Contents

UEFI Secure Boot

• Overview of UEFI Secure Boot
• Use UEFI Secure Boot

Firewall Management

• Default Firewall Rules
• Modify Firewall Options

Certificate Management

• HTTPS and Certificates Management Overview
• Display Certificates Installed on a System
• Etcd Certificates
  • Install custom etcd Root CA certificate
  • Update/Renew etcd certificates
• Kubernetes Certificates
• System Local CA Issuer
• Local LDAP Certificates
• Configure REST API Applications and Web Administration Server certificate
• Configure Docker Registry Certificate
• OIDC Client Dex Server Certificates
  • Install OIDC certificates
  • Update/Renew OIDC certificates
• Update system-local-ca or Migrate Platform Certificates to use Cert Manager
• Portieris Server Certificate
  • Install Portieris certificates
  • Update/Renew Portieris certificates
• Vault Server Certificate
  • Install Vault server certificate
  • Update/Renew Vault certificates
• Distributed Cloud Admin Endpoint Certificates
  • Certificate management for admin REST API endpoints
  • Certificates on the System Controller
  • Certificates on the subcloud
• System Trusted CA Certificates
  • Install/Uninstall Trusted CA certificates
  • Ansible Bootstrap Playbook
  • System CLI – Trusted CA Certificate Install
  • System CLI – Trusted CA Certificate Uninstall
  • Update/Renew Trusted CA Certificates
• Expiring-Soon and Expired Certificate Alarms
  • Overriding Default Certificate Alarming Behavior
  • Corrective action

Cert Manager

• Cert Manager
• Configure cert-manager at Bootstrap
• Cert-Manager Post Installation Setup

