Editorial updates on Security Guide upstream
Acted on Greg's comments Patch 1: Deleted duplicated docs and corrected references to fix build failure Patch 2: Acted on Greg's and Ron's comments. Patch 3: Acted on Greg's comment. Patch 4: Acted on Mary's comments. Patch 5: Solved merge conflict. Patch 6: Worked on Mary's comments. Patch 7: Fixed build conflict. Patch 8: Worked on Mary's comments. https://review.opendev.org/c/starlingx/docs/+/792461 Signed-off-by: egoncalv <elisamaraaoki.goncalves@windriver.com> Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4
This commit is contained in:
parent
b0906101ef
commit
5579744656
0
doc/source/_includes/manage-keystone-accounts.rest
Normal file
0
doc/source/_includes/manage-keystone-accounts.rest
Normal file
@ -34,10 +34,12 @@ for the external Root CA that you are using, on how to create public
|
||||
certificate and private key pairs, signed by an intermediate or Root CA, for
|
||||
HTTPS.
|
||||
|
||||
.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating
|
||||
Certificates <creating-certificates-locally-using-openssl>` to create a
|
||||
Intermediate or test Root CA certificate and key, and use it to sign test
|
||||
certificates.
|
||||
.. xreflink
|
||||
|
||||
For lab purposes, see |sec-doc|: :ref:`Create Certificates Locally
|
||||
using openssl <create-certificates-locally-using-openssl>` to create an
|
||||
Intermediate or test Root CA certificate and key, and use it to sign test
|
||||
certificates.
|
||||
|
||||
Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and
|
||||
key in a single file, and copy the file to the controller host.
|
||||
|
@ -2,9 +2,9 @@
|
||||
.. ibp1552572465781
|
||||
.. _about-keystone-accounts:
|
||||
|
||||
=======================
|
||||
About Keystone Accounts
|
||||
=======================
|
||||
=================
|
||||
Keystone Accounts
|
||||
=================
|
||||
|
||||
|prod| uses tenant accounts and user accounts to identify and manage access to
|
||||
StarlingX resources, and images in the Local Docker Registry.
|
||||
|
@ -2,9 +2,9 @@
|
||||
.. qfk1564403051860
|
||||
.. _add-a-trusted-ca:
|
||||
|
||||
================
|
||||
Add a Trusted CA
|
||||
================
|
||||
==============================
|
||||
Manage Trusted CA Certificates
|
||||
==============================
|
||||
|
||||
Generally a trusted |CA| certificate needs to be added if |prod| clients on
|
||||
the hosts will be connecting to server\(s\) secured with SSL and whose
|
||||
|
@ -0,0 +1,17 @@
|
||||
|
||||
|
||||
.. _cert-manager-post-installation-setup:
|
||||
|
||||
====================================
|
||||
Cert-Manager Post Installation Setup
|
||||
====================================
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
firewall-port-overrides
|
||||
enable-public-use-of-the-cert-manager-acmesolver-image
|
||||
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
|
||||
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
|
||||
|
||||
|
@ -2,9 +2,9 @@
|
||||
.. cms1597171128588
|
||||
.. _configure-vault-using-the-cli:
|
||||
|
||||
=============================
|
||||
Configure Vault Using the CLI
|
||||
=============================
|
||||
===================================
|
||||
Configure Vault Using the Vault CLI
|
||||
===================================
|
||||
|
||||
After Vault has been installed, you can configure Vault for use with |prod|
|
||||
using the |CLI|. This section describes the minimum configuration
|
||||
|
@ -2,9 +2,9 @@
|
||||
.. xgp1596216287484
|
||||
.. _configure-vault:
|
||||
|
||||
===============
|
||||
Configure Vault
|
||||
===============
|
||||
========================================
|
||||
Configure Vault Using the Vault REST API
|
||||
========================================
|
||||
|
||||
After Vault has been installed, you can configure Vault for use by hosted
|
||||
Kubernetes applications on |prod|. This section describes the minimum
|
||||
|
@ -15,6 +15,10 @@ namespaces.
|
||||
A cluster-admin ClusterRole is defined by default for such a user. To create
|
||||
an admin service account with cluster-admin role, use the following procedure:
|
||||
|
||||
.. note::
|
||||
It is recommended that you create and manage service accounts within the
|
||||
kube-system namespace.
|
||||
|
||||
.. rubric:: |proc|
|
||||
|
||||
#. Create the user definition.
