Versions Compared

Version Old Version 2 New Version Current
Changes made by

Paweł Pawlak

Paweł Pawlak

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Jira No
SummaryDescriptionStatusSolution

Request from the Policy project group (Ramesh and Liam) 

‘cluster-admin’ permission on one of their helm charts in OOM for automate helm chart installation for microservice. 

View file
namek8s-ppnt-cluster-role requirements.pptx
height150

Requested change in the OOM repository by defining a cluster role binding for the K8s participant (provided by CLAMP repository) in its HELM chart which allows the component to create/update/delete resources on the cluster scope.

K8s participant should have a mechanism that would validate HELM chart before deploying it. Those would be signatures, hashed or signed HELM chart. Service mesh in Jakarta could take part of securing access.

ongoingNeed to have a mechanism to validate the HELM chart and repository from which fetching the HELM chart from.ONAP Logging Architecture & design

Byung presented ONAP logging architecture:

In there (page 5), presented an old view of ONAP logging architecture (leveraging filebeat, logstash, others) Option A preferred. There are some reasons we don't want to use the architecture (filebeat not necessary):

1) Since the log sidecar is no longer favored by OOM and others after the global requirement REQ-441 - all ONAP applications generate log events to STDOUT/STDERR; so logging side car is no longer desired

2) LogStash has some license issue that is why Fluentbit (on each node) and FluentD as aggregator proposed

3) new architecture simplifies ONAP logging

Diagrams are editable in Gliffy.

Sylvain shared info on Orange docuementation: https://gitlab.com/Orange-OpenSource/lfn/infra/kubernetes_cofor gating llection

ongoing

Resources supporting this project are welcome.

To elaborate how to assure security for Fluenbit and FluenntD communication - maybe service mesh proxy could be used.

Byung will be back from PTO in January.

Synch of versions with OOM and Integration teams 
  • Kubernetes version synch (1.20 vs. 1.19) for Istanbul, for 1.19 support ended 30 September 2021 - K8s ployments on Azure for gating used - we have no control over the version and with 1.20 Maria DB did not work that is why 1.19 is used. Currently 1.22 for preview only.
  • Helm 3.6.0 vs. 3.6.3 - for Jakarta compatibility issue for HELM 3.7 to deploy and push - name has changed. 
  • Docker 20.10.6 vs. 19.03.x <- do we need to recommend Docker? Lot of K8s deployment are not using Docker but Containerd.
ongoingSylvain to get a monthly e-mail on possible move towards 1.22 and we would start on 1.21.2SECCOM presentations for incoming DDF (January).SECCOM topics backlog for DDF:
  • Logging requirements clarification
    • New requirements for JakartaSECCOM presentations for incoming DDF (January).

    Deadline for submission: December 3rd: 

    • SECCOM topics backlog for DDF (4 bullets we merge into one presentation: use cases, GRs and BPs):
      • Logging requirements clarification – Bob (why, rationale, requirement),/Byung (how, architecture and design perspective) - https://wiki.lfnetworking.org/display/LN/2022-01-DD+-+ONAP%3A+Security+and+Logging - flow matrix importance for authentication between components
      • New requirements for Jakarta – Amy/Pawel – all in one – GR review with David
      • Recommended versions (SECCOM and OOM) – Amy/Pawel/Sylvain
      • Packages upgrades - Jakarta update - Amy/Pawel
      • Unmaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream Amy/Pawel/Thomas/Eric
      • Code quality demo - main session stream - Fabian/Kevin
    • Interproject proposals:
      • SBOMs ONAP story – Muddasar/Pawel
    		ongoingProposals to be reviewed next SECCOM (last minute)

    Fabian to share by e-mail his insight on flow matrix.

    Fabian to check with Kevin/Thierry if by DDF we could provide demo.


    		TSC voting process for submitted requirementsDeadline is on 2nd of December.ongoingNo action required on our side.

    OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 30th 4th OF NOVEMBERDECEMBER'21. 

    Part 1

    SECCOM proposal for DDF:

    • Logging requiremets clarification
    • New requirements for Jakarta
    • Recommended versions (SECCOM and OOM)
    • Packages upgrades - Jakarta update
    • Umnaintained code handling and its impact on documentation (SECCOM + Documentation) - main session stream
    • Code quality demo - main session stream

    Interproject proposals:

    • SBOMs ONAP story

    SECCOM MEETING CALL WILL BE HELD ON 30th OF NOVEMBER'21. 

    Part 2

    		Request from the Policy project group (Ramesh and Liam) for the ‘cluster-admin’ permission on one of their helm charts in OOM for automate helm chart installation for microservice. Quality gates for code quality improvements.


    Recording: 

    View file
    name2021-11-30_SECCOM_week.mp4
    height150


    SECCOM presentation:


    View file
    name2021-11-30 ONAP Security Meeting - AgendaAndMinutes.pptx
    height150