  1. ONAP should not include any user database
  2. ONAP should not implement RBAC on its own but depend on an external component to provide it
  3. ONAP should not implement CA functionality but depend on external component to provide it
  4. ONAP components should use mTLS instead of username/password for authentication between each other
  5. ONAP should configure network policies so that only desired components can communicate with each other
  6. ONAP has to store all sensitive material (keys, passwords) in Kubernetes secrets
  7. ONAP Docker images have to be hardened
  8. ONAP can use only approved Docker base images
  9. ONAP should log all important events in the centralized place
  10. ONAP should log security audit logs to a secure location
  11. ONAP logs cannot include any secret material
  12. All ONAP components have to support OIDC
  13. ...

Current ONAP security model

Cloud-Native ONAP security model

  1. Every component in its own namespace
  2. All "common" components in separate namespaces
  3. No implicit dependencies between common components and ONAP
  4. No nodeports unless really required
  5. istio-ingress is used as the ingress controller
  6. Up to 4 entrypoints for the deployment. For example:
    1. simpledemo.onap.org (UI)
    2. south.simpledemo.onap.org (southbound interfaces)
    3. iam.simpledemo.onap.org (keycloak)
    4. api.simpledemo.onap.org (API for OSS/BSS)
  7. Every entrypoint exposed as a separate ingress instance
  8. Every ingress gateway does the TLS termination, re-encrypts the traffic and sends it to the component using mTLS
  9. Istio network policy configured in such a way that only the desired services can communicate with each other
  10. Authentication between services is done using certificates (mTLS)
  11. OpenID Connect is used to authenticate users
  12. In the test deployment Keycloak is used, but it can be replaced with any other OIDC-compatible IdP
  13. Cert-manager and Citadel are used to retrieve certificates
  14. Kubernetes is configured to use the encryption-at-rest plugin
  15. Istio automated sidecar injection is configured in the underlying Kubernetes
  16. No root pods
  17. All databases are considered external
  18. Documented roles
  19. Ability to integrate with LDAP, Kerberos, AAF as IdP
  20. Ability to retrieve the certificate from external CA
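The following Istio configuration is an added illustration of points 1, 8, 9, 10 and 15 of the model above; it is not part of the ONAP project. It assumes a hypothetical component namespace `onap-component-a` with workload label `app: component-a`, an ingress gateway running in the `istio-ingress` namespace under Istio's default `istio-ingressgateway-service-account`, and a Kubernetes TLS secret `south-simpledemo-tls` for the southbound hostname.

```yaml
# Per-component namespace: every workload here rejects plaintext and requires
# mTLS from its caller (model points 1, 10, 15; sidecar injection assumed on).
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: default
  namespace: onap-component-a   # hypothetical component namespace
spec:
  mtls:
    mode: STRICT
---
# Southbound ingress gateway: terminates the public TLS session on port 443
# (model point 8). The server key/cert live in a Kubernetes secret (req. 6).
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: south-gateway
  namespace: istio-ingress       # assumed gateway namespace
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: south-simpledemo-tls   # assumed TLS secret name
    hosts:
    - south.simpledemo.onap.org
---
# Only the gateway's SPIFFE identity (proven via mTLS) may reach the workload.
# Once an ALLOW policy selects a workload, any request not matching a rule is
# denied, which is how "only desired services can communicate" (point 9) is
# enforced at L7 in addition to L3/L4 network policies.
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
  name: allow-south-gateway-only
  namespace: onap-component-a
spec:
  selector:
    matchLabels:
      app: component-a           # hypothetical workload label
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/istio-ingress/sa/istio-ingressgateway-service-account
```

Traffic from the gateway to the sidecar is re-encrypted with Istio-issued workload certificates, so the component never sees plaintext even though the public session was terminated at the edge; a `kubectl apply -f` of the three documents is enough to verify with `istioctl x describe pod` that STRICT mTLS and the policy are in effect.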