|
||||
@ -61,3 +65,8 @@ an admin service account with cluster-admin role, use the following procedure:
|
||||
access using tools such as :command:`kubectl` and :command:`helm` for a
|
||||
service account such as this.
|
||||
|
||||
.. note::
|
||||
|prod| can also use user accounts defined in an external Windows Active
|
||||
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
|
||||
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
|
||||
Auth Applications <configure-oidc-auth-applications>`.
|
@ -1,108 +0,0 @@
|
||||
|
||||
.. qtr1594910639395
|
||||
.. _creating-certificates-locally-using-cert-manager-on-the-controller:
|
||||
|
||||
================================================================
|
||||
Create Certificates Locally using cert-manager on the Controller
|
||||
================================================================
|
||||
|
||||
You can use :command:`cert-manager` to locally create certificates suitable for
|
||||
use in a lab environment.
|
||||
|
||||
.. rubric:: |proc|
|
||||
|
||||
#. Create a Root |CA| Certificate and Key.
|
||||
|
||||
#. Create a self-signing issuer.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ echo "
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: my-selfsigning-issuer
|
||||
spec:
|
||||
selfSigned: {}
|
||||
" | kubectl apply -f -
|
||||
|
||||
#. Create a Root |CA| certificate and key.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ echo "
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: my-rootca-certificate
|
||||
spec:
|
||||
secretName: my-rootca-certificate
|
||||
commonName: "my-rootca"
|
||||
isCA: true
|
||||
issuerRef:
|
||||
name: my-selfsigning-issuer
|
||||
kind: Issuer
|
||||
" | kubectl apply -f -
|
||||
|
||||
#. Create a Root |CA| Issuer.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ echo "
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Issuer
|
||||
metadata:
|
||||
name: my-rootca-issuer
|
||||
spec:
|
||||
ca:
|
||||
secretName: my-rootca-certificate
|
||||
" | kubectl apply -f -
|
||||
|
||||
|
||||
#. Create files for the Root |CA| certificate and key.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem
|
||||
$ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem
|
||||
|
||||
|
||||
#. Create and sign a Server certificate and key
|
||||
|
||||
#. Create the Server certificate and key.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ echo "
|
||||
apiVersion: cert-manager.io/v1alpha2
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: my-server-certificate
|
||||
spec:
|
||||
secretName: my-server-certificate
|
||||
duration: 2160h # 90d
|
||||
renewBefore: 360h # 15d
|
||||
organization:
|
||||
- WindRiver
|
||||
commonName: 1.1.1.1
|
||||
dnsNames:
|
||||
- myserver.wrs.com
|
||||
ipAddresses:
|
||||
- 1.1.1.1
|
||||
issuerRef:
|
||||
name: my-rootca-issuer
|
||||
kind: Issuer
|
||||
" | kubectl apply -f -
|
||||
|
||||
#. Create the |PEM| files for Server certificate and key.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem
|
||||
$ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem
|
||||
|
||||
#. Combine the server certificate and key in a single file.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
@ -1,64 +0,0 @@
|
||||
|
||||
.. rmn1594906401238
|
||||
.. _creating-certificates-locally-using-openssl:
|
||||
|
||||
=========================================
|
||||
Create Certificates Locally using openssl
|
||||
=========================================
|
||||
|
||||
You can use :command:`openssl` to locally create certificates suitable for use
|
||||
in a lab environment.
|
||||
|
||||
.. rubric:: |proc|
|
||||
|
||||
.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb:
|
||||
|
||||
#. Create a Root |CA| Certificate and Key
|
||||
|
||||
#. Create the Root |CA| private key.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ openssl genrsa -out my-root-ca-key.pem 2048
|
||||
|
||||
#. Generate the Root |CA| x509 certificate.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM
|
||||
|
||||
|
||||
#. Create and sign a server certificate and key.
|
||||
|
||||
#. Create the server private key.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ openssl genrsa -out my-server-key.pem 2048
|
||||
|
||||
#. Create the Server certificate signing request \(csr\).
