This page is mostly a wishful thinking. It does not reflect the current state of ONAP security. It's rather where we would like to be.

ONAP introduction

Abstract ONAP Architecture

Abstractly, ONAP is an independent software system that exposes Northbound interfaces for User, Admin and OSS/BSS systems and Southbound interfaces for xNFs (VNF, CNF, PNF). ONAP uses interfaces provided by NFVi and xNFs.


ONAP deployed on kubernetes

In the early releases, ONAP was deployed on VMs. ONAP is now virtualized using containers orchestrated by Kubernetes (K8S). ONAP uses interfaces exposed by K8S.


ONAP deployed on kubernetes with external databases

Most ONAP components require a data persistence layer, implemented using a databases. In early releases, most ONAP components had their own databases. As the platform has matured, components have moved to shared databases. A logical progression to make the platform simpler to deploy in an operator environment, is to create interfaces that allow an operator to configure ONAP to use external DB engines in the operators environment.


ONAP deployed on K8S with external databases and external identity and access management (IAM)

ONAP includes AAF, an identity management system that supports authentication, authorization, identity lifecycle management (ILM), and certificate management, including a certificate authority (CA) designed to support a lab deployment. It is likely that an operator will want to integrate ONAP with their IAM system, thus ONAP needs to support standard IAM protocols.

  • TO DO: specify the protocols
    • LDAP
    • ...



ONAP deployed on kubernetes with external databases and external IAM and external CA

Most of the operators probably already have Certificate Authority server running in their network and a requirement that all services should present a valid certificate signed by this CA. This means that ONAP should provide the ability to integrate with external CA instead of shipping own one.



Defining system boundaries

Provided interfaces

  1. Admin/User/OSS/BSS interfaces are REST.
  2. xNF southbound interfaces are VES events (protocol depends on the collector used)

Used interfaces

  1. Kubernetes interface is REST. Exact supported version of kubernetes has to be specified by every ONAP release
  2. Database interface depends on DB type but only encrypted communication should be used
  3. xNF interface depends on particular xNF but all xNFs should support secure protocols for communication
  4. NFVI interface is REST (usually OpenStack or Kubernetes)
  5. IAM interface is Open ID Connect
    1. if operator already has OIDC compatible solution ONAP should just use it
    2. if operator has Identity Provider (LDAP/Kerberos/etc) external OIDC solution should be deployed (ie keycloak) with operator IdP configured as backend
    3. In testing environment external OIDC solution should be deployed and bootstraped with test users
  6. CA interface can be one of:
    1. Manual interaction by deployer that will retrieve certificates and the bootstrap ONAP instance with them
    2. One of automated certificate retrieval protocols (ACME, CMPv2 etc)
    3. In testing environment external CA (and ONAP should use automated certificate retrieval as described in b) solution should be deployed

Requirements on interfaces

Kubernetes

  1. Cluster should be configured according to CIS Kubernetes Benchmark
  2. Encryption at rest should be properly configured to ensure that secrets are never stored in the plain text

Databases

  1. Each DB should be configured according to corresponding CIS guideline
  2. All DB should be already created or ONAP should be provided with user that is capable of creating DB
  3. If ONAP creates a DB a dedicated user account with privileges limited to that DB should be created. Password used for this user cannot be hardcoded in ONAP source.

xNF

  1. Define by the  ONAP VNF security requirements

NFVI

  1. Defined by the CNTT Reference Architecture 1 & 2

IAM

  1. IAM must support OpenID Connect standard

CA

  1. If automated certificate retrieval is used one of .... has to be supported by the CA (CMPv2, ACME, SCEP)

Requirements on exposed interfaces

  1. North and south interfaces should be separated (ie different instance of ingress controller) to provide operator deployment flexibility
  2. All Northbound interfaces musts be protected using TLS
  3. All Northbound interfaces must support SSO
  4. All Northbound interfaces must support RBAC
  5. All roles used in ONAP have to be documented
  6. All forms should validate and sanitize their input provided by the user
  7. Southbound interfaces must satisfy VNF security requirements
  8. ...

