Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 3rd of September 2024.

Jira No
SummaryDescriptionStatusSolution

Technical debt

Fiete Ostkamp : Chef dependency in SDC related to Ruby conflict (2.0 is pretty old)  

Jira Legacy
serverSystem Jira
serverId4733707d-2057-3a0f-ae5e-4fd8aff50176
keySDC-4691




Security Event



Policy road to gold badge

Support for Ramesh and Policy team to get gold badge.

List of people to be Policy page editors in the badging - done

started



Issue with merging gerrit code

Ticket opened by Tony: IT-26848 - Tony is checking on it, still has issues?

Issue still exists.

status to be updated



Support for Oslo release
  • On Amy's to do list: updating Java, Python, OS, database and utility versions (Amy) + creating Jira tickets for packages upgrades.

ongoing



Logging modifications proposal

Mateusz Pilat from Tata presented changes in log format for its unification. Change Request will be prepared by Mateusz. Discussion will be followed at the OOM meeting on Wednesday.

RBAC changes could be provided: Improvement for NewDelhi Release

Root access for container need was explained.

  • Maggie, Justin and Andrew Lamb's input: 
    • ONAP application services will run in a namespace whose privilege and security context are restricted via Pod Security Standards Restricted policy to meet the CIS 1.6 benchmark. No workloads in this namespace will ever be permitted to run with privileges or as root within the container.
    • ONAP logging services will run in a separate namespace which allows Pod Security Standards Privileged profiles. Any workload in this namespace will be permitted to run with privileges. To mitigate the risk of such a namespace, the Kubernetes Admission Controller, via Kyverno policies, will enforce strict admission requirements on workloads in this namespace.
    • To be deployed into the privileged namespace, workloads must be running a specific container image with restrictive container startup commands and arguments, as specified in Kyverno policies written by ONAP developers. This will ensure that only ONAP SECCOM approved workloads are ever permitted to run with privileges in this namespace.
  • As a more general SECCOM note, Byung - I discovered in my research that the Kyverno admission validation hook can also (1) enforce minimum versions of container images (which I wish I would have known when trying to keep log4j off my clusters last year) and (2) prevent exec operations into running containers - this would be useful in preventing an insider from accessing the privileged workload once it has already been admitted to the privileged namespace. I did not include these because they seem to be larger design requirements for cluster administrators beyond just the management of ONAP. If you think it would be within ONAP's purview to enforce these mechanisms I'm happy to include them in the next PoC iteration. - Justin
  • Hope in Oslo, we can discuss/explore this further.

Further update will be discussed during Oslo. Tata Communications still plans to do some improvement for Oslo, but no detailed plan yet.




GitHub Actions integration pipeline

LF IT migrating CI pipeline to GitHub actions - may take to the end of fall or later, once ONAP is completed for GitHub Actions , we will do security review. Last update from Matt is that LF IT is continuously shipping one project at a time. 

4/2: in progress

At the TSC Jess mentioned Q4'24? or rather beginning of 2025.

open - WIP



LFN AI/ML use cases

Need to write LF informative position white paper for AI/ML - team to write constituted. Meeting is planned with convenient time for all contributors. Goal is to produce it by DTF.

Structure bulleted paper available on Confluence - https://wiki.lfnetworking.org/pages/viewpage.action?pageId=120652848

China Mobile focus: generative AI. (New Delhi UUI)

China Telecom focus: intent transformation & LLM tuning parameters to create domain specific solutions. (New Delhi UUI)

Both projects are in progress.

Oslo lightweight model 

China Telecom and China Mobile presented at the last TSC their plans for AI/ML use cases with ONAP.

By beginning of August both companies plan to present their plans for Oslo in this domain.

open - sceleton structure of the document

Nephio security working group

Workload  identity and access management in progress. Internal discussions in E/// for next steps for user identity and access management.

Nephio R3, there is an action point, secret management, "sharing secrets across clusters as Skupper generates a secret in one cluster/namespace and that secret has to be shared with another cluster/namespace. To create the tunnel for communication. Now the question is how to share the secrets" It is a narrowed scope of sharing secretes between particular services, which is different from what Nephio SIG Security proposed.

Byung-Woo Jun , The Nephio SIG Security team (Shiv from Accuknox) plans to provide a demo of workload identity with SPIFFE this or next week. I will share the detail after their demo.

LF IT support is needed for SBOM SPDX format generation. Jess has experience with java based projects, and Nephio is Go based.

Byung-Woo Jun , Nephio O-RAN Workload Identity proposal by Nephio SIG Security will be presented to Nephio WG 2 ORAN on May 29th (postponed to June 5the), https://docs.google.com/presentation/d/1kofOHWswM2_OJPfefTcSzVvsBAg0QE3Z7GQITlaPO2w/edit#slide=id.p

Nephio Workload Identity execution plan:

  • Start with PoC / demo to the relevant groups
  • Requirements / user stories to SIG-1
  • Detailed demo / run-through to SIG-Automation

Nephio update 2024-5-28:

  • Signed image handling thru Nephio CI
  • Nephio SGI security team is working on the above execution plan
  • Nephio O-RAN workload identity proposal to Nephio WG 2 ORAN this week
  • ORAN integration discussion (Q&A) further this week

Update xpected on 18th of June - Nephio signed image is a work in progress

Branch selected for Workload Identity - WIP.

