Security Hardening

This is an overarching guide to further harden the security posture of a Cray System Management (CSM) system.

If a subset of the steps in this procedure were completed as a consequence of an install, upgrade, or other guidance, then it is safe to skip that subset following a review.

Prerequisites

None.

Procedure

  1. Change passwords and credentials.

    Perform procedure(s) in Change Passwords and Credentials.

  2. Customize (“randomize”) iPXE binary name.

    Perform procedure(s) in Customize iPXE Binary Names.

  3. (Optional) Enable Spire and OPA xname validation.

    Perform procedure(s) in xname validation.

  4. (Optional) Enable Kubernetes API encryption.

    Perform procedure(s) in Kubernetes Encryption.

  5. (Optional) Change Keycloak OAuth token lifetime.

    Perform procedure(s) in Change Keycloak token lifetime.

  6. (Optional) Remove Kiali.

    Perform procedure(s) in Remove Kiali.

  7. (Optional) Set Kubernetes API audit log file parameters.

    If Kubernetes API auditing is enabled, then it is recommended to set the --audit-log-maxage parameter to 30 (or another appropriate value) and the --audit-log-maxsize parameter to 100 (or another appropriate value).

    For more information on setting the audit parameters, refer to Audit parameter settings.
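The following is an added example, not part of the CSM documentation or its tooling: a small POSIX shell check that reads a kube-apiserver static-pod manifest and reports whether the two audit log retention flags named above are present and meet the recommended values (30 days and 100 MB). The default manifest path /etc/kubernetes/manifests/kube-apiserver.yaml is an assumption taken from kubeadm-style deployments; the two manifest fragments at the end are constructed samples so the script runs offline.

```shell
#!/bin/sh
# Added example (not CSM project code): verify kube-apiserver audit log
# retention flags in a static-pod manifest.
# Assumed default path for kubeadm-style deployments; pass another file as $1.

# Print the value of a "--flag=value" argument found in a manifest file,
# or nothing if the flag is absent.
audit_flag_value() {
    # $1 = manifest file, $2 = flag name without the leading dashes
    grep -o -- "--$2=[^\"' ]*" "$1" | head -n 1 | cut -d= -f2
}

# Returns 0 when both flags are present and meet the recommended minimums
# (--audit-log-maxage >= 30, --audit-log-maxsize >= 100), 1 otherwise.
# Each shortfall is reported on stdout so an operator knows what to change.
check_audit_settings() {
    manifest="${1:-/etc/kubernetes/manifests/kube-apiserver.yaml}"
    maxage=$(audit_flag_value "$manifest" audit-log-maxage)
    maxsize=$(audit_flag_value "$manifest" audit-log-maxsize)
    ok=0
    if [ -z "$maxage" ] || [ "$maxage" -lt 30 ]; then
        echo "audit-log-maxage is '${maxage:-unset}', recommended 30"
        ok=1
    fi
    if [ -z "$maxsize" ] || [ "$maxsize" -lt 100 ]; then
        echo "audit-log-maxsize is '${maxsize:-unset}', recommended 100"
        ok=1
    fi
    return $ok
}

# Constructed sample manifest fragments (not taken from a real system) so the
# check can be demonstrated without access to a control-plane node.
weak=$(mktemp)
good=$(mktemp)
trap 'rm -f "$weak" "$good"' EXIT
cat > "$weak" <<'EOF'
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --audit-log-maxage=7
EOF
cat > "$good" <<'EOF'
    - --audit-log-path=/var/log/kubernetes/audit.log
    - --audit-log-maxage=30
    - --audit-log-maxsize=100
    - --audit-log-maxbackup=10
EOF

# Demonstration: the weak manifest is reported, the hardened one passes.
check_audit_settings "$weak" || echo "sample manifest needs hardening"
check_audit_settings "$good" && echo "hardened sample manifest passes"
```

Run it without arguments on a control-plane node to inspect the live manifest, or pass a manifest path as the first argument. The check only reads the file; applying the values is done by editing the kube-apiserver manifest as described in Audit parameter settings.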