...
| Jira No | Summary | Description | Status | Solution | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Amber Service Mesh | Nephio SIG Security started discussing secure software supply chain and also showed a demo, leveraging Kubearmor for security access. In the KubeConn, there were some discussions around amber service mesh (a.k.a. sidecarless service mesh). For NF deployment and management, sidecarless service mesh could be a good option, I think. There were some use cases from MITRE. ONAP SECCOM position for this to be further discussed. Nephio SIG member made a demo with Kubearmor. No need to configure sidecar for each network function. Amber Service Mesh seems to be not yet production ready. Kubearmor was DARPA project, it is used as part of superblueprint. It has policy building and administration function. Enforcement is done by using eBPF. Presentation by Rahul Jadhav: | started | Muddasar Ahmed to check with MITRE colleagues on possible presentation for SECCOM on Kuberamor. Rahul Jhadav Jadhav (Accuknox cofounder, and Kubarmor KubeArmor dev lead) scheduled for 10-10-23 SecCom Meeting presenting eBPF, LSM, Kubarmor KubeArmor and run time Zero Trust Trust via granular access control policy development and enforcement) Presentation recording and slides at the bottom of the page. | |||||||||||||
| Support for CPS to get gold badge | OJSI distribution list participants were updated with Amy's and Jess's support. 2FA ongoing by Jess and Eric for CPS and OJSI distribution list. | |||||||||||||||
| Nephio update by Byung | Next week event in Silicon Valey. Workshop also planned for HELP chart support and Flox (built in HELM controller) and architecture review on East/West/South/North interfaces. | |||||||||||||||
| AAF Certificate Expiration |
Review work around proposed by Andreas Geissler - deferred until Andreas Geissler returns from holiday Some project containers still experiencing problems: clients using the cert-initializer (e.g. SO, SDC, CDS) still fail. Need to document certificate management in user docs. Louis Gamers' AAF cert wiki page: (1) Create AAF CA certificates - Developer Wiki - Confluence (onap.org)
Discussion with China Telecom done - they could check potentially next week and they worked independently on this issue, Aaarna Networks commited to check Andreas's patch. | Pawel Pawlak to send an e-mail notification to China Telecom about the script prepared by Andreas and associated Wiki documenting it. | ||||||||||||||
| Container Signing | Review next steps: -select signing software (SECCOM + LFIT) -perform POC with friendly projects (ONAP) -integrate into build process (LFIT) Looking for a volunteering project to work with us. Request raised at the 18th September PTL's call but no volunteer so far. | Muddasar Ahmed to analyze which ONAP project has the most frequent changes in its containers. Muddasar reached out to LF-IT, Jess and her team are analyzing what enhancement has to be made with CI jobs to allow for Container signing. Further updates will be provided when scope and efforts have been assessed. | ||||||||||||||
| No PTL for AAI, DCAE, OOF | -Andreas Geissler and Thomas Kulik made committers -They will do the work necessary for the projects to participate in the release -TSC approved streamlining process (7 September) -SECCOM will create package upgrade recommendations -TSC will recruit resources to perform upgrades for AAI, DCAE, OOF
Kenny's reply is that we could benefit from Mentorship program. We have to define job description and skills needed. | -Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization -Muddasar: someone needs to take backlog management role -Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure -Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16
| ||||||||||||||
| CentOS strategy | Discuss multiple paths for CentOS upgrades Feedback from Amy: 7.9 is the final release of centOS. CentOS users should upgrade to Rocky Linux 8 or 9. | |||||||||||||||
TSC meeting (October 5th) | TSC self-nominations completed. | |||||||||||||||
PTL meeting (October 9th) | Marek shared the progress with Matt. We wait for his return from PTO. Kevin was added into the exchanges with Jess for 2FA for OJSI. Need to validate that it is already enabled. New CVEs related to curl CVE-2023-38545, CVE-2023-38546: - potentially low impact on ONAP. Packages upgrades - please expect Jira tickets per projects with recommended packages on the restricted Wiki. | |||||||||||||||
LFN-TAC (September 27th) | Any SECCOM recommendations for the TAC. Amy shared SECCOM recommendations. TAC would like to have Security Forum to be updated - WiP. Discussion about goal statement on code quality and security. At the LFN level we shall have inspiring vision and strategy around this topic. | Muddasar Ahmed to share confluence page. LFN Security Forum https://wiki.lfnetworking.org/display/LN/LFN+Security+Forum Security Best Practices (ONAP SecCom driven effort) https://wiki.lfnetworking.org/display/LN/Security+Best+Practices Roadshow could be prepared to present to other LFN projects security achievements. DTF could be good place... TAC needs to prioritize. | ||||||||||||||
NEXT SECCOM MEETING CALL WILL BE HELD ON 24th of October 2023. | We no not run the meeting on 17th as Pawel is on PTO. |
...