
Goal:

Prove that ISTIO is applicable to ONAP.

Prove ISTIO service mesh technology with the Multi-Cloud project.

Once proven, come back to the wider ONAP community on the need to separate security from the applications.


Current challenges with ONAP

We feel that user management, role creation, and role-based access control (RBAC) of resources are basic for any project. ONAP is not very well secured in this respect.

Proposal:

Since the Multi-Cloud project has not yet implemented any security aspects, it was felt that it could serve as a POC project for ISTIO.

Proposal items:

  • ISTIO-ingress and MetalLB for ingress connections (connections to the Multi-Cloud project from other projects) – secure with at least one project (SO) and non-secure with the others.
  • User management with an OAuth2 server with a local user DB.
  • RBAC as per ISTIO RBAC
  • ISTIO (with Envoy) for inter-service communication between containers within the Multi-Cloud project.
  • ISTIO CA for certificate enrollment of internal services.
  • Manual certificates for external communication
  • Certificate credential storage using TPM
  • Improve performance of Envoy with hardware crypto accelerators


