Contents

UEFI Secure Boot

• Overview of UEFI Secure Boot
• Use UEFI Secure Boot

Firewall Management

• Default Firewall Rules
• Modify Firewall Options

Certificate Management

• HTTPS and Certificates Management Overview
• Display Certificates Installed on a System
  • The system certificate-list command
  • The show-certs.sh script
• Etcd Certificates
  • Install custom etcd Root CA certificate
  • Update/Renew etcd certificates
• Kubernetes Certificates
• Install Custom Kubernetes Root CA Certificate
• Update/Renew Kubernetes Certificates
• Manual Kubernetes Root CA Certificate Update
• Kubernetes Root CA Certificate Update Cloud Orchestration
• System Local CA Issuer
• Local LDAP Certificates
• Configure REST API Applications and Web Administration Server certificate
• Configure Docker Registry Certificate
• OIDC Client Dex Server Certificates
  • Install OIDC certificates
  • Update/Renew OIDC certificates
• Update system-local-ca or Migrate Platform Certificates to use Cert Manager
• Portieris Server Certificate
  • Install Portieris certificates
  • Update/Renew Portieris certificates
• Vault Server Certificate
  • Install Vault server certificate
  • Update/Renew Vault certificates
• Distributed Cloud Admin Endpoint Certificates
  • Certificate management for admin REST API endpoints
  • Certificates on the System Controller
  • Certificates on the subcloud
• System Trusted CA Certificates
  • Install/Uninstall Trusted CA certificates
  • Ansible Bootstrap Playbook
  • System CLI – Trusted CA Certificate Install
  • System CLI – Trusted CA Certificate Uninstall
  • Update/Renew Trusted CA Certificates
• Expiring-Soon and Expired Certificate Alarms
  • Overriding Default Certificate Alarming Behavior
  • Corrective action

Cert Manager

• Cert Manager
• Configure cert-manager at Bootstrap

Cert-Manager Post Installation Setup

• Firewall Port Overrides
• Enable Public Use of the cert-manager-acmesolver Image
• Enable Use of cert-manager-acmesolver Image in a Particular Namespace
• Enable the Use of cert-manager APIs by an Arbitrary User

User Management

• Introduction to User Management
  • User Types
  • User Account Types

Examples of User Management Common Tasks

• Examples of User Management Common Tasks
• Configure OIDC/LDAP Authentication for Kubernetes User Authentication
• Create First System Administrator
• System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI
• Create Other System Administrators
• Create End Users
• End Users - Test Local Access using SSH or Kubernetes CLI

Remote Access

• Remote Access
• System Administrator - Collect System Information for Remote User Access
• System Administrator - Access Horizon GUI
• System Administrator - Configure System Remote CLI & Kubernetes Remote CLI
• System Administrator - Access System Remote CLI & Kubernetes Remote CLI
• End User - Configure Kubernetes Remote CLI
• End User - Access Kubernetes Remote CLI

Reference Material

• The sysadmin Account
• Types of System Accounts

Linux User Accounts

• Linux User Accounts
• For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux Account Login
• For StarlingX, Platform OpenStack and Kubernetes CLIs from the ‘sysadmin’ Linux Account Login
• For Kubernetes CLI from a Local LDAP Linux Account Login
• Add LDAP Users to Linux Groups Using PAM Configuration

Keystone Accounts

• Keystone Accounts
• Keystone Accounts Overview
• Keystone Account Authentication
• Keystone Account Roles
• Manage Keystone Accounts
• Configure the Keystone Token Expiration Time
• Keystone Password Recovery
• Keystone Security Compliance Configuration

