Create Security Guide Reference

Change-Id: I1cfdc44fb72907e9e34294194084c59e29d8d80a
Signed-off-by: Suzana Fernandes <Suzana.Fernandes@windriver.com>
This commit is contained in:
Suzana Fernandes
2024-08-27 16:41:25 +00:00
parent 391e222c6e
commit 9fa54fe44e
27 changed files with 1953 additions and 175 deletions


@@ -0,0 +1,223 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167:
=====================================================================
Configure OIDC/LDAP Authentication for Kubernetes User Authentication
=====================================================================
After installing |prod|, you should configure |OIDC|/|LDAP| authentication
for kubernetes access user authentication.
|OIDC|/|LDAP| authentication can be supported by |prod|'s local |LDAP| server
and/or up to three remote |LDAP| servers (for example, Windows Active Directory).
In this example, |OIDC|/|LDAP| authentication is setup for local |LDAP|.
.. rubric:: |prereq|
- You must have the credentials for the 'sysadmin' local Linux user account
used for installation.
.. rubric:: |proc|
#. Login to the active controller as the 'sysadmin' user.
Use either a local console or |SSH|.
#. Setup 'sysadmin' credentials.
.. code-block::
$ source /etc/platform/openrc
#. Configure Kubernetes for |OIDC| token validation.
Use the default nodePort for the ``oidc-auth-apps`` system application of 30556.
.. code-block::
$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
$ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app
$ system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups
$ system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=https://${OAMIP}:30556/dex
$ system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email
$ system service-parameter-apply kubernetes
#. Configure and apply the ``oidc-auth-apps`` system application.
#. Create the certificate to be used by both the |OIDC| client and the
|OIDC| identity provider.
.. code-block::
$ mkdir /home/sysadmin/oidc
$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" |
awk '{print $4}')
$ cat <<EOF > /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: oidc-auth-apps-certificate
namespace: kube-system
spec:
secretName: oidc-auth-apps-certificate
duration: 2160h # 90 days
renewBefore: 360h # 15 days
issuerRef:
name: system-local-ca
kind: ClusterIssuer
commonName: ${OAMIP}
subject:
organizations:
- ABC-Company
organizationalUnits:
- StarlingX-system-oidc-auth-apps
ipAddresses:
- ${OAMIP}
EOF
$ kubectl apply -f/home/sysadmin/oidc/oidc-auth-apps-certificate.yaml
#. Configure the |OIDC|-client with the |OIDC| client certificate and
|OIDC| identity server certificate (created in the ``Create the
certificate to be used by both the OIDC client and the OIDC identity
provider`` step) and the Trusted |CA| that you used to sign these
certificates (i.e., the system-local-ca).
.. code-block::
$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/dex-ca-cert.crt
$ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/oidc/dex-ca-cert.crt -n kube-system
$ cat <<EOF > /home/sysadmin/oidc/oidc-client-overrides.yaml
tlsName: oidc-auth-apps-certificate
config:
# The |OIDC|-client container mounts the dex-ca-cert secret at /home, therefore
# issuer_root_ca: /home/<filename-only-of-generic-secret>
issuer_root_ca: /home/dex-ca-cert.crt
issuer_root_ca_secret: dex-ca-cert
# secret for accessing dex
client_secret: stx-oidc-client-p@ssw0rd
EOF
$ system helm-override-update oidc-auth-apps oidc-client kube-system --values /home/sysadmin/oidc/oidc-client-overrides.yaml
#. Configure the secret observer to track renewals of certificates.
.. code-block::
$ cat <<EOF > /home/sysadmin/oidc/secret-observer-overrides.yaml
cronSchedule: "*/15 * * * *"
observedSecrets:
- secretName: "dex-ca-cert"
filename: "dex-ca-cert.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "stx-oidc-client"
- secretName: "oidc-auth-apps-certificate"
filename: "tls.crt"
deploymentToRestart: "oidc-dex"
EOF
$ system helm-override-update oidc-auth-apps secret-observer kube-system --values /home/sysadmin/oidc/secret-observer-overrides.yaml
#. Create a secret with the certificate of the |CA| that signed the
certificate of local |LDAP|, i.e., ``system-local-ca``, to be
used in the ``Specify the configuration for connecting to Local LDAP
in the user overrides for the oidc-auth-apps application`` step.
.. code-block::
$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.\ `data.ca <http://data.ca>`__\\.crt}' | base64 --decode > /home/sysadmin/oidc/local-ldap-ca-cert.crt
$ kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/oidc/local-ldap-ca-cert.crt -n kube-system
#. Specify the configuration for connecting to local |LDAP| in the user
overrides for the ``oidc-auth-apps`` application.
.. code-block::
$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
$ MGMTIP=$(system addrpool-list --nowrap | fgrep management | awk '{print $14}')
$ BINDPW=$(keyring get ldap ldapadmin)
$ cat <<EOF > /home/sysadmin/oidc/dex-overrides.yaml
config:
staticClients:
- id: stx-oidc-client-app
name: STX OIDC Client app
redirectURIs: ['https://${OAMIP}:30555/callback']
secret: stx-oidc-client-p@ssw0rd
expiry:
idTokens: "10h"
connectors:
- type: ldap
name: LocalLDAP
id: localldap-1
config:
host: ${MGMTIP}:636
rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt
insecureNoSSL: false
insecureSkipVerify: false
bindDN: CN=ldapadmin,DC=cgcs,DC=local
bindPW: ${BINDPW}
usernamePrompt: Username
userSearch:
baseDN: ou=People,dc=cgcs,dc=local
filter: "(objectClass=posixAccount)"
username: uid
idAttr: DN
emailAttr: uid
nameAttr: gecos
groupSearch:
baseDN: ou=Group,dc=cgcs,dc=local
filter: "(objectClass=posixGroup)"
userMatchers:
- userAttr: uid
groupAttr: memberUid
nameAttr: cn
volumeMounts:
- mountPath: /etc/ssl/certs/adcert
name: certdir
- mountPath: /etc/dex/tls
name: https-tls
volumes:
- name: certdir
secret:
secretName: local-ldap-ca-cert
- name: https-tls
secret:
defaultMode: 420
secretName: oidc-auth-apps-certificate
EOF
$ system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/oidc/dex-overrides.yaml
#. Apply the ``oidc-auth-apps`` system application.
.. code-block::
$ system application-apply oidc-auth-apps
#. Wait for the ``oidc-auth-apps`` system application to reach the 'applied' status.
.. code-block::
$ system application-list
.. rubric:: |postreq|
See :ref:`create-first-system-administrator-1775e1b20941`.
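Review bot: the jsonpath in the ``kubectl get secret system-local-ca`` command of the local-LDAP CA step has been mangled into link markup (the ``data.ca`` part now renders as a hyperlink with a stray ``\`` and doubled backslash); as written the command fails, and it should read the same as the earlier dex-ca-cert step: ``-o=jsonpath='{.data.ca\.crt}'``. Two smaller points: ``kubectl apply -f/home/sysadmin/oidc/oidc-auth-apps-certificate.yaml`` is missing the space after ``-f``; and ``client_secret: stx-oidc-client-p@ssw0rd`` appears verbatim in both the oidc-client overrides and the dex ``staticClients`` entry, so the text should tell the reader to replace it with a per-deployment value and keep the two copies in sync, since it is the credential that lets the client obtain tokens from dex.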


@@ -0,0 +1,197 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _create-end-users-359693b84854:
================
Create End Users
================
After setting up your system administrators, use a ``Level1SystemAdmin``
system administrator to configure 'end users'.
In the following example, creating end users consists of:
- Create a general end user kubernetes ``ClusterRole`` with restricted
kubernetes capabilities.
- For one or more specific end user groups:
- Create an |LDAP| group;
- You can disable the |SSH| access for this |LDAP| group (i.e.,
restricting these end users to only use remote CLIs / APIs / GUIs);
- Create a Kubernetes namespace for the group;
- Bind the general end user kubernetes cluster role to the |LDAP| group
for this kubernetes namespace,
- Create one or more |LDAP| users in this |LDAP| group.
.. rubric:: |prereq|
- You should already have created a system administrator.
- You need to perform this procedure using the ``Level1SystemAdmin`` system administrator.
.. rubric:: |proc|
#. Login to the active controller as a ``Level1SystemAdmin`` system administrator,
``joefulladmin`` in this example.
Use either a local console or |SSH|.
#. Use the ``local_starlingxrc`` to setup |prod| environment variables
and to setup your keystone user's authentication credentials.
.. code-block::
$ source local_starlingxrc
Enter the password to be used with keystone user joefulladmin:
Created file /home/joefulladmin/joefulladmin-openrc
#. Use the ``oidc-auth`` to authenticate via |OIDC|/|LDAP| for kubernetes CLI.
.. code-block::
$ oidc-auth
Using "joefulladmin" as username.
Password:
Successful authentication.
Updated /home/joefulladmin/.kube/config.
#. Create a directory for temporary files for setting up users and groups.
.. code-block::
$ mkdir /home/joefulladmin/users
#. Create a general end user kubernetes ``ClusterRole`` with restricted
kubernetes authorization privileges.
.. code-block::
$ cat << EOF > /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: GeneralEndUser
rules:
# For the core API group (""), allow full access to all resource types
# EXCEPT for resource policies (limitranges and resourcequotas) only allow read access
- apiGroups: [""]
resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "serviceaccounts", "services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: [ "limitranges", "resourcequotas" ]
verbs: ["get", "list"]
# Allow full access to all resource types of the following explicit list of apiGroups.
# Notable exceptions here are:
# ApiGroup ResourceTypes
# ------- -------------
# policy podsecuritypolicies, poddisruptionbudgets
# networking.k8s.io networkpolicies
# admissionregistration.k8s.io mutatingwebhookconfigurations, validatingwebhookconfigurations
#
- apiGroups: ["apps", "batch", "extensions", "autoscaling", "apiextensions.k8s.io", "rbac.authorization.k8s.io"]
resources: ["*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
# Cert Manager API access
- apiGroups: ["cert-manager.io", "acme.cert-manager.io"]
resources: ["*"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
EOF
$ kubectl apply -f /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml
#. For one or more specific end user groups, create an |LDAP| group, Kubernetes
namespace and one or more |LDAP| users.
#. Create a new local |LDAP| group for the end user group.
.. code-block::
$ sudo ldapaddgroup ABC-EndUsers
#. |Optional| Disallow this local |LDAP| group from using |SSH|.
Users of this |LDAP| group can only use the remote kubernetes
API/CLI/GUI. Update the ``/etc/security/group.conf`` with |LDAP| group
mappings.
.. note::
If it is |AIO-DX| controller configuration, disallow this local
|LDAP| group on both controllers.
.. code-block::
$ sudo sed -i '$ a\\\*;\*;%ABC-EndUsers;Al0000-2400;denyssh' /etc/security/group.conf
#. Create a kubernetes namespace for the end user group.
.. code-block::
$ kubectl create namespace abc-ns
#. Bind the ``GeneralEndUser`` role to this |LDAP| group for this
kubernetes namespace.
.. code-block::
$ cat << EOF > /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: ABC-EndUsers
namespace: abc-ns
subjects:
- kind: Group
name: ABC-EndUsers
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: GeneralEndUser
apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl apply -f /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml
#. Create one or more |LDAP| users for the end user group.
.. code-block::
$ sudo ldapusersetup -u steveenduser
Password:
Successfully added user steveenduser to LDAP
Successfully set password for user steveenduser
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
$ sudo ldapaddusertogroup steveenduser ABC-EndUsers
#. Repeat the ``Create one or more LDAP users for the end user group`` step
for the next user in this end user group.
#. Repeat the ``For one or more specific end user groups, create an LDAP group, kubernetes
namespace and one or more LDAP users`` step for the next end user group.
.. rubric:: |postreq|
The end user created is able to, optionally, use SSH on the system to execute
kubernetes |CLI| commands to manage the hosted containerized application and
execute Linux commands. See section: :ref:`end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671`.
.. note::
More setup is required for end user to use remote CLIs/GUIs, see sections
:ref:`index-remote-access-2209661be417`.
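Review bot: the ``GeneralEndUser`` ClusterRole is bound through a namespaced RoleBinding (``ABC-EndUsers`` in ``abc-ns``), so the ``apiextensions.k8s.io`` entry in its rules grants nothing: CustomResourceDefinitions are cluster-scoped and cannot be authorized through a RoleBinding; either drop it or say it is intentionally inert. Two further points: the optional SSH-denial step relies on a ``denyssh`` group that sshd or PAM must already be configured to reject, but the hunk never states that prerequisite or shows where the denial is enforced, so the reader has no way to confirm the restriction took effect (the text should at least tell them to verify that an SSH login as a member of the group is refused); and the escaping in ``sed -i '$ a\\\*;\*;%ABC-EndUsers;...'`` is fragile enough that the text should show the exact line expected in ``/etc/security/group.conf`` (``*;*;%ABC-EndUsers;Al0000-2400;denyssh``) so the reader can check it with ``tail -1 /etc/security/group.conf``.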


@@ -0,0 +1,154 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _create-first-system-administrator-1775e1b20941:
=================================
Create First System Administrator
=================================
After installing |prod|, you should create your first unique system
administrator account.
In this example, a local |LDAP| user account and a local Keystone user account
are created for the first system administrator user.
The first system administrator user must have full 'admin' privileges such that
it can create subsequent system administrators and end users.
.. rubric:: |prereq|
- You must have the credentials for the 'sysadmin' local Linux user
account used for the installation.
.. rubric:: |proc|
#. Login to the active controller as the 'sysadmin' user.
Use either a local console or |SSH|.
#. Apply source credentials for the 'admin' keystone user.
.. code-block::
$ source /etc/platform/openrc
#. Create a directory for temporary files for setting up users and groups.
.. code-block::
$ mkdir /home/sysadmin/users
#. Create a new local |LDAP| group for system administrators with full privileges.
.. code-block::
$ sudo ldapaddgroup Level1SystemAdmin
#. Add full Linux authorization privileges to the ``Level1SystemAdmin``
|LDAP| group members.
Enable ``pam_group.so`` in ``/etc/pam.d/common-auth``, and update
``/etc/security/group.conf`` with |LDAP| group mappings.
.. note::
If it is |AIO-DX| controller configuration, add full Linux authorization
privileges on both controllers.
.. code-block::
# Execute this line only once, on each host
$ sudo sed -i '1i auth required `pam_group.so <http://pam_group.so>`__ use_first_pass}' /etc/pam.d/common-auth
# Execute this line for each LDAP group being mapped to 1 or more local Linux groups, on each host
$ sudo sed -i '$ a\\\*;\*;%Level1SystemAdmin;Al0000-2400;sys_protected,root,sudo' /etc/security/group.conf
#. Add full kubernetes authorization privileges to the ``Level1SystemAdmin``
|LDAP| group members.
Add a kubernetes ``ClusterRoleBinding`` to bind the ``Level1SystemAdmin``
group to the ``cluster-admin`` role.
.. code-block::
$ cat << EOF > /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: Level1SystemAdmin
subjects:
kind: Group
name: Level1SystemAdmin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: cluster-admin
apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl apply -f /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml
#. Create a new local |LDAP| user for the first system administrator.
.. code-block::
$ sudo ldapusersetup -u joefulladmin
Password:
Successfully added user joefulladmin to LDAP
Successfully set password for user joefulladmin
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
#. Add the first system administrator to the ``Level1SystemAdmin`` group.
.. code-block::
$ sudo ldapaddusertogroup joefulladmin Level1SystemAdmin
#. Add a new local keystone user for the first system administrator using the
same username.
Create a keystone user in the 'admin' project. The |prod|
infrastructure resources are all contained in the 'admin' project.
.. code-block::
$ USERNAME="joefulladmin"
$ USERPASSWORD="<password>"
$ PROJECTNAME="admin"
$ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'\`
$ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME}_member_
#. Add full |prod| authorization privileges to the first system
administrator's keystone user account.
.. code-block::
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin
#. Logout as 'sysadmin'.
.. code-block::
$ exit
.. rubric:: |postreq|
- Login to the local console or |SSH| with this new first system
administrator, ``joefulladmin``. See :ref:`system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936`
- Continue to :ref:`create-other-system-administrators-97b99bb94430`
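Review bot: the ``sed -i '1i auth required ...' /etc/pam.d/common-auth`` line is broken twice and, because it edits PAM authentication, a bad edit can lock out every login: the module name has been turned into link markup (``pam_group.so`` now renders as a hyperlink) and there is a stray ``}`` after ``use_first_pass``; the inserted line should be exactly ``auth required pam_group.so use_first_pass``, and the text should tell the reader to keep the current session open and verify a second login before closing it. Three further defects: the ClusterRoleBinding YAML has ``subjects:`` followed by ``kind: Group`` without the ``- `` list marker, so ``kubectl apply`` rejects it (compare the ``- kind: Group`` form used in the end-user RoleBinding); the ``PROJECTID`` backtick substitution ends with a stray backslash before the closing backtick, which leaves the shell waiting for more input; and ``--user ${USERNAME}_member_`` is missing the space before ``_member_``, so it looks up a user named ``joefulladmin_member_`` instead of assigning the ``_member_`` role.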


@@ -0,0 +1,298 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _create-other-system-administrators-97b99bb94430:
==================================
Create Other System Administrators
==================================
After setting up your first system administrator, use this first
system administrator to configure other system administrators.
In the following example, creating other system administrators consists of:
- Create system administrator groups with different privilege levels.
- The ``Level1SystemAdmin`` group with full privileges (including sudo) has
already been created, when creating the first system administrator.
- Create a ``Level2SystemAdmin`` group with full privileges, with no linux
``sudo`` capability.
- Create a ``Level3SystemAdmin`` group with read-only privileges.
- Create one or more new system administrator users in each of the above groups.
- For each user, create both:
- a local |LDAP| user account.
- a keystone user account.
.. rubric:: |prereq|
- You need to use the first system administrator created to execute this procedure.
.. rubric:: |proc|
#. Login to the active controller as the first system administrator,
``joefulladmin`` in this example.
Use either a local console or |SSH|.
#. Use the ``local_starlingxrc`` to setup |prod| environment variables
and to setup the keystone user's authentication credentials.
.. code-block::
$ source local_starlingxrc
Enter the password to be used with keystone user joefulladmin:
Created file /home/joefulladmin/joefulladmin-openrc
#. Use the ``oidc-auth`` to authenticate via |OIDC|/|LDAP| for kubernetes CLI.
.. code-block::
$ oidc-auth
Using "joefulladmin" as username.
Password:
Successful authentication.
Updated /home/joefulladmin/.kube/config .
#. Set up additional system admin groups with different privileges.
Create a directory for temporary files for setting up users and
groups.
.. code-block:: none
$ mkdir /home/joefulladmin/users
#. Create a new local |LDAP| group with full privilege (but without linux
``sudo`` capability) for the system administrator.
.. code-block:: none
$ sudo ldapaddgroup Level2SystemAdmin
#. Add full Linux authorization privileges (but without linux 'sudo'
capability) to the ``Level2SystemAdmin`` |LDAP| group members.
Update the ``/etc/security/group.conf`` with |LDAP| group mappings.
.. note::
For a |AIO-DX| controller configuration, this step must be done
on both controllers.
.. code-block:: none
$ sudo sed -i '$a\\\*;\*;%Level2SystemAdmin;Al0000-2400;sys_protected,root' /etc/security/group.conf
#. Add restricted kubernetes authorization privileges to the
``Level2SystemAdmin`` |LDAP| group members.
Add a kubernetes ``ClusterRole`` and kubernetes ``ClusterRoleBinding`` to
bind the ``Level2SystemAdmin`` group to a more restricted set of
kubernetes capabilities.
.. code-block:: none
$ cat << EOF > /home/joefulladmin/users/Level2SystemAdmin-clusterrolebinding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: Level2SystemAdmin
rules:
# For the core API group (""), allow full access to all resource types
# EXCEPT for serviceaccounts and resource policies (limitranges and resourcequotas) only allow read access
- apiGroups: [""]
resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "services"]
verbs: ["get", "list", "watch", "create", "update", "patch", "delete"]
- apiGroups: [""]
resources: [ "serviceaccounts", "limitranges", "resourcequotas" ]
verbs: ["get", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: Level2SystemAdmin
subjects:
- kind: Group
name: Level2SystemAdmin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: Level2SystemAdmin
apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl apply -f /home/joefulladmin/users/Level2SystemAdmin-clusterrolebinding.yml
#. 'admin' StarlingX Authorization Privileges will be given to the
``Level2SystemAdmin`` |LDAP| Group members, when they are created in a
subsequent step.
#. Create a new local |LDAP| group for read-only system administrators.
.. code-block:: none
$ sudo ldapaddgroup Level3SystemAdmin
#. Do not add additional linux authorization privileges to the ``Level3SystemAdmin``
|LDAP| group members.
Update ``/etc/security/group.conf`` with |LDAP| group mappings.
.. note::
For a |AIO-DX| controller configuration, this step must be done
on both controllers.
.. code-block:: none
$ sudo sed -i '$ a\\\*;\*;%Level3SystemAdmin;Al0000-2400;users' /etc/security/group.conf
#. Add 'reader' Kubernetes authorization privileges to the ``Level3SystemAdmin``
|LDAP| group members.
Add a kubernetes ``ClusterRole`` and kubernetes ``ClusterRoleBinding``
to bind the ``Level3SystemAdmin`` group to a reader only set of kubernetes
capabilities.
.. code-block:: none
$ cat << EOF > /home/joefulladmin/users/Level3SystemAdmin-clusterrolebinding.yml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: Level3SystemAdmin
rules:
- apiGroups: [""] # "" indicates the core API group
resources: ["*"]
verbs: ["get", "watch", "list"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: Level3SystemAdmin
subjects:
- kind: Group
name: Level3SystemAdmin
apiGroup: rbac.authorization.k8s.io
roleRef:
kind: ClusterRole
name: Level3SystemAdmin
apiGroup: rbac.authorization.k8s.io
EOF
$ kubectl apply -f /home/joefulladmin/users/Level3SystemAdmin-clusterrolebinding.yml
#. The 'reader' |prod| authorization privileges will be given to the
``Level3SystemAdmin`` |LDAP| group members, when they are created
in a subsequent step.
#. Create system 'admin' users in each of the 3 system admin groups.
#. Create one or more users in the ``Level1SystemAdmin`` group and give each
a keystone user account with an 'admin' role.
.. code-block::
$ sudo ldapusersetup -u davefulladmin
Password:
Successfully added user davefulladmin to LDAP
Successfully set password for user davefulladmin
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=davefulladmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=davefulladmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
$ sudo ldapaddusertogroup davefulladmin Level1SystemAdmin
$ USERNAME="davefulladmin"
$ USERPASSWORD="<password>"
$ PROJECTNAME="admin"
$ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'`
$ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin
Repeat this step for additional users required in the ``Level1SystemAdmin``
group.
#. Create one or more users in the ``Level2SystemAdmin`` group and give
each a keystone user account with an 'admin' role.
.. code-block::
$ sudo ldapusersetup -u jimbasicadmin
Password:
Successfully added user jimbasicadmin to LDAP
Successfully set password for user jimbasicadmin
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=jimbasicadmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=jimbasicadmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
$ sudo ldapaddusertogroup jimbasicadmin Level2SystemAdmin
$ USERNAME="jimbasicadmin"
$ USERPASSWORD="<password>"
$ PROJECTNAME="admin"
$ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'`
$ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin
Repeat this step for additional users required in the ``Level2SystemAdmin``
group.
#. Create one or more users in the ``Level3SystemAdmin`` group and give
each a keystone user account with 'reader' role.
.. code-block::
$ sudo ldapusersetup -u billreaderadmin
Password:
Successfully added user billreaderadmin to LDAP
Successfully set password for user billreaderadmin
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=billreaderadmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=billreaderadmin,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
$ sudo ldapaddusertogroup billreaderadmin Level3SystemAdmin
$ USERNAME="billreaderadmin"
$ USERPASSWORD="<password>"
$ PROJECTNAME="admin"
$ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'`
$ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}"
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_
$ openstack role add --project ${PROJECTNAME} --user ${USERNAME} reader
Repeat this step for additional users required in the ``Level3SystemAdmin``
group.
.. rubric:: |postreq|
Each system administrator user created should now be able to:
- |SSH| to the system
- execute linux commands based on their linux authorizations.
- execute |prod| CLI commands based on their |prod| authorizations.
- execute kubernetes CLI commands based on their kubernetes |RBAC| role bindings.
- See section: :ref:`system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936`.
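Review bot: the ``Level3SystemAdmin`` ClusterRole (``apiGroups: [""]``, ``resources: ["*"]``, verbs get/watch/list) bound cluster-wide lets a 'read-only' administrator read every Secret in every namespace, including ``kube-system`` (the dex client secret and ``local-ldap-ca-cert`` created earlier in this guide among them); if that is not intended, enumerate the core resources explicitly, as the ``Level2SystemAdmin`` rules do, and leave ``secrets`` out. Two further points: ``Level2SystemAdmin`` is described as 'full privileges without sudo', but its ClusterRole covers only the core API group, so members cannot manage Deployments, Jobs, or RoleBindings (``apps``, ``batch`` and ``rbac.authorization.k8s.io`` are absent while the end-user role grants them), which should either be fixed or stated as intended; and both files named ``*-clusterrolebinding.yml`` also contain the ClusterRole, so a name such as ``Level2SystemAdmin-rbac.yml`` would be less misleading.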


@@ -1,5 +1,6 @@
.. dxx1582118922443
.. _encrypt-kubernetes-secret-data-at-rest:
======================================
@@ -7,9 +8,9 @@ Encrypt Kubernetes Secret Data at Rest
======================================
By default, |prod| configures the kube-apiserver to encrypt or decrypt the
data in the Kubernetes 'Secret' resources in / from the etcd database.
data in the Kubernetes 'Secret' resources in / from the 'etcd' database.
This protects sensitive information in the event of access to the etcd
This protects sensitive information in the event of access to the 'etcd'
database being compromised. The encryption and decryption operations are
transparent to the Kubernetes API user.


@@ -0,0 +1,30 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _end-user-access-k8s-remote-cli-7bb5b71ed604:
=======================================
End User - Access Kubernetes Remote CLI
=======================================
Access your |prod| system through kubernetes remote |CLI| on your Linux-based
system.
.. rubric:: |prereq|
You need to have a Linux-based system that has configured the Kubernetes remote
|CLI|. See section: :ref:`end-user-configure-k8s-remote-cli-fad235bb7a18`.
.. rubric:: |proc|
#. Update your |OIDC| token in your ``KUBECONFIG``.
.. code-block::
$ ./oidc-auth -u <StarlingX-LDAP-Username> -c <OAM-FLOATING-IP>
#. Test kubernetes remote |CLI| commands.
.. code-block::
$ kubectl get all
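Review bot: ``kubectl get all`` in the test step has no ``-n``, so it runs against the ``default`` namespace (or whatever the kubeconfig context sets), and an end user whose only binding is the namespaced RoleBinding created in the end-user guide gets a Forbidden error there; the step should use ``kubectl -n <namespace> get all`` or note that the namespace must be set in the kubeconfig context. Also, ``./oidc-auth`` assumes the script is still in the directory it was downloaded to; installing it to a directory on ``PATH`` (or giving its full path) makes the step repeatable.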


@@ -0,0 +1,78 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _end-user-configure-k8s-remote-cli-fad235bb7a18:
==========================================
End User - Configure Kubernetes Remote CLI
==========================================
Configure the kubernetes remote |CLI| on your Linux-based system to enable access
to the |prod| system kubernetes remote |CLI| commands.
This procedure should be performed on your Linux-based system.
.. rubric:: |prereq|
- You need to have a Linux-based system with python installed.
- You need to have the ``stx-remote-access.tar`` file from your system administrator,
containing system information related to your |prod| system.
.. rubric:: |proc|
#. Install the ``kubectl`` client CLI on the host.
Follow the instructions on `Install and Set Up kubectl on
Linux <https://kubernetes.io/docs/tasks/tools/install-kubectl-linux/>`.
The example below can be used for Ubuntu.
.. code-block::
$ sudo curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
$ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl
#. Download the ``oidc-auth`` shell script from |prod| site and install
python mechanize.
.. code-block::
$ wget`https://mirror.starlingx.cengn.ca/mirror/starlingx/master/debian/monolithic/latest_build/outputs/remote-cli/ <https://mirror.starlingx.cengn.ca/mirror/starlingx/master/debian/monolithic/latest_build/outputs/remote-cli/stx-remote-cli-1.0.tgz>`__\ oidc-auth
$ chmod a+rx oidc-auth
$ sudo apt install python3-pip
$ sudo pip install mechanize
#. Extract the |prod| system information from the
``stx-remote-access-info.tar`` file from your |prod| system administrator.
.. code-block::
# Files from your StarlingX System Administrator
$ ls ~/stx-remote-access-info.tar
$ tar xvf ~/stx-remote-access-info.tar
#. Update the ``KUBECONFIG`` file.
.. code-block::
$ mkdir ~/.kube
$ cp ~/stx-remote-access-info/kubeconfig ~/.kube/config
$ vi ~/.kube/config
// and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file
# Add ~/stx-remote-access-info/stx.ca.crt to the list of Trusted CA
# e.g. commands shown for ubuntu below
$ sudo cp ~/stx-remote-access-info/stx.ca.crt /usr/local/share/ca-certificates
$ sudo update-ca-certificates
# Authenticate with OIDC/LDAP on StarlingX ... and token will be put in ~/.kube/config
$ ./oidc-auth -u <StarlingX-LDAP-Username> -c <OAM-FLOATING-IP>
.. rubric:: |postreq|
Access the kubernetes remote |CLI|.
See :ref:`end-user-access-k8s-remote-cli-7bb5b71ed604`.
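Review bot: the ``wget`` line for ``oidc-auth`` has been mangled into link markup: there is no space after ``wget``, the visible text points at the ``remote-cli/`` directory while the link target is ``stx-remote-cli-1.0.tgz``, and ``oidc-auth`` dangles after the markup, so the reader cannot tell which URL fetches the script; give one plain URL on the command line. Three further points: the prerequisite names the file ``stx-remote-access.tar`` while the commands use ``stx-remote-access-info.tar``; ``sudo curl -LO`` does not need ``sudo`` (only the ``install`` step does), and ``sudo pip install mechanize`` writes into the system Python, where ``python3 -m pip install --user mechanize`` avoids touching system packages; and the ``// and change YOURUSERNAMEHERE ...`` line uses a C-style comment inside a shell listing whose other comments use ``#``.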


@@ -0,0 +1,94 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671:
=========================================================
End Users - Test Local Access using SSH or Kubernetes CLI
=========================================================
After creating end users, test their access to the the Kubernetes commands / resources
and linux access.
.. rubric:: |prereq|
- You should already have created at least one end user.
- You need to perform this procedure using an end user.
.. rubric:: |proc|
#. Login to the active controller as an end user, ``steveenduser`` in this
example.
Use either a local console or |SSH|.
#. Test access to linux commands (admin and non-admin) using the following commands:
.. code-block::
# Creating user requires sudo
$ sudo ldapusersetup -u johnsmith
steveenduser is not allowed to run sudo on controller-0. This incident will be reported.
# Listing IP interfaces does not require admin privileges
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff
3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff
...
#. Test access to kubernetes commands / resources using the following steps:
#. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment.
.. code-block::
$ kubeconfig-setup
$ source ~/.profile
#. Use ``oidc-auth`` to authenticate through |OIDC|/|LDAP|.
.. code-block::
$ oidc-auth
Using "steveenduser" as username.
Password:
Successful authentication.
Updated /home/johnsmith/.kube/config .
#. Use ``kubectl`` to test access to kubernetes commands / resources
(admin and non-admin).
.. code-block::
# Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
$ kubectl -n kube-system get secrets
Error from server (Forbidden): secrets is forbidden: User "steveenduser" cannot list resource "secrets" in API group "" in the namespace "kube-system"
# Should be able to display resources in his own namespace, 'ABC-ns'
$ kubectl -n abc-ns get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d9h
#. Test access to |prod| commands / resources.
.. code-block::
$ source local_starlingxrc
Enter the password to be used with Keystone user steveenduser:
Created file /home/johnsmith/steveenduser-openrc
$ system host-list
Must provide Keystone credentials or user-defined endpoint and token, error was: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0feb292f-d649-4d9f-8e60-f63643265207)
.. rubric:: |postreq|
Setup remote access for any end users requiring remote access. See :ref:`index-remote-access-2209661be417`.
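Review bot: the sample output of `kubectl -n abc-ns get all` cannot be right: `service/kubernetes` with ClusterIP 10.96.0.1 exists only in the `default` namespace, so either the command was run against `default` or the output was pasted from elsewhere; show the real result for the user's own namespace (possibly "No resources found in abc-ns namespace."). The same block names the namespace both `ABC-ns` and `abc-ns` (namespace names are lowercase), and the `oidc-auth` and `local_starlingxrc` outputs report `/home/johnsmith/...` although the user logged in is `steveenduser`. The closing `system host-list` 401 is the expected outcome for an end user who has no Keystone account, but nothing says so; add a comment like the ones in the other blocks. Typo in the intro: "the the".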

@@ -0,0 +1,22 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-accessing-the-system-7d190226d3a5:
=================
Access the System
=================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
configure-local-cli-access
remote-access-index
security-access-the-gui
security-rest-api-access
connect-to-container-registries-through-a-firewall-or-proxy
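Review bot: the template comment "Uncomment topic-a etc. below and replace with the names of your topics" was left in this new index (and in the other new index files in this commit: k8s-api-user-authentication, ldap-accounts, local-ldap-accounts, password-rules, reference-material); it adds nothing now that the toctrees are populated and should be deleted before merge.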

@@ -0,0 +1,25 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-example-common-tasks-97773f3a82f0:
========================================
Examples of User Management Common Tasks
========================================
This section provides a set of common tasks related to the user management of
both system administrations and general end users, to set up unique users for
your system.
.. toctree::
:maxdepth: 3
configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167
create-first-system-administrator-1775e1b20941
system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936
create-other-system-administrators-97b99bb94430
create-end-users-359693b84854
end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671
index-remote-access-2209661be417
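Review bot: "the user management of both system administrations and general end users" should read "system administrators"; the sentence reads more naturally as "common user-management tasks for both system administrators and general end users, to set up unique users for your system".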

@@ -0,0 +1,25 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a:
====================================================
Kubernetes API User Authentication Using LDAP Server
====================================================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
overview-of-ldap-servers
centralized-vs-distributed-oidc-auth-setup
configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system
configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system
configure-oidc-auth-applications
configure-users-groups-and-authorization
configure-kubernetes-client-access
deprovision-ldap-server-authentication

@@ -0,0 +1,22 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-ldap-accounts-e8ee204e6092:
=============
LDAP Accounts
=============
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
index-local-ldap-accounts-2f2128fe2f49
remote-windows-active-directory-accounts
selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c
manage-local-ldap-39fe3a85a528
index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a

@@ -0,0 +1,24 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-local-ldap-accounts-2f2128fe2f49:
===================
Local LDAP Accounts
===================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
local-ldap-linux-user-accounts
create-ldap-linux-accounts
create-ldap-linux-groups-4c94045f8ee0
delete-ldap-linux-accounts-7de0782fbafd
remote-access-for-linux-accounts
password-recovery-for-linux-user-accounts
local-ldap-user-password-expiry-mechanism-eba5d34abbd4
estabilish-credentials-for-linux-user-accounts
manage-local-ldap-39fe3a85a528
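Review bot: `manage-local-ldap-39fe3a85a528` is listed both here and in the parent `index-ldap-accounts` toctree added in this commit; Sphinx warns when a document appears in more than one toctree and the page shows up twice in the sidebar, so keep it in one place (this local-ldap index is the natural home). Also check whether `estabilish-credentials-for-linux-user-accounts` is really the file name; if it is, the misspelling is baked into the published URL and a rename is cheap while the tree is being reorganized.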

@@ -0,0 +1,18 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-password-rules-8429cd4ebddb:
==============
Password Rules
==============
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 2
starlingx-system-accounts-system-account-password-rules
linux-accounts-password-3dcad436dce4

@@ -0,0 +1,24 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-reference-material-4e1c59258fa8:
==================
Reference Material
==================
.. Uncomment topic-a etc. below and replace with the names of your topics,
excluding the .rst extension
.. toctree::
:maxdepth: 4
the-sysadmin-account
types-of-system-accounts
overview-of-system-accounts
keystone-accounts
index-ldap-accounts-e8ee204e6092
index-password-rules-8429cd4ebddb
index-accessing-the-system-7d190226d3a5
private-namespace-and-restricted-rbac
resource-management
pod-security-admission-controller-8e9e6994100f

@@ -0,0 +1,24 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-remote-access-2209661be417:
=============
Remote Access
=============
This section provides a procedure for a system administrator to collect system
and user information required for a user to connect remotely to |prod|.
It also provides procedures for system administrators and end users to remotely
connect to |prod| CLIs, kubernetes CLIs and GUIs.
.. toctree::
:maxdepth: 2
system-administrator-collect-system-information-for-user-8502c985343d
system-administrator-access-system-horizon-gui-a4a95fe70ef9
system-administrator-configure-system-remote-cli-and-7b814d8937df
system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87
end-user-configure-k8s-remote-cli-fad235bb7a18
end-user-access-k8s-remote-cli-7bb5b71ed604
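Review bot: this new "Remote Access" index coexists with the existing `remote-access-index`, which is still listed in the new index-accessing-the-system toctree, so the Reference Material tree ends up with two Remote Access sections; either fold one into the other or state in this intro which index covers the containerized remote CLI packaging and which covers the per-user collect/configure/access procedures.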

@@ -8,87 +8,29 @@
:start-after: kub-begin
:end-before: kub-end
***************
System Accounts
***************
.. toctree::
:maxdepth: 2
types-of-system-accounts
overview-of-system-accounts
keystone-accounts
remote-windows-active-directory-accounts
starlingx-system-accounts-system-account-password-rules
manage-local-ldap-39fe3a85a528
linux-accounts-password-3dcad436dce4
*****************
Access the System
*****************
.. toctree::
:maxdepth: 2
configure-local-cli-access
remote-access-index
security-access-the-gui
security-rest-api-access
connect-to-container-registries-through-a-firewall-or-proxy
***************************
Manage Non-Admin Type Users
***************************
.. toctree::
:maxdepth: 1
private-namespace-and-restricted-rbac
resource-management
pod-security-admission-controller-8e9e6994100f
.. _user-authentication-using-windows-active-directory-security-index:
******************************************************
SSH User Authentication Using Windows Active Directory
******************************************************
.. toctree::
:maxdepth: 1
sssd-support-5fb6c4b0320b
*********************************************
K8S API User Authentication Using LDAP Server
*********************************************
.. toctree::
:maxdepth: 1
overview-of-ldap-servers
centralized-vs-distributed-oidc-auth-setup
configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system
configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system
configure-oidc-auth-applications
configure-users-groups-and-authorization
configure-kubernetes-client-access
deprovision-ldap-server-authentication
****************
Firewall Options
UEFI Secure Boot
****************
.. toctree::
:maxdepth: 1
overview-of-uefi-secure-boot
use-uefi-secure-boot
*******************
Firewall Management
*******************
.. toctree::
:maxdepth: 1
security-default-firewall-rules
security-firewall-options
****************************
HTTPS Certificate Management
****************************
**********************
Certificate Management
**********************
.. toctree::
:maxdepth: 2
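Review bot: the three topics dropped from "Manage Non-Admin Type Users" (private-namespace-and-restricted-rbac, resource-management, pod-security-admission-controller) reappear in this commit only under the new "Reference Material" index, yet creating a private namespace with restricted RBAC is the step an administrator performs right after `create-end-users`; list it (or link to it) from the "Examples of User Management Common Tasks" index as well, otherwise that example workflow ends without the authorization step. The label `user-authentication-using-windows-active-directory-security-index` removed here is re-added in remote-windows-active-directory-accounts.rst, so existing references keep resolving; see the note on that file about where the label is placed.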
@@ -120,11 +62,34 @@ Cert Manager
the-cert-manager-bootstrap-process
cert-manager-post-installation-setup
***************
User Management
***************
.. toctree::
:maxdepth: 5
introduction-to-user-management-6c0b13c6d325
index-example-common-tasks-97773f3a82f0
index-reference-material-4e1c59258fa8
********
Auditing
********
.. toctree::
:maxdepth: 1
auditd-support-339a51d8ce16
operator-login-authentication-logging
operator-command-logging
kubernetes-operator-command-logging-663fce5d74e7
.. _portieris-admission-controller-security-index:
******************************
Portieris Admission Controller
******************************
************************************************
Container Image Integrity (Signature Validation)
************************************************
.. toctree::
:maxdepth: 1
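Review bot: `:maxdepth: 5` on the new User Management toctree, against 1 or 2 for every sibling section, expands the whole nested tree (the sub-indexes already request depths 3 and 4) into the top-level security index page; 2 is enough here because the sub-indexes carry their own depth. Also in this hunk the "Portieris Admission Controller" heading under `.. _portieris-admission-controller-security-index:` becomes "Container Image Integrity (Signature Validation)"; unlike the vault label, which moved into the new vault index file, no new home for the portieris label is visible in the commit, so confirm it still exists if anything links to it.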
@@ -134,20 +99,39 @@ Portieris Admission Controller
portieris-clusterimagepolicy-and-imagepolicy-configuration
remove-portieris
.. _vault-secret-and-data-management-security-index:
********************************
Vault Secret and Data Management
********************************
**************************
Container AppArmor Profile
**************************
.. toctree::
:maxdepth: 1
security-vault-overview
install-vault
configure-vault
configure-vault-using-the-cli
remove-vault
about-apparmor-ebdab8f1ed87
enable-disable-apparmor-on-a-host-63a7a184d310
enable-disable-apparmor-on-a-host-using-horizon-a318ab726396
install-security-profiles-operator-1b2f9a0f0108
profile-management-a8df19c86a5d
apply-a-profile-to-a-pod-c2fa4d958dec
enable-apparmor-log-bb600560d794
author-apparmor-profiles-b02de0a22771
***********************
Encrypting Data at Rest
***********************
.. toctree::
:maxdepth: 1
partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c
encrypt-kubernetes-secret-data-at-rest
index-vault-secret-and-data-management-050a998960d0
***************************
Software Delivery Integrity
***************************
.. toctree::
:maxdepth: 1
authentication-of-software-delivery
***************************
IPsec on Management Network
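Review bot: `index-vault-secret-and-data-management-050a998960d0` is filed under "Encrypting Data at Rest" alongside LUKS and Kubernetes secret encryption, but Vault is a secrets-management service (it stores, issues and serves secrets through its API), not an at-rest encryption feature, and readers looking for secret management will not search under disk encryption. Keep it as its own section, as it was before this change, or rename the heading to cover both, for example "Encryption and Secret Management".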
@@ -161,88 +145,6 @@ IPsec on Management Network
ipsec-certificates-2c0655a2a888
ipsec-clis-5f38181d077f
**************************************
Encrypt Kubernetes Secret Data at Rest
**************************************
.. toctree::
:maxdepth: 1
encrypt-kubernetes-secret-data-at-rest
****************************************************************************
Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS)
****************************************************************************
.. toctree::
:maxdepth: 1
partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c
*********************
Linux Auditing System
*********************
.. toctree::
:maxdepth: 1
auditd-support-339a51d8ce16
********
AppArmor
********
.. toctree::
:maxdepth: 1
about-apparmor-ebdab8f1ed87
enable-disable-apparmor-on-a-host-63a7a184d310
enable-disable-apparmor-on-a-host-using-horizon-a318ab726396
install-security-profiles-operator-1b2f9a0f0108
profile-management-a8df19c86a5d
apply-a-profile-to-a-pod-c2fa4d958dec
enable-apparmor-log-bb600560d794
author-apparmor-profiles-b02de0a22771
*************************************
Operator Login/Authentication Logging
*************************************
.. toctree::
:maxdepth: 1
operator-login-authentication-logging
************************
Operator Command Logging
************************
.. toctree::
:maxdepth: 1
operator-command-logging
kubernetes-operator-command-logging-663fce5d74e7
****************
UEFI Secure Boot
****************
.. toctree::
:maxdepth: 1
overview-of-uefi-secure-boot
use-uefi-secure-boot
***********************************
Authentication of Software Delivery
***********************************
.. toctree::
:maxdepth: 1
authentication-of-software-delivery
***************
CVE Maintenance

@@ -0,0 +1,19 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _index-vault-secret-and-data-management-050a998960d0:
.. _vault-secret-and-data-management-security-index:
================================
Vault Secret and Data Management
================================
.. toctree::
:maxdepth: 2
security-vault-overview
install-vault
configure-vault
configure-vault-using-the-cli
remove-vault

@@ -0,0 +1,150 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _introduction-to-user-management-6c0b13c6d325:
===============================
Introduction to User Management
===============================
User Management is the capability to configure unique users for your system,
i.e. both system administrators and general end users. There are multiple user
types and user account types in |prod|.
User Types
==========
- **'sysadmin' Linux User**
The 'sysadmin' linux user is a special-case user for intial install only.
- **System Administrators**
The system administrator user type is for managing the |prod| system
infrastructure. A user of this type requires:
- A **Keystone user account**
The Keystone user account is used for access to |prod| services through
the |prod| GUI, RESTAPIs, local or remote CLIs.
- The bulk of the |prod| system infrastructure is managed through
the |prod| GUI, RESTAPIs, local or remote CLIs.
- A **LDAP user account**
- The |LDAP| user account is used for |SSH| access to |prod| physical hosts.
- |SSH| access is required to access local |prod| Ansible Playbooks
or |prod| scripts for management of |prod| system infrastructure
not covered by |prod| GUI, RESTAPIs, CLIs.
- The |LDAP| user account is also used for access to kubernetes services
through the kubernetes CLIs.
- Kubernetes CLIs are required for management of |prod| system
infrastructure not covered by |prod| GUI, RESTAPIs, CLIs,
|prod| Ansible Playbooks, or |prod| scripts.
- **End Users**
The *end user* user type is for managing hosted containerized applications on
|prod| (for example, a containerized |O-RAN| application). A user of this
type requires:
- A **LDAP User Account**
- The |LDAP| user account is used for access to kubernetes services through
the kubernetes GUI, RESTAPIs, local or remote CLIs.
- It is for creating / managing end users kubernetes resources of containerized
applications hosted by |prod|.
- |Optional| the |LDAP| user account can also be used for |SSH| access to
|prod| physical hosts.
- |SSH| access provides access to local Linux services (for example,
hardware status,metrics) for the purposes of monitoring Linux
resources (for example, interfaces) of end users' containerized
applications hosted by |prod|.
User Account Types
==================
- **'sysadmin' Linux User Account**
- The 'sysadmin' local Linux user account is created on the initial software
install. The default initial password is: sysadmin. The installer is forced
to change the password immediately on the first login as part of the install
procedure.
- The 'sysadmin' user has LINUX 'sudo all' capability and is a member of the
root group. This user also has Kubernetes ``cluster-admin`` role, which allows
it to do all operations in kubernetes environment. When executing ``source /etc/platform/openrc``,
the user becomes the keystone 'admin' user with 'admin' role, which allows
it to do all operations in |prod| environment.
- The 'sysadmin' linux user should only be used by end users for initial installation,
i.e. do not use this as a shared user account. Do not use this as a shared account
amongst your set of system administrators. Create unique user accounts (both
keystone user accounts and |LDAP| user accounts) for each of your system
administrators, with only the required privileges.
- Do not remove the 'sysadmin' linux user. It is used internally by the |prod|
platform.
- **Keystone User Accounts**
- The Keystone users are required for access to |prod| services through the
|prod| GUI, RESTAPIs, local or remote CLIs. The Keystone users are
created / managed locally on the |prod| system.
- There is a default 'admin' Keystone user (with 'admin' role) whose
password is set to the same password as provided by the initial
password change for the 'sysadmin' Linux user. Do not use this as a
shared account amongst your set of system administrators. Create unique
Keystone user accounts for each of your system administrators, with only
the required privileges.
- There are two static keystone roles for |prod| services:
- 'admin' - can run all commands.
- 'reader' - has read-only access to |prod| services. The reader cannot
perform changes to the system, but can read/show/list any data.
- **LDAP User Accounts**
- |LDAP| users are required for |SSH| access to local |prod| ansible
playbooks / |prod| scripts and/or access to Kubernetes services
through the Kubernetes CLIs.
- There are two types of |LDAP| users/groups supported on |prod|:
- Local |LDAP| - where Local |LDAP| users and groups are created locally
on |prod| system.
- Remote |LDAP| (for example, Windows Active Directory) - where |LDAP|
users and groups are created remotely on an external |LDAP| system. The
|prod| system accesses external |LDAP| system, according to configured
access parameters, and discovers the remote |LDAP| users and groups.
There can be up to 3 remote |LDAP| servers configured.
- For both, the Local |LDAP| scenario and the remote |LDAP| scenario, a
|LDAP| user (or members of a |LDAP| group), can be assigned linux
privileges via a group/role-binding to a local |prod| linux group,
specifically one or more of the following groups:
- **sudo group** - provides sudo all capabilities.
- **sys_protected group** - provides access to 'collect'
tool for collecting system diagnostic info.
- **root group** - provides read access to log files.
The Local |LDAP| scenario and the remote |LDAP| scenario, a |LDAP| user
can also be assigned to Kubernetes privileges through a Kubernetes
ClusterRoleBinding/RoleBinding to either an existing Kubernetes
ClusterRole/Role or a new customer configured Kubernetes ClusterRole/Role.
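Review bot: "The 'sysadmin' linux user should only be used by end users for initial installation" is wrong on both counts: end users, as defined earlier on this page, never use sysadmin, and the next sentence repeats the shared-account warning; rewrite as "sysadmin should be used only by the installer, for the initial installation, and must not be shared among system administrators". The Linux privilege list also understates the root group: membership in the root group (gid 0) is not limited to reading log files, it grants group access to every file owned by that group, so document it as a broad grant to be assigned sparingly. Typos: "intial"; "A LDAP" should be "An LDAP" in several places; and "The Local LDAP scenario and the remote LDAP scenario, a LDAP user can also be assigned to Kubernetes privileges" needs "In both the local and the remote LDAP scenario, an LDAP user can also be assigned Kubernetes privileges".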

@@ -90,8 +90,7 @@ and restarting the ``oidc-auth`` application.
.. note::
This step is only required if you are not using cert-manager for your
certificate as described in :ref:`Configure OIDC Auth Applications
<configure-oidc-auth-applications>`.
certificate as described in :ref:`configure-oidc-auth-applications`.
.. code-block:: none

@@ -3,12 +3,19 @@
.. _remote-windows-active-directory-accounts:
========================================
Remote Windows Active Directory Accounts
Remote Windows Active Directory accounts
========================================
|prod| can optionally be configured to use remote Windows Active Directory
Accounts and native Kubernetes |RBAC| policies for authentication and
accounts and native Kubernetes |RBAC| policies for authentication and
authorization of users of the Kubernetes API, |CLI|, and Dashboard.
.. _user-authentication-using-windows-active-directory-security-index:
.. toctree::
:maxdepth: 1
sssd-support-5fb6c4b0320b
See :ref:`Overview of LDAP Servers <overview-of-ldap-servers>` for more details.
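Review bot: the label `.. _user-authentication-using-windows-active-directory-security-index:` is placed directly before the toctree instead of before a section title; Sphinx resolves a caption-less `:ref:` only to a label that precedes a title, figure or table, so any existing `:ref:` to this label without explicit link text (it previously sat above the "SSH User Authentication Using Windows Active Directory" heading in index.rst) will now produce an undefined-label warning. Move it above the page title next to `.. _remote-windows-active-directory-accounts:`, or give the referencing links explicit text. The lower-casing of "accounts" in the title and first sentence is fine.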

@@ -149,7 +149,7 @@ Commands to add mandatory parameters for a remote ldap domain:
The ``ldap_access_filter`` service parameter can be configured to allow
access to the Linux host. In the following example, the access is
restricted to members of the group ``allowedusers``. Users that are not
part of ``allowedusers`` will get the message ``Authentication failed``.
part of ``allowedusers`` will get the message ``authentication failed``.
Here, ``allowedusers`` is an example of a |WAD| group.
.. code-block:: none
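Review bot: if "Authentication failed" is the literal message a user sees when rejected by `ldap_access_filter` (it is set in double backticks as output), lower-casing it to "authentication failed" should follow what sshd/SSSD actually print, not the house style for prose; check a real rejected login before changing the quoted string.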
@@ -220,7 +220,7 @@ Default WAD Domain Configuration
The default |WAD| domain configuration parameters are pre-configured. Main |SSSD|
default configuration settings include:
- Offline Authentication is enabled, allowing users to still authenticate
- Offline authentication is enabled, allowing users to still authenticate
even if the ldap identity provider is unavailable. using their cached
credentials. User credentials caching is enabled by parameter setting
``cache_credentials = true``. After a successful login user credentials are
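Review bot: while touching this paragraph, fix the stray full stop in the unchanged next line, "even if the ldap identity provider is unavailable. using their cached credentials", which should read "... is unavailable, using their cached credentials."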

@@ -0,0 +1,42 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _system-administrator-access-system-horizon-gui-a4a95fe70ef9:
=========================================
System Administrator - Access Horizon GUI
=========================================
Access the |prod| Horizon GUI using your browser.
This procedure should be performed on your system that has a web browser.
.. rubric:: |prereq|
- A system with a web browser.
- You need to have the ``stx-remote-access.tar`` file from your system administrator,
containing system information related to your |prod| system.
.. rubric:: |proc|
#. Update your web browser to 'trust' the |prod| |CA| certificate.
#. Extract the files from the ``stx-remote-access-info.tar`` file
from your |prod| system administrator.
.. code-block::
$ cd ~
$ tar xvf ./stx-remote-access-info.tar
# The StarlingX CA Certificate is here:
$ ls ./stx-remote-access-info/stx.ca.crt
#. Follow your web browser's instructions to add '~/stx-remote-access-info/stx.ca.crt'
to the list of trusted CAs for your browser.
#. Open your web browser at address ``https://<OAM-Floating-IP-Address>:8443``
Login with your keystone account's 'username' and 'password'.
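Review bot: the prerequisite names the file `stx-remote-access.tar`, but the procedure (and the archive produced by the collect-system-information procedure in this commit) uses `stx-remote-access-info.tar`; align the name. Step 1 ("Update your web browser to 'trust' the CA certificate") also comes before the certificate has been extracted and duplicates step 3, so drop it and let the extract and trust steps stand in order.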

@@ -0,0 +1,47 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87:
==========================================================================
System Administrator - Access System Remote CLI & Kubernetes Remote CLI
==========================================================================
Access your |prod| system through the |prod| remote |CLI| and kubernetes
remote |CLI| on your Linux-based system.
.. rubric:: |prereq|
You need to have a Linux-based system that has configured the |prod| remote |CLI|
and kubernetes remote |CLI|. See section:
:ref:`system-administrator-configure-system-remote-cli-and-7b814d8937df`.
.. rubric:: |proc|
#. Source the remote client for the |prod| platform.
.. code-block::
$ cd ~/remote_cli
$ source ./remote_client_platform.sh
#. Test the |prod| remote CLI commands.
.. code-block::
$ cd ~/remote_cli
$ system host-list
$ fm alarm-list
#. Test kubernetes remote CLI commands.
.. code-block::
$ cd ~/remote_cli
$ oidc-auth -u <LDAP-USERNAME> -p <LDAP-PASSWORD> -c <OAM-FLOATING-IP>
$ kubectl get all
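Review bot: `oidc-auth -u <LDAP-USERNAME> -p <LDAP-PASSWORD> -c <OAM-FLOATING-IP>` puts the LDAP password on the command line, where it lands in shell history and is visible to every local user through the process list; the other procedures in this commit let `oidc-auth` prompt for the password, so drop `-p` here as well.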

@@ -0,0 +1,119 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _system-administrator-collect-system-information-for-user-8502c985343d:
========================================================================
System Administrator - Collect System Information for Remote User Access
========================================================================
This procedure collects up a variety of data requried for a user to
remotely interface with |prod| system.
The following data needs to be collected:
- The public certificate of the Root |CA| that signed the certificates of
the |prod| system.
- the remote user needs to update the remote system to trust this certificate.
- Kubernetes environment data for the |prod| system.
- |prod| environment data for the |prod| system.
.. rubric:: |proc|
#. Login to the active controller as a ``Level1SystemAdmin`` system
administrator, ``joefulladmin`` in this example.
Use either a local console or |SSH|.
#. Use ``local_starlingxrc`` to setup |prod| environment variables
and to setup your keystone user's authentication credentials.
.. code-block::
$ source local_starlingxrc
Enter the password to be used with Keystone user joefulladmin:
Created file /home/joefulladmin/joefulladmin-openrc
#. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment
and use ``oidc-auth`` to setup |OIDC|/|LDAP| authentication credentials.
.. code-block::
$ kubeconfig-setup
$ source ~/.profile
$ oidc-auth
Using "joefulladmin" as username.
Password:
Successful authentication.
Updated /home/joefulladmin/.kube/config .
#. Create a directory for storing information for remote users.
.. code-block::
$ mkdir ~/stx-remote-access-info
#. Get public certificate of the Root |CA| that signed the certificates of the
|prod| system.
.. code-block::
$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.tls\.crt}' | base64 --decode > ~/stx-remote-access-info/stx.ca.crt
#. Get the kubernetes environment data for the |prod| system.
.. code-block::
$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
$ touch ~/stx-remote-access-info/kubeconfig
$ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-cluster stx-cluster --server=https://${OAMIP}:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt
$ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-context YOURUSERNAMEHERE@stx-cluster --cluster=stx-cluster --user YOURUSERNAMEHERE
$ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig use-context YOURUSERNAMEHERE@stx-cluster
#. Get the |prod| environment data for the |prod| system.
.. code-block::
$ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}')
$ PROJECTNAME="admin"
$ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'`
$ cat <<EOF > ~/stx-remote-access-info/starlingxrc
#!/usr/bin/env bash
#
export OS_AUTH_URL=https://${OAMIP}:5000/v3
export OS_PROJECT_ID=${PROJECTID}
export OS_PROJECT_NAME=${PROJECTNAME}
export OS_USER_DOMAIN_NAME="Default"
export OS_PROJECT_DOMAIN_ID="default"
export OS_PROJECT_DOMAIN_NAME=""
export OS_USERNAME=YOURUSERNAMEHERE
echo "Please enter your OpenStack Password for project \$OS_PROJECT_NAME as user \$OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=\$OS_PASSWORD_INPUT
export OS_REGION_NAME=${OS_REGION_NAME}
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
export OS_CACERT=./stx-remote-access-info/stx.ca.crt
EOF
#. Package up the following files for a remote user to use when
setting up his remote access on his system.
.. code-block::
$ cd ~
$ tar cvf stx-remote-access-info.tar ./stx-remote-access-info
.. rubric:: |postreq|
For any user requiring remote access:
- securely send them the ``stx-remote-access-info.tar`` file.
- have them follow the procedures for setting up remote access. See :ref:`index-remote-access-2209661be417`.
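Review bot: `export OS_CACERT=./stx-remote-access-info/stx.ca.crt` in the generated starlingxrc is relative to the caller's working directory, and the configure-remote-CLI procedure extracts the archive under `~/remote_cli`, so TLS verification fails unless the client is run from exactly that directory; make the path absolute or derive it from the script's own location. `PROJECTID` is taken from `openstack project list | grep ${PROJECTNAME}`, which matches any project whose name or id contains "admin"; `openstack project show "${PROJECTNAME}" -f value -c id` returns exactly the one id. Typo in the intro: "requried".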

@@ -0,0 +1,96 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _system-administrator-configure-system-remote-cli-and-7b814d8937df:
==========================================================================
System Administrator - Configure System Remote CLI & Kubernetes Remote CLI
==========================================================================
Configure the |prod| remote |CLI| and kubernetes remote |CLI| on your
Linux-based system so that you can remotely access your |prod| system through
remote CLI commands.
This procedure should be performed on your Linux-based system.
.. rubric:: |prereq|
- You need to have a Linux-based system with python installed and either with
Docker installed or 'sudo' capability to install Docker.
- You need to have the ``stx-remote-access.tar`` file from your system administrator,
containing system information related to your |prod| system.
.. rubric:: |proc|
#. Install Docker on your Linux-based system. The following example is for ubuntu.
.. code-block::
# Add Docker's official GPG key:
$ sudo apt-get update
$ sudo apt-get install ca-certificates curl
$ sudo install -m 0755 -d /etc/apt/keyrings
$ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
$ sudo chmod a+r /etc/apt/keyrings/docker.asc
# Add the repository to Apt sources:
$ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \
$(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null
$ sudo apt-get update
# Install Docker Packages
$ sudo apt-get install docker-ce docker-ce-cli `containerd.io <http://containerd.io>`__ docker-buildx-plugin docker-compose-plugin
# Verify that the Docker Engine installation is successful by running the hello-world image.
$ sudo docker run hello-world
# Manage docker as non-root user
$ sudo groupadd docker
$ sudo usermod -aG docker $USER
$ sudo reboot
#. Download and extract the |prod| remote CLI tar file from the |prod| site.
.. code-block::
$ cd ~
$ wget https://mirror.starlingx.cengn.ca/mirror/starlingx/master/debian/monolithic/latest_build/outputs/remote-cli/stx-remote-cli-1.0.tgz
$ tar xvf stx-remote-cli-1.0.tgz
#. Extract the |prod| system information from the ``stx-remote-access-info.tar``
file from your |prod| system administrator.
.. code-block::
# Files from your StarlingX System Administrator
$ ls ~/stx-remote-access-info.tar
$ cd ~/remote_cli
$ tar xvf ~/stx-remote-access-info.tar
#. Update the ``starlingxrc`` file.
.. code-block::
$ vi ~/remote_cli/stx-remote-access-info/starlingxrc
// and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file
#. Update the ``KUBECONFIG`` file.
.. code-block::
$ vi ~/remote_cli/stx-remote-access-info/kubeconfig
// and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file
#. Configure the containerized remote CLI clients.
.. code-block::
$ ./configure_client.sh -t platform -r ${HOME}/remote_cli/stx-remote-access-info/starlingxrc -k ${HOME}/remote_cli/stx-remote-access-info/kubeconfig -w ${HOME}/remote_cli -p docker.io/starlingx/stx-platformclients:stx.9.0-v1.5.13
.. rubric:: |postreq|
- Access the |prod| remote CLI and kubernetes remote CLI.
- See :ref:`system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87`
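Review bot: "change YOURUSERNAMEHERE to your StarlingX LDAP Username" for starlingxrc is wrong: that file sets `OS_USERNAME`, which is the Keystone user; the kubeconfig is the file that takes the LDAP user name. In the apt-get install line, `containerd.io` has been turned into RST link markup (`` `containerd.io <http://containerd.io>`__ ``) inside a code block, so the command as rendered will not paste cleanly; restore the plain package name. The prerequisite again says `stx-remote-access.tar` instead of `stx-remote-access-info.tar`. Two smaller points: `sudo reboot` after `usermod -aG docker` can be replaced by logging out and back in (or `newgrp docker`), and the text should say that docker-group membership is root-equivalent on that host; and the wget pulls the remote-cli tarball from `master/.../latest_build` while the client image is pinned to `stx.9.0-v1.5.13`, whereas both should track the release of the StarlingX system being accessed.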

@@ -0,0 +1,138 @@
.. WARNING: Add no lines of text between the label immediately following
.. and the title.
.. _system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936:
============================================================================================
System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI
============================================================================================
After installing your first system administrator, with full privileges,
test access to Linux, |prod| and Kubernetes commands and resources.
.. rubric:: |prereq|
- You must have created your first system administrator;
- You need to perform this procedure using the first system administrator.
.. rubric:: |proc|
#. Login to active controller as the first system administrator,
``joefulladmin`` in these examples.
Use either local console or |SSH|.
.. note::
If this is the first time logging in with your Local |LDAP| account, the
password configured is your username. You will be forced to update your
password.
#. Test access to linux commands (admin and non-admin).
.. code-block::
# Creating user requires sudo
$ sudo ldapusersetup -u johnsmith
Successfully added user johnsmith to LDAP
Successfully set password for user johnsmith
Warning : password is reset, user will be asked to change password at login
Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 90 days
Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP
Updating password expiry to 2 days
# Listing IP interfaces does not require admin privileges
$ ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff
3: enp0s8: <BROADCAST,MULTICAST> mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000
link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff
...
#. Test access to Kubernetes commands / resources.
#. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment.
.. code-block::
$ kubeconfig-setup
$ source ~/.profile
#. Use ``oidc-auth`` to authenticate via |OIDC|/|LDAP|.
.. code-block::
$ oidc-auth
Using "joefulladmin" as username.
Password:
Successful authentication.
Updated /home/joefulladmin/.kube/config .
#. Use ``kubectl`` to test access to kubernetes commands / resources
(admin and non-admin).
.. code-block::
# Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges
$ kubectl -n kube-system get secrets
NAME TYPE DATA AGE
ceph-admin Opaque 2 3d8h
ceph-pool-kube-cephfs-data kubernetes.io/cephfs 4 3d8h
ceph-pool-kube-rbd kubernetes.io/rbd 2 3d8h
# Anyone can display resources in 'default' namespace
$ kubectl -n default get all
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/kubernetes ClusterIP 10.96.0.1 <none> 443/TCP 3d9h
#. Test access to |prod| commands / resources.
#. Use ``local_starlingxrc`` to setup |prod| environment variables
and to setup your keystone user's authentication credentials.
.. code-block::
$ source local_starlingxrc
Enter the password to be used with Keystone user joefulladmin:
Created file /home/joefulladmin/joefulladmin-openrc
#. Test keystone commands (admin and non-admin).
.. code-block:: none
# Making changes to the system requires 'admin' role
$ system modify -l Ottawa
+----------------------+--------------------------------------+
| Property | Value |
+----------------------+--------------------------------------+
| contact | None |
| created_at | 2024-07-12T10:52:40.609006+00:00 |
| description | None |
| https_enabled | True |
| latitude | None |
| location | Ottawa |
| longitude | None |
...
# Any member of 'admin' project can display system parameters
$ system host-if-list controller-0
+--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
| uuid | name | class | type | vlan id | ports | uses i/f | used by i/f | attributes |
+--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
| 287eca5a-8721-4422-b73a-bf24805eac4c | enp0s3 | platform | ethernet | None | ['enp0s3'] | [] | [] | MTU=1500 |
| 325c32b9-fe40-4900-a0ff-59062190ce80 | lo | platform | virtual | None | [] | [] | [] | MTU=1500 |
+--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+
.. rubric:: |postreq|
Continue to :ref:`Create other System Administrators <create-other-system-administrators-97b99bb94430>`.
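Review bot: the `ldapusersetup` output in the Linux-commands step prints `Updating password expiry to 90 days` and then `Updating password expiry to 2 days` with no explanation, which reads as a contradiction; either state what each value governs or trim the captured output to the lines the step needs. The comment `# Anyone can display resources in 'default' namespace` before `kubectl -n default get all` overstates what is being tested, since read access depends on the RBAC binding the user was given; name the role binding that grants it, or word the comment as "any user bound to the read role for the default namespace". Style: the prerequisite `You must have created your first system administrator;` should end with a period like the next item, and the `.. code-block::` directives in this file omit a language while the keystone block uses `none`; pick one form throughout.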