956
.. _starlingx-rest-api-applications-and-the-web-administration-server: .. _starlingx-rest-api-applications-and-the-web-administration-server:
================================================================= =============================================================================
StarlingX REST API Applications and the Web Administration Server StarlingX REST API Applications and the Web Administration Server Certificate
================================================================= =============================================================================
|prod| provides support for secure HTTPS external connections used for |prod| provides support for secure HTTPS external connections used for
StarlingX REST API application endpoints \(Keystone, Barbican and StarlingX REST API application endpoints \(Keystone, Barbican and
@ -29,3 +29,12 @@ recommended.
You can update the certificate used for HTTPS access at any time. You can update the certificate used for HTTPS access at any time.
For more details, refer to:
.. toctree::
:maxdepth: 1
enable-https-access-for-starlingx-rest-and-web-server-endpoints
install-update-the-starlingx-rest-and-web-server-certificate
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
tpm-configuration-considerations

33
doc/source/security/kubernetes/the-cert-manager-bootstrap-process.rst
View File

@ -2,13 +2,16 @@
.. gks1588335341933 .. gks1588335341933
.. _the-cert-manager-bootstrap-process: .. _the-cert-manager-bootstrap-process:
================================== =====================================
The cert-manager Bootstrap Process Configure cert-manager at Bootstrap
================================== =====================================
Both nginx-ingress-controller and cert-manager are packaged as armada system Both nginx-ingress-controller and cert-manager are installed at bootstrap time
applications managed via :command:`system application-\*` and with defaults appropriate to most use cases, but their configuration can be
:command:`system helm-override-\*` commands. modified at bootstrap.
Nginx-ingress-controller and cert-manager are packaged as armada system
applications.
Both system applications are uploaded and applied, by default, as part of Both system applications are uploaded and applied, by default, as part of
the bootstrap phase of the |prod-long| installation. the bootstrap phase of the |prod-long| installation.
@ -25,10 +28,10 @@ contains the following definition:
As with other parameters in default.yml, you can override this definition in As with other parameters in default.yml, you can override this definition in
$HOME/localhost.yml. In the case of the applications: parameter, do this to $HOME/localhost.yml. In the case of the ``applications``: parameter, do this to
change the application helm overrides for an application. change the application helm overrides for an application.
The full general syntax for the applications: structure is: The full general syntax for the ``applications:`` structure is:
.. code-block:: none .. code-block:: none
@ -47,7 +50,7 @@ The full general syntax for the applications: structure is:
namespace: kube-system namespace: kube-system
values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml
If you do override applications: in $HOME/localhost.yml, note the following: If you do override ``applications:`` in $HOME/localhost.yml, note the following:
.. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb: .. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb:
@ -59,7 +62,8 @@ If you do override applications: in $HOME/localhost.yml, note the following:
and must be in this order, otherwise bootstrap fails. and must be in this order, otherwise bootstrap fails.
|org| recommends that you copy applications: from default.yml and add in any required overrides. |org| recommends that you copy ``applications:`` from default.yml and add in
any required overrides.
At a high-level, the default configuration for the two mandatory applications is: At a high-level, the default configuration for the two mandatory applications is:
@ -69,11 +73,11 @@ At a high-level, the default configuration for the two mandatory applications is
- nginx-ingress-controller - nginx-ingress-controller
- Runs as a DaemonSet only on masters/controllers - Runs as a DaemonSet only on masters/controllers.
- Uses host networking, which means it can use any port numbers. - Uses host networking, which means it can use any port numbers.
Does not change the nginx default ports of 80 and 443. - Does not change the nginx default ports of 80 and 443.
- Has a default backend. - Has a default backend.
@ -88,13 +92,12 @@ At a high-level, the default configuration for the two mandatory applications is
- The deployment replicaCount is set to 1 for bootstrap. - The deployment replicaCount is set to 1 for bootstrap.
.. note:: .. note::
replicaCount can NOT be changed at bootstrap time. The second controller replicaCount can NOT be changed at bootstrap time. The second controller
must be configured and unlocked before replicaCount can be set to 2. must be configured and unlocked before replicaCount can be set to 2.
The Helm Chart Values that you can override are described at on the following web pages: The Helm Chart Values that you can override are described on the following
web pages:
.. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb: .. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb:

10
doc/source/security/kubernetes/types-of-system-accounts.rst
View File

@ -6,10 +6,7 @@
Types of System Accounts Types of System Accounts
======================== ========================
This Chapter describes the system accounts available in a |prod| This Chapter describes the system accounts available in a |prod| system.
system.
For more information, see:
.. _types-of-system-accounts-ul-rms-mwk-znb: .. _types-of-system-accounts-ul-rms-mwk-znb:
@ -19,7 +16,4 @@ For more information, see:
- :ref:`Keystone Accounts <keystone-accounts>` - :ref:`Keystone Accounts <keystone-accounts>`
- :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>` - :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
- :ref:`Linux User Accounts <overview-of-system-accounts>`