From 5579744656b4b515bd52091542018e6437175b63 Mon Sep 17 00:00:00 2001
From: egoncalv
Date: Thu, 20 May 2021 14:11:59 -0300
Subject: [PATCH] Editorial updates on Security Guide upstream

Acted on Greg's comments

Patch 1: Deleted duplicated docs and corrected references to fix build failure
Patch 2: Acted on Greg's and Ron's comments.
Patch 3: Acted on Greg's comment.
Patch 4: Acted on Mary's comments.
Patch 5: Solved merge conflict.
Patch 6: Worked on Mary's comments.
Patch 7: Fixed build conflict.
Patch 8: Worked on Mary's comments.

https://review.opendev.org/c/starlingx/docs/+/792461
Signed-off-by: egoncalv Change-Id: I647711ac35f45bc9c79cc490269831770e98e2f4 --- .../_includes/manage-keystone-accounts.rest | 0 ...dating-the-docker-registry-certificate.rst | 10 +- .../kubernetes/about-keystone-accounts.rst | 6 +- .../security/kubernetes/add-a-trusted-ca.rst | 6 +- .../cert-manager-post-installation-setup.rst | 17 +++ .../configure-vault-using-the-cli.rst | 6 +- .../security/kubernetes/configure-vault.rst | 6 +- .../create-an-admin-type-service-account.rst | 9 ++ ...y-using-cert-manager-on-the-controller.rst | 108 ------------------ ...ing-certificates-locally-using-openssl.rst | 64 ----------- .../kubernetes/https-access-overview.rst | 9 -- doc/source/security/kubernetes/index.rst | 106 ++--------------- ...rlingx-rest-and-web-server-certificate.rst | 14 +-- .../security/kubernetes/keystone-accounts.rst | 10 +- .../kubernetes/kube-service-account.rst | 5 +- .../kubernetes-root-ca-certificate.rst | 23 ++-- .../kubernetes-service-accounts.rst | 27 ----- .../kubernetes/manage-keystone-accounts.rst | 35 +----- .../overview-of-system-accounts.rst | 21 +++- .../security/kubernetes/password-recovery.rst | 6 +- ...tificates-private-key-storage-with-tpm.rst | 6 +- .../kubernetes/security-access-the-gui.rst | 9 ++ .../kubernetes/security-firewall-options.rst | 6 +- ...update-the-docker-registry-certificate.rst | 30 ++--- ...ions-and-the-web-administration-server.rst | 15 ++- .../the-cert-manager-bootstrap-process.rst | 33 +++--- .../kubernetes/types-of-system-accounts.rst | 10 +- 27 files changed, 171 insertions(+), 426 deletions(-) create mode 100644 doc/source/_includes/manage-keystone-accounts.rest create mode 100644 doc/source/security/kubernetes/cert-manager-post-installation-setup.rst delete mode 100644 doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst delete mode 100644 doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst delete mode 100644 
doc/source/security/kubernetes/kubernetes-service-accounts.rst diff --git a/doc/source/_includes/manage-keystone-accounts.rest b/doc/source/_includes/manage-keystone-accounts.rest new file mode 100644 index 000000000..e69de29bb diff --git a/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst b/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst index e23cb8ddb..bcdbb6673 100644 --- a/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst +++ b/doc/source/admintasks/installing-updating-the-docker-registry-certificate.rst @@ -34,10 +34,12 @@ for the external Root CA that you are using, on how to create public certificate and private key pairs, signed by an intermediate or Root CA, for HTTPS. -.. xreflink For lab purposes, see |sec-doc|: :ref:`Locally Creating - Certificates ` to create a - Intermediate or test Root CA certificate and key, and use it to sign test - certificates. +.. xreflink + +For lab purposes, see |sec-doc|: :ref:`Create Certificates Locally +using openssl ` to create an +Intermediate or test Root CA certificate and key, and use it to sign test +certificates. Put the Privacy Enhanced Mail \(PEM\) encoded versions of the certificate and key in a single file, and copy the file to the controller host. diff --git a/doc/source/security/kubernetes/about-keystone-accounts.rst b/doc/source/security/kubernetes/about-keystone-accounts.rst index bc3b3e51a..adc82f45b 100644 --- a/doc/source/security/kubernetes/about-keystone-accounts.rst +++ b/doc/source/security/kubernetes/about-keystone-accounts.rst @@ -2,9 +2,9 @@ .. ibp1552572465781 .. _about-keystone-accounts: -======================= -About Keystone Accounts -======================= +================= +Keystone Accounts +================= |prod| uses tenant accounts and user accounts to identify and manage access to StarlingX resources, and images in the Local Docker Registry. 
diff --git a/doc/source/security/kubernetes/add-a-trusted-ca.rst b/doc/source/security/kubernetes/add-a-trusted-ca.rst index 949ad957f..9599fc9f7 100644 --- a/doc/source/security/kubernetes/add-a-trusted-ca.rst +++ b/doc/source/security/kubernetes/add-a-trusted-ca.rst @@ -2,9 +2,9 @@ .. qfk1564403051860 .. _add-a-trusted-ca: -================ -Add a Trusted CA -================ +============================== +Manage Trusted CA Certificates +============================== Generally a trusted |CA| certificate needs to be added if |prod| clients on the hosts will be connecting to server\(s\) secured with SSL and whose diff --git a/doc/source/security/kubernetes/cert-manager-post-installation-setup.rst b/doc/source/security/kubernetes/cert-manager-post-installation-setup.rst new file mode 100644 index 000000000..f63853e5d --- /dev/null +++ b/doc/source/security/kubernetes/cert-manager-post-installation-setup.rst @@ -0,0 +1,17 @@ + + +.. _cert-manager-post-installation-setup: + +==================================== +Cert-Manager Post Installation Setup +==================================== + +.. toctree:: + :maxdepth: 1 + + firewall-port-overrides + enable-public-use-of-the-cert-manager-acmesolver-image + enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace + enable-the-use-of-cert-manager-apis-by-an-arbitrary-user + + diff --git a/doc/source/security/kubernetes/configure-vault-using-the-cli.rst b/doc/source/security/kubernetes/configure-vault-using-the-cli.rst index de7ebab2a..b8d8a41ec 100644 --- a/doc/source/security/kubernetes/configure-vault-using-the-cli.rst +++ b/doc/source/security/kubernetes/configure-vault-using-the-cli.rst 
@@ -2,9 +2,9 @@ .. cms1597171128588 .. _configure-vault-using-the-cli: -============================= -Configure Vault Using the CLI -============================= +=================================== +Configure Vault Using the Vault CLI +=================================== After Vault has been installed, you can configure Vault for use with |prod| using the |CLI|. This section describes the minimum configuration diff --git a/doc/source/security/kubernetes/configure-vault.rst b/doc/source/security/kubernetes/configure-vault.rst index a67d83cc7..9ae9fb551 100644 --- a/doc/source/security/kubernetes/configure-vault.rst +++ b/doc/source/security/kubernetes/configure-vault.rst @@ -2,9 +2,9 @@ .. xgp1596216287484 .. _configure-vault: -=============== -Configure Vault -=============== +======================================== +Configure Vault Using the Vault REST API +======================================== After Vault has been installed, you can configure Vault for use by hosted Kubernetes applications on |prod|. This section describes the minimum diff --git a/doc/source/security/kubernetes/create-an-admin-type-service-account.rst b/doc/source/security/kubernetes/create-an-admin-type-service-account.rst index 0674b2e7f..1fd64d7ea 100644 --- a/doc/source/security/kubernetes/create-an-admin-type-service-account.rst +++ b/doc/source/security/kubernetes/create-an-admin-type-service-account.rst @@ -15,6 +15,10 @@ namespaces. A cluster-admin ClusterRole is defined by default for such a user. To create an admin service account with cluster-admin role, use the following procedure: +.. note:: + It is recommended that you create and manage service accounts within the + kube-system namespace. + .. rubric:: |proc| #. Create the user definition. 
@@ -61,3 +65,8 @@ an admin service account with cluster-admin role, use the following procedure: access using tools such as :command:`kubectl` and :command:`helm` for a service account such as this. +.. note:: + |prod| can also use user accounts defined in an external Windows Active + Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the + Kubernetes Dashboard. For more information, see :ref:`Configure OIDC + Auth Applications `. \ No newline at end of file diff --git a/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst b/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst deleted file mode 100644 index fc3c600a6..000000000 --- a/doc/source/security/kubernetes/creating-certificates-locally-using-cert-manager-on-the-controller.rst +++ /dev/null 
@@ -1,108 +0,0 @@ - -.. qtr1594910639395 -.. _creating-certificates-locally-using-cert-manager-on-the-controller: - -================================================================ -Create Certificates Locally using cert-manager on the Controller -================================================================ - -You can use :command:`cert-manager` to locally create certificates suitable for -use in a lab environment. - -.. rubric:: |proc| - -#. Create a Root |CA| Certificate and Key. - - #. Create a self-signing issuer. - - .. code-block:: none - - $ echo " - apiVersion: cert-manager.io/v1alpha2 - kind: Issuer - metadata: - name: my-selfsigning-issuer - spec: - selfSigned: {} - " | kubectl apply -f - - - #. Create a Root |CA| certificate and key. - - .. code-block:: none - - $ echo " - apiVersion: cert-manager.io/v1alpha2 - kind: Certificate - metadata: - name: my-rootca-certificate - spec: - secretName: my-rootca-certificate - commonName: "my-rootca" - isCA: true - issuerRef: - name: my-selfsigning-issuer - kind: Issuer - " | kubectl apply -f - - - #. Create a Root |CA| Issuer. - - .. code-block:: none - - $ echo " - apiVersion: cert-manager.io/v1alpha2 - kind: Issuer - metadata: - name: my-rootca-issuer - spec: - ca: - secretName: my-rootca-certificate - " | kubectl apply -f - - - - #. Create files for the Root |CA| certificate and key. - - .. code-block:: none - - $ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-rootca-cert.pem - $ kubectl get secret my-rootca-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-rootca-key.pem - - -#. Create and sign a Server certificate and key - - #. Create the Server certificate and key. - - .. 
code-block:: none - - $ echo " - apiVersion: cert-manager.io/v1alpha2 - kind: Certificate - metadata: - name: my-server-certificate - spec: - secretName: my-server-certificate - duration: 2160h # 90d - renewBefore: 360h # 15d - organization: - - WindRiver - commonName: 1.1.1.1 - dnsNames: - - myserver.wrs.com - ipAddresses: - - 1.1.1.1 - issuerRef: - name: my-rootca-issuer - kind: Issuer - " | kubectl apply -f - - - #. Create the |PEM| files for Server certificate and key. - - .. code-block:: none - - $ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.crt:" | awk '{print $2}' | base64 --decode > my-server-cert.pem - $ kubectl get secret my-server-certificate -o yaml | egrep "^ tls.key:" | awk '{print $2}' | base64 --decode > my-server-key.pem - - #. Combine the server certificate and key in a single file. - - .. code-block:: none - - $ cat my-server-cert.pem my-server-key.pem > my-server.pem diff --git a/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst b/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst deleted file mode 100644 index bf8ec5c27..000000000 --- a/doc/source/security/kubernetes/creating-certificates-locally-using-openssl.rst +++ /dev/null 
@@ -1,64 +0,0 @@ - -.. rmn1594906401238 -.. _creating-certificates-locally-using-openssl: - -========================================= -Create Certificates Locally using openssl -========================================= - -You can use :command:`openssl` to locally create certificates suitable for use -in a lab environment. - -.. rubric:: |proc| - -.. _creating-certificates-locally-using-openssl-steps-unordered-pln-qhc-jmb: - -#. Create a Root |CA| Certificate and Key - - #. Create the Root |CA| private key. - - .. code-block:: none - - $ openssl genrsa -out my-root-ca-key.pem 2048 - - #. Generate the Root |CA| x509 certificate. - - .. code-block:: none - - $ openssl req -x509 -new -nodes -key my-root-ca-key.pem -days 1024 -out my-root-ca-cert.pem -outform PEM - - -#. Create and sign a server certificate and key. - - #. Create the server private key. - - .. code-block:: none - - $ openssl genrsa -out my-server-key.pem 2048 - - #. Create the Server certificate signing request \(csr\). - - Specify CN= and do **not** specify a challenge - password. - - .. code-block:: none - - $ openssl req -new -key my-server-key.pem -out my-server.csr - - #. Create the |SANs| list. - - .. code-block:: none - - $ echo subjectAltName = IP:,DNS:registry.local,DNS:registry.central > extfile.cnf - - #. Use the my-root-ca to sign the server certificate. - - .. code-block:: none - - $ openssl x509 -req -in my-server.csr -CA my-root-ca-cert.pem -CAkey my-root-ca-key.pem -CAcreateserial -out my-server-cert.pem -days 365 -extfile extfile.cnf - - #. Put the server certificate and key in a single file. - - .. code-block:: none - - $ cat my-server-cert.pem my-server-key.pem > my-server.pem diff --git a/doc/source/security/kubernetes/https-access-overview.rst b/doc/source/security/kubernetes/https-access-overview.rst index 78e50d4e1..42624e4de 100644 --- a/doc/source/security/kubernetes/https-access-overview.rst +++ b/doc/source/security/kubernetes/https-access-overview.rst 
@@ -14,19 +14,10 @@ These include: .. _https-access-overview-ul-eyn-5ln-gjb: -- |prod| REST API applications and the |prod| web administration server - -- Kubernetes API - -- Local Docker registry - .. contents:: :local: :depth: 1 -You can also add a trusted Certificate Authority \(CA\) for the |prod| system. - - .. _https-access-overview-section-N10048-N10024-N10001: ------------------------------------------------------- diff --git a/doc/source/security/kubernetes/index.rst b/doc/source/security/kubernetes/index.rst index 628b5ff43..2582155f1 100644 --- a/doc/source/security/kubernetes/index.rst +++ b/doc/source/security/kubernetes/index.rst @@ -7,57 +7,13 @@ System Accounts *************** .. toctree:: - :maxdepth: 1 + :maxdepth: 2 types-of-system-accounts overview-of-system-accounts kube-service-account keystone-accounts remote-windows-active-directory-accounts - -Linux User Accounts -******************* - -.. toctree:: - :maxdepth: 1 - - the-sysadmin-account - local-ldap-linux-user-accounts - create-ldap-linux-accounts - remote-access-for-linux-accounts - password-recovery-for-linux-user-accounts - establish-keystone-credentials-from-a-linux-account - estabilish-credentials-for-linux-user-accounts - starlingx-openstack-kubernetes-from-stsadmin-account-login - kubernetes-cli-from-local-ldap-linux-account-login - -Kubernetes Service Accounts -*************************** - -.. toctree:: - :maxdepth: 1 - - kubernetes-service-accounts - create-an-admin-type-service-account - -Keystone Accounts -***************** - -.. toctree:: - :maxdepth: 1 - - about-keystone-accounts - keystone-account-authentication - manage-keystone-accounts - configure-the-keystone-token-expiration-time - password-recovery - -Password Rules -************** - -.. toctree:: - :maxdepth: 1 - starlingx-system-accounts-system-account-password-rules ***************** 
@@ -70,9 +26,6 @@ Access the System configure-local-cli-access remote-access-index security-access-the-gui - configure-http-and-https-ports-for-horizon-using-the-cli - configure-horizon-user-lockout-on-failed-logins - install-the-kubernetes-dashboard security-rest-api-access connect-to-container-registries-through-a-firewall-or-proxy @@ -129,21 +82,18 @@ Firewall Options .. toctree:: :maxdepth: 1 - security-firewall-options security-default-firewall-rules + security-firewall-options ************************* Secure HTTPS Connectivity ************************* .. toctree:: - :maxdepth: 1 + :maxdepth: 2 https-access-overview starlingx-rest-api-applications-and-the-web-administration-server - enable-https-access-for-starlingx-rest-and-web-server-endpoints - install-update-the-starlingx-rest-and-web-server-certificate - secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm kubernetes-root-ca-certificate security-install-update-the-docker-registry-certificate add-a-trusted-ca @@ -157,17 +107,7 @@ Cert Manager security-cert-manager the-cert-manager-bootstrap-process - -Post Installation Setup -*********************** - -.. toctree:: - :maxdepth: 1 - - firewall-port-overrides - enable-public-use-of-the-cert-manager-acmesolver-image - enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace - enable-the-use-of-cert-manager-apis-by-an-arbitrary-user + cert-manager-post-installation-setup ****************************** Portieris Admission Controller @@ -178,8 +118,8 @@ Portieris Admission Controller portieris-overview install-portieris - remove-portieris portieris-clusterimagepolicy-and-imagepolicy-configuration + remove-portieris ******************************** Vault Secret and Data Management 
@@ -190,16 +130,9 @@ Vault Secret and Data Management security-vault-overview install-vault - remove-vault - -Configure Vault -*************** - -.. toctree:: - :maxdepth: 1 - configure-vault configure-vault-using-the-cli + remove-vault ************************************** Encrypt Kubernetes Secret Data at Rest @@ -227,8 +160,6 @@ Operator Command Logging :maxdepth: 1 operator-command-logging - operator-login-authentication-logging - operator-command-logging **************** UEFI Secure Boot @@ -240,15 +171,6 @@ UEFI Secure Boot overview-of-uefi-secure-boot use-uefi-secure-boot -*********************** -Trusted Platform Module -*********************** - -.. toctree:: - :maxdepth: 1 - - tpm-configuration-considerations - *********************************** Authentication of Software Delivery *********************************** @@ -267,16 +189,6 @@ Security Feature Configuration for Spectre and Meltdown security-feature-configuration-for-spectre-and-meltdown -*************************** -Locally Create Certificates -*************************** - -.. toctree:: - :maxdepth: 1 - - create-certificates-locally-using-openssl - create-certificates-locally-using-cert-manager-on-the-controller - ***************************** Security Hardening Guidelines ***************************** @@ -318,11 +230,11 @@ Security Features isolate-starlingx-internal-cloud-management-network *************************************** -Appendix: Locally creating certifciates +Appendix: Locally creating certificates *************************************** .. toctree:: :maxdepth: 1 - creating-certificates-locally-using-cert-manager-on-the-controller - creating-certificates-locally-using-openssl + create-certificates-locally-using-openssl + create-certificates-locally-using-cert-manager-on-the-controller \ No newline at end of file 
diff --git a/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst b/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst index 5814886ff..b89bfd0c9 100644 --- a/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst +++ b/doc/source/security/kubernetes/install-update-the-starlingx-rest-and-web-server-certificate.rst @@ -2,9 +2,9 @@ .. law1570030645265 .. _install-update-the-starlingx-rest-and-web-server-certificate: -================================================================= +============================================================ Install/Update the StarlingX Rest and Web Server Certificate -================================================================= +============================================================ Use the following procedure to install or update the certificate for the REST API application endpoints \(Keystone, Barbican and StarlingX\) and the web @@ -18,12 +18,10 @@ Intermediate or Root |CA| that you are using, on how to create public certificate and private key pairs, signed by intermediate or a Root |CA|, for HTTPS. -.. xbooklink - - For lab purposes, see :ref:`Locally Creating Certificates - ` for how to create a test - intermediate or Root |CA| certificate and key, and use it to sign test - certificates. +For lab purposes, see :ref:`Create Certificates Locally using openssl +` for how to create a test +intermediate or Root |CA| certificate and key, and use it to sign test +certificates. Put the |PEM| encoded versions of the certificate and key in a single file, and copy the file to the controller host. diff --git a/doc/source/security/kubernetes/keystone-accounts.rst b/doc/source/security/kubernetes/keystone-accounts.rst index 9b9860c69..9d7d53d51 100644 --- a/doc/source/security/kubernetes/keystone-accounts.rst +++ b/doc/source/security/kubernetes/keystone-accounts.rst 
@@ -10,5 +10,13 @@ Keystone Accounts StarlingX REST APIs, the |CLI|, the Horizon Web interface and the Local Docker Registry. |prod|'s Keystone uses the default local SQL Backend. -See :ref:`About Keystone Accounts ` for more details. +See :ref:`Keystone Accounts ` for more details. +.. toctree:: + :maxdepth: 1 + + about-keystone-accounts + keystone-account-authentication + manage-keystone-accounts + configure-the-keystone-token-expiration-time + password-recovery \ No newline at end of file diff --git a/doc/source/security/kubernetes/kube-service-account.rst b/doc/source/security/kubernetes/kube-service-account.rst index e087f0b5f..599dfea05 100644 --- a/doc/source/security/kubernetes/kube-service-account.rst +++ b/doc/source/security/kubernetes/kube-service-account.rst @@ -9,6 +9,7 @@ Kubernetes Service Accounts |prod| uses Kubernetes service accounts and |RBAC| policies for authentication and authorization of users of the Kubernetes API, |CLI|, and Dashboard. -See :ref:`Kubernetes Service Accounts ` for more -details. +.. toctree:: + :maxdepth: 1 + create-an-admin-type-service-account \ No newline at end of file diff --git a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst index e2a708b46..f97c0b03c 100644 --- a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst +++ b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst 
@@ -14,11 +14,9 @@ It is recommended that you update the Kubernetes Root |CA| and with a custom Root |CA| certificate and key, generated by yourself, and trusted by external servers connecting to the |prod|'s Kubernetes API endpoint. -.. xbooklink - - See :ref:`Locally Creating Certificates - ` for how to create a - private Root |CA| certificate and key. +See :ref:`Create Certificates Locally using openssl +` for how to create a private Root +|CA| certificate and key. .. caution:: The default duration for the generated Kubernetes Root CA certificate is 10 @@ -41,16 +39,23 @@ certificate and key for the Kubernetes root |CA|. Specifies the certificate for the Kubernetes root |CA|. The value is the absolute path of the certificate file. The certificate must be in |PEM| format and the value must be -provided as part of a pair with . The playbook will -not proceed if only one value is provided. +provided as part of a pair with . **** Specifies the key for the Kubernetes root |CA|. The value is the absolute path of the certificate file. The certificate must be in |PEM| format and the value must be provided as part of a pair -with . The playbook will not proceed if only one -value is provided. +with . + +For example: + +.. code-block:: none + + k8s_root_ca_cert: /home/sysadmin/mystarlingx-k8s-rootca-certificate.pem + k8s_root_ca_key: /home/sysadmin/mystarlingx-k8s-rootca-certificate-key.pem + +The playbook will not proceed if only one value is provided. .. caution:: The default duration for the generated Kubernetes Root |CA| diff --git a/doc/source/security/kubernetes/kubernetes-service-accounts.rst b/doc/source/security/kubernetes/kubernetes-service-accounts.rst deleted file mode 100644 index a8c83207a..000000000 --- a/doc/source/security/kubernetes/kubernetes-service-accounts.rst +++ /dev/null 
@@ -1,27 +0,0 @@ - -.. oud1564679022947 -.. _kubernetes-service-accounts: - -=========================== -Kubernetes Service Accounts -=========================== - -|prod| uses Kubernetes service accounts and Kubernetes |RBAC| policies to -identify and manage remote access to Kubernetes resources using the -Kubernetes API, kubectl CLI or the Kubernetes Dashboard. - -.. note:: - |prod| can also use user accounts defined in an external Windows Active - Directory to authenticate Kubernetes API, :command:`kubectl` CLI or the - Kubernetes Dashboard. For more information, see :ref:`Configure OIDC - Auth Applications `. - -You can create and manage Kubernetes service accounts using -:command:`kubectl` as shown below. - -.. note:: - It is recommended that you create and manage service accounts within the - kube-system namespace. See :ref:`Create an Admin Type Service - Account ` - - diff --git a/doc/source/security/kubernetes/manage-keystone-accounts.rst b/doc/source/security/kubernetes/manage-keystone-accounts.rst index 147492835..248cc295d 100644 --- a/doc/source/security/kubernetes/manage-keystone-accounts.rst +++ b/doc/source/security/kubernetes/manage-keystone-accounts.rst 
@@ -9,42 +9,13 @@ Manage Keystone Accounts See `https://docs.openstack.org/keystone/pike/admin/cli-manage-projects-users-and-roles.html `_ -_ for details on managing Keystone projects, users, and roles. +for details on managing Keystone projects, users, and roles. All Kubernetes accounts are subject to system password rules. For complete details on password rules, see :ref:`System Account Password Rules `. -If you are using when changing the keystone 'admin' user password, you must: +.. only:: partner -.. _managing-keystone-accounts-ol-wyq-l4d-mmb: - -#. If the **deployment-config.yaml** file has been moved off-box for security - reasons, upload the file back to the system to be updated. - - .. warning:: - The **deployment-config.yaml** file includes sensitive information - \(including system credentials and passwords\). For increased security, - it is recommended to store the **deployment-config.yaml** in a safe - location off-box. Upload the file to the system only when it is - required \(during initial configuration, and when reapplying an updated - configuration\). - -#. Update the password in the 'system-endpoint' secret in the 's - deployment-config.yaml file, with the new keystone 'admin' user password. - Make this change to the OS\_PASSWORD value. It must be base64 encoded. For - example: - - .. code-block:: none - - OS_PASSWORD: U3Q4cmxpbmdYKg== - -#. Apply the updated deployment configuration. - - .. code-block:: none - - kubectl apply -f deployment-config.yaml - -#. \(Optional\) For security reasons, copy the updated - **deployment-config.yaml** file off-box and delete it from the system. + .. include:: /_includes/manage-keystone-accounts.rest \ No newline at end of file diff --git a/doc/source/security/kubernetes/overview-of-system-accounts.rst b/doc/source/security/kubernetes/overview-of-system-accounts.rst index 35d72a916..2df36370a 100644 --- a/doc/source/security/kubernetes/overview-of-system-accounts.rst 
+++ b/doc/source/security/kubernetes/overview-of-system-accounts.rst @@ -2,9 +2,9 @@ .. lgd1552571882796 .. _overview-of-system-accounts: -================== -Linux UserAccounts -================== +=================== +Linux User Accounts +=================== A brief description of the system accounts available in a |prod| system. @@ -33,3 +33,18 @@ A brief description of the system accounts available in a |prod| system. For security reasons, it is recommended that ONLY admin level users be allowed to |SSH| to the nodes of the |prod|. Non-admin level users should strictly use remote |CLIs| or remote web GUIs. + +For more information, refer to the following: + +.. toctree:: + :maxdepth: 1 + + the-sysadmin-account + local-ldap-linux-user-accounts + create-ldap-linux-accounts + remote-access-for-linux-accounts + password-recovery-for-linux-user-accounts + estabilish-credentials-for-linux-user-accounts + establish-keystone-credentials-from-a-linux-account + starlingx-openstack-kubernetes-from-stsadmin-account-login + kubernetes-cli-from-local-ldap-linux-account-login \ No newline at end of file diff --git a/doc/source/security/kubernetes/password-recovery.rst b/doc/source/security/kubernetes/password-recovery.rst index 72f6430ea..98dd674cd 100644 --- a/doc/source/security/kubernetes/password-recovery.rst +++ b/doc/source/security/kubernetes/password-recovery.rst @@ -2,9 +2,9 @@ .. not1578924824783 .. _password-recovery: -================= -Password Recovery -================= +========================== +Keystone Password Recovery +========================== .. rubric:: |context| diff --git a/doc/source/security/kubernetes/secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm.rst b/doc/source/security/kubernetes/secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm.rst index 2bef2de55..cae31ddd8 100644 --- a/doc/source/security/kubernetes/secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm.rst 
+++ b/doc/source/security/kubernetes/secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm.rst @@ -37,10 +37,8 @@ re-installed, in order to update the new standby controller's |TPM| device. public certificate and private key pairs, signed by an intermediate or Root-signed |CA|, for HTTPS. -.. xbooklink - - For lab purposes, see :ref:`Locally Creating Certificates - ` for details on how to create + For lab purposes, see :ref:`Create Certificates Locally using openssl + ` for details on how to create a test intermediate or Root |CA| certificate and key, and use it to sign test certificates. diff --git a/doc/source/security/kubernetes/security-access-the-gui.rst b/doc/source/security/kubernetes/security-access-the-gui.rst index ae34fc004..26ba61d9b 100644 --- a/doc/source/security/kubernetes/security-access-the-gui.rst +++ b/doc/source/security/kubernetes/security-access-the-gui.rst @@ -44,3 +44,12 @@ from a browser. ` for information on how to install the Kubernetes Dashboard and create a Kubernetes service account for the admin user to use the dashboard. + +For more information, refer to the following: + +.. toctree:: + :maxdepth: 1 + + configure-http-and-https-ports-for-horizon-using-the-cli + configure-horizon-user-lockout-on-failed-logins + install-the-kubernetes-dashboard \ No newline at end of file diff --git a/doc/source/security/kubernetes/security-firewall-options.rst b/doc/source/security/kubernetes/security-firewall-options.rst index 692ff20c4..10713a758 100644 --- a/doc/source/security/kubernetes/security-firewall-options.rst +++ b/doc/source/security/kubernetes/security-firewall-options.rst @@ -2,9 +2,9 @@ .. zlk1582057887959 .. _security-firewall-options: -================ -Firewall Options -================ +======================= +Modify Firewall Options +======================= |prod| incorporates a default firewall for the |OAM| network. You can configure additional Kubernetes Network Policies in order to augment or override the 
diff --git a/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst b/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst index 7f545b28c..789a1cd72 100644 --- a/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst +++ b/doc/source/security/kubernetes/security-install-update-the-docker-registry-certificate.rst @@ -2,11 +2,11 @@ .. vri1561486014514 .. _security-install-update-the-docker-registry-certificate: -============================================== -Install/Update the Docker Registry Certificate -============================================== +================================= +Local Docker Registry Certificate +================================= -The local docker registry provides secure HTTPS access using the registry API. +The local Docker registry provides secure HTTPS access using the registry API. .. rubric:: |context| @@ -33,8 +33,10 @@ intermediate or Root |CA|. Refer to the documentation for the external Root |CA| that you are using, on how to create public certificate and private key pairs, signed by an intermediate or Root |CA|, for HTTPS. -For lab purposes, see Appendix A for how to create a test intermediate or Root -|CA| certificate and key, and use it to sign test certificates. +For lab purposes, see :ref:`Create Certificates Locally using openssl +` for how to create a test +intermediate or Root |CA| certificate and key, and use it to sign test +certificates. Put the |PEM| encoded versions of the certificate and key in a single file, and copy the file to the controller host. 
@@ -47,9 +49,9 @@ above certificate. .. _security-install-update-the-docker-registry-certificate-d527e71: -#. In order to enable internal use of the docker registry certificate, +#. In order to enable internal use of the Docker registry certificate, update the trusted |CA| list for this system with the Root |CA| associated - with the docker registry certificate. + with the Docker registry certificate. .. code-block:: none @@ -58,15 +60,15 @@ above certificate. where: - **** + ```` is the path to the intermediate or Root |CA| certificate associated - with the docker registry's intermediate or Root |CA|-signed + with the Docker registry's intermediate or Root |CA|-signed certificate. -#. Update the docker registry certificate using the +#. Update the Docker registry certificate using the :command:`certificate-install` command. - Set the mode \(-m or --mode\) parameter to docker\_registry. + Set the ``mode (-m or --mode)`` parameter to ``docker_registry``. .. code-block:: none @@ -75,8 +77,8 @@ above certificate. where: - **** - is the path to the file containing both the docker registry's + ```` + is the path to the file containing both the Docker registry's intermediate or Root CA-signed certificate and private key to install. diff --git a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server.rst b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server.rst index d3d8da977..efde5d669 100644 --- a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server.rst +++ b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server.rst 
@@ -2,9 +2,9 @@ .. xlb1552573425956 .. _starlingx-rest-api-applications-and-the-web-administration-server: -================================================================= -StarlingX REST API Applications and the Web Administration Server -================================================================= +============================================================================= +StarlingX REST API Applications and the Web Administration Server Certificate +============================================================================= |prod| provides support for secure HTTPS external connections used for StarlingX REST API application endpoints \(Keystone, Barbican and @@ -29,3 +29,12 @@ recommended. You can update the certificate used for HTTPS access at any time. +For more details, refer to: + +.. toctree:: + :maxdepth: 1 + + enable-https-access-for-starlingx-rest-and-web-server-endpoints + install-update-the-starlingx-rest-and-web-server-certificate + secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm + tpm-configuration-considerations \ No newline at end of file diff --git a/doc/source/security/kubernetes/the-cert-manager-bootstrap-process.rst b/doc/source/security/kubernetes/the-cert-manager-bootstrap-process.rst index 83ab46de9..edad9c80f 100644 --- a/doc/source/security/kubernetes/the-cert-manager-bootstrap-process.rst +++ b/doc/source/security/kubernetes/the-cert-manager-bootstrap-process.rst 
@@ -2,13 +2,16 @@ .. gks1588335341933 .. _the-cert-manager-bootstrap-process: -================================== -The cert-manager Bootstrap Process -================================== +===================================== +Configure cert-manager at Bootstrap +===================================== -Both nginx-ingress-controller and cert-manager are packaged as armada system -applications managed via :command:`system application-\*` and -:command:`system helm-override-\*` commands. +Both nginx-ingress-controller and cert-manager are installed at bootstrap time +with defaults appropriate to most use cases, but their configuration can be +modified at bootstrap. + +Nginx-ingress-controller and cert-manager are packaged as armada system +applications. Both system applications are uploaded and applied, by default, as part of the bootstrap phase of the |prod-long| installation. @@ -25,10 +28,10 @@ contains the following definition: As with other parameters in default.yml, you can override this definition in -$HOME/localhost.yml. In the case of the applications: parameter, do this to +$HOME/localhost.yml. In the case of the ``applications``: parameter, do this to change the application helm overrides for an application. -The full general syntax for the applications: structure is: +The full general syntax for the ``applications:`` structure is: .. code-block:: none @@ -47,7 +50,7 @@ The full general syntax for the applications: structure is: namespace: kube-system values-path: /home/sysinv/appTwo-ChartOne-overrides.yaml -If you do override applications: in $HOME/localhost.yml, note the following: +If you do override ``applications:`` in $HOME/localhost.yml, note the following: .. _the-cert-manager-bootstrap-process-ul-o3j-vdv-nlb: 
@@ -59,7 +62,8 @@ If you do override applications: in $HOME/localhost.yml, note the following: and must be in this order, otherwise bootstrap fails. -|org| recommends that you copy applications: from default.yml and add in any required overrides. +|org| recommends that you copy ``applications:`` from default.yml and add in +any required overrides. At a high-level, the default configuration for the two mandatory applications is: @@ -69,11 +73,11 @@ At a high-level, the default configuration for the two mandatory applications is - nginx-ingress-controller - - Runs as a DaemonSet only on masters/controllers + - Runs as a DaemonSet only on masters/controllers. - Uses host networking, which means it can use any port numbers. - Does not change the nginx default ports of 80 and 443. + - Does not change the nginx default ports of 80 and 443. - Has a default backend. @@ -88,13 +92,12 @@ At a high-level, the default configuration for the two mandatory applications is - The deployment replicaCount is set to 1 for bootstrap. - - .. note:: replicaCount can NOT be changed at bootstrap time. The second controller must be configured and unlocked before replicaCount can be set to 2. -The Helm Chart Values that you can override are described at on the following web pages: +The Helm Chart Values that you can override are described on the following +web pages: .. _the-cert-manager-bootstrap-process-ul-d4j-khv-nlb: diff --git a/doc/source/security/kubernetes/types-of-system-accounts.rst b/doc/source/security/kubernetes/types-of-system-accounts.rst index 6cbb2ef0e..604eaa368 100644 --- a/doc/source/security/kubernetes/types-of-system-accounts.rst +++ b/doc/source/security/kubernetes/types-of-system-accounts.rst 
@@ -6,10 +6,7 @@ Types of System Accounts ======================== -This Chapter describes the system accounts available in a |prod| -system. - -For more information, see: +This Chapter describes the system accounts available in a |prod| system. .. _types-of-system-accounts-ul-rms-mwk-znb: @@ -19,7 +16,4 @@ For more information, see: - :ref:`Keystone Accounts ` -- :ref:`Remote Windows Active Directory Accounts ` - -- :ref:`Linux User Accounts ` - +- :ref:`Remote Windows Active Directory Accounts ` \ No newline at end of file
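Review bot: in the security-install-update-the-docker-registry-certificate.rst hunk that says "Put the |PEM| encoded versions of the certificate and key in a single file", the text does not say what to do when the registry certificate is signed by an intermediate |CA| rather than directly by the Root |CA|, even though the surrounding sentences allow either. A client that trusts only the Root |CA| cannot verify the registry unless the intermediate certificate is also served, so the page should state whether the intermediate belongs in that file (after the leaf certificate, before the key) or is expected to be installed some other way; otherwise the step that adds the Root |CA| to the trusted list will look complete while registry pulls still fail on chain verification.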
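Review bot: the line "Set the ``mode (-m or --mode)`` parameter to ``docker_registry``." in security-install-update-the-docker-registry-certificate.rst wraps the prose word "or" and the parentheses inside the literal, so they render as if they were part of the command syntax. Mark up only the flags, for example "Set the mode parameter (``-m`` or ``--mode``) to ``docker_registry``.", which matches how ``docker_registry`` is already marked up on the same line.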
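Review bot: the first hunk of the-cert-manager-bootstrap-process.rst drops the sentence saying that nginx-ingress-controller and cert-manager are "managed via :command:`system application-\*` and :command:`system helm-override-\*` commands" and replaces it with "packaged as armada system applications", which no longer tells the reader how to manage or re-configure the two applications after bootstrap. Keep the command reference, for example by appending it to the new "packaged as armada system applications" sentence. In the same file the literal markup is inconsistent between "``applications``: parameter" and "``applications:`` structure"; pick one form (the second matches the YAML key) and use it in all three places.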
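Review bot: security-firewall-options.rst is retitled from "Firewall Options" to the task-style "Modify Firewall Options", but the visible body is a description ("|prod| incorporates a default firewall for the |OAM| network. You can configure additional Kubernetes Network Policies in order to augment or override the ..."), not a modification procedure. Either keep the descriptive title or confirm the page actually carries the steps a reader would expect under a "Modify ..." heading, so the index entry does not promise a how-to that the page does not deliver.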
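Review bot: the types-of-system-accounts.rst hunk removes the "Linux User Accounts" entry together with the "For more information, see:" lead-in, so the bullet list now follows "This Chapter describes the system accounts available in a |prod| system." with no introduction, and the chapter no longer points at any page covering the local Linux accounts, although it still claims to describe the system accounts available. Confirm that the Linux accounts material survives elsewhere in the restructured guide (and add its reference back here if it does), and restore a short lead-in such as "The following account types are available:" before the list.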
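Review bot: the toctree added at the end of security-access-the-gui.rst, the toctree added at the end of starlingx-rest-api-applications-and-the-web-administration-server.rst and the trimmed list in types-of-system-accounts.rst all end with "\ No newline at end of file". Add the trailing newline in each of the three files; without it the next patch touching the last line of any of them will show a spurious change to that line.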