Contents

System Accounts

• Types of System Accounts
• Linux User Accounts
  • The sysadmin Account
  • Local LDAP Linux User Accounts
  • Create LDAP Linux Accounts
  • Create LDAP Linux Groups
  • Delete LDAP Linux Accounts
  • Remote Access for Linux Accounts
  • Password Recovery for Linux User Accounts
  • Local LDAP user password expiry control
  • Establish Credentials for Linux User Accounts
  • For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux Account Login
  • For StarlingX, Platform OpenStack and Kubernetes CLIs from the ‘sysadmin’ Linux Account Login
  • For Kubernetes CLI from a Local LDAP Linux Account Login
  • Manage Composite Local LDAP Accounts at Scale
• Keystone Accounts
  • Keystone Accounts
  • Keystone Account Authentication
  • Keystone Account Roles
  • Manage Keystone Accounts
  • Configure the Keystone Token Expiration Time
  • Keystone Password Recovery
  • Keystone Security Compliance Configuration
• Remote Windows Active Directory Accounts
• System Account Password Rules
• Manage Composite Local LDAP Accounts at Scale
  • Create inventory file using Ansible-Vault
  • Run the playbook
  • Use the created composite Local LDAP accounts
  • Troubleshooting

Access the System

• Configure Local CLI Access
• Remote CLI Access
  • Configure Remote CLI Access
  • Configure Container-backed Remote CLIs and Clients
  • Use Container-backed Remote CLIs and Clients
  • Install Kubectl and Helm Clients Directly on a Host
• Access the GUI
  • Configure HTTP and HTTPS Ports for Horizon Using the CLI
  • Configure Horizon User Lockout on Failed Logins
  • Install the Kubernetes Dashboard
• REST API Access
  • Kubernetes
• Connect to Container Registries through a Firewall or Proxy

Manage Non-Admin Type Users

• Private Namespace and Restricted RBAC
• Pod Security Policies
• Enable Pod Security Policy Checking
• Disable Pod Security Policy Checking
• Assign Pod Security Policies
• Resource Management
• Pod Security Admission Controller

SSH User Authentication Using Windows Active Directory

• SSH User Authentication using Windows Active Directory (WAD)

K8S API User Authentication Using LDAP Server

• Overview of LDAP Servers
• Centralized vs Distributed OIDC Authentication Setup
• Configure Kubernetes for OIDC Token Validation while Bootstrapping the System
• Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
• Set up OIDC Auth Applications
• Configure Users, Groups, and Authorization
• Configure Kubernetes Client Access
• Deprovision LDAP Server Authentication

Firewall Options

• Default Firewall Rules
• Modify Firewall Options

HTTPS Certificate Management

• HTTPS and Certificates Management Overview
• Display Certificates Installed on a System
• Etcd Certificates
  • Install custom etcd Root CA certificate
  • Update/Renew etcd certificates
• Kubernetes Certificates
• System Local CA Issuer
• Local LDAP Certificates
• Configure REST API Applications and Web Administration Server certificate
  • Limitations for using IPv6 addresses related to management and OAM networks
• Configure Docker Registry Certificate
  • Limitations for using IPv6 addresses related to management and OAM networks
• OIDC Client Dex Server Certificates
  • Install OIDC certificates
  • Update/Renew OIDC certificates
• Update system-local-ca or Migrate Platform Certificates to use Cert Manager
• Portieris Server Certificate
  • Install Portieris certificates
  • Update/Renew Portieris certificates
• Vault Server Certificate
  • Install Vault server certificate
  • Update/Renew Vault certificates
• Distributed Cloud Admin Endpoint Certificates
  • Certificate management for admin REST API endpoints
  • Certificates on the System Controller
  • Certificates on the subcloud
• System Trusted CA Certificates
  • Install/Uninstall Trusted CA certificates
  • Ansible Bootstrap Playbook
  • System CLI – Trusted CA certificate install
  • System CLI – Trusted CA certificate uninstall
  • Update/Renew trusted CA certificates
• Expiring-Soon and Expired Certificate Alarms
  • Overriding Default Certificate Alarming Behavior
  • Corrective action

Cert Manager

• Cert Manager
• Configure cert-manager at Bootstrap
• Cert-Manager Post Installation Setup

Portieris Admission Controller

• Portieris Overview
• Install Portieris
• Portieris ClusterImagePolicy and ImagePolicy Configuration
• Remove Portieris

Vault Secret and Data Management

• Vault Overview
• Install Vault
• Configure Vault Using the Vault REST API
• Configure Vault Using the Vault CLI
• Remove Vault

Encrypt Kubernetes Secret Data at Rest

• Encrypt Kubernetes Secret Data at Rest

Linux Auditing System

• Linux Auditing System

AppArmor

• About AppArmor
• Enable/Disable AppArmor on a Host
• Enable/Disable AppArmor on a Host using Horizon
• Install Security Profiles Operator (SPO)
• Profile Management
• Apply a Profile to a Pod
• Enable AppArmor Log
• Author AppArmor Profiles

Operator Login/Authentication Logging

• Operator Login/Authentication Logging

Operator Command Logging

• StarlingX Operator Command Logging
• Kubernetes Operator Command Logging

UEFI Secure Boot

• Overview of UEFI Secure Boot
• Use UEFI Secure Boot

Authentication of Software Delivery

• Authentication of Software Delivery

CVE Maintenance

• CVE Maintenance

Security Feature Configuration for Spectre and Meltdown

• Security Feature Configuration for Spectre and Meltdown

Deprecated Functionality

• StarlingX REST API Applications and the Web Administration Server Certificate
• Local Registry Server Certificates

Appendix: Locally creating certificates

• Create Certificates Locally using openssl
• Create Certificates Locally using cert-manager on the Controller