docs/doc/source/security/kubernetes/deprovision-windows-active-directory-authentication.rst


.. luo1591184217439
.. _deprovision-windows-active-directory-authentication:

===================================================
Deprovision Windows Active Directory Authentication
===================================================

You can remove Windows Active Directory authentication from |prod-long|.

.. rubric:: |proc|

#.  Remove the configuration of kube-apiserver to use oidc-auth-apps for
    authentication.


    #.  Determine the UUIDs of parameters used in the kubernetes **kube-apiserver** group.

        These include oidc\_client\_id, oidc\_groups\_claim,
        oidc\_issuer\_url and oidc\_username\_claim.

        .. code-block:: none

            ~(keystone_admin)$ system service-parameter-list

    #.  Delete each parameter.

        .. code-block:: none

            ~(keystone_admin)$ system service-parameter-delete <UUID>

    #.  Apply the changes.

        .. code-block:: none

            ~(keystone_admin)$ system service-parameter-apply kubernetes


#.  Uninstall oidc-auth-apps.

    .. code-block:: none

        ~(keystone_admin)$ system application-remove oidc-auth-apps

#.  Clear the helm-override configuration.

    .. code-block:: none

        ~(keystone_admin)$ system helm-override-update oidc-auth-apps dex kube-system --reset-values
        ~(keystone_admin)$ system helm-override-show oidc-auth-apps dex kube-system

        ~(keystone_admin)$ system helm-override-update oidc-auth-apps oidc-client kube-system --reset-values
        ~(keystone_admin)$ system helm-override-show oidc-auth-apps oidc-client kube-system

#.  Remove secrets that contain certificate data.

    .. code-block:: none

        ~(keystone_admin)$ kubectl delete secret local-dex.tls -n kube-system
        ~(keystone_admin)$ kubectl delete secret dex-client-secret -n kube-system
        ~(keystone_admin)$ kubectl delete secret wadcert -n kube-system

#.  Remove any |RBAC| RoleBindings added for |OIDC| users and/or groups.

    For example:

    .. code-block:: none

        $ kubectl delete clusterrolebinding testuser-rolebinding
        $ kubectl delete clusterrolebinding billingdeptgroup-rolebinding
Security guide update Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com> 2020-08-31 11:01:56 -04:00
			`.. luo1591184217439`
			`.. _deprovision-windows-active-directory-authentication:`

			`===================================================`
			`Deprovision Windows Active Directory Authentication`
			`===================================================`

			`You can remove Windows Active Directory authentication from \|prod-long\|.`

			`.. rubric:: \|proc\|`

			`#. Remove the configuration of kube-apiserver to use oidc-auth-apps for`
			`authentication.`


			`#. Determine the UUIDs of parameters used in the kubernetes kube-apiserver group.`

			`These include oidc\_client\_id, oidc\_groups\_claim,`
			`oidc\_issuer\_url and oidc\_username\_claim.`

			`.. code-block:: none`

			`~(keystone_admin)$ system service-parameter-list`

			`#. Delete each parameter.`

			`.. code-block:: none`

			`~(keystone_admin)$ system service-parameter-delete <UUID>`

			`#. Apply the changes.`

			`.. code-block:: none`

			`~(keystone_admin)$ system service-parameter-apply kubernetes`


			`#. Uninstall oidc-auth-apps.`

			`.. code-block:: none`

			`~(keystone_admin)$ system application-remove oidc-auth-apps`

			`#. Clear the helm-override configuration.`

			`.. code-block:: none`

			`~(keystone_admin)$ system helm-override-update oidc-auth-apps dex kube-system --reset-values`
			`~(keystone_admin)$ system helm-override-show oidc-auth-apps dex kube-system`

			`~(keystone_admin)$ system helm-override-update oidc-auth-apps oidc-client kube-system --reset-values`
			`~(keystone_admin)$ system helm-override-show oidc-auth-apps oidc-client kube-system`

			`#. Remove secrets that contain certificate data.`

			`.. code-block:: none`

			`~(keystone_admin)$ kubectl delete secret local-dex.tls -n kube-system`
			`~(keystone_admin)$ kubectl delete secret dex-client-secret -n kube-system`
			`~(keystone_admin)$ kubectl delete secret wadcert -n kube-system`

			`#. Remove any \|RBAC\| RoleBindings added for \|OIDC\| users and/or groups.`

			`For example:`

			`.. code-block:: none`

			`$ kubectl delete clusterrolebinding testuser-rolebinding`
			`$ kubectl delete clusterrolebinding billingdeptgroup-rolebinding`