63cd4f5fdc
Incorporated patchset 1 review comments Updated patchset 5 review comments Updated patchset 6 review comments Fixed merge conflicts Updated patchset 8 review comments Change-Id: Icd7b08ab69273f6073b960a13cf59905532f851a Signed-off-by: Juanita-Balaraj <juanita.balaraj@windriver.com>
7.0 KiB
Contents
System Accounts
types-of-system-accounts overview-of-system-accounts kube-service-account keystone-accounts remote-windows-active-directory-accounts
Linux User Accounts
the-sysadmin-account local-ldap-linux-user-accounts create-ldap-linux-accounts remote-access-for-linux-accounts password-recovery-for-linux-user-accounts establish-keystone-credentials-from-a-linux-account estabilish-credentials-for-linux-user-accounts starlingx-openstack-kubernetes-from-stsadmin-account-login kubernetes-cli-from-local-ldap-linux-account-login
Kubernetes Service Accounts
kubernetes-service-accounts create-an-admin-type-service-account
Keystone Accounts
about-keystone-accounts keystone-account-authentication manage-keystone-accounts configure-the-keystone-token-expiration-time password-recovery
Password Rules
starlingx-system-accounts-system-account-password-rules
Access the System
configure-local-cli-access remote-access-index security-access-the-gui configure-http-and-https-ports-for-horizon-using-the-cli configure-horizon-user-lockout-on-failed-logins install-the-kubernetes-dashboard security-rest-api-access connect-to-container-registries-through-a-firewall-or-proxy using-container-backed-remote-clis-and-clients
Manage Non-Admin Type Users
private-namespace-and-restricted-rbac pod-security-policies enable-pod-security-policy-checking disable-pod-security-policy-checking assign-pod-security-policies resource-management
User Authentication Using Windows Active Directory
overview-of-windows-active-directory configure-kubernetes-for-oidc-token-validation-while-bootstrapping-the-system configure-kubernetes-for-oidc-token-validation-after-bootstrapping-the-system configure-oidc-auth-applications centralized-oidc-authentication-setup-for-distributed-cloud configure-users-groups-and-authorization configure-kubectl-with-a-context-for-the-user
Obtain the Authentication Token
obtain-the-authentication-token-using-the-oidc-auth-shell-script obtain-the-authentication-token-using-the-browser
Deprovision Windows Active Directory
deprovision-windows-active-directory-authentication
Firewall Options
security-firewall-options security-default-firewall-rules
Secure HTTPS Connectivity
https-access-overview starlingx-rest-api-applications-and-the-web-administration-server enable-https-access-for-starlingx-rest-and-web-server-endpoints install-update-the-starlingx-rest-and-web-server-certificate secure-starlingx-rest-and-web-certificates-private-key-storage-with-tpm kubernetes-root-ca-certificate security-install-update-the-docker-registry-certificate add-a-trusted-ca
Cert Manager
security-cert-manager the-cert-manager-bootstrap-process
Post Installation Setup
firewall-port-overrides enable-public-use-of-the-cert-manager-acmesolver-image enable-use-of-cert-manager-acmesolver-image-in-a-particular-namespace enable-the-use-of-cert-manager-apis-by-an-arbitrary-user
Portieris Admission Controller
portieris-overview install-portieris remove-portieris portieris-clusterimagepolicy-and-imagepolicy-configuration
Vault Secret and Data Management
security-vault-overview install-vault remove-vault
Configure Vault
configure-vault configure-vault-using-the-cli
Encrypt Kubernetes Secret Data at Rest
encrypt-kubernetes-secret-data-at-rest
Operator Login/Authentication Logging
operator-login-authentication-logging
Operator Command Logging
operator-command-logging operator-login-authentication-logging operator-command-logging
UEFI Secure Boot
overview-of-uefi-secure-boot use-uefi-secure-boot
Trusted Platform Module
tpm-configuration-considerations
Authentication of Software Delivery
authentication-of-software-delivery
Security Feature Configuration for Spectre and Meltdown
security-feature-configuration-for-spectre-and-meltdown
Locally Create Certificates
create-certificates-locally-using-openssl create-certificates-locally-using-cert-manager-on-the-controller
Security Hardening Guidelines
security-hardening-intro
Recommended Security Features with a Minimal Performance Impact
uefi-secure-boot
Secure System Accounts
local-linux-account-for-sysadmin local-and-ldap-linux-user-accounts starlingx-accounts web-administration-login-timeout ssh-and-console-login-timeout system-account-password-rules
Security Features
secure-https-external-connectivity security-hardening-firewall-options isolate-starlingx-internal-cloud-management-network
Appendix: Locally creating certifciates
creating-certificates-locally-using-cert-manager-on-the-controller creating-certificates-locally-using-openssl