|
||||
|
||||
Specify CN=<WRCP-OAM-Floating-IP> and do **not** specify a challenge
|
||||
password.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ openssl req -new -key my-server-key.pem -out my-server.csr
|
||||
|
||||
#. Create the |SANs| list.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ echo subjectAltName = IP:<WRCP-OAM-Floating-IP>,DNS:registry.local,DNS:registry.central > extfile.cnf
|
||||
|
||||
#. Use the my-root-ca to sign the server certificate.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf
|
||||
|
||||
#. Put the server certificate and key in a single file.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
$ cat my-server-cert.pem my-server-key.pem > my-server.pem
|
@ -14,19 +14,10 @@ These include:
|
||||
|
||||
.. _https-access-overview-ul-eyn-5ln-gjb:
|
||||
|
||||
- |prod| REST API applications and the |prod| web administration server
|
||||
|
||||
- Kubernetes API
|
||||
|
||||
- Local Docker registry
|
||||
|
||||
.. contents::
|
||||
:local:
|
||||
:depth: 1
|
||||
|
||||
You can also add a trusted Certificate Authority \(CA\) for the |prod| system.
|
||||
|
||||
|
||||
.. _https-access-overview-section-N10048-N10024-N10001:
|
||||
|
||||
-------------------------------------------------------
|
||||
|
@ -7,57 +7,13 @@ System Accounts
|
||||
***************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
:maxdepth: 2
|
||||
|
||||
types-of-system-accounts
|
||||
overview-of-system-accounts
|
||||
kube-service-account
|
||||
keystone-accounts
|
||||
remote-windows-active-directory-accounts
|
||||
|
||||
Linux User Accounts
|
||||
*******************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
the-sysadmin-account
|
||||
local-ldap-linux-user-accounts
|
||||
create-ldap-linux-accounts
|
||||
remote-access-for-linux-accounts
|
||||
password-recovery-for-linux-user-accounts
|
||||
establish-keystone-credentials-from-a-linux-account
|
||||
estabilish-credentials-for-linux-user-accounts
|
||||
starlingx-openstack-kubernetes-from-stsadmin-account-login
|
||||
kubernetes-cli-from-local-ldap-linux-account-login
|
||||
|
||||
Kubernetes Service Accounts
|
||||
***************************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
kubernetes-service-accounts
|
||||
create-an-admin-type-service-account
|
||||
|
||||
Keystone Accounts
|
||||
*****************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
about-keystone-accounts
|
||||
keystone-account-authentication
|
||||
manage-keystone-accounts
|
||||
configure-the-keystone-token-expiration-time
|
||||
password-recovery
|
||||
|
||||
Password Rules
|
||||
**************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
starlingx-system-accounts-system-account-password-rules
|
||||
|
||||
*****************
|
||||
@ -70,9 +26,6 @@ Access the System
|
||||
configure-local-cli-access
|
||||
remote-access-index
|
||||
security-access-the-gui
|
||||
configure-http-and-https-ports-for-horizon-using-the-cli
|
||||
configure-horizon-user-lockout-on-failed-logins
|
||||
install-the-kubernetes-dashboard
|
||||
security-rest-api-access
|
||||
connect-to-container-registries-through-a-firewall-or-proxy
|
||||
|
||||
@ -129,21 +82,18 @@ Firewall Options
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
security-firewall-options
|
||||
security-default-firewall-rules
|
||||
security-firewall-options
|
||||
|
||||
*************************
|
||||
Secure HTTPS Connectivity
|
||||
*************************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
:maxdepth: 2
|
||||
|
||||
https-access-overview
|
||||
starlingx-rest-api-applications-and-the-web-administration-server
|
||||
enable-https-access-for-starlingx-rest-and-web-server-endpoints
|
||||
install-update-the-starlingx-rest-and-web-server-certificate
|
||||
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
|
||||
kubernetes-root-ca-certificate
|
||||
security-install-update-the-docker-registry-certificate
|
||||
add-a-trusted-ca
|
||||
@ -157,17 +107,7 @@ Cert Manager
|
||||
|
||||
security-cert-manager
|
||||
the-cert-manager-bootstrap-process
|
||||
|
||||
Post Installation Setup
|
||||
***********************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
firewall-port-overrides
|
||||
enable-public-use-of-the-cert-manager-acmesolver-image
|
||||
enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace
|
||||
enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
|
||||
cert-manager-post-installation-setup
|
||||
|
||||
******************************
|
||||
Portieris Admission Controller
|
||||
@ -178,8 +118,8 @@ Portieris Admission Controller
|
||||
|
||||
portieris-overview
|
||||
install-portieris
|
||||
remove-portieris
|
||||
portieris-clusterimagepolicy-and-imagepolicy-configuration
