Contents Menu Expand Light mode Dark mode Auto light/dark mode
Documentation Portal
Logo
Mirantis OpenStack for Kubernetes
  • Product Overview
  • Reference Architecture
    • Deployment profiles
    • Components overview
    • Requirements
      • MOSK cluster hardware requirements
      • Management cluster storage
      • System requirements for the seed node
      • Components collocation
      • Infrastructure requirements
      • Automatic upgrade of a host operating system
    • Cloud services
      • Compute service
      • Networking service
      • Block Storage service
      • Identity service
        • Integration with Mirantis Container Cloud IAM
        • Regions
        • Application credentials
        • Domain-specific configuration
      • Image service
      • Object Storage service
      • Dashboard
      • Telemetry services
      • Bare Metal service
      • DNS service
      • Key Manager service
      • Instance High Availability service
      • Shared Filesystems service
    • OpenStack
      • OpenStack cluster
      • OpenStack lifecycle management
        • OpenStack Controller
        • OpenStackDeployment Admission Controller
      • OpenStack configuration
        • OpenStackDeployment custom resource
        • OpenStackDeploymentSecret custom resource
        • OpenStackDeploymentStatus custom resource
      • OpenStack database
        • Overview of the OpenStack database backup and restoration
        • Workflows of the OpenStack database backup and restoration
        • OpenStack database auto-cleanup
        • Periodic OpenStack database backups
        • Remote storage for OpenStack database backups
      • OpenStack message bus
    • Tungsten Fabric
      • Tungsten Fabric cluster
        • Tungsten Fabric cluster components
        • Tungsten Fabric traffic flow
      • Tungsten Fabric lifecycle management
        • Tungsten Fabric Operator
        • TFOperator custom resource
      • Tungsten Fabric configuration
        • Cassandra configuration
        • Custom vRouter settings
        • Control plane traffic interface
        • Traffic encapsulation
        • Autonomous System Number (ASN)
        • Access to external DNS
        • Gateway for vRouter data plane network
        • Tungsten Fabric image precaching
      • Tungsten Fabric services
        • Tungsten Fabric load balancing
      • Tungsten Fabric known limitations
      • Tungsten Fabric integration with OpenStack
    • Networking
      • Networking overview
      • Management cluster networking
      • MOSK cluster networking
      • Network types
      • Multi-rack architecture
      • Physical networks layout
      • Performance optimization
    • Storage
      • Ceph overview
      • Ceph limitations
      • Ceph integration with OpenStack
    • Mirantis StackLight
      • Deployment architecture
      • Monitored components
      • OpenSearch and Prometheus storage sizing
      • StackLight integration with OpenStack
    • Blueprints New
      • Remote compute nodes
        • Introduction to edge computing
        • Overview of the remote compute nodes approach
        • Design considerations for a remote site
        • Remote compute nodes with Tungsten Fabric
      • Large clusters
    • Node maintenance API
      • Node maintenance API objects
      • OpenStack Controller maintenance API
      • Tungsten Fabric Controller maintenance API
      • Cluster update flow
  • Deployment Guide
    • Plan the deployment
    • Provision a Container Cloud bare metal management cluster
    • Create a managed cluster
      • Add a bare metal host
      • Create a custom bare metal host profile
        • Default configuration of the host system storage
        • Create MOSK host profiles
        • Enable huge pages in a host profile
        • Configure RAID support
          • Create an LVM software RAID (raid1)
          • Create an mdadm software RAID (raid0, raid1, raid10)
        • Create LVM volume groups on top of RAID devices
      • Create a MOSK cluster
        • Create a managed bare metal cluster
        • Workflow of network interface naming
        • Service labels and their life cycle
        • Create subnets
        • Create subnets for a MOSK cluster
        • Create L2 templates
          • Create an L2 template for a Kubernetes manager node
          • Create an L2 template for a MOSK controller node
          • Create an L2 template for a MOSK compute node
          • Create an L2 template for a MOSK storage node
          • Edit and apply L2 templates
          • Mandatory parameters of L2 templates
          • Netplan template macros
          • L2 template example with bonds and bridges
        • Configure the MetalLB speaker node selector
      • Add a machine
        • Create a machine using CLI
        • Assign L2 templates to machines
