
An e-mail was sent to Fabian to clarify whether logs from ONAP to SIEM should be considered as ONAP logs only, xNF logs only, or maybe both.

Jira No | Summary | Description | Status | Solution

SECCOM elections | Please validate your company representative status to be able to vote as requested by Kenny in his e-mail. | ongoing | Please check this site.

Last PTL's meeting (24th 31st of August) update - Package upgrade and Java 11

ongoing

Subversions for Java 11 could be pushed for future release (Honolulu) for a common version (as of today 11.0.8).

Guilin priorities

Automated security testing - to be checked for status.

Some updates appreciated from Krzysztof.

Honolulu SECCOM SoW

Continue packages upgrades in direct dependencies

After Service Mesh PoC - new requirements might arrive.

Harbor requirement. In Harbor:

  • you can sign the image and you can share the key with an application that has an account to pull or to push the image
  • possibility to scan the image all the time and send warning
  • Harbor is deployed at run time, while Whitesource and Nexus-IQ are used during development.

Logs management:

  • common place for data - all applications should generate logs that can be collected by Kubernetes (target for next release)
  • common format for data - format of minimum data that we want that is useful (target for next+1 release)

SIEM integration:

  • integration with SIEM like for the other applications, with the same protocol used
  • logs from ONAP to SIEM, falco tool to be considered (IDS for Kubernetes)
  • alarms when security issue

CII Badging - session planned on the PTLs call.

ongoing

TSC meeting outputs

No actions for SECCOM.

Long discussion on a repo creation and add

Takeaway from Pawel W. script run:

For a number of containers the version checker finds multiple versions of either Java or Python. An example container is running both Python 2 and 3. This has to do with an image that has Python 2 preloaded; developers then add the Python 3 they need to run but do not eliminate the old Python 2.

Numbers are not as good as we would have expected but will improve by the M4 milestone - people are in the process of delivering into the master branch.

Some containers appear as out-of-scope ones, for example heartbeat.

Stay tuned: by Friday Pawel will get another copy of the script.


ongoing




Requirement owners please update your M4 statuses in Jira by 10th of September. 


Service Mesh PoC update by Krzysztof

Slowly but moving forward: we are ready in terms of Service Mesh itself. We know the design, and we know that it works at least for a test application. What is left: to put that together with ONAP components.

All depends on how much the ONAP community would like to go in this direction. Instead of naming it a PoC, an architectural change could be considered.

Mostly it is about the authentication.

Impact of the architectural change on operators now using AAF extensively.

Cert Initializer moved away from the projects to OOM, and a switch is available to use either it or Service Mesh.


It might be that operators could need more time to support the Service Mesh architectural change = Istanbul release.



Reach the Architecture Subcommittee and TSC.

The list of projects is critical to represent who is going to do the work.


HELMv2 EoL

https://helm.sh/blog/helm-v2-deprecation-timeline/

Amount of work to validate charts compatibility to be evaluated based on Intern from Samsung.


Charts to be tested for their compatibility with version 3.

Krzysztof plans to first discuss it on OOM call.


Open Networking & Edge Summit North America 2020
September 28 & 29, 2020 (Virtual Event)




LFN Fall Technical Meetings October 13 - 15, 2020

Topics from SECCOM: Service Mesh and packages upgrades.


Fabian to share outputs from Service Mesh and flow matrix.

Guilin priorities

For secrets management some support from the community - patches coming to fix hardcoded passwords.

For no root access at least 3 components working to eliminate this issue.

For All config files inside the main container should be ReadOnly - one project working hard on it.

Automated security testing - still to be checked for status.

MVP requirement is in the backlog.

SIEM integration for ONAP logs collection

Some updates appreciated from Krzysztof.

CII Badging - session planned on the PTLs call in 2+ weeks.




OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 1st 8th OF SEPTEMBER'20. 

Topics proposed:

  • What is next for Honolulu in the context of Service Mesh PoC?
  • What is the impact of Service Mesh usage on runtime environment?




Recording: 2020-09-01_SECCOM_week.mp4

SECCOM presentation: 2020-09-01 ONAP Security Meeting - AgendaAndMinutes.pptx