|
||||
remove-portieris
|
||||
|
||||
********************************
|
||||
Vault Secret and Data Management
|
||||
@ -190,16 +130,9 @@ Vault Secret and Data Management
|
||||
|
||||
security-vault-overview
|
||||
install-vault
|
||||
remove-vault
|
||||
|
||||
Configure Vault
|
||||
***************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
configure-vault
|
||||
configure-vault-using-the-cli
|
||||
remove-vault
|
||||
|
||||
**************************************
|
||||
Encrypt Kubernetes Secret Data at Rest
|
||||
@ -227,8 +160,6 @@ Operator Command Logging
|
||||
:maxdepth: 1
|
||||
|
||||
operator-command-logging
|
||||
operator-login-authentication-logging
|
||||
operator-command-logging
|
||||
|
||||
****************
|
||||
UEFI Secure Boot
|
||||
@ -240,15 +171,6 @@ UEFI Secure Boot
|
||||
overview-of-uefi-secure-boot
|
||||
use-uefi-secure-boot
|
||||
|
||||
***********************
|
||||
Trusted Platform Module
|
||||
***********************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
tpm-configuration-considerations
|
||||
|
||||
***********************************
|
||||
Authentication of Software Delivery
|
||||
***********************************
|
||||
@ -267,16 +189,6 @@ Security Feature Configuration for Spectre and Meltdown
|
||||
|
||||
security-feature-configuration-for-spectre-and-meltdown
|
||||
|
||||
***************************
|
||||
Locally Create Certificates
|
||||
***************************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
create-certificates-locally-using-openssl
|
||||
create-certificates-locally-using-cert-manager-on-the-controller
|
||||
|
||||
*****************************
|
||||
Security Hardening Guidelines
|
||||
*****************************
|
||||
@ -318,11 +230,11 @@ Security Features
|
||||
isolate-starlingx-internal-cloud-management-network
|
||||
|
||||
***************************************
|
||||
Appendix: Locally creating certifciates
|
||||
Appendix: Locally creating certificates
|
||||
***************************************
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
creating-certificates-locally-using-cert-manager-on-the-controller
|
||||
creating-certificates-locally-using-openssl
|
||||
create-certificates-locally-using-openssl
|
||||
create-certificates-locally-using-cert-manager-on-the-controller
|
@ -2,9 +2,9 @@
|
||||
.. law1570030645265
|
||||
.. _install-update-the-starlingx-rest-and-web-server-certificate:
|
||||
|
||||
=================================================================
|
||||
============================================================
|
||||
Install/Update the StarlingX Rest and Web Server Certificate
|
||||
=================================================================
|
||||
============================================================
|
||||
|
||||
Use the following procedure to install or update the certificate for the REST
|
||||
API application endpoints \(Keystone, Barbican and StarlingX\) and the web
|
||||
@ -18,12 +18,10 @@ Intermediate or Root |CA| that you are using, on how to create public
|
||||
certificate and private key pairs, signed by intermediate or a Root |CA|, for
|
||||
HTTPS.
|
||||
|
||||
.. xbooklink
|
||||
|
||||
For lab purposes, see :ref:`Locally Creating Certificates
|
||||
<creating-certificates-locally-using-openssl>` for how to create a test
|
||||
intermediate or Root |CA| certificate and key, and use it to sign test
|
||||
certificates.
|
||||
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||
<create-certificates-locally-using-openssl>` for how to create a test
|
||||
intermediate or Root |CA| certificate and key, and use it to sign test
|
||||
certificates.
|
||||
|
||||
Put the |PEM| encoded versions of the certificate and key in a single file,
|
||||
and copy the file to the controller host.
|
||||
|
@ -10,5 +10,13 @@ Keystone Accounts
|
||||
StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker
|
||||
Registry. |prod|'s Keystone uses the default local SQL Backend.
|
||||
|
||||
See :ref:`About Keystone Accounts <about-keystone-accounts>` for more details.
|
||||
See :ref:`Keystone Accounts <about-keystone-accounts>` for more details.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
about-keystone-accounts
|
||||
keystone-account-authentication
|
||||
manage-keystone-accounts
|
||||
configure-the-keystone-token-expiration-time
|
||||
password-recovery
|
@ -9,6 +9,7 @@ Kubernetes Service Accounts
|
||||
|prod| uses Kubernetes service accounts and |RBAC| policies for authentication
|
||||
and authorization of users of the Kubernetes API, |CLI|, and Dashboard.
|
||||
|
||||
See :ref:`Kubernetes Service Accounts <kubernetes-service-accounts>` for more
|
||||
details.