Links shared by Muddasar:

https://datatracker.ietf.org/doc/bofreq-richer-wimse/

https://www.ietf.org/archive/id/draft-gilman-wimse-use-cases-00.html

Small demo presented with Vault used for secrets.

https://istio.io/latest/docs/ops/integrations/spire/

The second demo topic on July 23rd, 2024:

  • Spire Server Agent created as part of the Nephio Install
  • Node attestation for nodes in other clusters
  • Node attestation for regional/edge clusters initiated by workload identity reconciler
  • Library getting SVID, authenticating to vault, reading and writing to Vault
  • Secrets CSI controller

Another demo on July 30th, 2024:

  • SPIRE agent installed on all nodes via Damonset - how is registration of new nodes handled at scale?
  • SA token is applied to SPIRE agent
  • Spire-bundle is contained in a configmap for the spire agents to talk to the spire server
  • How to prevent spoofing the SPIFFE ID/SVID? The current mitigation is JWT is 5 mins

Image Modified

Image Modified

New hydration concept = customization of CRD.

ongoing



ONAP Security Implementation Status

Byung-Woo Jun TATA Communications supports RBAC, observability, logging, backup, etc. by leveraging the ONAP currently security mechanism (Ingress, Service Mesh) for their own platform. It is possible they contribute the enhancements they made to the ONAP New Delhi release (TBD).

Share of code most probably in Oslo release. Andreas is working on enhancements for OOM Team.

Tata communication shared which components in Montreal use STDOUT or not, ONAP Logging alignment for Montreal release.xlsx

Postponed to Oslo.




New ISTIO 1.22

Ambient mesh under consideration if stable and memory safe.

Trigger with ISTIO implementation to be detailed.

A plan for eBPF via Cilium, see Andreas' wiki page ONAP "Networking" Options (>=Kohn) For now, it is a consideration only.

DT on hold in general on hold with Ambient mode, for ONAP Andreas will continue.




TSC meeting (August 29th)

Project Status in Oslo Release

TSC voted: TSC recommends all ONAP community members to add links with zoom meeting recording from Dashboard to ONAP Wiki's meeting summaries, so we could avoid an issue of high volume attachments with meeting recordings.




PTL meeting (September 2nd)

US day off- meeting cancelled




LFN-TAC (DTF F2F)

CNTI approved as  project. Paraglide might prepare presentation. - Next meeting on July 10th.

KPIs in project promotion and with health check discussion with every project. Chair and vice Chair election. Security seat and Superblueprint seat.

Proposal: use Tony's 5 year assessment as a baseline.

Planning meeting done last week.

WIP for Superblueprint.

New Use case under consideration (software packaging?)


Muddasar Ahmed to check for document availability on software quality goals.



Quality goals and security goals - no actions taken, so putted back into agenda for this week. 

Criteria for project incubation and graduation to be worked on.

No quorum at the last meeting - planning for the next meeting.

Feedback from Olaf received for quality and security goals. Discussion to be followed this week. 

https://lf-networking.atlassian.net/wiki/spaces/LN/pages/15700616/2024-09-04+TAC+Minutes

Muddasar Ahmed to follow with Jill.

Lack of CLM scans Security Review Page-  TAC page to collaborate:  https://lf-networking.atlassian.net/wiki/spaces/LN/pages/18415618/Security+Review+Matrix. ( May require new login set up, as this site has migrated to web based confluence)


Muddasar Ahmed to follow with Jill.


Lack of CLM scans for NG Portal

Andreas was informed about lack of Jenkins jobs for Nexus-IQ scans. Fiete will work on this as project PTL.

Update from Fiete Ostkamp :

Jira opened by Fiete, ongoing support by LF-IT. Fiete is back from holidays.

Update from Fiete:

onap-portal-ng-preferences:

https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-portal-ng-preferences/b50d4e842a0847bc91437d354075e383/policy

onap-portal-ng-history:

https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-portal-ng-history/03f1fde4f7ea4f029031bbaf9689cfa8/policy

onap-portal-ng-bff:

https://nexus-iq.wl.linuxfoundation.org/assets/index.html#/applicationReport/onap-portal-ng-bff/4d9a28df94eb4bad85d858fe72321dac/policy

Sonarcloud scans for NG Portal available - waiting for a resolution for Nexus-IQ and NG Portal UI.




NEXT SECCOM MEETING CALL WILL BE HELD ON September 10th 2024

Upcoming security events: https://events.linuxfoundation.org/open-source-summit-europe/




Recordings: 

https://zoom.us/rec/play/vTizKeVjjzocS-qcO2YyTBgsdJZdRamnoeNqZmlcun9nRv19OMSeR7CmjPfgBUvE1ria5lwowBLgVH_T.8MTPobaiCn2upE31?canPlayFromShare=true&from=share_recording_detail&continueMode=true&componentName=rec-play&originRequestUrl=https%3A%2F%2Fzoom.us%2Frec%2Fshare%2FmoOY-pntp-1GwRFmtCEvvY2W_3Eq7WV8lX83RGqM0jNwHDj0DrA2Q7iDOS_RJHIH.A5vLw5edJnSYDcap