Contents

System Accounts

• Types of System Accounts
• Linux User Accounts
  • The sysadmin Account
  • Local LDAP Linux User Accounts
  • Create LDAP Linux Accounts
  • Remote Access for Linux Accounts
  • Password Recovery for Linux User Accounts
  • Establish Credentials for Linux User Accounts
  • For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux Account Login
  • For StarlingX, Platform OpenStack and Kubernetes CLIs from the ‘sysadmin’ Linux Account Login
  • For Kubernetes CLI from a Local LDAP Linux Account Login
• Kubernetes Service Accounts
  • Create an Admin Type Service Account
• Keystone Accounts
  • Keystone Accounts
  • Keystone Account Authentication
  • Manage Keystone Accounts
  • Configure the Keystone Token Expiration Time
  • Keystone Password Recovery
  • Keystone Security Compliance Configuration
• Remote Windows Active Directory Accounts
• System Account Password Rules

Access the System

• Configure Local CLI Access
• Remote CLI Access
  • Configure Remote CLI Access
  • Configure Container-backed Remote CLIs and Clients
  • Use Container-backed Remote CLIs and Clients
  • Install Kubectl and Helm Clients Directly on a Host
  • Configure Remote Helm v2 Client
• Access the GUI
  • Configure HTTP and HTTPS Ports for Horizon Using the CLI
  • Configure Horizon User Lockout on Failed Logins
  • Install the Kubernetes Dashboard
• REST API Access
  • Kubernetes
• Connect to Container Registries through a Firewall or Proxy

Manage Non-Admin Type Users

• Private Namespace and Restricted RBAC
• Pod Security Policies
• Enable Pod Security Policy Checking
• Disable Pod Security Policy Checking
• Assign Pod Security Policies
• Resource Management

User Authentication Using Windows Active Directory

• Overview of Windows Active Directory
• Configure Kubernetes for OIDC Token Validation while Bootstrapping the System
• Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
• Set up OIDC Auth Applications
• Centralized OIDC Authentication Setup for Distributed Cloud
• Configure Users, Groups, and Authorization
• Configure Kubectl with a Context for the User

Obtain the Authentication Token

• Obtain the Authentication Token Using the oidc-auth Shell Script
• Obtain the Authentication Token Using the Browser

Deprovision Windows Active Directory

• Deprovision Windows Active Directory Authentication

Firewall Options

• Default Firewall Rules
• Modify Firewall Options

HTTPS Certificate Management

• HTTPS and Certificates Management Overview
  • Limitations for using IPv6 addresses related to management and OAM networks
• Display Certificates Installed on a System
• Create a local CA Issuer
  • Create the ClusterIssuer
• Kubernetes Certificates
  • Install Custom Kubernetes Root CA Certificate
  • Update/Renew Kubernetes Certificates
  • Manual Kubernetes Root CA Certificate Update
  • Kubernetes Root CA Certificate Update Cloud Orchestration
• Etcd Certificates
  • Install custom etcd Root CA certificate
  • Update/Renew etcd certificates
• Install Custom Kubernetes Root CA Certificate
• Configure REST API Applications and Web Administration Server certificate
• Configure Docker Registry Certificate
• OIDC Client Dex Server Certificates
  • Install OIDC certificates
  • Update/Renew OIDC certificates
• Migrate/Update Platform Certificates to use Cert Manager
• Portieris Server Certificate
  • Install Portieris certificates
  • Update/Renew Portieris certificates
• Vault Server Certificate
  • Install Vault server certificate
  • Update/Renew Vault certificates
• Distributed Cloud Admin Endpoint Certificates
  • Certificate management for admin REST API endpoints
  • Certificates on the System Controller
  • Certificates on the subcloud
• System Trusted CA Certificates
  • Install/Uninstall Trusted CA certificates
  • Ansible Bootstrap Playbook
  • System CLI – Trusted CA certificate install
  • System CLI – Trusted CA certificate uninstall
  • Update/Renew trusted CA certficates
• Certificate Management Guidelines
• Expiring-Soon and Expired Certificate Alarms
  • Overriding Default Certificate Alarming Behavior
  • Corrective action

Cert Manager

• Cert Manager
• Configure cert-manager at Bootstrap
• Cert-Manager Post Installation Setup

Portieris Admission Controller

• Portieris Overview
• Install Portieris
• Portieris ClusterImagePolicy and ImagePolicy Configuration
• Remove Portieris

Vault Secret and Data Management

• Vault Overview
• Install Vault
• Configure Vault Using the Vault REST API
• Configure Vault Using the Vault CLI
• Remove Vault

Encrypt Kubernetes Secret Data at Rest

• Encrypt Kubernetes Secret Data at Rest

Linux Auditing System

• Linux Auditing System

Operator Login/Authentication Logging

• Operator Login/Authentication Logging

Operator Command Logging

• Operator Command Logging

UEFI Secure Boot

• Overview of UEFI Secure Boot
• Use UEFI Secure Boot

Authentication of Software Delivery

• Authentication of Software Delivery

Security Feature Configuration for Spectre and Meltdown

• Security Feature Configuration for Spectre and Meltdown

Security Hardening Guidelines

• Security Hardening Introduction

Recommended Security Features with a Minimal Performance Impact

• UEFI Secure Boot

Secure System Accounts

• Local Linux Account for ‘sysadmin’
• Local LDAP Linux User Accounts
• StarlingX Accounts
• Web Administration Login Timeout
• SSH and Console Login Timeout
• System Account Password Rules

Security Features

• Secure HTTPS External Connectivity
• Firewall Options
• Isolate StarlingX’s Internal Cloud Management Network

Deprecated Functionality

• StarlingX REST API Applications and the Web Administration Server Certificate
• Local Registry Server Certificates

Appendix: Locally creating certificates

• Create Certificates Locally using openssl
• Create Certificates Locally using cert-manager on the Controller