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
create-an-admin-type-service-account
|
@ -14,11 +14,9 @@ It is recommended that you update the Kubernetes Root |CA| and with a custom
|
||||
Root |CA| certificate and key, generated by yourself, and trusted by external
|
||||
servers connecting to the |prod|'s Kubernetes API endpoint.
|
||||
|
||||
.. xbooklink
|
||||
|
||||
See :ref:`Locally Creating Certificates
|
||||
<creating-certificates-locally-using-openssl>` for how to create a
|
||||
private Root |CA| certificate and key.
|
||||
See :ref:`Create Certificates Locally using openssl
|
||||
<create-certificates-locally-using-openssl>` for how to create a private Root
|
||||
|CA| certificate and key.
|
||||
|
||||
.. caution::
|
||||
The default duration for the generated Kubernetes Root CA certificate is 10
|
||||
@ -41,16 +39,23 @@ certificate and key for the Kubernetes root |CA|.
|
||||
Specifies the certificate for the Kubernetes root |CA|. The
|
||||
<k8s\_root\_ca\_cert> value is the absolute path of the certificate
|
||||
file. The certificate must be in |PEM| format and the value must be
|
||||
provided as part of a pair with <k8s\_root\_ca\_key>. The playbook will
|
||||
not proceed if only one value is provided.
|
||||
provided as part of a pair with <k8s\_root\_ca\_key>.
|
||||
|
||||
**<k8s\_root\_ca\_key>**
|
||||
|
||||
Specifies the key for the Kubernetes root |CA|. The <k8s\_root\_ca\_key>
|
||||
value is the absolute path of the certificate file. The certificate
|
||||
must be in |PEM| format and the value must be provided as part of a pair
|
||||
with <k8s\_root\_ca\_cert>. The playbook will not proceed if only one
|
||||
value is provided.
|
||||
with <k8s\_root\_ca\_cert>.
|
||||
|
||||
For example:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
k8s_root_ca_cert: /home/sysadmin/mystarlingx-k8s-rootca-certificate.pem
|
||||
k8s_root_ca_key: /home/sysadmin/mystarlingx-k8s-rootca-certificate-key.pem
|
||||
|
||||
The playbook will not proceed if only one value is provided.
|
||||
|
||||
.. caution::
|
||||
The default duration for the generated Kubernetes Root |CA|
|
||||
|
@ -1,27 +0,0 @@
|
||||
|
||||
.. oud1564679022947
|
||||
.. _kubernetes-service-accounts:
|
||||
|
||||
===========================
|
||||
Kubernetes Service Accounts
|
||||
===========================
|
||||
|
||||
|prod| uses Kubernetes service accounts and Kubernetes |RBAC| policies to
|
||||
identify and manage remote access to Kubernetes resources using the
|
||||
Kubernetes API, kubectl CLI or the Kubernetes Dashboard.
|
||||
|
||||
.. note::
|
||||
|prod| can also use user accounts defined in an external Windows Active
|
||||
Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the
|
||||
Kubernetes Dashboard. For more information, see :ref:`Configure OIDC
|
||||
Auth Applications <configure-oidc-auth-applications>`.
|
||||
|
||||
You can create and manage Kubernetes service accounts using
|
||||
:command:`kubectl` as shown below.
|
||||
|
||||
.. note::
|
||||
It is recommended that you create and manage service accounts within the
|
||||
kube-system namespace. See :ref:`Create an Admin Type Service
|
||||
Account <create-an-admin-type-service-account>`
|
||||
|
||||
|
@ -9,42 +9,13 @@ Manage Keystone Accounts
|
||||
See
|
||||
`https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html
|
||||
<https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html>`_
|
||||
_ for details on managing Keystone projects, users, and roles.
|
||||
for details on managing Keystone projects, users, and roles.
|
||||
|
||||
|
||||
All Kubernetes accounts are subject to system password rules. For complete
|
||||
details on password rules, see :ref:`System Account Password Rules
|
||||
<starlingx-system-accounts-system-account-password-rules>`.
