docs/doc/source/security/kubernetes/index.rst

.. _security-kubernetes-index:

.. include:: /_includes/toc-title-security-kub.rest

.. only:: partner

   .. include:: /security/index.rst
      :start-after: kub-begin
      :end-before: kub-end

***************
System Accounts
***************

.. toctree::
   :maxdepth: 2

   types-of-system-accounts
   overview-of-system-accounts
   kube-service-account
   keystone-accounts
   remote-windows-active-directory-accounts
   starlingx-system-accounts-system-account-password-rules

*****************
Access the System
*****************

.. toctree::
   :maxdepth: 2

   configure-local-cli-access
   remote-access-index
   security-access-the-gui
   security-rest-api-access
   connect-to-container-registries-through-a-firewall-or-proxy

***************************
Manage Non-Admin Type Users
***************************

.. toctree::
   :maxdepth: 1

   private-namespace-and-restricted-rbac
   pod-security-policies
   enable-pod-security-policy-checking
   disable-pod-security-policy-checking
   assign-pod-security-policies
   resource-management

.. _user-authentication-using-windows-active-directory-security-index:

**************************************************
User Authentication Using Windows Active Directory
**************************************************

.. toctree::
   :maxdepth: 1

   overview-of-windows-active-directory
   configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system
   configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system
   configure-oidc-auth-applications
   centralized-oidc-authentication-setup-for-distributed-cloud
   configure-users-groups-and-authorization
   configure-kubectl-with-a-context-for-the-user

Obtain the Authentication Token
*******************************

.. toctree::
   :maxdepth: 1

   obtain-the-authentication-token-using-the-oidc-auth-shell-script
   obtain-the-authentication-token-using-the-browser

Deprovision Windows Active Directory
************************************

.. toctree::
   :maxdepth: 1

   deprovision-windows-active-directory-authentication

****************
Firewall Options
****************

.. toctree::
   :maxdepth: 1

   security-default-firewall-rules
   security-firewall-options

****************************
HTTPS Certificate Management
****************************

.. toctree::
   :maxdepth: 2

   https-access-overview
   utility-script-to-display-certificates
   starlingx-rest-api-applications-and-the-web-administration-server
   kubernetes-certificates-f4196d7cae9c
   etcd-certificates-c1fc943e4a9c
   security-install-update-the-docker-registry-certificate
   oidc-client-dex-server-certificates-dc174462d51a
   portieris-server-certificate-a0c7054844bd
   vault-server-certificate-8573125eeea6
   dc-admin-endpoint-certificates-8fe7adf3f932
   add-a-trusted-ca
   one-single-root-ca-multiple-server-client-certificates-0692df6ce16d

************
Cert Manager
************

.. toctree::
   :maxdepth: 1

   security-cert-manager
   the-cert-manager-bootstrap-process
   cert-manager-post-installation-setup

.. _portieris-admission-controller-security-index:

******************************
Portieris Admission Controller
******************************

.. toctree::
   :maxdepth: 1

   portieris-overview
   install-portieris
   portieris-clusterimagepolicy-and-imagepolicy-configuration
   remove-portieris

.. _vault-secret-and-data-management-security-index:

********************************
Vault Secret and Data Management
********************************

.. toctree::
   :maxdepth: 1

   security-vault-overview
   install-vault
   configure-vault
   configure-vault-using-the-cli
   remove-vault

**************************************
Encrypt Kubernetes Secret Data at Rest
**************************************

.. toctree::
   :maxdepth: 1

   encrypt-kubernetes-secret-data-at-rest

*************************************
Operator Login/Authentication Logging
*************************************

.. toctree::
   :maxdepth: 1

   operator-login-authentication-logging

************************
Operator Command Logging
************************

.. toctree::
   :maxdepth: 1

   operator-command-logging

****************
UEFI Secure Boot
****************

.. toctree::
   :maxdepth: 1

   overview-of-uefi-secure-boot
   use-uefi-secure-boot

***********************************
Authentication of Software Delivery
***********************************

.. toctree::
   :maxdepth: 1

   authentication-of-software-delivery

*******************************************************
Security Feature Configuration for Spectre and Meltdown
*******************************************************

.. toctree::
   :maxdepth: 1

   security-feature-configuration-for-spectre-and-meltdown

*****************************
Security Hardening Guidelines
*****************************

.. toctree::
   :maxdepth: 1

   security-hardening-intro

Recommended Security Features with a Minimal Performance Impact
***************************************************************

.. toctree::
   :maxdepth: 1

   uefi-secure-boot

Secure System Accounts
**********************

.. toctree::
   :maxdepth: 1

   local-linux-account-for-sysadmin
   local-and-ldap-linux-user-accounts
   starlingx-accounts
   web-administration-login-timeout
   ssh-and-console-login-timeout
   system-account-password-rules

Security Features
*****************

.. toctree::
   :maxdepth: 1

   secure-https-external-connectivity
   security-hardening-firewall-options
   isolate-starlingx-internal-cloud-management-network

***************************************
Appendix: Locally creating certificates
***************************************

.. toctree::
   :maxdepth: 1

   create-certificates-locally-using-openssl
   create-certificates-locally-using-cert-manager-on-the-controller