Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 7th of December 2021.

Jira No
SummaryDescriptionStatusSolution
Request from the Policy project group (Ramesh and Liam) 

‘cluster-admin’ permission on one of their helm charts in OOM for automate helm chart installation for microservice. 

Requested change in the OOM repository by defining a cluster role binding for the K8s participant (provided by CLAMP repository) in its HELM chart which allows the component to create/update/delete resources on the cluster scope.

K8s participant should have a mechanism that would validate HELM chart before deploying it. Those would be signatures, hashed or signed HELM chart. Service mesh in Jakarta could take part of securing access.

ongoingNeed to have a mechanism to validate the HELM chart and repository from which fetching the HELM chart from.

SECCOM presentations for incoming DDF (January).

Deadline for submission: December 3rd: 

SECCOM topics backlog for DDF (4 bullets we merge into one

presentation: use cases, GRs and BPs

Topic):

  • Logging requirements clarification – Bob
(why, rationale, requirement),
  • /Byung
(how, architecture and design perspective)
- flow matrix importance for authentication between components
    • New requirements for Jakarta – Amy/Pawel – all in one – GR review with David
    • Recommended versions (SECCOM and OOM) – Amy/Pawel/Sylvain
    • Packages upgrades - Jakarta update - Amy/Pawel
  • Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream Amy/Pawel/Thomas/Eric - Topic
  • Code quality demo - main session stream
- TSC voting process for submitted requirementsDeadline is on 2nd of December.ongoingNo action required on our side
  • Fabian/Kevin/Toine - Topic

Interproject proposals:

  • SBOMs ONAP story – Muddasar/Pawel Topic
ongoing

Fabian to share by e-mail his insight on flow matrix.

Fabian to check with Kevin/Thierry if by DDF we could provide demo.



Jakarta proposed versions update: 

https://wiki.onap.org/display/DW/Database%2C+Java%2C+Python%2C+Docker%2C+Kubernetes%2C+and+Image+Versions

  • for CentoS there is a discrepency between SECCOM proposal and version submitted by Morgan, 
  • SBOMS would help
  • Elasticsearch - probably we are not going to use it? If not, we will remove it from the list.
  • Filebeat (based on Go) in the context of java and python versions - filebeat uses an optional python script for data migration
ongoing

CentOS versionits usage by ONAP community to be elaborated with Fabian.

Column to be added on what applies to container run time and what applies to node


Jakarta basic images

Michal is working for both Java and PythonongoingRecommended versions to be shared with Amy.

SCA analysis

Ongoing - direct dependencies transferred to excel.

Failing Jenkins jobs for AAI.

Jira tickets created per project.

ongoing

PTL meeting update
  • Reminder about SECCOM requirements (slide 11) for Jakarta release :
    • Requirements were created accordingly in Jira,
    • REQ-1070 LOGS MANAGEMENT - PHASE 1: COMMON PLACE FOR DATA – description to be elaborated - done
  • Jakarta M1 date change – December 9th
ongoing

TSC meeting update

SECCOM requirements were approved by TSC.

done

Meeting yesterday on unmaintained projects/repos

We need an audit on project dependencies – current projects that are unmaintained (and repos).

ongoingDavid to lead this audit and bring it to TSC.

Quality gates for code quality improvements 

3 levels under consideration: bronze, silver and gold. Basic level could be reacjing 55% of code coverage.

https://docs.sonarqube.org/latest/user-guide/metric-definitions/

Tables about project maturity (self reported) while we are doing measured approach.

startedTo review levels from sonarqube and tables for project maturity.

SECCOM MEETING CALL WILL BE HELD ON 14th OF DECEMBER'21. 

Quality gates for code quality improvements - continuation of the discussion.

SBOM next steps - which repos/projects to take into account?




Recording: 

View file
name2021-12-07_SECCOM_week.mp4
height150


SECCOM presentation:

View file
name2021-12-07 ONAP Security Meeting - AgendaAndMinutes.pptx
height150