|
||||
|
||||
If you are using when changing the keystone 'admin' user password, you must:
|
||||
.. only:: partner
|
||||
|
||||
.. _managing-keystone-accounts-ol-wyq-l4d-mmb:
|
||||
|
||||
#. If the **deployment-config.yaml** file has been moved off-box for security
|
||||
reasons, upload the file back to the system to be updated.
|
||||
|
||||
.. warning::
|
||||
The **deployment-config.yaml** file includes sensitive information
|
||||
\(including system credentials and passwords\). For increased security,
|
||||
it is recommended to store the **deployment-config.yaml** in a safe
|
||||
location off-box. Upload the file to the system only when it is
|
||||
required \(during initial configuration, and when reapplying an updated
|
||||
configuration\).
|
||||
|
||||
#. Update the password in the 'system-endpoint' secret in the 's
|
||||
deployment-config.yaml file, with the new keystone 'admin' user password.
|
||||
Make this change to the OS\_PASSWORD value. It must be base64 encoded. For
|
||||
example:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
OS_PASSWORD: U3Q4cmxpbmdYKg==
|
||||
|
||||
#. Apply the updated deployment configuration.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
kubectl apply -f deployment-config.yaml
|
||||
|
||||
#. \(Optional\) For security reasons, copy the updated
|
||||
**deployment-config.yaml** file off-box and delete it from the system.
|
||||
.. include:: /_includes/manage-keystone-accounts.rest
|
@ -2,9 +2,9 @@
|
||||
.. lgd1552571882796
|
||||
.. _overview-of-system-accounts:
|
||||
|
||||
==================
|
||||
Linux UserAccounts
|
||||
==================
|
||||
===================
|
||||
Linux User Accounts
|
||||
===================
|
||||
|
||||
A brief description of the system accounts available in a |prod| system.
|
||||
|
||||
@ -33,3 +33,18 @@ A brief description of the system accounts available in a |prod| system.
|
||||
For security reasons, it is recommended that ONLY admin level users be
|
||||
allowed to |SSH| to the nodes of the |prod|. Non-admin level users should
|
||||
strictly use remote |CLIs| or remote web GUIs.
|
||||
|
||||
For more information, refer to the following:
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
the-sysadmin-account
|
||||
local-ldap-linux-user-accounts
|
||||
create-ldap-linux-accounts
|
||||
remote-access-for-linux-accounts
|
||||
password-recovery-for-linux-user-accounts
|
||||
estabilish-credentials-for-linux-user-accounts
|
||||
establish-keystone-credentials-from-a-linux-account
|
||||
starlingx-openstack-kubernetes-from-stsadmin-account-login
|
||||
kubernetes-cli-from-local-ldap-linux-account-login
|
@ -2,9 +2,9 @@
|
||||
.. not1578924824783
|
||||
.. _password-recovery:
|
||||
|
||||
=================
|
||||
Password Recovery
|
||||
=================
|
||||
==========================
|
||||
Keystone Password Recovery
|
||||
==========================
|
||||
|
||||
.. rubric:: |context|
|
||||
|
||||
|
@ -37,10 +37,8 @@ re-installed, in order to update the new standby controller's |TPM| device.
|
||||
public certificate and private key pairs, signed by an intermediate or
|
||||
Root-signed |CA|, for HTTPS.
|
||||
|
||||
.. xbooklink
|
||||
|
||||
For lab purposes, see :ref:`Locally Creating Certificates
|
||||
<creating-certificates-locally-using-openssl>` for details on how to create
|
||||
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||
<create-certificates-locally-using-openssl>` for details on how to create
|
||||
a test intermediate or Root |CA| certificate and key, and use it to sign
|
||||
test certificates.
|
||||
|
||||
|
@ -44,3 +44,12 @@ from a browser.
|
||||
<install-the-kubernetes-dashboard>` for information on how to install
|
||||
the Kubernetes Dashboard and create a Kubernetes service account for
|
||||
the admin user to use the dashboard.
