diff --git a/doc/source/security/kubernetes/configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167.rst b/doc/source/security/kubernetes/configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167.rst new file mode 100644 index 000000000..0fbb00f00 --- /dev/null +++ b/doc/source/security/kubernetes/configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167.rst 
@@ -0,0 +1,223 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167: + +===================================================================== +Configure OIDC/LDAP Authentication for Kubernetes User Authentication +===================================================================== + +After installing |prod|, you should configure |OIDC|/|LDAP| authentication +for kubernetes access user authentication. + +|OIDC|/|LDAP| authentication can be supported by |prod|'s local |LDAP| server +and/or up to three remote |LDAP| servers (for example, Windows Active Directory). + +In this example, |OIDC|/|LDAP| authentication is setup for local |LDAP|. + +.. rubric:: |prereq| + +- You must have the credentials for the 'sysadmin' local Linux user account + used for installation. + +.. rubric:: |proc| + +#. Login to the active controller as the 'sysadmin' user. + + Use either a local console or |SSH|. + +#. Setup 'sysadmin' credentials. + + .. code-block:: + + $ source /etc/platform/openrc + +#. Configure Kubernetes for |OIDC| token validation. + + Use the default nodePort for the ``oidc-auth-apps`` system application of 30556. + + .. code-block:: + + $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') + + $ system service-parameter-add kubernetes kube_apiserver oidc-client-id=stx-oidc-client-app + + $ system service-parameter-add kubernetes kube_apiserver oidc-groups-claim=groups + + $ system service-parameter-add kubernetes kube_apiserver oidc-issuer-url=https://${OAMIP}:30556/dex + + $ system service-parameter-add kubernetes kube_apiserver oidc-username-claim=email + + $ system service-parameter-apply kubernetes + +#. Configure and apply the ``oidc-auth-apps`` system application. + + #. Create the certificate to be used by both the |OIDC| client and the + |OIDC| identity provider. + + .. 
code-block:: + + $ mkdir /home/sysadmin/oidc + + $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | + awk '{print $4}') + + $ cat < /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: oidc-auth-apps-certificate + namespace: kube-system + spec: + secretName: oidc-auth-apps-certificate + duration: 2160h # 90 days + renewBefore: 360h # 15 days + issuerRef: + name: system-local-ca + kind: ClusterIssuer + commonName: ${OAMIP} + subject: + organizations: + - ABC-Company + organizationalUnits: + - StarlingX-system-oidc-auth-apps + ipAddresses: + - ${OAMIP} + EOF + + $ kubectl apply -f/home/sysadmin/oidc/oidc-auth-apps-certificate.yaml + + #. Configure the |OIDC|-client with the |OIDC| client certificate and + |OIDC| identity server certificate (created in the ``Create the + certificate to be used by both the OIDC client and the OIDC identity + provider`` step) and the Trusted |CA| that you used to sign these + certificates (i.e., the system-local-ca). + + .. code-block:: + + $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode > /home/sysadmin/oidc/dex-ca-cert.crt + + $ kubectl create secret generic dex-ca-cert --from-file=/home/sysadmin/oidc/dex-ca-cert.crt -n kube-system + + $ cat < /home/sysadmin/oidc/oidc-client-overrides.yaml + tlsName: oidc-auth-apps-certificate + config: + # The |OIDC|-client container mounts the dex-ca-cert secret at /home, therefore + # issuer_root_ca: /home/ + issuer_root_ca: /home/dex-ca-cert.crt + issuer_root_ca_secret: dex-ca-cert + # secret for accessing dex + client_secret: stx-oidc-client-p@ssw0rd + EOF + + $ system helm-override-update oidc-auth-apps oidc-client kube-system --values /home/sysadmin/oidc/oidc-client-overrides.yaml + + #. Configure the secret observer to track renewals of certificates. + + .. 
code-block:: + + $ cat < /home/sysadmin/oidc/secret-observer-overrides.yaml + cronSchedule: "*/15 * * * *" + observedSecrets: + - secretName: "dex-ca-cert" + filename: "dex-ca-cert.crt" + deploymentToRestart: "stx-oidc-client" + - secretName: "oidc-auth-apps-certificate" + filename: "tls.crt" + deploymentToRestart: "stx-oidc-client" + - secretName: "oidc-auth-apps-certificate" + filename: "tls.crt" + deploymentToRestart: "oidc-dex" + EOF + + $ system helm-override-update oidc-auth-apps secret-observer kube-system --values /home/sysadmin/oidc/secret-observer-overrides.yaml + + #. Create a secret with the certificate of the |CA| that signed the + certificate of local |LDAP|, i.e., ``system-local-ca``, to be + used in the ``Specify the configuration for connecting to Local LDAP + in the user overrides for the oidc-auth-apps application`` step. + + .. code-block:: + + $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.\ `data.ca `__\\.crt}' | base64 --decode > /home/sysadmin/oidc/local-ldap-ca-cert.crt + + $ kubectl create secret generic local-ldap-ca-cert --from-file=/home/sysadmin/oidc/local-ldap-ca-cert.crt -n kube-system + + #. Specify the configuration for connecting to local |LDAP| in the user + overrides for the ``oidc-auth-apps`` application. + + .. 
code-block:: + + $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') + + $ MGMTIP=$(system addrpool-list --nowrap | fgrep management | awk '{print $14}') + + $ BINDPW=$(keyring get ldap ldapadmin) + + $ cat < /home/sysadmin/oidc/dex-overrides.yaml + config: + staticClients: + - id: stx-oidc-client-app + name: STX OIDC Client app + redirectURIs: ['https://${OAMIP}:30555/callback'] + secret: stx-oidc-client-p@ssw0rd + expiry: + idTokens: "10h" + connectors: + - type: ldap + name: LocalLDAP + id: localldap-1 + config: + host: ${MGMTIP}:636 + rootCA: /etc/ssl/certs/adcert/local-ldap-ca-cert.crt + insecureNoSSL: false + insecureSkipVerify: false + bindDN: CN=ldapadmin,DC=cgcs,DC=local + bindPW: ${BINDPW} + usernamePrompt: Username + userSearch: + baseDN: ou=People,dc=cgcs,dc=local + filter: "(objectClass=posixAccount)" + username: uid + idAttr: DN + emailAttr: uid + nameAttr: gecos + groupSearch: + baseDN: ou=Group,dc=cgcs,dc=local + filter: "(objectClass=posixGroup)" + userMatchers: + - userAttr: uid + groupAttr: memberUid + nameAttr: cn + volumeMounts: + - mountPath: /etc/ssl/certs/adcert + name: certdir + - mountPath: /etc/dex/tls + name: https-tls + volumes: + - name: certdir + secret: + secretName: local-ldap-ca-cert + - name: https-tls + secret: + defaultMode: 420 + secretName: oidc-auth-apps-certificate + EOF + + $ system helm-override-update oidc-auth-apps dex kube-system --values /home/sysadmin/oidc/dex-overrides.yaml + + #. Apply the ``oidc-auth-apps`` system application. + + .. code-block:: + + $ system application-apply oidc-auth-apps + + #. Wait for the ``oidc-auth-apps`` system application to reach the 'applied' status. + + .. code-block:: + + $ system application-list + +.. rubric:: |postreq| + +See :ref:`create-first-system-administrator-1775e1b20941`. 
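Review bot: the four heredocs in configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167.rst are written as `$ cat < /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml` (and the same form for oidc-client-overrides.yaml, secret-observer-overrides.yaml and dex-overrides.yaml) followed by YAML and a bare `EOF`; as shown, `cat <` reads the file instead of writing it and the `EOF` has no heredoc to terminate, so each should read `$ cat << EOF > /home/sysadmin/oidc/oidc-auth-apps-certificate.yaml`, the form the other new files in this patch use. In the same file the second `kubectl get secret system-local-ca` jsonpath expression carries RST link markup (`` `data.ca `__ ``) and a doubled backslash and will not parse; it should match the earlier `-o=jsonpath='{.data.ca\.crt}'`. Two smaller points: `kubectl apply -f/home/sysadmin/oidc/oidc-auth-apps-certificate.yaml` is missing the space after `-f` used everywhere else, and the client secret `stx-oidc-client-p@ssw0rd` appears literally in both oidc-client-overrides.yaml and dex-overrides.yaml while dex-overrides.yaml also captures `bindPW: ${BINDPW}` in cleartext, so the text should tell the reader to replace the example secret with a generated value that is identical in both files and to restrict access to /home/sysadmin/oidc (for example `chmod 700 /home/sysadmin/oidc`) once the override files are written.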
diff --git a/doc/source/security/kubernetes/create-end-users-359693b84854.rst b/doc/source/security/kubernetes/create-end-users-359693b84854.rst new file mode 100644 index 000000000..b724653a8 --- /dev/null +++ b/doc/source/security/kubernetes/create-end-users-359693b84854.rst 
@@ -0,0 +1,197 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _create-end-users-359693b84854: + +================ +Create End Users +================ + +After setting up your system administrators, use a ``Level1SystemAdmin`` +system administrator to configure 'end users'. + +In the following example, creating end users consists of: + +- Create a general end user kubernetes ``ClusterRole`` with restricted + kubernetes capabilities. + +- For one or more specific end user groups: + + - Create an |LDAP| group; + + - You can disable the |SSH| access for this |LDAP| group (i.e., + restricting these end users to only use remote CLIs / APIs / GUIs); + + - Create a Kubernetes namespace for the group; + + - Bind the general end user kubernetes cluster role to the |LDAP| group + for this kubernetes namespace, + + - Create one or more |LDAP| users in this |LDAP| group. + +.. rubric:: |prereq| + +- You should already have created a system administrator. + +- You need to perform this procedure using the ``Level1SystemAdmin`` system administrator. + +.. rubric:: |proc| + +#. Login to the active controller as a ``Level1SystemAdmin`` system administrator, + ``joefulladmin`` in this example. + + Use either a local console or |SSH|. + + +#. Use the ``local_starlingxrc`` to setup |prod| environment variables + and to setup your keystone user's authentication credentials. + + .. code-block:: + + $ source local_starlingxrc + + Enter the password to be used with keystone user joefulladmin: + Created file /home/joefulladmin/joefulladmin-openrc + +#. Use the ``oidc-auth`` to authenticate via |OIDC|/|LDAP| for kubernetes CLI. + + .. code-block:: + + $ oidc-auth + Using "joefulladmin" as username. + Password: + Successful authentication. + Updated /home/joefulladmin/.kube/config. + + +#. Create a directory for temporary files for setting up users and groups. + + .. code-block:: + + $ mkdir /home/joefulladmin/users + + +#. 
Create a general end user kubernetes ``ClusterRole`` with restricted + kubernetes authorization privileges. + + .. code-block:: + + $ cat << EOF > /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: GeneralEndUser + rules: + # For the core API group (""), allow full access to all resource types + # EXCEPT for resource policies (limitranges and resourcequotas) only allow read access + - apiGroups: [""] + resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "serviceaccounts", "services"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: [ "limitranges", "resourcequotas" ] + verbs: ["get", "list"] + # Allow full access to all resource types of the following explicit list of apiGroups. + # Notable exceptions here are: + # ApiGroup ResourceTypes + # ------- ------------- + # policy podsecuritypolicies, poddisruptionbudgets + # networking.k8s.io networkpolicies + # admissionregistration.k8s.io mutatingwebhookconfigurations, validatingwebhookconfigurations + # + - apiGroups: ["apps", "batch", "extensions", "autoscaling", "apiextensions.k8s.io", "rbac.authorization.k8s.io"] + resources: ["*"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + # Cert Manager API access + - apiGroups: ["cert-manager.io", "acme.cert-manager.io"] + resources: ["*"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + EOF + + $ kubectl apply -f /home/joefulladmin/users/GeneralEndUser-ClusterRole.yml + +#. For one or more specific end user groups, create an |LDAP| group, Kubernetes + namespace and one or more |LDAP| users. + + #. Create a new local |LDAP| group for the end user group. + + .. code-block:: + + $ sudo ldapaddgroup ABC-EndUsers + + + #. |Optional| Disallow this local |LDAP| group from using |SSH|. 
+ + Users of this |LDAP| group can only use the remote kubernetes + API/CLI/GUI. Update the ``/etc/security/group.conf`` with |LDAP| group + mappings. + + .. note:: + + If it is |AIO-DX| controller configuration, disallow this local + |LDAP| group on both controllers. + + .. code-block:: + + $ sudo sed -i '$ a\\\*;\*;%ABC-EndUsers;Al0000-2400;denyssh' /etc/security/group.conf + + #. Create a kubernetes namespace for the end user group. + + .. code-block:: + + $ kubectl create namespace abc-ns + + #. Bind the ``GeneralEndUser`` role to this |LDAP| group for this + kubernetes namespace. + + .. code-block:: + + $ cat << EOF > /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml + apiVersion: rbac.authorization.k8s.io/v1 + kind: RoleBinding + metadata: + name: ABC-EndUsers + namespace: abc-ns + subjects: + - kind: Group + name: ABC-EndUsers + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: GeneralEndUser + apiGroup: rbac.authorization.k8s.io + EOF + + $ kubectl apply -f /home/joefulladmin/users/ABC-EndUsers-rolebinding.yml + + #. Create one or more |LDAP| users for the end user group. + + .. code-block:: + + $ sudo ldapusersetup -u steveenduser + Password: + Successfully added user steveenduser to LDAP + Successfully set password for user steveenduser + Warning : password is reset, user will be asked to change password at login + Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Successfully modified user entry uid=steveenduser,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + + $ sudo ldapaddusertogroup steveenduser ABC-EndUsers + + #. Repeat the ``Create one or more LDAP users for the end user group`` step + for the next user in this end user group. + +#. Repeat the ``For one or more specific end user groups, create an LDAP group, kubernetes + namespace and one or more LDAP users`` step for the next end user group. + +.. 
rubric:: |postreq| + +The end user created is able to, optionally, use SSH on the system to execute +kubernetes |CLI| commands to manage the hosted containerized application and +execute Linux commands. See section: :ref:`end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671`. + +.. note:: + + More setup is required for end user to use remote CLIs/GUIs, see sections + :ref:`index-remote-access-2209661be417`. diff --git a/doc/source/security/kubernetes/create-first-system-administrator-1775e1b20941.rst b/doc/source/security/kubernetes/create-first-system-administrator-1775e1b20941.rst new file mode 100644 index 000000000..451d58776 --- /dev/null +++ b/doc/source/security/kubernetes/create-first-system-administrator-1775e1b20941.rst 
@@ -0,0 +1,154 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _create-first-system-administrator-1775e1b20941: + +================================= +Create First System Administrator +================================= + +After installing |prod|, you should create your first unique system +administrator account. + +In this example, a local |LDAP| user account and a local Keystone user account +are created for the first system administrator user. + +The first system administrator user must have full 'admin' privileges such that +it can create subsequent system administrators and end users. + +.. rubric:: |prereq| + +- You must have the credentials for the 'sysadmin' local Linux user + account used for the installation. + +.. rubric:: |proc| + +#. Login to the active controller as the 'sysadmin' user. + + Use either a local console or |SSH|. + + +#. Apply source credentials for the 'admin' keystone user. + + .. code-block:: + + $ source /etc/platform/openrc + + +#. Create a directory for temporary files for setting up users and groups. + + .. code-block:: + + $ mkdir /home/sysadmin/users + +#. Create a new local |LDAP| group for system administrators with full privileges. + + .. code-block:: + + $ sudo ldapaddgroup Level1SystemAdmin + + #. Add full Linux authorization privileges to the ``Level1SystemAdmin`` + |LDAP| group members. + + Enable ``pam_group.so`` in ``/etc/pam.d/common-auth``, and update + ``/etc/security/group.conf`` with |LDAP| group mappings. + + .. note:: + + If it is |AIO-DX| controller configuration, add full Linux authorization + privileges on both controllers. + + .. 
code-block:: + + # Execute this line only once, on each host + $ sudo sed -i '1i auth required `pam_group.so `__ use_first_pass}' /etc/pam.d/common-auth + + # Execute this line for each LDAP group being mapped to 1 or more local Linux groups, on each host + $ sudo sed -i '$ a\\\*;\*;%Level1SystemAdmin;Al0000-2400;sys_protected,root,sudo' /etc/security/group.conf + + #. Add full kubernetes authorization privileges to the ``Level1SystemAdmin`` + |LDAP| group members. + + Add a kubernetes ``ClusterRoleBinding`` to bind the ``Level1SystemAdmin`` + group to the ``cluster-admin`` role. + + .. code-block:: + + $ cat << EOF > /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: Level1SystemAdmin + subjects: + kind: Group + name: Level1SystemAdmin + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: cluster-admin + apiGroup: rbac.authorization.k8s.io + EOF + + $ kubectl apply -f /home/sysadmin/users/Level1SystemAdmin-clusterrolebinding.yml + + +#. Create a new local |LDAP| user for the first system administrator. + + .. code-block:: + + $ sudo ldapusersetup -u joefulladmin + Password: + Successfully added user joefulladmin to LDAP + Successfully set password for user joefulladmin + Warning : password is reset, user will be asked to change password at login + Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Successfully modified user entry uid=joefulladmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + + +#. Add the first system administrator to the ``Level1SystemAdmin`` group. + + .. code-block:: + + $ sudo ldapaddusertogroup joefulladmin Level1SystemAdmin + + +#. Add a new local keystone user for the first system administrator using the + same username. + + Create a keystone user in the 'admin' project. 
The |prod| + infrastructure resources are all contained in the 'admin' project. + + .. code-block:: + + $ USERNAME="joefulladmin" + $ USERPASSWORD="" + $ PROJECTNAME="admin" + $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'\` + $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}" + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME}_member_ + + #. Add full |prod| authorization privileges to the first system + administrator's keystone user account. + + .. code-block:: + + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin + + +#. Logout as 'sysadmin'. + + .. code-block:: + + $ exit + + +.. rubric:: |postreq| + +- Login to the local console or |SSH| with this new first system + administrator, ``joefulladmin``. See :ref:`system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936` + +- Continue to :ref:`create-other-system-administrators-97b99bb94430` + + diff --git a/doc/source/security/kubernetes/create-other-system-administrators-97b99bb94430.rst b/doc/source/security/kubernetes/create-other-system-administrators-97b99bb94430.rst new file mode 100644 index 000000000..055eabea6 --- /dev/null +++ b/doc/source/security/kubernetes/create-other-system-administrators-97b99bb94430.rst 
@@ -0,0 +1,298 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _create-other-system-administrators-97b99bb94430: + +================================== +Create Other System Administrators +================================== + +After setting up your first system administrator, use this first +system administrator to configure other system administrators. + +In the following example, creating other system administrators consists of: + +- Create system administrator groups with different privilege levels. + + - The ``Level1SystemAdmin`` group with full privileges (including sudo) has + already been created, when creating the first system administrator. + + - Create a ``Level2SystemAdmin`` group with full privileges, with no linux + ``sudo`` capability. + + - Create a ``Level3SystemAdmin`` group with read-only privileges. + +- Create one or more new system administrator users in each of the above groups. + + - For each user, create both: + + - a local |LDAP| user account. + + - a keystone user account. + +.. rubric:: |prereq| + +- You need to use the first system administrator created to execute this procedure. + +.. rubric:: |proc| + +#. Login to the active controller as the first system administrator, + ``joefulladmin`` in this example. + + Use either a local console or |SSH|. + +#. Use the ``local_starlingxrc`` to setup |prod| environment variables + and to setup the keystone user's authentication credentials. + + .. code-block:: + + $ source local_starlingxrc + Enter the password to be used with keystone user joefulladmin: + Created file /home/joefulladmin/joefulladmin-openrc + +#. Use the ``oidc-auth`` to authenticate via |OIDC|/|LDAP| for kubernetes CLI. + + .. code-block:: + + $ oidc-auth + Using "joefulladmin" as username. + Password: + Successful authentication. + Updated /home/joefulladmin/.kube/config . + +#. Set up additional system admin groups with different privileges. 
+ + Create a directory for temporary files for setting up users and + groups. + + .. code-block:: none + + $ mkdir /home/joefulladmin/users + + #. Create a new local |LDAP| group with full privilege (but without linux + ``sudo`` capability) for the system administrator. + + .. code-block:: none + + $ sudo ldapaddgroup Level2SystemAdmin + + + #. Add full Linux authorization privileges (but without linux 'sudo' + capability) to the ``Level2SystemAdmin`` |LDAP| group members. + + Update the ``/etc/security/group.conf`` with |LDAP| group mappings. + + .. note:: + + For a |AIO-DX| controller configuration, this step must be done + on both controllers. + + .. code-block:: none + + $ sudo sed -i '$a\\\*;\*;%Level2SystemAdmin;Al0000-2400;sys_protected,root' /etc/security/group.conf + + #. Add restricted kubernetes authorization privileges to the + ``Level2SystemAdmin`` |LDAP| group members. + + Add a kubernetes ``ClusterRole`` and kubernetes ``ClusterRoleBinding`` to + bind the ``Level2SystemAdmin`` group to a more restricted set of + kubernetes capabilities. + + .. 
code-block:: none + + $ cat << EOF > /home/joefulladmin/users/Level2SystemAdmin-clusterrolebinding.yml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: Level2SystemAdmin + rules: + # For the core API group (""), allow full access to all resource types + # EXCEPT for serviceaccounts and resource policies (limitranges and resourcequotas) only allow read access + - apiGroups: [""] + resources: ["bindings", "configmaps", "endpoints", "events", "persistentvolumeclaims", "pods", "podtemplates", "replicationcontrollers", "secrets", "services"] + verbs: ["get", "list", "watch", "create", "update", "patch", "delete"] + - apiGroups: [""] + resources: [ "serviceaccounts", "limitranges", "resourcequotas" ] + verbs: ["get", "list"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: Level2SystemAdmin + subjects: + - kind: Group + name: Level2SystemAdmin + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: Level2SystemAdmin + apiGroup: rbac.authorization.k8s.io + EOF + + $ kubectl apply -f /home/joefulladmin/users/Level2SystemAdmin-clusterrolebinding.yml + + #. 'admin' StarlingX Authorization Privileges will be given to the + ``Level2SystemAdmin`` |LDAP| Group members, when they are created in a + subsequent step. + + #. Create a new local |LDAP| group for read-only system administrators. + + .. code-block:: none + + $ sudo ldapaddgroup Level3SystemAdmin + + #. Do not add additional linux authorization privileges to the ``Level3SystemAdmin`` + |LDAP| group members. + + Update ``/etc/security/group.conf`` with |LDAP| group mappings. + + .. note:: + + For a |AIO-DX| controller configuration, this step must be done + on both controllers. + + .. code-block:: none + + $ sudo sed -i '$ a\\\*;\*;%Level3SystemAdmin;Al0000-2400;users' /etc/security/group.conf + + #. Add 'reader' Kubernetes authorization privileges to the ``Level3SystemAdmin`` + |LDAP| group members. 
+ + Add a kubernetes ``ClusterRole`` and kubernetes ``ClusterRoleBinding`` + to bind the ``Level3SystemAdmin`` group to a reader only set of kubernetes + capabilities. + + .. code-block:: none + + $ cat << EOF > /home/joefulladmin/users/Level3SystemAdmin-clusterrolebinding.yml + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + name: Level3SystemAdmin + rules: + - apiGroups: [""] # "" indicates the core API group + resources: ["*"] + verbs: ["get", "watch", "list"] + --- + apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRoleBinding + metadata: + name: Level3SystemAdmin + subjects: + - kind: Group + name: Level3SystemAdmin + apiGroup: rbac.authorization.k8s.io + roleRef: + kind: ClusterRole + name: Level3SystemAdmin + apiGroup: rbac.authorization.k8s.io + EOF + + $ kubectl apply -f /home/joefulladmin/users/Level3SystemAdmin-clusterrolebinding.yml + + #. The 'reader' |prod| authorization privileges will be given to the + ``Level3SystemAdmin`` |LDAP| group members, when they are created + in a subsequent step. + + +#. Create system 'admin' users in each of the 3 system admin groups. + + #. Create one or more users in the ``Level1SystemAdmin`` group and give each + a keystone user account with an 'admin' role. + + .. 
code-block:: + + $ sudo ldapusersetup -u davefulladmin + Password: + Successfully added user davefulladmin to LDAP + Successfully set password for user davefulladmin + Warning : password is reset, user will be asked to change password at login + Successfully modified user entry uid=davefulladmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Successfully modified user entry uid=davefulladmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + + $ sudo ldapaddusertogroup davefulladmin Level1SystemAdmin + + $ USERNAME="davefulladmin" + $ USERPASSWORD="" + $ PROJECTNAME="admin" + $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'` + $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}" + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_ + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin + + Repeat this step for additional users required in the ``Level1SystemAdmin`` + group. + + #. Create one or more users in the ``Level2SystemAdmin`` group and give + each a keystone user account with an 'admin' role. + + .. 
code-block:: + + $ sudo ldapusersetup -u jimbasicadmin + Password: + Successfully added user jimbasicadmin to LDAP + Successfully set password for user jimbasicadmin + Warning : password is reset, user will be asked to change password at login + Successfully modified user entry uid=jimbasicadmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Successfully modified user entry uid=jimbasicadmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + + $ sudo ldapaddusertogroup jimbasicadmin Level2SystemAdmin + + $ USERNAME="jimbasicadmin" + $ USERPASSWORD="" + $ PROJECTNAME="admin" + $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'` + $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}" + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_ + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} admin + + Repeat this step for additional users required in the ``Level2SystemAdmin`` + group. + + #. Create one or more users in the ``Level3SystemAdmin`` group and give + each a keystone user account with 'reader' role. + + .. 
code-block:: + + $ sudo ldapusersetup -u billreaderadmin + Password: + Successfully added user billreaderadmin to LDAP + Successfully set password for user billreaderadmin + Warning : password is reset, user will be asked to change password at login + Successfully modified user entry uid=billreaderadmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Successfully modified user entry uid=billreaderadmin,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + + $ sudo ldapaddusertogroup billreaderadmin Level3SystemAdmin + + $ USERNAME="billreaderadmin" + $ USERPASSWORD="" + $ PROJECTNAME="admin" + $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'` + $ openstack user create --password "${USERPASSWORD}" --project ${PROJECTID} "${USERNAME}" + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} _member_ + $ openstack role add --project ${PROJECTNAME} --user ${USERNAME} reader + + Repeat this step for additional users required in the ``Level3SystemAdmin`` + group. + +.. rubric:: |postreq| + +Each system administrator user created should now be able to: + +- |SSH| to the system + + - execute linux commands based on their linux authorizations. + + - execute |prod| CLI commands based on their |prod| authorizations. + + - execute kubernetes CLI commands based on their kubernetes |RBAC| role bindings. + +- See section: :ref:`system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936`. + + diff --git a/doc/source/security/kubernetes/encrypt-kubernetes-secret-data-at-rest.rst b/doc/source/security/kubernetes/encrypt-kubernetes-secret-data-at-rest.rst index 094edf593..f31ae8d7d 100644 --- a/doc/source/security/kubernetes/encrypt-kubernetes-secret-data-at-rest.rst +++ b/doc/source/security/kubernetes/encrypt-kubernetes-secret-data-at-rest.rst @@ -1,5 +1,6 @@ .. dxx1582118922443 + .. _encrypt-kubernetes-secret-data-at-rest: ====================================== 
@@ -7,9 +8,9 @@ Encrypt Kubernetes Secret Data at Rest ====================================== By default, |prod| configures the kube-apiserver to encrypt or decrypt the -data in the Kubernetes 'Secret' resources in / from the etcd database. +data in the Kubernetes 'Secret' resources in / from the 'etcd' database. -This protects sensitive information in the event of access to the etcd +This protects sensitive information in the event of access to the 'etcd' database being compromised. The encryption and decryption operations are transparent to the Kubernetes API user. diff --git a/doc/source/security/kubernetes/end-user-access-k8s-remote-cli-7bb5b71ed604.rst b/doc/source/security/kubernetes/end-user-access-k8s-remote-cli-7bb5b71ed604.rst new file mode 100644 index 000000000..a5197812a --- /dev/null +++ b/doc/source/security/kubernetes/end-user-access-k8s-remote-cli-7bb5b71ed604.rst @@ -0,0 +1,30 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _end-user-access-k8s-remote-cli-7bb5b71ed604: + +======================================= +End User - Access Kubernetes Remote CLI +======================================= + +Access your |prod| system through kubernetes remote |CLI| on your Linux-based +system. + +.. rubric:: |prereq| + +You need to have a Linux-based system that has configured the Kubernetes remote +|CLI|. See section: :ref:`end-user-configure-k8s-remote-cli-fad235bb7a18`. + +.. rubric:: |proc| + +#. Update your |OIDC| token in your ``KUBECONFIG``. + + .. code-block:: + + $ ./oidc-auth -u -c + +#. Test kubernetes remote |CLI| commands. + + .. code-block:: + + $ kubectl get all diff --git a/doc/source/security/kubernetes/end-user-configure-k8s-remote-cli-fad235bb7a18.rst b/doc/source/security/kubernetes/end-user-configure-k8s-remote-cli-fad235bb7a18.rst new file mode 100644 index 000000000..de6f5103d --- /dev/null +++ b/doc/source/security/kubernetes/end-user-configure-k8s-remote-cli-fad235bb7a18.rst 
@@ -0,0 +1,78 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _end-user-configure-k8s-remote-cli-fad235bb7a18: + +========================================== +End User - Configure Kubernetes Remote CLI +========================================== + +Configure the kubernetes remote |CLI| on your Linux-based system to enable access +to the |prod| system kubernetes remote |CLI| commands. + +This procedure should be performed on your Linux-based system. + +.. rubric:: |prereq| + +- You need to have a Linux-based system with python installed. + +- You need to have the ``stx-remote-access.tar`` file from your system administrator, + containing system information related to your |prod| system. + +.. rubric:: |proc| + +#. Install the ``kubectl`` client CLI on the host. + + Follow the instructions on `Install and Set Up kubectl on + Linux `. + + The example below can be used for Ubuntu. + + .. code-block:: + + $ sudo curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl" + $ sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl + +#. Download the ``oidc-auth`` shell script from |prod| site and install + python mechanize. + + .. code-block:: + + $ wget`https://mirror.starlingx.cengn.ca/mirror/starlingx/master/debian/monolithic/latest_build/outputs/remote-cli/ `__\ oidc-auth + $ chmod a+rx oidc-auth + + $ sudo apt install python3-pip + $ sudo pip install mechanize + +#. Extract the |prod| system information from the + ``stx-remote-access-info.tar`` file from your |prod| system administrator. + + .. code-block:: + + # Files from your StarlingX System Administrator + $ ls ~/stx-remote-access-info.tar + + $ tar xvf ~/stx-remote-access-info.tar + +#. Update the ``KUBECONFIG`` file. + + .. 
code-block:: + + $ mkdir ~/.kube + $ cp ~/stx-remote-access-info/kubeconfig ~/.kube/config + $ vi ~/.kube/config + // and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file + + # Add ~/stx-remote-access-info/stx.ca.crt to the list of Trusted CA + # e.g. commands shown for ubuntu below + $ sudo cp ~/stx-remote-access-info/stx.ca.crt /usr/local/share/ca-certificates + $ sudo update-ca-certificates + + # Authenticate with OIDC/LDAP on StarlingX ... and token will be put in ~/.kube/config + $ ./oidc-auth -u -c + +.. rubric:: |postreq| + +Access the kubernetes remote |CLI|. + +See :ref:`end-user-access-k8s-remote-cli-7bb5b71ed604`. diff --git a/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst b/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst new file mode 100644 index 000000000..fdb71323d --- /dev/null +++ b/doc/source/security/kubernetes/end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671.rst 
@@ -0,0 +1,94 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671: + +========================================================= +End Users - Test Local Access using SSH or Kubernetes CLI +========================================================= + +After creating end users, test their access to the the Kubernetes commands / resources +and linux access. + +.. rubric:: |prereq| + +- You should already have created at least one end user. + +- You need to perform this procedure using an end user. + +.. rubric:: |proc| + +#. Login to the active controller as an end user, ``steveenduser`` in this + example. + + Use either a local console or |SSH|. + +#. Test access to linux commands (admin and non-admin) using the following commands: + + .. code-block:: + + # Creating user requires sudo + + $ sudo ldapusersetup -u johnsmith + steveenduser is not allowed to run sudo on controller-0. This incident will be reported. + + # Listing IP interfaces does not require admin privileges + + $ ip link show + 1: lo: mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + 2: enp0s3: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 + link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff + 3: enp0s8: mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000 + link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff + ... + +#. Test access to kubernetes commands / resources using the following steps: + + #. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment. + + .. code-block:: + + $ kubeconfig-setup + $ source ~/.profile + + #. Use ``oidc-auth`` to authenticate through |OIDC|/|LDAP|. + + .. code-block:: + + $ oidc-auth + Using "steveenduser" as username. + Password: + Successful authentication. + Updated /home/johnsmith/.kube/config . + + #. 
Use ``kubectl`` to test access to kubernetes commands / resources + (admin and non-admin). + + .. code-block:: + + # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges + + $ kubectl -n kube-system get secrets + Error from server (Forbidden): secrets is forbidden: User "steveenduser" cannot list resource "secrets" in API group "" in the namespace "kube-system" + + # Should be able to display resources in his own namespace, 'ABC-ns' + + $ kubectl -n abc-ns get all + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/kubernetes ClusterIP 10.96.0.1 443/TCP 3d9h + +#. Test access to |prod| commands / resources. + + .. code-block:: + + $ source local_starlingxrc + Enter the password to be used with Keystone user steveenduser: + Created file /home/johnsmith/steveenduser-openrc + + $ system host-list + Must provide Keystone credentials or user-defined endpoint and token, error was: The request you have made requires authentication. (HTTP 401) (Request-ID: req-0feb292f-d649-4d9f-8e60-f63643265207) + +.. rubric:: |postreq| + +Setup remote access for any end users requiring remote access. See :ref:`index-remote-access-2209661be417`. diff --git a/doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst b/doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst new file mode 100644 index 000000000..048c8f613 --- /dev/null +++ b/doc/source/security/kubernetes/index-accessing-the-system-7d190226d3a5.rst 
@@ -0,0 +1,22 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-accessing-the-system-7d190226d3a5: + +================= +Access the System +================= + +.. Uncomment topic-a etc. below and replace with the names of your topics, + excluding the .rst extension + +.. toctree:: + :maxdepth: 2 + + configure-local-cli-access + remote-access-index + security-access-the-gui + security-rest-api-access + connect-to-container-registries-through-a-firewall-or-proxy + + diff --git a/doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst b/doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst new file mode 100644 index 000000000..cea8940aa --- /dev/null +++ b/doc/source/security/kubernetes/index-example-common-tasks-97773f3a82f0.rst @@ -0,0 +1,25 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-example-common-tasks-97773f3a82f0: + +======================================== +Examples of User Management Common Tasks +======================================== + +This section provides a set of common tasks related to the user management of +both system administrations and general end users, to set up unique users for +your system. + +.. toctree:: + :maxdepth: 3 + + configure-oidc-ldap-authentication-for-k8s-user-authentication-8cea26362167 + create-first-system-administrator-1775e1b20941 + system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936 + create-other-system-administrators-97b99bb94430 + create-end-users-359693b84854 + end-users-local-access-using-ssh-or-k8s-cli-2b88b1235671 + index-remote-access-2209661be417 + + diff --git a/doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst b/doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst new file mode 100644 index 000000000..eea08ae09 --- /dev/null 
+++ b/doc/source/security/kubernetes/index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a.rst @@ -0,0 +1,25 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a: + +==================================================== +Kubernetes API User Authentication Using LDAP Server +==================================================== + +.. Uncomment topic-a etc. below and replace with the names of your topics, + excluding the .rst extension + +.. toctree:: + :maxdepth: 2 + + overview-of-ldap-servers + centralized-vs-distributed-oidc-auth-setup + configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system + configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system + configure-oidc-auth-applications + configure-users-groups-and-authorization + configure-kubernetes-client-access + deprovision-ldap-server-authentication + + diff --git a/doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst b/doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst new file mode 100644 index 000000000..605192be5 --- /dev/null +++ b/doc/source/security/kubernetes/index-ldap-accounts-e8ee204e6092.rst @@ -0,0 +1,22 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-ldap-accounts-e8ee204e6092: + +============= +LDAP Accounts +============= + +.. Uncomment topic-a etc. below and replace with the names of your topics, + excluding the .rst extension + +.. toctree:: + :maxdepth: 2 + + index-local-ldap-accounts-2f2128fe2f49 + remote-windows-active-directory-accounts + selectively-disable-ssh-for-local-openldap-and-wad-users-e5aaf09e790c + manage-local-ldap-39fe3a85a528 + index-k8s-api-user-authentication-using-ldap-server-222e1e4d7c1a + + 
diff --git a/doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst b/doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst new file mode 100644 index 000000000..282411aa7 --- /dev/null +++ b/doc/source/security/kubernetes/index-local-ldap-accounts-2f2128fe2f49.rst @@ -0,0 +1,24 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-local-ldap-accounts-2f2128fe2f49: + +=================== +Local LDAP Accounts +=================== + +.. Uncomment topic-a etc. below and replace with the names of your topics, + excluding the .rst extension + +.. toctree:: + :maxdepth: 2 + + local-ldap-linux-user-accounts + create-ldap-linux-accounts + create-ldap-linux-groups-4c94045f8ee0 + delete-ldap-linux-accounts-7de0782fbafd + remote-access-for-linux-accounts + password-recovery-for-linux-user-accounts + local-ldap-user-password-expiry-mechanism-eba5d34abbd4 + estabilish-credentials-for-linux-user-accounts + manage-local-ldap-39fe3a85a528 \ No newline at end of file diff --git a/doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst b/doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst new file mode 100644 index 000000000..859dbc9b7 --- /dev/null +++ b/doc/source/security/kubernetes/index-password-rules-8429cd4ebddb.rst @@ -0,0 +1,18 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-password-rules-8429cd4ebddb: + +============== +Password Rules +============== + +.. Uncomment topic-a etc. below and replace with the names of your topics, + excluding the .rst extension + +.. toctree:: + :maxdepth: 2 + + starlingx-system-accounts-system-account-password-rules + linux-accounts-password-3dcad436dce4 + 
diff --git a/doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst b/doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst new file mode 100644 index 000000000..0e0dc9163 --- /dev/null +++ b/doc/source/security/kubernetes/index-reference-material-4e1c59258fa8.rst @@ -0,0 +1,24 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-reference-material-4e1c59258fa8: + +================== +Reference Material +================== + +.. Uncomment topic-a etc. below and replace with the names of your topics, + excluding the .rst extension +.. toctree:: + :maxdepth: 4 + + the-sysadmin-account + types-of-system-accounts + overview-of-system-accounts + keystone-accounts + index-ldap-accounts-e8ee204e6092 + index-password-rules-8429cd4ebddb + index-accessing-the-system-7d190226d3a5 + private-namespace-and-restricted-rbac + resource-management + pod-security-admission-controller-8e9e6994100f diff --git a/doc/source/security/kubernetes/index-remote-access-2209661be417.rst b/doc/source/security/kubernetes/index-remote-access-2209661be417.rst new file mode 100644 index 000000000..28021ffdc --- /dev/null +++ b/doc/source/security/kubernetes/index-remote-access-2209661be417.rst 
@@ -0,0 +1,24 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-remote-access-2209661be417: + +============= +Remote Access +============= + +This section provides a procedure for a system administrator to collect system +and user information required for a user to connect remotely to |prod|. +It also provides procedures for system administrators and end users to remotely +connect to |prod| CLIs, kubernetes CLIs and GUIs. + + +.. toctree:: + :maxdepth: 2 + + system-administrator-collect-system-information-for-user-8502c985343d + system-administrator-access-system-horizon-gui-a4a95fe70ef9 + system-administrator-configure-system-remote-cli-and-7b814d8937df + system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87 + end-user-configure-k8s-remote-cli-fad235bb7a18 + end-user-access-k8s-remote-cli-7bb5b71ed604 diff --git a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst index 4e12e8d82..f16038295 100644 --- a/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst +++ b/doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst 
@@ -8,87 +8,29 @@ :start-after: kub-begin :end-before: kub-end -*************** -System Accounts -*************** - -.. toctree:: - :maxdepth: 2 - - types-of-system-accounts - overview-of-system-accounts - keystone-accounts - remote-windows-active-directory-accounts - starlingx-system-accounts-system-account-password-rules - manage-local-ldap-39fe3a85a528 - linux-accounts-password-3dcad436dce4 - -***************** -Access the System -***************** - -.. toctree:: - :maxdepth: 2 - - configure-local-cli-access - remote-access-index - security-access-the-gui - security-rest-api-access - connect-to-container-registries-through-a-firewall-or-proxy - -*************************** -Manage Non-Admin Type Users -*************************** - -.. toctree:: - :maxdepth: 1 - - private-namespace-and-restricted-rbac - resource-management - pod-security-admission-controller-8e9e6994100f - -.. _user-authentication-using-windows-active-directory-security-index: - - -****************************************************** -SSH User Authentication Using Windows Active Directory -****************************************************** - -.. toctree:: - :maxdepth: 1 - - sssd-support-5fb6c4b0320b - - -********************************************* -K8S API User Authentication Using LDAP Server -********************************************* - -.. toctree:: - :maxdepth: 1 - - overview-of-ldap-servers - centralized-vs-distributed-oidc-auth-setup - configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system - configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system - configure-oidc-auth-applications - configure-users-groups-and-authorization - configure-kubernetes-client-access - deprovision-ldap-server-authentication - **************** -Firewall Options +UEFI Secure Boot **************** +.. toctree:: + :maxdepth: 1 + + overview-of-uefi-secure-boot + use-uefi-secure-boot + +******************* +Firewall Management +******************* + .. 
toctree:: :maxdepth: 1 security-default-firewall-rules security-firewall-options -**************************** -HTTPS Certificate Management -**************************** +********************** +Certificate Management +********************** .. toctree:: :maxdepth: 2 @@ -120,11 +62,34 @@ Cert Manager the-cert-manager-bootstrap-process cert-manager-post-installation-setup +*************** +User Management +*************** + +.. toctree:: + :maxdepth: 5 + + introduction-to-user-management-6c0b13c6d325 + index-example-common-tasks-97773f3a82f0 + index-reference-material-4e1c59258fa8 + +******** +Auditing +******** +.. toctree:: + :maxdepth: 1 + + auditd-support-339a51d8ce16 + operator-login-authentication-logging + operator-command-logging + kubernetes-operator-command-logging-663fce5d74e7 + + .. _portieris-admission-controller-security-index: -****************************** -Portieris Admission Controller -****************************** +************************************************ +Container Image Integrity (Signature Validation) +************************************************ .. toctree:: :maxdepth: 1 
@@ -134,20 +99,39 @@ Portieris Admission Controller portieris-clusterimagepolicy-and-imagepolicy-configuration remove-portieris -.. _vault-secret-and-data-management-security-index: - -******************************** -Vault Secret and Data Management -******************************** +************************** +Container AppArmor Profile +************************** .. toctree:: :maxdepth: 1 - security-vault-overview - install-vault - configure-vault - configure-vault-using-the-cli - remove-vault + about-apparmor-ebdab8f1ed87 + enable-disable-apparmor-on-a-host-63a7a184d310 + enable-disable-apparmor-on-a-host-using-horizon-a318ab726396 + install-security-profiles-operator-1b2f9a0f0108 + profile-management-a8df19c86a5d + apply-a-profile-to-a-pod-c2fa4d958dec + enable-apparmor-log-bb600560d794 + author-apparmor-profiles-b02de0a22771 + +*********************** +Encrypting Data at Rest +*********************** +.. toctree:: + :maxdepth: 1 + + partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c + encrypt-kubernetes-secret-data-at-rest + index-vault-secret-and-data-management-050a998960d0 + +*************************** +Software Delivery Integrity +*************************** +.. toctree:: + :maxdepth: 1 + + authentication-of-software-delivery *************************** IPsec on Management Network 
@@ -161,88 +145,6 @@ IPsec on Management Network ipsec-certificates-2c0655a2a888 ipsec-clis-5f38181d077f -************************************** -Encrypt Kubernetes Secret Data at Rest -************************************** - -.. toctree:: - :maxdepth: 1 - - encrypt-kubernetes-secret-data-at-rest - - -**************************************************************************** -Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS) -**************************************************************************** - -.. toctree:: - :maxdepth: 1 - - partial-disk-transparent-encryption-support-via-software-enc-27a570f3142c - -********************* -Linux Auditing System -********************* - -.. toctree:: - :maxdepth: 1 - - auditd-support-339a51d8ce16 - - -******** -AppArmor -******** -.. toctree:: - :maxdepth: 1 - - about-apparmor-ebdab8f1ed87 - enable-disable-apparmor-on-a-host-63a7a184d310 - enable-disable-apparmor-on-a-host-using-horizon-a318ab726396 - install-security-profiles-operator-1b2f9a0f0108 - profile-management-a8df19c86a5d - apply-a-profile-to-a-pod-c2fa4d958dec - enable-apparmor-log-bb600560d794 - author-apparmor-profiles-b02de0a22771 - - -************************************* -Operator Login/Authentication Logging -************************************* - -.. toctree:: - :maxdepth: 1 - - operator-login-authentication-logging - -************************ -Operator Command Logging -************************ - -.. toctree:: - :maxdepth: 1 - - operator-command-logging - kubernetes-operator-command-logging-663fce5d74e7 - -**************** -UEFI Secure Boot -**************** - -.. toctree:: - :maxdepth: 1 - - overview-of-uefi-secure-boot - use-uefi-secure-boot - -*********************************** -Authentication of Software Delivery -*********************************** - -.. toctree:: - :maxdepth: 1 - - authentication-of-software-delivery *************** CVE Maintenance 
diff --git a/doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst b/doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst new file mode 100644 index 000000000..2c522763c --- /dev/null +++ b/doc/source/security/kubernetes/index-vault-secret-and-data-management-050a998960d0.rst @@ -0,0 +1,19 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _index-vault-secret-and-data-management-050a998960d0: +.. _vault-secret-and-data-management-security-index: + +================================ +Vault Secret and Data Management +================================ + +.. toctree:: + :maxdepth: 2 + + security-vault-overview + install-vault + configure-vault + configure-vault-using-the-cli + remove-vault + diff --git a/doc/source/security/kubernetes/introduction-to-user-management-6c0b13c6d325.rst b/doc/source/security/kubernetes/introduction-to-user-management-6c0b13c6d325.rst new file mode 100644 index 000000000..c7058dba3 --- /dev/null +++ b/doc/source/security/kubernetes/introduction-to-user-management-6c0b13c6d325.rst 
@@ -0,0 +1,150 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _introduction-to-user-management-6c0b13c6d325: + +=============================== +Introduction to User Management +=============================== + +User Management is the capability to configure unique users for your system, +i.e. both system administrators and general end users. There are multiple user +types and user account types in |prod|. + +User Types +========== + +- **'sysadmin' Linux User** + + The 'sysadmin' linux user is a special-case user for intial install only. + +- **System Administrators** + + The system administrator user type is for managing the |prod| system + infrastructure. A user of this type requires: + + - A **Keystone user account** + + The Keystone user account is used for access to |prod| services through + the |prod| GUI, RESTAPIs, local or remote CLIs. + + - The bulk of the |prod| system infrastructure is managed through + the |prod| GUI, RESTAPIs, local or remote CLIs. + + - A **LDAP user account** + + - The |LDAP| user account is used for |SSH| access to |prod| physical hosts. + + - |SSH| access is required to access local |prod| Ansible Playbooks + or |prod| scripts for management of |prod| system infrastructure + not covered by |prod| GUI, RESTAPIs, CLIs. + + - The |LDAP| user account is also used for access to kubernetes services + through the kubernetes CLIs. + + - Kubernetes CLIs are required for management of |prod| system + infrastructure not covered by |prod| GUI, RESTAPIs, CLIs, + |prod| Ansible Playbooks, or |prod| scripts. + + +- **End Users** + + The *end user* user type is for managing hosted containerized applications on + |prod| (for example, a containerized |O-RAN| application). A user of this + type requires: + + - A **LDAP User Account** + + - The |LDAP| user account is used for access to kubernetes services through + the kubernetes GUI, RESTAPIs, local or remote CLIs. 
+ + - It is for creating / managing end users kubernetes resources of containerized + applications hosted by |prod|. + + - |Optional| the |LDAP| user account can also be used for |SSH| access to + |prod| physical hosts. + + - |SSH| access provides access to local Linux services (for example, + hardware status,metrics) for the purposes of monitoring Linux + resources (for example, interfaces) of end users' containerized + applications hosted by |prod|. + +User Account Types +================== + +- **'sysadmin' Linux User Account** + + - The 'sysadmin' local Linux user account is created on the initial software + install. The default initial password is: sysadmin. The installer is forced + to change the password immediately on the first login as part of the install + procedure. + + - The 'sysadmin' user has LINUX 'sudo all' capability and is a member of the + root group. This user also has Kubernetes ``cluster-admin`` role, which allows + it to do all operations in kubernetes environment. When executing ``source /etc/platform/openrc``, + the user becomes the keystone 'admin' user with 'admin' role, which allows + it to do all operations in |prod| environment. + + - The 'sysadmin' linux user should only be used by end users for initial installation, + i.e. do not use this as a shared user account. Do not use this as a shared account + amongst your set of system administrators. Create unique user accounts (both + keystone user accounts and |LDAP| user accounts) for each of your system + administrators, with only the required privileges. + + - Do not remove the 'sysadmin' linux user. It is used internally by the |prod| + platform. + +- **Keystone User Accounts** + + - The Keystone users are required for access to |prod| services through the + |prod| GUI, RESTAPIs, local or remote CLIs. The Keystone users are + created / managed locally on the |prod| system. 
+ + - There is a default 'admin' Keystone user (with 'admin' role) whose + password is set to the same password as provided by the initial + password change for the 'sysadmin' Linux user. Do not use this as a + shared account amongst your set of system administrators. Create unique + Keystone user accounts for each of your system administrators, with only + the required privileges. + + - There are two static keystone roles for |prod| services: + + - 'admin' - can run all commands. + + - 'reader' - has read-only access to |prod| services. The reader cannot + perform changes to the system, but can read/show/list any data. + +- **LDAP User Accounts** + + - |LDAP| users are required for |SSH| access to local |prod| ansible + playbooks / |prod| scripts and/or access to Kubernetes services + through the Kubernetes CLIs. + + - There are two types of |LDAP| users/groups supported on |prod|: + + - Local |LDAP| - where Local |LDAP| users and groups are created locally + on |prod| system. + + - Remote |LDAP| (for example, Windows Active Directory) - where |LDAP| + users and groups are created remotely on an external |LDAP| system. The + |prod| system accesses external |LDAP| system, according to configured + access parameters, and discovers the remote |LDAP| users and groups. + There can be up to 3 remote |LDAP| servers configured. + + - For both, the Local |LDAP| scenario and the remote |LDAP| scenario, a + |LDAP| user (or members of a |LDAP| group), can be assigned linux + privileges via a group/role-binding to a local |prod| linux group, + specifically one or more of the following groups: + + - **sudo group** - provides sudo all capabilities. + + - **sys_protected group** - provides access to 'collect' + tool for collecting system diagnostic info. + + - **root group** - provides read access to log files. 
+ + The Local |LDAP| scenario and the remote |LDAP| scenario, a |LDAP| user + can also be assigned to Kubernetes privileges through a Kubernetes + ClusterRoleBinding/RoleBinding to either an existing Kubernetes + ClusterRole/Role or a new customer configured Kubernetes ClusterRole/Role. + diff --git a/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst b/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst index 9979d1d78..e3d1b4ec1 100644 --- a/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst +++ b/doc/source/security/kubernetes/oidc-client-dex-server-certificates-dc174462d51a.rst @@ -90,8 +90,7 @@ and restarting the ``oidc-auth`` application. .. note:: This step is only required if you are not using cert-manager for your - certificate as described in :ref:`Configure OIDC Auth Applications - `. + certificate as described in :ref:`configure-oidc-auth-applications`. .. code-block:: none diff --git a/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst b/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst index d6808bc05..48e63c500 100644 --- a/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst +++ b/doc/source/security/kubernetes/remote-windows-active-directory-accounts.rst 
@@ -3,12 +3,19 @@ .. _remote-windows-active-directory-accounts: ======================================== -Remote Windows Active Directory Accounts +Remote Windows Active Directory accounts ======================================== |prod| can optionally be configured to use remote Windows Active Directory -Accounts and native Kubernetes |RBAC| policies for authentication and +accounts and native Kubernetes |RBAC| policies for authentication and authorization of users of the Kubernetes API, |CLI|, and Dashboard. +.. _user-authentication-using-windows-active-directory-security-index: + +.. toctree:: + :maxdepth: 1 + + sssd-support-5fb6c4b0320b + See :ref:`Overview of LDAP Servers ` for more details. diff --git a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst index 4f55490c4..25d2bfcf2 100644 --- a/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst +++ b/doc/source/security/kubernetes/sssd-support-5fb6c4b0320b.rst @@ -149,7 +149,7 @@ Commands to add mandatory parameters for a remote ldap domain: The ``ldap_access_filter`` service parameter can be configured to allow access to the Linux host. In the following example, the access is restricted to members of the group ``allowedusers``. Users that are not - part of ``allowedusers`` will get the message ``Authentication failed``. + part of ``allowedusers`` will get the message ``authentication failed``. Here, ``allowedusers`` is an example of a |WAD| group. .. code-block:: none 
@@ -220,7 +220,7 @@ Default WAD Domain Configuration The default |WAD| domain configuration parameters are pre-configured. Main |SSSD| default configuration settings include: -- Offline Authentication is enabled, allowing users to still authenticate +- Offline authentication is enabled, allowing users to still authenticate even if the ldap identity provider is unavailable. using their cached credentials. User credentials caching is enabled by parameter setting ``cache_credentials = true``. After a successful login user credentials are diff --git a/doc/source/security/kubernetes/system-administrator-access-system-horizon-gui-a4a95fe70ef9.rst b/doc/source/security/kubernetes/system-administrator-access-system-horizon-gui-a4a95fe70ef9.rst new file mode 100644 index 000000000..52f729e61 --- /dev/null +++ b/doc/source/security/kubernetes/system-administrator-access-system-horizon-gui-a4a95fe70ef9.rst 
@@ -0,0 +1,42 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _system-administrator-access-system-horizon-gui-a4a95fe70ef9: + +========================================= +System Administrator - Access Horizon GUI +========================================= + +Access the |prod| Horizon GUI using your browser. + +This procedure should be performed on your system that has a web browser. + +.. rubric:: |prereq| + +- A system with a web browser. + +- You need to have the ``stx-remote-access.tar`` file from your system administrator, + containing system information related to your |prod| system. + +.. rubric:: |proc| + +#. Update your web browser to 'trust' the |prod| |CA| certificate. + + #. Extract the files from the ``stx-remote-access-info.tar`` file + from your |prod| system administrator. + + .. code-block:: + + $ cd ~ + $ tar xvf ./stx-remote-access-info.tar + + # The StarlingX CA Certificate is here: + $ ls ./stx-remote-access-info/stx.ca.crt + + + #. Follow your web browser's instructions to add '~/stx-remote-access-info/stx.ca.crt' + to the list of trusted CAs for your browser. + +#. Open your web browser at address ``https://:8443`` + + Login with your keystone account's 'username' and 'password'. diff --git a/doc/source/security/kubernetes/system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87.rst b/doc/source/security/kubernetes/system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87.rst new file mode 100644 index 000000000..e6bc79d7a --- /dev/null +++ b/doc/source/security/kubernetes/system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87.rst 
@@ -0,0 +1,47 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87: + +========================================================================== +System Administrator - Access System Remote CLI & Kubernetes Remote CLI +========================================================================== + +Access your |prod| system through the |prod| remote |CLI| and kubernetes +remote |CLI| on your Linux-based system. + +.. rubric:: |prereq| + +You need to have a Linux-based system that has configured the |prod| remote |CLI| +and kubernetes remote |CLI|. See section: +:ref:`system-administrator-configure-system-remote-cli-and-7b814d8937df`. + +.. rubric:: |proc| + +#. Source the remote client for the |prod| platform. + + .. code-block:: + + $ cd ~/remote_cli + + $ source ./remote_client_platform.sh + +#. Test the |prod| remote CLI commands. + + .. code-block:: + + $ cd ~/remote_cli + + $ system host-list + + $ fm alarm-list + +#. Test kubernetes remote CLI commands. + + .. code-block:: + + $ cd ~/remote_cli + + $ oidc-auth -u -p -c + + $ kubectl get all diff --git a/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst b/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst new file mode 100644 index 000000000..b2d8e48b3 --- /dev/null +++ b/doc/source/security/kubernetes/system-administrator-collect-system-information-for-user-8502c985343d.rst 
@@ -0,0 +1,119 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _system-administrator-collect-system-information-for-user-8502c985343d: + +======================================================================== +System Administrator - Collect System Information for Remote User Access +======================================================================== + +This procedure collects up a variety of data requried for a user to +remotely interface with |prod| system. + +The following data needs to be collected: + +- The public certificate of the Root |CA| that signed the certificates of + the |prod| system. + + - the remote user needs to update the remote system to trust this certificate. + +- Kubernetes environment data for the |prod| system. + +- |prod| environment data for the |prod| system. + +.. rubric:: |proc| + +#. Login to the active controller as a ``Level1SystemAdmin`` system + administrator, ``joefulladmin`` in this example. + + Use either a local console or |SSH|. + +#. Use ``local_starlingxrc`` to setup |prod| environment variables + and to setup your keystone user's authentication credentials. + + .. code-block:: + + $ source local_starlingxrc + Enter the password to be used with Keystone user joefulladmin: + Created file /home/joefulladmin/joefulladmin-openrc + +#. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment + and use ``oidc-auth`` to setup |OIDC|/|LDAP| authentication credentials. + + .. code-block:: + + $ kubeconfig-setup + $ source ~/.profile + + $ oidc-auth + Using "joefulladmin" as username. + Password: + Successful authentication. + Updated /home/joefulladmin/.kube/config . + +#. Create a directory for storing information for remote users. + + .. code-block:: + + $ mkdir ~/stx-remote-access-info + +#. Get public certificate of the Root |CA| that signed the certificates of the + |prod| system. + + .. 
code-block:: + + $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.tls\.crt}' | base64 --decode > ~/stx-remote-access-info/stx.ca.crt + +#. Get the kubernetes environment data for the |prod| system. + + .. code-block:: + + $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') + + $ touch ~/stx-remote-access-info/kubeconfig + $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-cluster stx-cluster --server=https://${OAMIP}:6443 --embed-certs --certificate-authority=/etc/kubernetes/pki/ca.crt + $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig set-context YOURUSERNAMEHERE@stx-cluster --cluster=stx-cluster --user YOURUSERNAMEHERE + $ kubectl config --kubeconfig ~/stx-remote-access-info/kubeconfig use-context YOURUSERNAMEHERE@stx-cluster + +#. Get the |prod| environment data for the |prod| system. + + .. code-block:: + + $ OAMIP=$(system oam-show | egrep "(oam_ip|oam_floating_ip)" | awk '{print $4}') + $ PROJECTNAME="admin" + $ PROJECTID=`openstack project list | grep ${PROJECTNAME} | awk '{print $2}'` + + $ cat < ~/stx-remote-access-info/starlingxrc + #!/usr/bin/env bash + # + export OS_AUTH_URL=https://${OAMIP}:5000/v3 + export OS_PROJECT_ID=${PROJECTID} + export OS_PROJECT_NAME=${PROJECTNAME} + export OS_USER_DOMAIN_NAME="Default" + export OS_PROJECT_DOMAIN_ID="default" + export OS_PROJECT_DOMAIN_NAME="" + export OS_USERNAME=YOURUSERNAMEHERE + echo "Please enter your OpenStack Password for project \$OS_PROJECT_NAME as user \$OS_USERNAME: " + read -sr OS_PASSWORD_INPUT + export OS_PASSWORD=\$OS_PASSWORD_INPUT + export OS_REGION_NAME=${OS_REGION_NAME} + export OS_INTERFACE=public + export OS_IDENTITY_API_VERSION=3 + export OS_CACERT=./stx-remote-access-info/stx.ca.crt + EOF + +#. Package up the following files for a remote user to use when + setting up his remote access on his system. + + .. code-block:: + + $ cd ~ + $ tar cvf stx-remote-access-info.tar ./stx-remote-access-info + +.. 
rubric:: |postreq| + +For any user requiring remote access: + +- securely send them the ``stx-remote-access-info.tar`` file. + +- have them follow the procedures for setting up remote access. See :ref:`index-remote-access-2209661be417`. diff --git a/doc/source/security/kubernetes/system-administrator-configure-system-remote-cli-and-7b814d8937df.rst b/doc/source/security/kubernetes/system-administrator-configure-system-remote-cli-and-7b814d8937df.rst new file mode 100644 index 000000000..eb2509805 --- /dev/null +++ b/doc/source/security/kubernetes/system-administrator-configure-system-remote-cli-and-7b814d8937df.rst 
@@ -0,0 +1,96 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _system-administrator-configure-system-remote-cli-and-7b814d8937df: + +========================================================================== +System Administrator - Configure System Remote CLI & Kubernetes Remote CLI +========================================================================== + +Configure the |prod| remote |CLI| and kubernetes remote |CLI| on your +Linux-based system so that you can remotely access your |prod| system through +remote CLI commands. + +This procedure should be performed on your Linux-based system. + +.. rubric:: |prereq| + +- You need to have a Linux-based system with python installed and either with + Docker installed or 'sudo' capability to install Docker. + +- You need to have the ``stx-remote-access.tar`` file from your system administrator, + containing system information related to your |prod| system. + +.. rubric:: |proc| + +#. Install Docker on your Linux-based system. The following example is for ubuntu. + + .. code-block:: + + # Add Docker's official GPG key: + $ sudo apt-get update + $ sudo apt-get install ca-certificates curl + $ sudo install -m 0755 -d /etc/apt/keyrings + $ sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc + $ sudo chmod a+r /etc/apt/keyrings/docker.asc + + # Add the repository to Apt sources: + $ echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu \ + $(. /etc/os-release && echo "$VERSION_CODENAME") stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null + $ sudo apt-get update + + # Install Docker Packages + $ sudo apt-get install docker-ce docker-ce-cli `containerd.io `__ docker-buildx-plugin docker-compose-plugin + + # Verify that the Docker Engine installation is successful by running the hello-world image. 
+ $ sudo docker run hello-world + + # Manage docker as non-root user + $ sudo groupadd docker + $ sudo usermod -aG docker $USER + $ sudo reboot + +#. Download and extract the |prod| remote CLI tar file from the |prod| site. + + .. code-block:: + + $ cd ~ + $ wget https://mirror.starlingx.cengn.ca/mirror/starlingx/master/debian/monolithic/latest_build/outputs/remote-cli/stx-remote-cli-1.0.tgz + $ tar xvf stx-remote-cli-1.0.tgz + +#. Extract the |prod| system information from the ``stx-remote-access-info.tar`` + file from your |prod| system administrator. + + .. code-block:: + + # Files from your StarlingX System Administrator + $ ls ~/stx-remote-access-info.tar + + $ cd ~/remote_cli + $ tar xvf ~/stx-remote-access-info.tar + +#. Update the ``starlingxrc`` file. + + .. code-block:: + + $ vi ~/remote_cli/stx-remote-access-info/starlingxrc + // and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file + +#. Update the ``KUBECONFIG`` file. + + .. code-block:: + + $ vi ~/remote_cli/stx-remote-access-info/kubeconfig + // and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file + +#. Configure the containerized remote CLI clients. + + .. code-block:: + + $ ./configure_client.sh -t platform -r ${HOME}/remote_cli/stx-remote-access-info/starlingxrc -k ${HOME}/remote_cli/stx-remote-access-info/kubeconfig -w ${HOME}/remote_cli -p docker.io/starlingx/stx-platformclients:stx.9.0-v1.5.13 + +.. rubric:: |postreq| + +- Access the |prod| remote CLI and kubernetes remote CLI. + +- See :ref:`system-administrator-access-system-remote-cli-and-k8s-3807c4f96c87` diff --git a/doc/source/security/kubernetes/system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936.rst b/doc/source/security/kubernetes/system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936.rst new file mode 100644 index 000000000..b095b8d89 --- /dev/null 
+++ b/doc/source/security/kubernetes/system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936.rst 
@@ -0,0 +1,138 @@ +.. WARNING: Add no lines of text between the label immediately following +.. and the title. + +.. _system-administrator-local-access-using-ssh-linux-shell-and-st-69213db2a936: + +============================================================================================ +System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI +============================================================================================ + +After installing your first system administrator, with full privileges, +test access to Linux, |prod| and Kubernetes commands and resources. + +.. rubric:: |prereq| + +- You must have created your first system administrator; + +- You need to perform this procedure using the first system administrator. + +.. rubric:: |proc| + +#. Login to active controller as the first system administrator, + ``joefulladmin`` in these examples. + + Use either local console or |SSH|. + + .. note:: + + If this is the first time logging in with your Local |LDAP| account, the + password configured is your username. You will be forced to update your + password. + +#. Test access to linux commands (admin and non-admin). + + .. 
code-block:: + + # Creating user requires sudo + + $ sudo ldapusersetup -u johnsmith + Successfully added user johnsmith to LDAP + Successfully set password for user johnsmith + Warning : password is reset, user will be asked to change password at login + Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 90 days + Successfully modified user entry uid=johnsmith,ou=People,dc=cgcs,dc=local in LDAP + Updating password expiry to 2 days + + # Listing IP interfaces does not require admin privileges + + $ ip link show + 1: lo: mtu 1500 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000 + link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 + 2: enp0s3: mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000 + link/ether 08:00:27:39:06:4e brd ff:ff:ff:ff:ff:ff + 3: enp0s8: mtu 1500 qdisc fq_codel state DOWN mode DEFAULT group default qlen 1000 + link/ether 08:00:27:38:8b:7c brd ff:ff:ff:ff:ff:ff + ... + +#. Test access to Kubernetes commands / resources. + + #. Use ``kubeconfig-setup`` to setup ``KUBECONFIG`` for local environment. + + .. code-block:: + + $ kubeconfig-setup + $ source ~/.profile + + #. Use ``oidc-auth`` to authenticate via |OIDC|/|LDAP|. + + .. code-block:: + + $ oidc-auth + Using "joefulladmin" as username. + Password: + Successful authentication. + Updated /home/joefulladmin/.kube/config . + + #. Use ``kubectl`` to test access to kubernetes commands / resources + (admin and non-admin). + + .. 
code-block:: + + # Displaying anything in 'kube-system' namespace requires 'cluster-admin' privileges + $ kubectl -n kube-system get secrets + NAME TYPE DATA AGE + ceph-admin Opaque 2 3d8h + ceph-pool-kube-cephfs-data kubernetes.io/cephfs 4 3d8h + ceph-pool-kube-rbd kubernetes.io/rbd 2 3d8h + + + # Anyone can display resources in 'default' namespace + $ kubectl -n default get all + NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE + service/kubernetes ClusterIP 10.96.0.1 443/TCP 3d9h + +#. Test access to |prod| commands / resources. + + #. Use ``local_starlingxrc`` to setup |prod| environment variables + and to setup your keystone user's authentication credentials. + + .. code-block:: + + $ source local_starlingxrc + Enter the password to be used with Keystone user joefulladmin: + Created file /home/joefulladmin/joefulladmin-openrc + + + #. Test keystone commands (admin and non-admin). + + .. code-block:: none + + # Making changes to the system requires 'admin' role + $ system modify -l Ottawa + + +----------------------+--------------------------------------+ + | Property | Value | + +----------------------+--------------------------------------+ + | contact | None | + | created_at | 2024-07-12T10:52:40.609006+00:00 | + | description | None | + | https_enabled | True | + | latitude | None | + | location | Ottawa | + | longitude | None | + ... 
+ + # Any member of 'admin' project can display system parameters + $ system host-if-list controller-0 + + +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+ + | uuid | name | class | type | vlan id | ports | uses i/f | used by i/f | attributes | + +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+ + | 287eca5a-8721-4422-b73a-bf24805eac4c | enp0s3 | platform | ethernet | None | ['enp0s3'] | [] | [] | MTU=1500 | + | 325c32b9-fe40-4900-a0ff-59062190ce80 | lo | platform | virtual | None | [] | [] | [] | MTU=1500 | + +--------------------------------------+--------+----------+----------+---------+------------+----------+-------------+------------+ + +.. rubric:: |postreq| + +Continue to :ref:`Create other System Administrators `.
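Review bot: In the Horizon GUI page (first file), the prerequisite names the bundle ``stx-remote-access.tar`` while the extract step uses the other name (`$ tar xvf ./stx-remote-access-info.tar`); settle on one, matching what the collection page in this same change actually packages. The final step's address reads `https://:8443` with nothing between the scheme and the port, so the host (the OAM floating IP) is missing as rendered; if the source carries an angle-bracket placeholder it needs escaping or a literal role to survive, and the sentence should say which address the reader is expected to put there. Minor: 'trust', 'username' and 'password' are single-quoted while file names use the ``literal`` role; keep one convention.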
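Review bot: In the remote CLI access page (second file), `$ oidc-auth -u -p -c` has no values for any of its three options, so the command cannot be run as printed; give labelled placeholders and say what each option expects. The collection page in this same change shows `oidc-auth` prompting for the password interactively, so this example should not lead users to pass it with `-p`: a password given on the command line is recorded in shell history and is readable by other local users through the process list. Suggest dropping `-p` and letting the tool prompt. Also 'a Linux-based system that has configured the |prod| remote |CLI|' reads oddly; 'on which you have configured' is clearer.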
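Review bot: In the collection page (third file), the heredoc that is meant to write ``starlingxrc`` is broken: `$ cat < ~/stx-remote-access-info/starlingxrc` redirects the not-yet-existing file into `cat` instead of creating it, and the trailing `EOF` has no matching operator. It should read `cat <<EOF > ~/stx-remote-access-info/starlingxrc`; the `\$OS_PASSWORD_INPUT` escapes show an unquoted heredoc was intended so that `${OAMIP}` and `${PROJECTID}` expand at creation time. In the same block, `openstack project list | grep ${PROJECTNAME}` is a substring match that can pick up any project whose name contains 'admin', whereas `openstack project show -f value -c id ${PROJECTNAME}` returns exactly the one id; and `export OS_REGION_NAME=${OS_REGION_NAME}` silently writes an empty value when the administrator's shell does not have it set, so check it is non-empty before generating the file. `OS_CACERT=./stx-remote-access-info/stx.ca.crt` is a relative path, so the file only works when sourced from the directory the tar is extracted into; state that, or use the absolute path the configure page passes to `configure_client.sh`. Wording: 'requried' -> 'required', 'collects up a variety of data' -> 'collects the data', and 'his remote access on his system' -> 'their remote access on their system'.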
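Review bot: In the configure page (fourth file), the Docker install line carries stray RST link markup inside the literal block: `$ sudo apt-get install docker-ce docker-ce-cli `containerd.io `__ docker-buildx-plugin docker-compose-plugin`. Inside a code-block that renders literally, so a pasted command fails on the backticks and underscores; it should be plain `containerd.io`. The two `vi` steps annotate with `//` (`// and change YOURUSERNAMEHERE to your StarlingX LDAP Username, everywhere in file`), which is not a shell comment; use `#` as the Docker block does. The prerequisite again says ``stx-remote-access.tar`` while the extract step lists `~/stx-remote-access-info.tar`. Two caveats deserve a sentence in the text: `sudo usermod -aG docker $USER` gives that account root-equivalent control of the workstation through the Docker socket, so the page should say this is expected to be a trusted administrator machine; and `wget .../stx-remote-cli-1.0.tgz` is unpacked with no checksum or signature check, so publishing a digest beside the link and verifying it before `tar xvf` would close that gap. Finally, `./configure_client.sh` relies on the shell still being in `~/remote_cli` from an earlier step; state the directory or use the full path. Capitalise 'ubuntu' as Ubuntu.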
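Review bot: In the local access test page (fifth file), the sub-step titled 'Test keystone commands (admin and non-admin)' runs `system modify -l Ottawa` and `system host-if-list controller-0`, which are `system` commands rather than keystone commands; retitle it 'Test |prod| commands' to match its parent step. `system modify -l Ottawa` is also a persistent change to the system's location attribute used as a test, so either say that it changes configuration (and how to set it back) or use a read-only command for the admin-role check. The `ip link show` sample output has lost its flag fields (`1: lo: mtu 1500 qdisc noqueue state UNKNOWN ...` normally carries `<LOOPBACK,UP,LOWER_UP>` between the name and `mtu`), so check that the literal block survives rendering with the angle brackets intact. Style: one block declares `.. code-block:: none` while the others give no language; make them consistent, and 'created your first system administrator;' should end with a period rather than a semicolon.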