        • Deploy a machine to a specific bare metal host
        • Override network interfaces naming and order
      • Add a Ceph cluster
      • Delete a managed cluster
    • Deploy OpenStack
      • Deploy an OpenStack cluster
      • Advanced OpenStack configuration (optional)
        • Enable LVM ephemeral storage
        • Enable LVM block storage
        • Enable DPDK with OVS
        • Enable SR-IOV with OVS
        • Enable BGP VPN
        • Encrypt the east-west traffic
        • Enable Cinder back end for Glance
        • Enable Cinder volume encryption
        • Advanced configuration for OpenStack compute nodes
          • Configure the CPU model
          • Enable huge pages for OpenStack
          • Configure CPU isolation for an instance
          • Configure custom CPU topologies
          • Configure PCI passthrough for guests
          • Limit HW resources for hyperconverged OpenStack compute nodes
        • Enable image signature verification
        • Enable Telemetry services
        • Configure LoadBalancer for PowerDNS
      • Access OpenStack after deployment
        • Configure DNS to access OpenStack
        • Access your OpenStack environment
      • Troubleshoot an OpenStack deployment
        • Debugging the Helm releases
        • Debugging the OpenStack Controller
        • Debugging the OsDpl CR
    • Deploy Tungsten Fabric
      • Tungsten Fabric deployment prerequisites
      • Deploy Tungsten Fabric
      • Advanced Tungsten Fabric configuration (optional)
        • Enable huge pages for OpenStack with Tungsten Fabric
        • Enable DPDK for Tungsten Fabric
        • Enable SR-IOV for Tungsten Fabric
        • Configure multiple Contrail API workers
      • Access the Tungsten Fabric web UI
      • Troubleshoot the Tungsten Fabric deployment
        • Enable debug logs for the Tungsten Fabric services
        • Troubleshoot access to the Tungsten Fabric web UI
        • Disable TX offloading on NICs used by vRouter
  • Operations Guide
    • Update a MOSK cluster
    • Update a MOSK cluster to 22.2 or earlier
    • Calculate a maintenance window duration for update
    • OpenStack operations
      • Update OpenStack
      • Upgrade OpenStack
      • Backup and restore OpenStack databases
        • Enable OpenStack database periodic backups
        • Enable OpenStack database remote backups
        • Restore OpenStack databases from a backup
        • Verify the periodic backup jobs for the OpenStack database
      • Add a controller node
      • Replace a failed controller node
      • Add a compute node
      • Delete a compute node
      • Reschedule stateful applications
      • Run Tempest tests
      • Remove an OpenStack cluster
      • Remove an OpenStack service
      • Enable uploading of an image through Horizon with untrusted SSL certificates
    • OpenStack services configuration
      • Configure high availability with Masakari
    • Ceph operations
      • Configure Ceph Object Gateway TLS
      • Ceph default configuration options
      • Use object storage server-side encryption
      • Calculate target ratio for Ceph pools
    • StackLight operations
      • View Grafana dashboards
      • View OpenSearch Dashboards
      • StackLight alerts
        • Core services
          • Libvirt
          • MariaDB
          • Memcached
          • SSL certificates
          • RabbitMQ
        • OpenStack
          • OpenStack services API
          • Cinder
          • Ironic
          • Neutron
          • Nova
        • Tungsten Fabric
          • Cassandra
          • Kafka
          • Redis
          • Tungsten Fabric
          • ZooKeeper
        • Alert dependencies
      • Configure StackLight
        • StackLight configuration procedure
        • StackLight configuration parameters
        • Verify StackLight after configuration
    • Tungsten Fabric operations
      • Update Tungsten Fabric
      • Upgrade Tungsten Fabric to 2011
      • Back up TF databases
      • Restore TF data
      • Replace a failed TF controller node
      • Verify the Tungsten Fabric deployment
      • Configure load balancing
      • Enable contrail-tools
      • Enable tf-api-cli
    • Container Cloud operations
      • Modify network configuration on an existing machine
      • Add more racks to an existing MOSK cluster
      • Expand IP addresses capacity in an existing cluster
      • Restart a bare metal host
    • Limitations
  • API Reference
  • User Guide
    • Use the Instance HA service
    • Manage application credentials
    • Use the Shared Filesystems service
  • Security Guide New
    • CADF audit notifications in OpenStack services
    • Firewall configuration
      • Container Cloud
      • Mirantis Kubernetes Engine
      • StackLight
      • Ceph
      • MOSK
      • OpenStack
      • Tungsten Fabric