|
||||
|
||||
For more information, refer to the following:
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
configure-http-and-https-ports-for-horizon-using-the-cli
|
||||
configure-horizon-user-lockout-on-failed-logins
|
||||
install-the-kubernetes-dashboard
|
@ -2,9 +2,9 @@
|
||||
.. zlk1582057887959
|
||||
.. _security-firewall-options:
|
||||
|
||||
================
|
||||
Firewall Options
|
||||
================
|
||||
=======================
|
||||
Modify Firewall Options
|
||||
=======================
|
||||
|
||||
|prod| incorporates a default firewall for the |OAM| network. You can configure
|
||||
additional Kubernetes Network Policies in order to augment or override the
|
||||
|
@ -2,11 +2,11 @@
|
||||
.. vri1561486014514
|
||||
.. _security-install-update-the-docker-registry-certificate:
|
||||
|
||||
==============================================
|
||||
Install/Update the Docker Registry Certificate
|
||||
==============================================
|
||||
=================================
|
||||
Local Docker Registry Certificate
|
||||
=================================
|
||||
|
||||
The local docker registry provides secure HTTPS access using the registry API.
|
||||
The local Docker registry provides secure HTTPS access using the registry API.
|
||||
|
||||
.. rubric:: |context|
|
||||
|
||||
@ -33,8 +33,10 @@ intermediate or Root |CA|. Refer to the documentation for the external Root
|
||||
|CA| that you are using, on how to create public certificate and private key
|
||||
pairs, signed by an intermediate or Root |CA|, for HTTPS.
|
||||
|
||||
For lab purposes, see Appendix A for how to create a test intermediate or Root
|
||||
|CA| certificate and key, and use it to sign test certificates.
|
||||
For lab purposes, see :ref:`Create Certificates Locally using openssl
|
||||
<create-certificates-locally-using-openssl>` for how to create a test
|
||||
intermediate or Root |CA| certificate and key, and use it to sign test
|
||||
certificates.
|
||||
|
||||
Put the |PEM| encoded versions of the certificate and key in a single file,
|
||||
and copy the file to the controller host.
|
||||
@ -47,9 +49,9 @@ above certificate.
|
||||
|
||||
.. _security-install-update-the-docker-registry-certificate-d527e71:
|
||||
|
||||
#. In order to enable internal use of the docker registry certificate,
|
||||
#. In order to enable internal use of the Docker registry certificate,
|
||||
update the trusted |CA| list for this system with the Root |CA| associated
|
||||
with the docker registry certificate.
|
||||
with the Docker registry certificate.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
@ -58,15 +60,15 @@ above certificate.
|
||||
|
||||
where:
|
||||
|
||||
**<pathTocertificate>**
|
||||
``<pathTocertificate>``
|
||||
is the path to the intermediate or Root |CA| certificate associated
|
||||
with the docker registry's intermediate or Root |CA|-signed
|
||||
with the Docker registry's intermediate or Root |CA|-signed
|
||||
certificate.
|
||||
|
||||
#. Update the docker registry certificate using the
|
||||
#. Update the Docker registry certificate using the
|
||||
:command:`certificate-install` command.
|
||||
|
||||
Set the mode \(-m or --mode\) parameter to docker\_registry.
|
||||
Set the ``mode (-m or --mode)`` parameter to ``docker_registry``.
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
@ -75,8 +77,8 @@ above certificate.
|
||||
|
||||
where:
|
||||
|
||||
**<pathTocertificateAndKey>**
|
||||
is the path to the file containing both the docker registry's
|
||||
``<pathTocertificateAndKey>``
|
||||
is the path to the file containing both the Docker registry's
|
||||
intermediate or Root CA-signed certificate and private key to install.
|
||||
|
||||
|
||||
|
@ -2,9 +2,9 @@
|
||||
.. xlb1552573425956
|
||||
.. _starlingx-rest-api-applications-and-the-web-administration-server:
|
||||
|
||||
=================================================================
|
||||
StarlingX REST API Applications and the Web Administration Server
|
||||
=================================================================
|
||||
=============================================================================
|
||||
StarlingX REST API Applications and the Web Administration Server Certificate
|
||||
=============================================================================
|
||||
|
||||
|prod| provides support for secure HTTPS external connections used for
|
||||
StarlingX REST API application endpoints \(Keystone, Barbican and
|
||||
@ -29,3 +29,12 @@ recommended.
|
||||
|
||||
You can update the certificate used for HTTPS access at any time.