User Management

• Introduction to User Management
  • User Types
  • User Account Types
• Examples of User Management Common Tasks
  • Configure OIDC/LDAP Authentication for Kubernetes User Authentication
  • Create First System Administrator
  • System Administrator - Test Local Access using SSH/Linux Shell and System and Kubernetes CLI
  • Create Other System Administrators
  • Create End Users
  • End Users - Test Local Access using SSH or Kubernetes CLI
  • Remote Access
    • System Administrator - Collect System Information for Remote User Access
    • System Administrator - Access Horizon GUI
    • System Administrator - Configure System Remote CLI & Kubernetes Remote CLI
    • System Administrator - Access System Remote CLI & Kubernetes Remote CLI
    • End User - Configure Kubernetes Remote CLI
    • End User - Access Kubernetes Remote CLI
• Reference Material
  • The sysadmin Account
  • Types of System Accounts
  • Linux User Accounts
    • The sysadmin Account
    • Local LDAP Linux User Accounts
      • Default LDAP User Accounts
    • Create LDAP Linux Accounts
    • Create LDAP Linux Groups
    • Delete LDAP Linux Accounts
    • Remote Access for Linux Accounts
    • Password Recovery for Linux User Accounts
      • Linux System Users
      • LDAP System Users
    • Local LDAP user password expiry control
      • Setting shadow password expiry information in local LDAP server
      • Password Expiry behavior on a running system
    • Establish Credentials for Linux User Accounts
    • For StarlingX and Platform OpenStack CLIs from a Local LDAP Linux Account Login
    • For StarlingX, Platform OpenStack and Kubernetes CLIs from the ‘sysadmin’ Linux Account Login
    • For Kubernetes CLI from a Local LDAP Linux Account Login
    • Manage Composite Local LDAP Accounts at Scale
      • Create inventory file using Ansible-Vault
      • Run the playbook
      • Use the created composite Local LDAP accounts
      • Troubleshooting
    • Selectively Disable SSH for Local LDAP and WAD Users
      • Deny SSH Access Local LDAP Users
      • Deny SSH Access for WAD Users
    • Add LDAP Users to Linux Groups Using PAM Configuration
  • Keystone Accounts
    • Keystone Accounts
    • Keystone Account Authentication
    • Keystone Account Roles
      • Creation of user with specific role for Horizon only
      • Creation of user with specific role for Horizon and CLI
    • Manage Keystone Accounts
    • Configure the Keystone Token Expiration Time
    • Keystone Password Recovery
    • Keystone Security Compliance Configuration
  • LDAP Accounts
    • Local LDAP Accounts
      • Local LDAP Linux User Accounts
        • Default LDAP User Accounts
      • Create LDAP Linux Accounts
      • Create LDAP Linux Groups
      • Delete LDAP Linux Accounts
      • Remote Access for Linux Accounts
      • Password Recovery for Linux User Accounts
        • Linux System Users
        • LDAP System Users
      • Local LDAP user password expiry control
        • Setting shadow password expiry information in local LDAP server
        • Password Expiry behavior on a running system
      • Establish Credentials for Linux User Accounts
      • Manage Composite Local LDAP Accounts at Scale
        • Create inventory file using Ansible-Vault
        • Run the playbook
        • Use the created composite Local LDAP accounts
        • Troubleshooting
    • Remote Windows Active Directory accounts
      • SSH User Authentication using Windows Active Directory (WAD)
        • Install WAD CA Certificate
        • Add Remote WAD Domain
        • SSH using the WAD domain user
        • Modify/Delete WAD Domain parameters
        • Delete a WAD Domain configuration
        • Default Local OpenLDAP Domain Configuration
        • SSSD logs
    • Selectively Disable SSH for Local LDAP and WAD Users
      • Deny SSH Access Local LDAP Users
      • Deny SSH Access for WAD Users
    • Manage Composite Local LDAP Accounts at Scale
      • Create inventory file using Ansible-Vault
      • Run the playbook
      • Use the created composite Local LDAP accounts
      • Troubleshooting
    • Kubernetes API User Authentication Using LDAP Server
      • Overview of LDAP Servers
      • Centralized vs Distributed OIDC Authentication Setup
        • Distributed Setup
        • Centralized Setup
      • Configure Kubernetes for OIDC Token Validation while Bootstrapping the System
      • Configure Kubernetes for OIDC Token Validation after Bootstrapping the System
      • Set up OIDC Auth Applications
        • Configure OIDC Auth Applications
        • Default helm overrides for oidc-auth-apps application
      • Configure Users, Groups, and Authorization
        • Grant Kubernetes permissions through direct role binding
        • Grant Kubernetes permissions through groups
      • Configure Kubernetes Client Access
        • Configure Kubernetes Local Client Access
        • Configure Kubernetes Remote Client Access
      • Deprovision LDAP Server Authentication
  • Password Rules
    • System Account Password Rules
    • Linux Accounts Password Rules
      • Verify Changes
  • Access the System
    • Configure Local CLI Access
    • Remote CLI Access
      • Configure Remote CLI Access
      • Configure Container-backed Remote CLIs and Clients
      • Use Container-backed Remote CLIs and Clients
      • Install Kubectl and Helm Clients Directly on a Host
    • Access the GUI
      • Configure HTTP and HTTPS Ports for Horizon Using the CLI
      • Configure Horizon User Lockout on Failed Logins
      • Install the Kubernetes Dashboard
    • REST API Access
      • Kubernetes
    • Connect to Container Registries through a Firewall or Proxy
  • Private Namespace and Restricted RBAC
  • Resource Management
    • LimitRange
    • ResourceQuota
  • Pod Security Admission Controller
    • Pod Security levels
    • Pod Security Admission labels for namespaces
    • Enable Pod Security Admission
    • Configure defaults for the Pod Security Admission Controller
    • Platform namespaces configuration
    • Pod Security Admission Controller - Usage Example

Auditing

• Linux Auditing System
• Operator Login/Authentication Logging
• StarlingX Operator Command Logging
• Kubernetes Operator Command Logging

Container Image Integrity (Signature Validation)

• Portieris Overview
• Install Portieris
• Portieris ClusterImagePolicy and ImagePolicy Configuration
• Remove Portieris

Container AppArmor Profile

• About AppArmor
• Enable/Disable AppArmor on a Host
• Enable/Disable AppArmor on a Host using Horizon
• Install Security Profiles Operator (SPO)
• Profile Management
• Apply a Profile to a Pod
• Enable AppArmor Log
• Author AppArmor Profiles

Encrypting Data at Rest

• Partial Disk (Transparent) Encryption Support via Software Encryption (LUKS)
• Encrypt Kubernetes Secret Data at Rest
• Vault Secret and Data Management

Software Delivery Integrity

• Authentication of Software Delivery

IPsec on Management Network

• IPsec Overview
• Configure and Enable IPsec
• IPSec Certificates
• IPsec CLIs

CVE Maintenance

• CVE Maintenance

Security Feature Configuration for Spectre and Meltdown

• Security Feature Configuration for Spectre and Meltdown

Deprecated Functionality

• StarlingX REST API Applications and the Web Administration Server Certificate

Appendix: Locally creating certificates

• Create Certificates Locally using openssl
• Create Certificates Locally using cert-manager on the Controller