mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

Moving files to security section

This commit is contained in:
Andrea Hoffer
2020-06-25 13:06:12 -04:00
committed by openshift-cherrypick-robot
parent 37f2165bb6
commit 56e7d64174
36 changed files with 60 additions and 54 deletions

View File

@@ -331,9 +331,32 @@ Topics:
- Name: Disabling the web console
File: disabling-web-console
Distros: openshift-enterprise,openshift-webscale,openshift-origin
---
Name: Authentication
Name: Security
Dir: security
Distros: openshift-enterprise,openshift-webscale,openshift-origin
Topics:
- Name: Configuring certificates
Dir: certificates
Distros: openshift-enterprise,openshift-webscale,openshift-origin
Topics:
- Name: Replacing the default ingress certificate
File: replacing-default-ingress-certificate
- Name: Adding API server certificates
File: api-server
- Name: Securing service traffic using service serving certificates
File: service-serving-certificate
- Name: Certificate types and descriptions
File: certificate-types-descriptions
Distros: openshift-enterprise,openshift-webscale,openshift-origin
- Name: Allowing JavaScript-based access to the API server from additional hosts
File: allowing-javascript-access-api-server
Distros: openshift-enterprise,openshift-webscale,openshift-origin
- Name: Encrypting etcd data
File: encrypting-etcd
Distros: openshift-enterprise,openshift-webscale,openshift-origin
---
Name: Authentication and authorization
Dir: authentication
Distros: openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated
Topics:
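Review bot: the placement of the `Certificate types and descriptions` entry needs a check against where the assembly actually lives. The module headers updated elsewhere in this commit reference `security/certificate-types-descriptions.adoc`, not `security/certificates/...`, so the entry belongs at the top level of the new `Security` section next to `Encrypting etcd data`, not inside the `Configuring certificates` block with `Dir: certificates`; the extracted diff drops indentation, so please confirm the YAML nesting in the file itself. Also, the section-level `Distros: openshift-enterprise,openshift-webscale,openshift-origin` on `Security` makes the identical per-topic `Distros` lines on the moved entries redundant, and it intentionally omits `openshift-dedicated`, which the renamed `Authentication and authorization` section keeps; worth stating in the PR that none of the moved topics should appear for dedicated.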
@@ -343,9 +366,6 @@ Topics:
- Name: Understanding identity provider configuration
File: dedicated-understanding-authentication
Distros: openshift-dedicated
- Name: Certificate types and descriptions
File: certificate-types-descriptions
Distros: openshift-enterprise,openshift-webscale,openshift-origin
- Name: Configuring the internal OAuth server
File: configuring-internal-oauth
Distros: openshift-enterprise,openshift-webscale,openshift-origin
@@ -378,16 +398,6 @@ Topics:
File: configuring-google-identity-provider
- Name: Configuring an OpenID Connect identity provider
File: configuring-oidc-identity-provider
- Name: Configuring certificates
Dir: certificates
Distros: openshift-enterprise,openshift-webscale,openshift-origin
Topics:
- Name: Replacing the default ingress certificate
File: replacing-default-ingress-certificate
- Name: Adding API server certificates
File: api-server
- Name: Securing service traffic using service serving certificates
File: service-serving-certificate
- Name: Using RBAC to define and apply permissions
File: using-rbac
- Name: Removing the kubeadmin user
@@ -417,12 +427,6 @@ Topics:
- Name: Syncing LDAP groups
File: ldap-syncing
Distros: openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated
- Name: Allowing JavaScript-based access to the API server from additional hosts
File: allowing-javascript-access-api-server
Distros: openshift-enterprise,openshift-webscale,openshift-origin
- Name: Encrypting etcd data
File: encrypting-etcd
Distros: openshift-enterprise,openshift-webscale,openshift-origin
---
Name: Networking
Dir: networking

View File

@@ -33,7 +33,7 @@ to @api-approvers (github) or #forum-api-review (slack).
|Description
|apiserver.config.openshift.io
|Provides api-server configuration such as xref:../../authentication/certificates/api-server.adoc#api-server-certificates[certificates and certificate authorities].
|Provides api-server configuration such as xref:../../security/certificates/api-server.adoc#api-server-certificates[certificates and certificate authorities].
|authentication.config.openshift.io
|Controls the xref:../../authentication/understanding-identity-provider.adoc#understanding-identity-provider[identity provider]and authentication configuration for the cluster.
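Review bot: pre-existing, but the unchanged context line directly below the changed one is missing a space in `[identity provider]and authentication`; since this table is being touched, fix it to `[identity provider] and authentication` so the rendered cell does not run the link text into the next word.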

View File

@@ -47,7 +47,7 @@ Although the {product-title} cluster itself uses FIPS validated / Implementation
[id="installation-about-fips-components-etcd_{context}"]
=== etcd
To ensure that the secrets that are stored in etcd use FIPS validated / Implementation Under Test encryption, encrypt the etcd datastore by using a FIPS-approved cryptographic algorithm. After you install the cluster, you can xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the `aes cbc` algorithm.
To ensure that the secrets that are stored in etcd use FIPS validated / Implementation Under Test encryption, encrypt the etcd datastore by using a FIPS-approved cryptographic algorithm. After you install the cluster, you can xref:../security/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the `aes cbc` algorithm.
[id="installation-about-fips-components-storage_{context}"]
=== Storage
@@ -73,6 +73,6 @@ To install a cluster in FIPS mode, follow the instructions to install a customiz
* xref:../installing/installing_openstack/installing-openstack-installer-custom.adoc#installing-openstack-installer-custom[{rh-openstack-first}]
* xref:../installing/installing_vsphere/installing-vsphere.adoc#installing-vsphere[VMware vSphere]
To apply `AES CBC` encryption to your etcd data store, follow the xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster.
To apply `AES CBC` encryption to your etcd data store, follow the xref:../security/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster.
If you add RHEL nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sec-Enabling-FIPS-Mode[Enabling FIPS Mode] in the RHEL 7 documentation.
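Review bot: the algorithm name is spelled two ways in this file, `aes cbc` in the etcd section of the first hunk and `AES CBC` in this one; pick one form and use it in both sentences so readers searching the page for the setting find both references. The xref path changes themselves are correct and consistent with the topic map move.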

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/encrypting-etcd.adoc
// * security/encrypting-etcd.adoc
[id="about-etcd_{context}"]
= About etcd encryption

View File

@@ -25,7 +25,7 @@ When an API request comes in, mutating or validating admission plug-ins use the
* If an error is encountered when calling a webhook, the request is either denied or the webhook is ignored depending on the error policy set. If the error policy is set to `Ignore`, the request is unconditionally accepted in the event of a failure. If the policy is set to `Fail`, failed requests are denied. Using `Ignore` can result in unpredictable behavior for all clients.
//Future xrefs - Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a certificate authority (CA) certificate and use the certificate to sign the server certificate that is used by your webhook server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as xref:../authentication/certificates/service-serving-certificate.adoc#service-serving-certificate[service serving certificate secrets].
//Future xrefs - Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a certificate authority (CA) certificate and use the certificate to sign the server certificate that is used by your webhook server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as xref:../security/certificates/service-serving-certificate.adoc#service-serving-certificate[service serving certificate secrets].
Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a CA certificate and use the certificate to sign the server certificate that is used by your webhook admission server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as service serving certificate secrets.
The following diagram illustrates the sequential admission chain process within which multiple webhook servers are called.

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/configuring-corsallowedorigins.adoc
// * security/allowing-javascript-access-api-server.adoc
[id="auth-allowing-javascript-access-api-server_{context}"]
= Allowing JavaScript-based access to the API server from additional hosts

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificate-types-descriptions.adoc
// * security/certificate-types-descriptions.adoc
[id="bootstrap-certificates_{context}"]
= Bootstrap certificates

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="add-service-certificate-apiservice_{context}"]
= Add the service CA bundle to an APIService

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="add-service-certificate-configmap_{context}"]
= Add the service CA bundle to a ConfigMap

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="add-service-certificate-crd_{context}"]
= Add the service CA bundle to a Custom Resource Definition

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="add-service-certificate-mutating-webhook_{context}"]
= Add the service CA bundle to a MutatingWebhookConfiguration

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="add-service-certificate-validating-webhook_{context}"]
= Add the service CA bundle to a ValidatingWebhookConfiguration

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="add-service-certificate_{context}"]
= Add a service certificate

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/api-server.adoc
// * security/certificates/api-server.adoc
[id="add-default-api-server_{context}"]
= Add an API server default certificate

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/api-server.adoc
// * security/certificates/api-server.adoc
[id="add-named-api-server_{context}"]
= Add an API server named certificate

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/replacing-default-ingress-certificate.adoc
// * security/certificates/replacing-default-ingress-certificate.adoc
[id="replacing-default-ingress_{context}"]
= Replacing the default ingress certificate

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="rotate-service-serving_{context}"]
= Manually rotate the generated service certificate

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// authentication/certificates/replacing-default-ingress-certificate.adoc
// security/certificates/replacing-default-ingress-certificate.adoc
[id="understanding-default-ingress_{context}"]
= Understanding the default ingress certificate
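Review bot: the assembly list in this module header lacks the `* ` bullet that every other module touched in this commit uses (`// * security/...`); add it while changing the path so the header matches the convention.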

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificates/service-serving-certificate.adoc
// * security/certificates/service-serving-certificate.adoc
[id="understanding-service-serving_{context}"]
= Understanding service serving certificates

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/encrypting-etcd.adoc
// * security/encrypting-etcd.adoc
[id="disabling-etcd-encryption_{context}"]
= Disabling etcd encryption

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/encrypting-etcd.adoc
// * security/encrypting-etcd.adoc
[id="enabling-etcd-encryption_{context}"]
= Enabling etcd encryption

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificate-types-descriptions.adoc
// * security/certificate-types-descriptions.adoc
[id="etcd-certificates_{context}"]
= etcd certificates

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificate-types-descriptions.adoc
// * security/certificate-types-descriptions.adoc
[id="olm-certificates_{context}"]
= OLM certificates

View File

@@ -1,7 +1,7 @@
// Module included in the following assemblies:
//
// * authentication/certificate-types-descriptions.adoc
// * security/certificate-types-descriptions.adoc
[id="proxy-certificates_{context}"]
= Proxy certificates

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificate-types-descriptions.adoc
// * security/certificate-types-descriptions.adoc
[id="service-ca-certificates_{context}"]
= Service CA certificates

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// *authentication/certificate-types-descriptions.adoc
// *security/certificate-types-descriptions.adoc
[id="user-provided-certificates-for-the-api-server_{context}"]
= User-provided certificates for the API server
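Review bot: `// *security/certificate-types-descriptions.adoc` is missing the space after the asterisk that the other module headers in this commit have (`// * security/...`); fix the spacing while the path is being changed.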

View File

@@ -1,6 +1,6 @@
// Module included in the following assemblies:
//
// * authentication/certificate-types-descriptions.adoc
// * security/certificate-types-descriptions.adoc
[id="user-provided-certificates-for-default-ingress_{context}"]
= User-provided certificates for default ingress

View File

@@ -137,7 +137,7 @@ its own certificate.
== Management
Ingress certificates are managed by the user. See
xref:../authentication/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing
xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing
the default ingress certificate] for more information.
[discrete]
@@ -191,12 +191,12 @@ from expired control plane certificates]
.Additional resources
* xref:../authentication/certificates/service-serving-certificate.adoc#add-service-serving[Manually rotate service serving certificates]
* xref:../authentication/certificates/service-serving-certificate.adoc#add-service-serving[Securing service traffic using service serving certificate secrets]
* xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[Manually rotate service serving certificates]
* xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[Securing service traffic using service serving certificate secrets]
* xref:../backup_and_restore/disaster_recovery/scenario-3-expired-certs.adoc#dr-recovering-expired-certs[Recovering
from expired control plane certificates]
* xref:../networking/enable-cluster-wide-proxy.adoc#enable-cluster-wide-proxy[Configuring the cluster-wide proxy]
* xref:../authentication/certificates/api-server.adoc#api-server-certificates[Adding API server certificates]
* xref:../authentication/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate]
* xref:../security/certificates/api-server.adoc#api-server-certificates[Adding API server certificates]
* xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate]
* xref:../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working[Working with nodes]
* xref:../backup_and_restore/disaster_recovery/scenario-1-infra-recovery.adoc#dr-scenario-1-recover-master-hosts_dr-infrastructure-recovery[Recovering from lost master hosts]
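Review bot: the two `service-serving-certificate.adoc` links in this hunk point at the same anchor, `#add-service-serving`, under two different titles. The "Manually rotate service serving certificates" entry should target the rotation module, whose id this commit shows as `rotate-service-serving_{context}`, so its anchor is most likely `#rotate-service-serving` (with whatever context suffix the assembly sets). The duplicate anchor is pre-existing, but since these lines are being rewritten anyway this is the moment to fix it.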

1
security/images Symbolic link
View File

@@ -0,0 +1 @@
../images

1
security/modules Symbolic link
View File

@@ -0,0 +1 @@
../modules

View File

@@ -178,7 +178,7 @@ xref:../authentication/identity_providers/configuring-google-identity-provider.a
and
xref:../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[OpenID].
- **Manage xref:../authentication/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Ingress], xref:../authentication/certificates/api-server.adoc#api-server-certificates[API server], and xref:../authentication/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates
- **Manage xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Ingress], xref:../security/certificates/api-server.adoc#api-server-certificates[API server], and xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates
by default for the Ingress Operator, the API server, and for
services needed by complex middleware applications that require
encryption. At some point, you may need to change, add, and