Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

ONAP SECCOM and CNTT alignement meetingFirst meeting done between both communities. CNTT reference model has a security chapter. CNTT has Kubernetes  Reference Architecture - a security chapter with a very initial content and goal is to ultimate only testable items. CCNT to review Kubernetes CIS Benchmarks (v.1.4.1)CNTT will check ONAP VNF security requirements. Joint meeting to be organized.

SECCOM F2F meeting Meeting was focussed mainly on Frankfurt status updates in security domain.Coverity scans to be check with fd.io – waiting for a feedback from Jessica.

Interesting discussions with Krzysztof and Robert on password storage in ONAP (we want to avoid storing passwords in the OOM CHART = different master password = different combo passwords in the components, and other topc is passwords that are generated for external components like for Openstack instance) – we should have written proposals that could be reviewed within SECCOM, proposal to use user management from ODL – to be checked. E-mail to be sent to Robert and Krzysztof.  Impact of the selected feature to be checked.

Vault should be introduced to ONAP community for handling secrets.

CIS benchmarkOngoing implementation of Kubebench Should be working by the end of the day and it would be tested every day.Fabian made a script to verify which container runs as root. + pods that are using unlimited resources.

Service Mesh summary by Sylvain Desberaux

Maesh and Kuma do not work very well. For Consul Connect 2 issues opened - one of them still not solved. ISTIO is less greedy than AAF. No tests on the delay.

PoC with core components working in Frankfurt release

.

however:

  • Zookeeper is not in the mesh
  • Kafke still requires some AAF part
  • SDNC HTTP client works only on HTTPS

Guilin "official" support of service mesh. Requirements to be colected to compare Service mesh and AAF. Draft for Authentication and Authorisation to be prepared by Amy.


ONAP - DCAE communication matrix

Meeting with Vijay done on 3rd of January. One subcomponent was missing. Steps that must be done to generate the matrix were discussed with the PTL. First step is to focus on external communication to ONAP, so we could have an exhaustive list of all the ports that must be open externally. Results would be challenged with the existing scripts ouputs. Second step is to check communication inter components. Due to complexity it will not be checked for the moment. External communication is the most exposing to some vulnerabilities. List of aliases could be easily obtained. We need to have a list of external entities, where the service is connecting.Reverse jump host is not prevented as for the moment we have no network security policies – SECCOM should prepare best practices in this area.To be addressed on on of the next SECCOM meetings.

 AAF update Jonathan has left AT&T. No news from John who will most probably replace Jonathan in AAF project – we need to wait for the election process and community acceptance.

CII Badging update - Tony

tlhansen.us/onap/cii.html


Tony is working on Python script.  Script has an error with value update.

Tony will send a summary of answers to David, so ONAP wide answers could be unified accross projects.

JDK11 update – based on PTLs call held on 6th of January

Repository under JJB to be created – Morgan is waiting for approval. From SECCOM perspective we care that standard image is used.
Alpine's alternative is Ubuntu light image - there are images that have Java 11 support. Using already available image is much better option. Waiting for Morgane's feedback.

Recent security issues opened (at the severe level) via security distribution list
    • Vulnerability because Sonar-cube – but it is an open source – jira was opened and passed to Jessica – Krzysztof provided comments on this one. This item was passed to Jessica.
    • Vulnerability on Onap.org – jira was created and sent to David
    • Vulnerability on Onap.org – jira to be created – was also sent to David

Recommendation is to open LF Helpdesk ticket and mark with the security label.

 CNTT common security interestsCNTT is focusing on infrastructure not only Openstack but also Kubernetes, other topics could be CIS benchmark for Kubernetes and Docker. In common we have requirements towards Kubernetes security.
CNTT release should be available for Kubernetes just before F2F- SECCOM should have a look on that.

 Creating jira tickets based on Nexus-IQ Work on jira python script already shared by Krzysztof. Pierre will progress in incoming weeks, as was on long holidays for last few weeks. Attention to some scripts that would not be found in Maven, so capabilities of the script might have to be enlarged to have a look at the other repositories like repository.com. Format proposed: one epic for the project and one user story for the ticket. Another proposal: every finding should have a separate ticket – easier for us to track.


 Recommendations for the developers Zygmunt started some work on guidelines it and it was followed by Harald.
 Status to be reviewed on F2F.

 OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 28TH OF JANUARY'20


...