LDAP Accounts

Local LDAP Accounts

• Local LDAP Linux User Accounts
  • Default LDAP User Accounts
• Create LDAP Linux Accounts
• Create LDAP Linux Groups
• Delete LDAP Linux Accounts
• Remote Access for Linux Accounts
• Password Recovery for Linux User Accounts
  • Linux System Users
  • LDAP System Users
• Local LDAP user password expiry control
  • Setting shadow password expiry information in local LDAP server
  • Password Expiry behavior on a running system
• Establish Credentials for Linux User Accounts
• Manage Composite Local LDAP Accounts at Scale
  • Create inventory file using Ansible-Vault
  • Run the playbook
  • Use the created composite Local LDAP accounts
  • Troubleshooting

Remote Windows Active Directory accounts

• Remote Windows Active Directory accounts
• SSH User Authentication using Windows Active Directory (WAD)

Selectively Disable SSH for Local LDAP and WAD Users

• Selectively Disable SSH for Local LDAP and WAD Users

Manage Composite Local LDAP Accounts at Scale

• Manage Composite Local LDAP Accounts at Scale

Kubernetes API User Authentication Using LDAP Server

• Overview of LDAP Servers
• Centralized vs Distributed OIDC Authentication Setup
  • Distributed Setup
  • Centralized Setup
• Configure Kubernetes for OIDC Token Validation while Bootstrapping the System
• Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
• Set up OIDC Auth Applications
  • Configure OIDC Auth Applications
  • Default helm overrides for oidc-auth-apps application
• Configure Users, Groups, and Authorization
  • Grant Kubernetes permissions through direct role binding
  • Grant Kubernetes permissions through groups
• Configure Kubernetes Client Access
  • Configure Kubernetes Local Client Access
  • Configure Kubernetes Remote Client Access
• Deprovision LDAP Server Authentication

Password Rules

• System Account Password Rules
• Linux Accounts Password Rules
  • Verify Changes

Access the System

• Configure Local CLI Access
• Configure Remote CLI Access
• Configure Container-backed Remote CLIs and Clients
• Use Container-backed Remote CLIs and Clients
• Install Kubectl and Helm Clients Directly on a Host
• Access the GUI
• Configure HTTP and HTTPS Ports for Horizon Using the CLI
• Configure Horizon User Lockout on Failed Logins
• Install the Kubernetes Dashboard
• REST API Access
  • Kubernetes
• Connect to Container Registries through a Firewall or Proxy

Private Namespace and Restricted RBAC

• Private Namespace and Restricted RBAC

Resource Management

• Resource Management

Pod Security Admission Controller

• Pod Security Admission Controller

Auditing

• Linux Auditing System
• Operator Login/Authentication Logging
• StarlingX Operator Command Logging
• Kubernetes Operator Command Logging

Container Image Integrity (Signature Validation)

• Portieris Overview
• Install Portieris
• Portieris ClusterImagePolicy and ImagePolicy Configuration
• Remove Portieris

Container AppArmor Profile

• About AppArmor
• Enable/Disable AppArmor on a Host
• Enable/Disable AppArmor on a Host using Horizon
• Install Security Profiles Operator (SPO)
• Profile Management
• Apply a Profile to a Pod
• Enable AppArmor Log
• Author AppArmor Profiles

Encrypting Data at Rest

• Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS)
• Encrypt Kubernetes Secret Data at Rest

Vault Secret and Data Management

• Vault Overview
• Install Vault
• Configure Vault Using the Vault REST API
• Configure Vault Using the Vault CLI
• Remove Vault

Software Delivery Integrity

• Authentication of Software Delivery

IPsec on Management Network

• IPsec Overview
• Configure and Enable IPsec
• IPSec Certificates
• IPsec CLIs

CVE Maintenance

• CVE Maintenance

Security Feature Configuration for Spectre and Meltdown

• Security Feature Configuration for Spectre and Meltdown

Deprecated Functionality

• StarlingX REST API Applications and the Web Administration Server Certificate
• HTTPS Access for StarlingX REST and Web Server Endpoints
• Install/Update the StarlingX Rest and Web Server Certificate

Appendix: Locally creating certificates

• Create Certificates Locally using openssl
• Create Certificates Locally using cert-manager on the Controller