Infrastructure Security

A key aspect of planning your installation and configuration is addressing infrastructure security. By planning your configuration to include industry standard best practices prior to deployment, you can reduce the risk of security and compliance issues.

StarlingX Infrastructure Security Features

The security features listed below are available with StarlingX and should be included in your infrastructure security planning.

• Regular CVE scanning and fixing of StarlingX Platform’s DEB Kernel and RPM Packages

• UEFI Secure Boot on StarlingX Hosts

  • Signed boot loaders, initramfs, kernel and kernel modules

  • Signed in formal builds with StarlingX private key on StarlingX secure signing server

  • Validated by board-specific UEFI Secure Boot Firmware

  For more information, see Kubernetes UEFI Secure Boot Planning

• Signed ISOs and Patches/Updates

  • Signed in formal builds with StarlingX private key on StarlingX secure signing server

  • Public key built into ISO and patch signature validation code

  • Signatures checked on load import and update import commands

• Authentication and Authorization on all interfaces of:

  • SSH / Local Console (local LDAP)

    • Linux User/Group Permissions

    • Linux sudo

  • StarlingX REST APIs/CLIs (Keystone - local DB)

    • Keystone Roles - admin, member

  • Kubernetes APIs/CLIs (Service Accounts and Remote LDAP / Windows Active Directory via OIDC/DEX)

    • K8S RBAC Policies

  • StarlingX Dashboard Webserver (Keystone - Local DB)

    • Keystone Roles - admin, member

  • Local Docker Registry (Keystone - Local DB)

    • Keystone - admin, non-admin user

• HTTPS Support for all external Platform endpoints including:

  • System, Kubernetes, local docker registry REST APIs

  • Platform Dashboard Webserver

  • Certificate Management for K8S Certificates

    • Bootstrap configured K8S Root CA Certificates (auto-generated or user-specified)

    • Cron Jobs for renewing K8S server & client Certificates

    • Procedure for updating K8S Root CA Certificate

  • Certificate Management for HTTPS Platform endpoints (StarlingX APIs, Registry, OIDC, …) including use of Cert-Manager for install and auto-renewal of Certificates

  • Trusted CA Management for local client-side certificate validation

  • Alarming of soon-to-expired and expired Certificates

  • ‘show-certs.sh’ for displaying status and residual time for all certificates.

• Secure (HTTPS) Platform management network communication in Distributed Cloud providing secure management network connectivity between the system controller and subclouds with auto-renewal of certificates

• OAM / API Firewall includes default firewall rules automatically applied and customer modifiable through Calico network policies

• Helm v3 support including the removal of the default use of Helmv2/Tiller (insecure)

• Secure User Management including:

  • User Password Complexity enforcement

  • User forced log out on idle activity

  • User temporary lock out on N consecutive authentication failures

• Audit logs for operator commands and authentication events

  • Shell commands (on SSH / Local Console)

  • StarlingX REST APIs / CLIs

• Linux Auditd support for running on all hosts with configurable rules

• OpenScap Modules included in Host ISO

• Security Services for Hosted Applications including:

  • Cert Manager support including integration of the cert-manager project to automate the management and issuance of TLS certificates from various issuing sources (e.g. interface with external CA for certificate signing, auto-renewal of certificates)

  • Secure secret management and storage (Hashicorp Vault) with the integration of upstream Hashicorp Vault project and Support Vault general secret management for hosted applications

Kubernetes UEFI Secure Boot Planning

UEFI Secure Boot Planning allows you to authenticate modules before they are allowed to execute.

The initial installation of StarlingX should be done in UEFI mode if you plan on using the secure boot feature in the future.

The StarlingX secure boot certificate can be found in the StarlingX ISO, on the EFI bootable FAT filesystem. The file is in the directory /CERTS. You must add this certificate database to the motherboard’s UEFI certificate database. How to add this certificate to the database is determined by the UEFI implementation provided by the motherboard manufacturer.

You may need to work with your hardware vendor to have the certificate installed.

There is an option in the UEFI setup utility that allows a user to browse to a file containing a certificate to be loaded in the authorized database. This option may be hidden in the UEFI setup utility unless UEFI mode is enabled, and secure boot is enabled.

Many motherboards ship with Microsoft secure boot certificates pre-programmed in the UEFI certificate database. These certificates may be required to boot UEFI drivers for video cards, RAID controllers, or NICs (for example, the PXE boot software for a NIC may have been signed by a Microsoft certificate). While certificates can be removed from the certificate database (this is UEFI implementation specific) it may be required that you keep the Microsoft certificates to allow for complete system operation.

Mixed combinations of secure boot and non-secure boot nodes are supported. For example, a controller node may secure boot, while a worker node may not. Secure boot must be enabled in the UEFI firmware of each node for that node to be protected by secure boot.

• Secure Boot is supported in UEFI installations only. It is not used when booting StarlingX as a legacy boot target.

• StarlingX does not currently support switching from legacy to UEFI mode after a system has been installed. Doing so requires a reinstall of the system. This means that upgrading from a legacy install to a secure boot install (UEFI) is not supported.

• When upgrading a StarlingX system from a version that did not support secure boot to a version that does, do not enable secure boot in UEFI firmware until the upgrade is complete.