Security Hardening

This is an overarching guide to further harden the security posture of a Cray System Management (CSM) system.

If a subset of the steps in this procedure was already completed as a consequence of an install, upgrade, or other guidance, then it is safe to skip that subset following a review.

Prerequisites

None.

Procedure

  1. Change passwords and credentials.

    Perform procedure(s) in Change Passwords and Credentials.

  2. Limit Kubernetes API audit log retention.

    If Kubernetes API Auditing was enabled at install, perform procedure(s) in Limit Kubernetes API Audit Log Maximum Backups.

    Failure to apply the referenced configuration could result in NCN disk space exhaustion on Kubernetes Master Nodes.

  3. Customize (“randomize”) iPXE binary name.

    Perform procedure(s) in Customize iPXE Binary Names.

  4. (Optional) Enable Spire and OPA xname validation.

    Perform procedure(s) in xname validation.

  5. (Optional) Enable Kubernetes API encryption.

    Perform procedure(s) in Kubernetes Encryption.

  6. (Optional) Change Keycloak OAuth token lifetime.

    Perform procedure(s) in Change Keycloak token lifetime.

  7. (Optional) Remove Kiali.

    Perform procedure(s) in Remove Kiali.