...
- Cluster should be configured according to CIS guideline
- Encryption at rest should be properly configured to ensure that secrets are never stored in plain text
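As an added illustration of the encryption-at-rest requirement (this is not configuration from the original page or from the ONAP project), the snippet below is a kube-apiserver `EncryptionConfiguration` that encrypts Secret objects before they reach etcd. The key value is a placeholder to be generated per cluster; everything else uses the standard Kubernetes API fields.

```yaml
# Added example: kube-apiserver encryption-at-rest configuration for Secrets.
# Passed to the API server with --encryption-provider-config=<path to this file>.
apiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
  - resources:
      - secrets            # only the Secret resource is covered here
    providers:
      # The first provider is used for writing; all listed providers are tried on read.
      - aescbc:
          keys:
            - name: key1
              # PLACEHOLDER: base64 of 32 random bytes generated on the cluster,
              # e.g. "head -c 32 /dev/urandom | base64". Never commit a real key.
              secret: "<PLACEHOLDER_BASE64_32_BYTE_KEY>"
      # "identity" last lets the API server still read Secrets written before
      # encryption was enabled; re-write them (kubectl get secrets -A -o json |
      # kubectl replace -f -) and then remove this entry.
      - identity: {}
```

Practical check: after enabling the configuration, read a Secret directly from etcd (etcdctl get on the `/registry/secrets/...` key) and confirm the value begins with `k8s:enc:aescbc:v1:key1:` rather than the plain YAML payload.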
Databases
- Each DB should be configured according to corresponding CIS guideline
- All DBs should already be created, or ONAP should be provided with a user that is capable of creating the DB
- If ONAP creates a DB, a dedicated user account with privileges limited to that DB should be created. The password used for this user cannot be hardcoded in ONAP source.
...
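As an added example of keeping the per-database credential out of the source tree (not a manifest from the original page or from ONAP's own charts), the following Secret plus Deployment fragment injects the DB user and password at runtime. The component, namespace, Secret and label names are assumed; the password value is a placeholder that a deployment pipeline would generate and never commit. The DB-side grant that limits this account to its single database is performed by the operator or DB administrator and is outside this manifest.

```yaml
# Added example: DB credentials held in a Kubernetes Secret, never in code.
apiVersion: v1
kind: Secret
metadata:
  name: example-component-db-credentials   # assumed name
  namespace: onap                          # assumed namespace
type: Opaque
stringData:
  username: example_component              # dedicated account, privileges limited to one DB
  password: "<PLACEHOLDER_GENERATED_AT_DEPLOY_TIME>"   # populated by the deployment tooling
---
# Added example: the component reads the credential from the Secret at runtime.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example-component                  # assumed name
  namespace: onap
spec:
  replicas: 1
  selector:
    matchLabels:
      app: example-component
  template:
    metadata:
      labels:
        app: example-component
    spec:
      containers:
        - name: example-component
          image: example.invalid/onap/example-component:1.0   # placeholder image reference
          env:
            - name: DB_USER
              valueFrom:
                secretKeyRef:
                  name: example-component-db-credentials
                  key: username
            - name: DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: example-component-db-credentials
                  key: password
```

Verification: `grep -r` the source repository and Helm values for the literal password should return nothing, and `kubectl get deploy example-component -o yaml` should show only `secretKeyRef` entries, never an inline value.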
- North and south interfaces should be separated (i.e. different instances of the ingress controller) so that the operator's network policy can be configured properly
- All Northbound interfaces have to be protected using TLS
- All Northbound interfaces have to support SSO
- All Northbound interfaces have to support RBAC
- All roles used in ONAP have to be documented
- All forms should validate and sanitize the input provided by the user
- Southbound interfaces have to fulfill VNF security requirements
- ...
Internal ONAP security requirements
- ONAP should not include any user database
- ONAP should not implement RBAC on its own but depend on an external component to provide it
- ONAP should not implement CA functionality but depend on external component to provide it
- ONAP components should use mTLS instead of username/password for authentication between each other
- ONAP should configure network policies so that only desired components can communicate with each other
- ONAP has to store all sensitive material (keys, passwords) in Kubernetes secrets
- ONAP docker images have to be hardened
- ONAP can use only approved docker base images
- ONAP should log all important events in a centralized place
- ONAP should log security audit logs to a secure location
- ONAP logs cannot include any secret material
- All ONAP components have to support OIDC
- ...
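As an added example of the network-policy requirement above (not a manifest from the original page or from the ONAP project), the two `NetworkPolicy` objects below first deny all traffic in the namespace and then permit only one assumed component (`component-a`) to reach another (`component-b`) on its TLS port. The namespace, label values and port are assumptions; the DNS egress rule relies on the conventional `k8s-app: kube-dns` label of the cluster DNS pods and the automatic `kubernetes.io/metadata.name` namespace label.

```yaml
# Added example: default-deny for the whole namespace. With this in place a pod
# can talk to nothing, so every allowed flow must be stated explicitly below.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-all
  namespace: onap                 # assumed namespace
spec:
  podSelector: {}                 # empty selector = every pod in the namespace
  policyTypes:
    - Ingress
    - Egress
---
# Added example: component-b accepts connections only from component-a, only on 8443.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-component-a-to-component-b
  namespace: onap
spec:
  podSelector:
    matchLabels:
      app: component-b            # assumed label on the receiving pods
  policyTypes:
    - Ingress
  ingress:
    - from:
        - podSelector:
            matchLabels:
              app: component-a    # assumed label on the calling pods
      ports:
        - protocol: TCP
          port: 8443              # assumed mTLS service port
---
# Added example: component-a may initiate the call to component-b and resolve
# names via cluster DNS; without the DNS rule the default-deny breaks service lookup.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-component-a-egress
  namespace: onap
spec:
  podSelector:
    matchLabels:
      app: component-a
  policyTypes:
    - Egress
  egress:
    - to:
        - podSelector:
            matchLabels:
              app: component-b
      ports:
        - protocol: TCP
          port: 8443
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - protocol: UDP
          port: 53
        - protocol: TCP
          port: 53
```

NetworkPolicy objects are only enforced when the cluster's CNI plugin supports them; a quick check is to exec into a pod not matched by any allow rule and confirm that a connection to `component-b:8443` times out while `component-a` still succeeds.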