Frankfurt
Integration health checks will automatically perform the following security checks for the Frankfurt release.
- pod_root: Pods must not run as root in Frankfurt. Example of how to configure a Docker not to run as root.
- Java debug wire protocol (jdwp) port (port 6379) must be closed (onap-dcae-redis-0, onap-dcae-redis-1, onap-dcae-redis-2, onap-msb-eag-57f7ccb568-ht7h6, onap-msb-iag-6f8f449bd7-d582t, onap-vnfsdk-566786f85f-m9q9b 8000)
- Update the test to exclude false positives reported by the project teams (redis default port = jdpw default port (6379)).
- nodeport_ingress: HTTP ports must be migrated to HTTPS.
- Review the list of the current 20 HTTP ports to determine which ones are necessary (robot, portal-sdk, portal-app, message-router, dmaap-bc, log-kibana, log-es, dmaap-dr-prov, cli , consul-server-ui, sniro-emulator, refrepo , uui, config-binding-service, dashboard, netbox-nginx, music-tomcat, cds-blueprints-processor-http, aaf-fs). The aaf-fs port is a known exception.
- Upgrade test to exclude those HTTP ports.
- Review the list of the current 20 HTTP ports to determine which ones are necessary (robot, portal-sdk, portal-app, message-router, dmaap-bc, log-kibana, log-es, dmaap-dr-prov, cli , consul-server-ui, sniro-emulator, refrepo , uui, config-binding-service, dashboard, netbox-nginx, music-tomcat, cds-blueprints-processor-http, aaf-fs). The aaf-fs port is a known exception.
CIS Benchmarks