98f8b72701
Updated the title in the rest file Shorten filename. Link with very long file name is broken in some URL contexts such as local builds This change corrects it in local testing but needs further verification from other contributors. Linked to: https://review.opendev.org/c/starlingx/docs/+/891913 Change-Id: I3ad7ac655ef46190efa0f4bb88345195333d4030 Signed-off-by: Juanita Balaraj <juanita.balaraj@windriver.com>
284 lines
6.4 KiB
ReStructuredText
284 lines
6.4 KiB
ReStructuredText
.. _index-security-kub-81153c1254c3:
|
|
|
|
.. include:: /_includes/toc-title-security-kub.rest
|
|
|
|
.. only:: partner
|
|
|
|
.. include:: /security/index-security-84d0d8aa401b.rst
|
|
:start-after: kub-begin
|
|
:end-before: kub-end
|
|
|
|
***************
|
|
System Accounts
|
|
***************
|
|
|
|
.. toctree::
|
|
:maxdepth: 2
|
|
|
|
types-of-system-accounts
|
|
overview-of-system-accounts
|
|
kube-service-account
|
|
keystone-accounts
|
|
remote-windows-active-directory-accounts
|
|
starlingx-system-accounts-system-account-password-rules
|
|
manage-local-ldap-39fe3a85a528
|
|
|
|
*****************
|
|
Access the System
|
|
*****************
|
|
|
|
.. toctree::
|
|
:maxdepth: 2
|
|
|
|
configure-local-cli-access
|
|
remote-access-index
|
|
security-access-the-gui
|
|
security-rest-api-access
|
|
connect-to-container-registries-through-a-firewall-or-proxy
|
|
|
|
***************************
|
|
Manage Non-Admin Type Users
|
|
***************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
private-namespace-and-restricted-rbac
|
|
pod-security-policies
|
|
enable-pod-security-policy-checking
|
|
disable-pod-security-policy-checking
|
|
assign-pod-security-policies
|
|
resource-management
|
|
pod-security-admission-controller-8e9e6994100f
|
|
|
|
.. _user-authentication-using-windows-active-directory-security-index:
|
|
|
|
|
|
******************************************************
|
|
SSH User Authentication Using Windows Active Directory
|
|
******************************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
sssd-support-5fb6c4b0320b
|
|
|
|
|
|
**********************************************************
|
|
K8S API User Authentication Using Windows Active Directory
|
|
**********************************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
overview-of-windows-active-directory
|
|
configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system
|
|
configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system
|
|
configure-oidc-auth-applications
|
|
centralized-oidc-authentication-setup-for-distributed-cloud
|
|
configure-users-groups-and-authorization
|
|
configure-kubectl-with-a-context-for-the-user
|
|
|
|
Obtain the Authentication Token
|
|
*******************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
obtain-the-authentication-token-using-the-oidc-auth-shell-script
|
|
obtain-the-authentication-token-using-the-browser
|
|
|
|
Deprovision Windows Active Directory
|
|
************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
deprovision-windows-active-directory-authentication
|
|
|
|
****************
|
|
Firewall Options
|
|
****************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
security-default-firewall-rules
|
|
security-firewall-options
|
|
|
|
****************************
|
|
HTTPS Certificate Management
|
|
****************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 2
|
|
|
|
https-access-overview
|
|
utility-script-to-display-certificates
|
|
etcd-certificates-c1fc943e4a9c
|
|
kubernetes-certificates-f4196d7cae9c
|
|
starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834
|
|
configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f
|
|
configure-docker-registry-certificate-after-installation-c519edbfe90a
|
|
oidc-client-dex-server-certificates-dc174462d51a
|
|
migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d
|
|
portieris-server-certificate-a0c7054844bd
|
|
vault-server-certificate-8573125eeea6
|
|
dc-admin-endpoint-certificates-8fe7adf3f932
|
|
add-a-trusted-ca
|
|
alarm-expiring-soon-and-expired-certificates-baf5b8f73009
|
|
|
|
************
|
|
Cert Manager
|
|
************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
security-cert-manager
|
|
the-cert-manager-bootstrap-process
|
|
cert-manager-post-installation-setup
|
|
|
|
.. _portieris-admission-controller-security-index:
|
|
|
|
******************************
|
|
Portieris Admission Controller
|
|
******************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
portieris-overview
|
|
install-portieris
|
|
portieris-clusterimagepolicy-and-imagepolicy-configuration
|
|
remove-portieris
|
|
|
|
.. _vault-secret-and-data-management-security-index:
|
|
|
|
********************************
|
|
Vault Secret and Data Management
|
|
********************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
security-vault-overview
|
|
install-vault
|
|
configure-vault
|
|
configure-vault-using-the-cli
|
|
remove-vault
|
|
|
|
**************************************
|
|
Encrypt Kubernetes Secret Data at Rest
|
|
**************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
encrypt-kubernetes-secret-data-at-rest
|
|
|
|
|
|
*********************
|
|
Linux Auditing System
|
|
*********************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
auditd-support-339a51d8ce16
|
|
|
|
|
|
********
|
|
AppArmor
|
|
********
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
about-apparmor-ebdab8f1ed87
|
|
enable-disable-apparmor-on-a-host-63a7a184d310
|
|
enable-disable-apparmor-on-a-host-using-horizon-a318ab726396
|
|
install-security-profiles-operator-1b2f9a0f0108
|
|
profile-management-a8df19c86a5d
|
|
apply-a-profile-to-a-pod-c2fa4d958dec
|
|
enable-apparmor-log-bb600560d794
|
|
author-apparmor-profiles-b02de0a22771
|
|
|
|
|
|
*************************************
|
|
Operator Login/Authentication Logging
|
|
*************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
operator-login-authentication-logging
|
|
|
|
************************
|
|
Operator Command Logging
|
|
************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
operator-command-logging
|
|
kubernetes-operator-command-logging-663fce5d74e7
|
|
|
|
****************
|
|
UEFI Secure Boot
|
|
****************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
overview-of-uefi-secure-boot
|
|
use-uefi-secure-boot
|
|
|
|
***********************************
|
|
Authentication of Software Delivery
|
|
***********************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
authentication-of-software-delivery
|
|
|
|
***************
|
|
CVE Maintenance
|
|
***************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
cve-maintenance-723cd9dd54b3
|
|
|
|
|
|
*******************************************************
|
|
Security Feature Configuration for Spectre and Meltdown
|
|
*******************************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
security-feature-configuration-for-spectre-and-meltdown
|
|
|
|
************************
|
|
Deprecated Functionality
|
|
************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
starlingx-rest-api-applications-and-the-web-administration-server-deprecated
|
|
security-install-update-the-docker-registry-certificate-deprecated
|
|
|
|
|
|
***************************************
|
|
Appendix: Locally creating certificates
|
|
***************************************
|
|
|
|
.. toctree::
|
|
:maxdepth: 1
|
|
|
|
create-certificates-locally-using-openssl
|
|
create-certificates-locally-using-cert-manager-on-the-controller
|