|
||||
|
||||
For more details, refer to:
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 1
|
||||
|
||||
enable-https-access-for-starlingx-rest-and-web-server-endpoints
|
||||
install-update-the-starlingx-rest-and-web-server-certificate
|
||||
secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm
|
||||
tpm-configuration-considerations
|
@ -2,13 +2,16 @@
|
||||
.. gks1588335341933
|
||||
.. _the-cert-manager-bootstrap-process:
|
||||
|
||||
==================================
|
||||
The cert-manager Bootstrap Process
|
||||
==================================
|
||||
=====================================
|
||||
Configure cert-manager at Bootstrap
|
||||
=====================================
|
||||
|
||||
Both nginx-ingress-controller and cert-manager are packaged as armada system
|
||||
applications managed via :command:`system application-\*` and
|
||||
:command:`system helm-override-\*` commands.
|
||||
Both nginx-ingress-controller and cert-manager are installed at bootstrap time
|
||||
with defaults appropriate to most use cases, but their configuration can be
|
||||
modified at bootstrap.
|
||||
|
||||
Nginx-ingress-controller and cert-manager are packaged as armada system
|
||||
applications.
|
||||
|
||||
Both system applications are uploaded and applied, by default, as part of
|
||||
the bootstrap phase of the |prod-long| installation.
|
||||
@ -25,10 +28,10 @@ contains the following definition:
|
||||
|
||||
|
||||
As with other parameters in default.yml, you can override this definition in
|
||||
$HOME/localhost.yml. In the case of the applications: parameter, do this to
|
||||
$HOME/localhost.yml. In the case of the ``applications``: parameter, do this to
|
||||
change the application helm overrides for an application.
|
||||
|
||||
The full general syntax for the applications: structure is:
|
||||
The full general syntax for the ``applications:`` structure is:
|
||||
|
||||
.. code-block:: none
|
||||
|
||||
@ -47,7 +50,7 @@ The full general syntax for the applications: structure is:
|
||||
namespace: kube-system
|
||||
values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml
|
||||
|
||||
If you do override applications: in $HOME/localhost.yml, note the following:
|
||||
If you do override ``applications:`` in $HOME/localhost.yml, note the following:
|
||||
|
||||
|
||||
.. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb:
|
||||
@ -59,7 +62,8 @@ If you do override applications: in $HOME/localhost.yml, note the following:
|
||||
and must be in this order, otherwise bootstrap fails.
|
||||
|
||||
|
||||
|org| recommends that you copy applications: from default.yml and add in any required overrides.
|
||||
|org| recommends that you copy ``applications:`` from default.yml and add in
|
||||
any required overrides.
|
||||
|
||||
At a high-level, the default configuration for the two mandatory applications is:
|
||||
|
||||
@ -69,11 +73,11 @@ At a high-level, the default configuration for the two mandatory applications is
|
||||
- nginx-ingress-controller
|
||||
|
||||
|
||||
- Runs as a DaemonSet only on masters/controllers
|
||||
- Runs as a DaemonSet only on masters/controllers.
|
||||
|
||||
- Uses host networking, which means it can use any port numbers.
|
||||
|
||||
Does not change the nginx default ports of 80 and 443.
|
||||
- Does not change the nginx default ports of 80 and 443.
|
||||
|
||||
- Has a default backend.
|
||||
|
||||
@ -88,13 +92,12 @@ At a high-level, the default configuration for the two mandatory applications is
|
||||
|
||||
- The deployment replicaCount is set to 1 for bootstrap.
|
||||
|
||||
|
||||
|
||||
.. note::
|
||||
replicaCount can NOT be changed at bootstrap time. The second controller
|
||||
must be configured and unlocked before replicaCount can be set to 2.
|
||||
|
||||
The Helm Chart Values that you can override are described at on the following web pages:
|
||||
The Helm Chart Values that you can override are described on the following
|
||||
web pages:
|
||||
|
||||
|
||||
.. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb:
|
||||
|
@ -6,10 +6,7 @@
|
||||
Types of System Accounts
|
||||
========================
|
||||
|
||||
This Chapter describes the system accounts available in a |prod|
|
||||
system.
|
||||
|
||||
For more information, see:
|
||||
This Chapter describes the system accounts available in a |prod| system.
|
||||
|
||||
.. _types-of-system-accounts-ul-rms-mwk-znb:
|
||||
|
||||
@ -19,7 +16,4 @@ For more information, see:
|
||||
|
||||
- :ref:`Keystone Accounts <keystone-accounts>`
|
||||
|
||||
- :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
|
||||
|
||||
- :ref:`Linux User Accounts <overview-of-system-accounts>`
|
||||
|
||||
- :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
|
Loading…
Reference in New Issue
Block a user