Versions Compared

Old Version 29

changes.mady.by.user Krzysztof Opasiak

Saved on

compared with

New Version 30

changes.mady.by.user Amy Zwarico

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 


Each ONAP project shall improve its CII Badging score by improving input validation and documenting it in their CII Badging site.

Key Contacts - Tony Hansen Amy Zwarico Pawel Pawlak

Executive Summary - ONAP project will ensure that input validation is performed on all GUI and API inputs and that the answer to the input validation question in their CII Badging site is answered.  Projects that have already answered this question positively, should verify that the answer is still correct.

Business Impact - Improves the security posture of ONAP by lessening the risk from bad or malicious input. 

Business Markets - All operators and service provider.

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider.


ONAP must complete update of the java language (from v8 -> v11) 

Key Contacts -  Amy Zwarico Pawel Pawlak

Executive Summary - All ONAP projects using java shall reduce the risks associated with no regular support for java v8 software as it causes increase of usage risk, as recommended by SECCOM. 

...

Business Markets - All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 


ONAP must complete update of the Python language (from 2.7 -> 3.8)

Key Contacts -  Amy Zwarico Pawel Pawlak

Executive Summary - All ONAP projects using Python shall reduce the risks associated with no community support for Python 2.7 software as it causes increase of usage risk, as recommended by SECCOM. 

...

Business Markets - All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 


ONAP shall use STDOUT for logs collection

Key Contacts -  Amy Zwarico Pawel Pawlak

Executive Summary - All ONAP projects should use a common place for logs data - all applications should generate logs that can be collected by Kubernetes in STDOUT, as recommended by SECCOM. 

...

Business Markets - All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies -There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 


ONAP Minimum Viable Product (MVP) must be defined

Key Contacts -  fabian rouzaut Natacha Mach

Executive Summary - . a subset of ONAP components should be identified - handling a minimum level of functionnality. This subset would consist in an ONAP baseline.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 


Flow management must be activated for ONAP.

Key Contacts -  fabian rouzaut Natacha Mach

Executive Summary - Full map of all the flows - before deploying ONAP in any actor's infrastructure should be defined: protocol type, ports open/closed  with primary focus on outside of ONAP as an ingress.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 


ONAP must implement IAM solutions.

Key Contacts -  fabian rouzaut Natacha Mach

Executive Summary - a centralized user access management solution should be proposed, so that any project relies on it. 

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 

ONAP projects must use only approved and verified base images for their containers

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 

ONAP container repository (nexus) must not contain upstream docker images

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 

No root (superuser) access to database from application container

Key Contacts -  Krzysztof Opasiak Pawel Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - ONAP application container should not access database using root account. If application requires root access to bootstrap the database an init container or separate kubernetes job should be used.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 

Container rootfs has to be mounted readOnly

Key Contacts -  Krzysztof Opasiak Pawel Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - By design containers running in kubernetes should be ephemeral and stateless. It's a good security practice to mount their rootfs as a read only

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 

Application config should be fully prepared before starting the application container

Key Contacts -  Krzysztof Opasiak Pawel Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - Editing config files with sed from docker entrypoint script often causes a lot of silent failures in OOM deployments. Instead, config should be either provided as a ConfigMap and templated using helm or generated in the init container before the main application container comes up.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider. 

Continue hardcoded passwords removal

Key Contacts -  Krzysztof Opasiak Pawel Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - This effort has been started in F release by eliminating mariadb-galera and postgres hardcoded passwords. This effort should be continued to eliminate next set of passwords hardcoded in helm charts. Apart from working on already existing passwords, as a part of this requirement, all new passwords should use common secret template.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

All containers must run as non-root user

Key Contacts -  Krzysztof Opasiak Pawel Pawlak Amy Zwarico Sylvain Desbureaux

Executive Summary - This effort has been started in F with ONAP containers. Now we want to extend this to all containers that are deployed as a part of OOM.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

ONAP components should be able to run without AAF and MSB

Key Contacts -  Krzysztof Opasiak  Sylvain Desbureaux

Executive Summary - AAF is not the only possible security solution for ONAP. In some cases ONAP may be deployed behind a reverse proxy or using service mesh. That's why components should be able to work (even in degradated mode in example using HTTP instead of HTTP or without authentication) without AAF available. The same for MSB. It's not the most cloud native solution for accessing services in kubernetes thus it should be possible to deploy ONAP without it and access services using for example API gateway.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider

Replace NodePorts with ingress controller as a default deployment option

Key Contacts -  Krzysztof Opasiak  Sylvain Desbureaux

Executive Summary - Nginx-based ingress controller is available in ONAP since F release. It's time to finally eliminate NodePorts which from the very beginning were considered just a temporary and insecure solutions. All components must be able to fully work via ingress.

...

Business Markets All operators, service providers and entities using ONAP.  

Funding/Financial Impacts - N/A

Organization Mgmt, Sales Strategies There is no additional organizational management or sales strategies for this requirement outside of a service providers "normal" ONAP deployment and its attendant organizational resources from a service provider