Release notes

  • Release Notes
    • MOSK 22.5 release
      • New features
      • Major components versions
      • Known issues
        • OpenStack known issues
        • Tungsten Fabric known issues
        • Cluster update known issues
        • Ceph known issues
        • StackLight known issues
      • Release artifacts
      • Addressed issues
      • Update notes
      • Security notes
    • MOSK 22.4 release
      • New features
      • Major components versions
      • Known issues
        • OpenStack known issues
        • Tungsten Fabric known issues
        • Cluster update known issues
        • Ceph known issues
        • StackLight known issues
      • Release artifacts
      • Addressed issues
      • Update notes
      • Security notes
    • MOSK 22.3 release
      • New features
      • Major components versions
      • Known issues
        • OpenStack known issues
        • Tungsten Fabric known issues
        • Ceph known issues
        • Cluster update known issues
      • Release artifacts
      • Addressed issues
      • Update notes
      • Security notes
    • MOSK 22.2 release
      • New features
      • Major components versions
      • Known issues
        • Tungsten Fabric known issues
        • OpenStack known issues
        • Cluster update known issues
      • Release artifacts
      • Addressed issues
      • Update notes
      • Security notes
    • Release notes for older product versions
      • MOSK 22.1 release
        • New features
        • Major components versions
        • Known issues
          • Tungsten Fabric known issues and limitations
          • OpenStack known issues
          • Cluster update known issues
        • Release artifacts
        • Addressed issues
        • Update notes
      • MOS 21.6 release
        • New features
        • Major components versions
        • Known issues
          • Tungsten Fabric known issues and limitations
          • OpenStack known issues
          • Cluster update known issues
          • Ceph known issues
        • Release artifacts
        • Addressed issues
      • MOS 21.5 release
        • New features
        • Major components versions
        • Known issues
          • Tungsten Fabric known issues and limitations
          • OpenStack known issues
          • Cluster update known issues
          • Ceph known issues
        • Release artifacts
        • Addressed issues
      • MOS 21.4 release
        • New features
        • Major components versions
        • Known issues
          • Tungsten Fabric known issues and limitations
          • OpenStack known issues
          • StackLight known issues
          • Cluster update known issues
        • Release artifacts
        • Addressed issues
      • MOS 21.3 release
        • New features
        • Major components versions
        • Known issues
          • Tungsten Fabric known issues and limitations
          • OpenStack known issues
          • Ceph known issues
          • StackLight known issues
        • Release artifacts
        • Addressed issues
      • MOS 21.2 release
        • New features
        • Major components versions
        • Known issues
          • Tungsten Fabric known issues and limitations
          • OpenStack known issues
          • StackLight known issues
        • Release artifacts
        • Addressed issues
      • MOS 21.1 release
        • New features
        • Major components versions
        • Known issues
          • OpenStack known issues
          • Tungsten Fabric known issues and limitations
        • Release artifacts
        • Addressed issues
      • MOS Ussuri GA Update release
        • New features
        • Major components versions
        • Known issues
          • OpenStack known issues and limitations
          • Tungsten Fabric known issues and limitations
        • Release artifacts
        • Addressed issues
      • MOS Ussuri GA release
        • Product highlights
        • Major components versions
        • Known issues
          • OpenStack known issues and limitations
          • Tungsten Fabric known issues and limitations
        • Release artifacts
  • Deprecation Notes
  • Release cadence and support cycle
  • Release Compatibility Matrix
  • Container Cloud Release Compatibility Matrix

Security Guide New¶

This guide provides recommendations on how to effectively use product capabilities to harden the security of a Mirantis OpenStack for Kubernetes (MOSK) deployment.

Note

The guide is being under development and will be updated with new sections in future releases of the product documentation.

  • CADF audit notifications in OpenStack services
  • Firewall configuration
    • Container Cloud
    • Mirantis Kubernetes Engine
    • StackLight
    • Ceph
    • MOSK
    • OpenStack
    • Tungsten Fabric
Next
CADF audit notifications in OpenStack services
Previous
Use the Shared Filesystems service
  • Multi-page view
  • Single-page view

Mirantis Inc. 900 E Hamilton Avenue, Suite 650, Campbell, CA 95008 +1-650-963-9828

© 2005 - 2023 Mirantis, Inc. All rights reserved. "Mirantis" and "FUEL" are registered trademarks of Mirantis, Inc. All other trademarks are the property of their respective owners.