Internal ONAP security requirements

  1. ONAP should not include any user database
  2. ONAP should not implement RBAC on it's own but depend on external component to provide it
  3. ONAP should not implement CA functionality but depend on external component to provide it
  4. ONAP components should use mTLS instead of username/password for authentication between each other
  5. ONAP should configure network policies so that only desired components can communicate with each other
  6. ONAP must store all sensitive material (keys, passwords) in Kubernetes secrets
  7. ONAP docker images have to be hardened (see CIS Docker Benchmark)
  8. ONAP must use only approved docker base images
  9. ONAP should log all important events to a centralized location
  10. ONAP should log security audit logs to a secure location
  11. ONAP logs cannot include any secret material (e.g., passwords and keys)
  12. All ONAP components must support OIDC
  13. ...

Current ONAP security model

Cloud-Native ONAP security model

  1. Every component in its own namespace
  2. All "common" components in separate namespaces
  3. No implicit dependencies between common components and ONAP
  4. No nodeports unless really required
  5. istio-ingress used as ingress controller
  6. Up to 4 entrypoints for deployment. For example
    1. simpledemo.onap.org (UI)
    2. south.simpledemo.onap.org (southbound interfaces)
    3. iam.simpledemo.onap.org (keycloak)
    4. api.simpledemo.onap.org (API for OSS/BSS)
  7. Every entrypoint exposed as a separate ingress instance
  8. Every ingress gateway terminates the TSL and re-encrypts the payload before sending to the destination component using mTLS
  9. ISTIO network policy must be configured so that only authorized services can communicate with each other
  10. Auth between services done using certs via mTLS
  11. OpenID Connect used to authenticate user
  12. In testing deployment keycloak is used but can be replaced with anything else compatible with OIDC
  13. Cert-manager and citadel used to retrieve certificates
  14. Kubernetes is configured to use encryption at rest plugin
  15. ISTIO automated sidecar injection is configured in underlying Kubernetes
  16. No root pods
  17. All DB considered external
  18. Documented roles
  19. Ability to integrate with LDAP, Kerberos, AAF as IdP
  20. Ability to retrieve the certificate from external CA



  • No labels

9 Comments

  1. Amy Zwarico

    I made a few minor wording changes.

  2. Amy Zwarico

    Krzysztof Opasiak why wouldn't an external DB be like an OSS or BSS?

    1. Krzysztof Opasiak

      Amy Zwarico

      Could you please clarify what do you mean by that?

      1. Amy Zwarico

        I was assume that an external DB would be something that already exists in the operator environment. Is this assumption different from your assumption?

        1. Krzysztof Opasiak

          Yeah so basically it may be a DB engine that already exist somewhere or for example a DB engine that is deployed in the other namespace using k8s operator FW or even some DBaaS solution in public/private cloud.

          There are 2 levels of integration with this.

          1) Allow to plug in external DB engine

          Components still have a root access to the DB and creates the required DB on its own

          2) Allow to plug in already existing DB in external DB engine

          in this case component is granted only a pair of username and password and name of the DB that should be used and the component is never granted root credentials to the DB

  3. Joseph Zhu

    @ @good

  4. Byung-Woo Jun

    It is a great security architecture plan. The question is how we make ONAP security align with this. 

    1. Krzysztof Opasiak

      Byung-Woo Jun

      Well probably slowly, component by component through a lot of sweat and tears;)

      So for externalizing DB we already have proposed that as a topic for LFN Mentorship program.

      After that is comlete it should be rather straight forward to do the same for contrib components.

      For service Mesh, we have PoC which fulfills most of the principles

      For cert-manager, we've the certInitializer template which should allow to make use of it quite easily but as with SM introduction we'll terminate TLS at ingress we are currently not investing in this direction

  5. Byung-Woo Jun

    Krzysztof Opasiak

    Thanks! A question I have is the scope of externalizing DB. I understood it as not only security DB externalization, ONAP components give up their own databases (e.g., SO catalog, request db and others) and they use the shard databases. Is that right?