Contents

Overview

• Overview
• Authentication of Software Delivery

UEFI Secure Boot

• Overview of UEFI Secure Boot
• Use UEFI Secure Boot
• Add Certificate to UEFI Secure Boot Database on already installed System

Firewall Management

• Default Firewall Rules
• Modify Firewall Options

Certificate Management

• HTTPS and Certificates Management Overview
• Display Certificates Installed on a System
  • The system certificate-list command
  • The show-certs.sh script
• Etcd Certificates
  • Install custom etcd Root CA certificate
  • Update/Renew etcd certificates
• Kubernetes Certificates
• Install Custom Kubernetes Root CA Certificate
• Update/Renew Kubernetes Certificates
• Manual Kubernetes Root CA Certificate Update
• Kubernetes Root CA Certificate Update Cloud Orchestration
• System Local CA Issuer
• Local LDAP Certificates
• Configure REST API Applications and Web Administration Server certificate
• Configure Docker Registry Certificate
• OIDC Client Dex Server Certificates
  • Install OIDC certificates
  • Update/Renew OIDC certificates
• Update system-local-ca or Migrate Platform Certificates to use Cert Manager
• Portieris Server Certificate
  • Install Portieris certificates
  • Update/Renew Portieris certificates
• Vault Server Certificate
  • Install Vault server certificate
  • Update/Renew Vault certificates
• Distributed Cloud Admin Endpoint Certificates
  • Certificate management for admin REST API endpoints
  • Certificates on the System Controller
  • Certificates on the subcloud
• System Trusted CA Certificates
  • Install/Uninstall Trusted CA certificates
  • Ansible Bootstrap Playbook
  • System CLI – Trusted CA Certificate Install
  • System CLI – Trusted CA Certificate Uninstall
  • Update/Renew Trusted CA Certificates
• Expiring-Soon and Expired Certificate Alarms
  • Overriding Default Certificate Alarming Behavior
  • Corrective action

Cert Manager

• Cert Manager
• Configure cert-manager at Bootstrap

Cert-Manager Post Installation Setup

• Firewall Port Overrides
• Enable Public Use of the cert-manager-acmesolver Image
• Enable Use of cert-manager-acmesolver Image in a Particular Namespace
• Enable the Use of cert-manager APIs by an Arbitrary User

Locally creating certificates

• Create Certificates Locally using openssl
• Create Certificates Locally using cert-manager on the Controller

User Management

Introduction

• Introduction to User Management
  • User Types
  • User Account Types
• Examples of User Management Common Tasks
  • Configure OIDC/LDAP Authentication for Kubernetes User Authentication
  • Create First System Administrator
  • System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI
  • Create Other System Administrators
  • Create End Users
  • End Users - Test Local Access using SSH or Kubernetes CLI
  • Remote Access
    • System Administrator - Collect System Information for Remote User Access
    • System Administrator - Access Horizon GUI
    • System Administrator - Configure System Remote CLI & Kubernetes Remote CLI
    • System Administrator - Access System Remote CLI & Kubernetes Remote CLI
    • End User - Configure Kubernetes Remote CLI
    • End User - Access Kubernetes Remote CLI
    • Install the Kubernetes Dashboard

Reference Material

• User Account Types
  • The sysadmin Account
  • Keystone Accounts
    • System-Critical Keystone User Accounts
    • Keystone Accounts Overview
    • Keystone Account Authentication
    • Keystone Account Roles
    • Manage Keystone Accounts
    • Configure the Keystone Token Expiration Time
    • Keystone Password Recovery
    • Keystone Security Compliance Configuration
  • LDAP Accounts
    • Local LDAP Accounts
    • Remote Windows Active Directory accounts
  • Manage Composite Local LDAP & Keystone Accounts at Scale
    • Create Inventory File Using Ansible-Vault
    • Run the Playbook
    • Use the Created Composite Local LDAP Accounts
    • Troubleshooting
  • Password Rules
    • System Account Password Rules
    • Linux Accounts Password Rules
• StarlingX Authentication and Authorization
  • StarlingX Horizon/GUI Configuration
    • Configure HTTP and HTTPS Ports for Horizon Using the CLI
    • Configure Horizon User Lockout on Failed Logins
  • Access StarlingX CLI locally from SSH/Local Console Session
    • For sysadmin Account
    • For General Keystone Account
    • CLI Confirmation Support
  • Access StarlingX CLIs and GUI Remotely
  • Access StarlingX REST APIs
• Kubernetes Authentication & Authorization
  • Kubernetes API User Authentication Using LDAP Server
    • Overview of LDAP Servers
    • Centralized vs Distributed OIDC Authentication Setup
    • Configure Kubernetes for OIDC Token Validation while Bootstrapping the System
    • Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
    • Set up OIDC Auth Applications
    • Configure Kubernetes Client Access
  • Kubernetes API User Authorization For LDAP Server
    • Configure Users, Groups, and Authorization
    • Private Namespace and Restricted RBAC
    • Resource Management
    • Pod Security Admission Controller
    • Deprovision LDAP Server Authentication & Authorization
  • Kubernetes API User Access
    • Access Kubernetes CLI locally from SSH/Local Console Session
    • Access Kubernetes CLIs and GUI Remotely
    • Access Kubernetes REST APIs
• SSH Authentication & Authorization
  • SSH Authentication
    • SSH Authentication
    • Selectively Disable SSH for Local LDAP and WAD Users
  • SSH Authorization
    • Add LDAP Users to Linux Groups Using PAM Configuration

Auditing

• Linux Auditing System
• Operator Login/Authentication Logging
• StarlingX Operator Command Logging
• Kubernetes Operator Command Logging

Container Image Integrity (Signature Validation)

• Portieris Overview
• Install Portieris
• Portieris ClusterImagePolicy and ImagePolicy Configuration
• Remove Portieris

Container AppArmor Profile

• About AppArmor
• Enable/Disable AppArmor on a Host
• Enable/Disable AppArmor on a Host using Horizon
• Install Security Profiles Operator (SPO)
• Profile Management
• Apply a Profile to a Pod
• Enable AppArmor Log
• Author AppArmor Profiles

Encrypting Data at Rest

• Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS)
• Encrypt Kubernetes Secret Data at Rest

Vault Secret and Data Management

• Vault Overview
• Install Vault
• Configure Vault Using the Vault REST API
• Configure Vault Using the Vault CLI
• Remove Vault

IPsec on Management Network

• IPsec Overview
• Configure and Enable IPsec
• IPSec Certificates
• IPsec CLIs

Secure Inter-host Pod-to-pod Network Traffic

• Inter-host Pod-to-pod Security Overview
• Install IPsec Policy Operator System Application
• Configure IPsec for Selected Inter-host Pod-to-pod Traffic using IPsec Policies
• Remove Ipsec-policy-operator System Application

CVE Maintenance

• CVE Maintenance

Security Feature Configuration for Spectre and Meltdown

• Security Feature Configuration for Spectre and Meltdown

Deprecated Functionality

• StarlingX REST API Applications and the Web Administration Server Certificate
• HTTPS Access for StarlingX REST and Web Server Endpoints

Appendix: Configurations for CIS benchmark

• Configure System to CIS Benchmark for Hosts Standards
• Configure System to CIS Benchmark for Containers Standards