Frankfurt
Integration health checks will automatically perform the following security checks for the Frankfurt release.
- pod_root: Pods must not run as root in Frankfurt.
- Java debug wire protocol (jdpw) port must be closed.
- Update the test to exclude false positives reported by the project teams.
- nodeport_ingress: HTTP ports must be migrated to HTTPS.
- Review the list of the current 20 HTTP ports to determine which ones are necessary (robot, portal-sdk, portal-app, message-router, dmaap-bc, log-kibana, log-es, dmaap-dr-prov, cli , consul-server-ui, sniro-emulator, refrepo , uui, config-binding-service, dashboard, netbox-nginx, music-tomcat, cds-blueprints-processor-http, aaf-fs). The aaf-fs port is a known exception.
- Upgrade test to exclude those HTTP port.
- Review the list of the current 20 HTTP ports to determine which ones are necessary (robot, portal-sdk, portal-app, message-router, dmaap-bc, log-kibana, log-es, dmaap-dr-prov, cli , consul-server-ui, sniro-emulator, refrepo , uui, config-binding-service, dashboard, netbox-nginx, music-tomcat, cds-blueprints-processor-http, aaf-fs). The aaf-fs port is a known exception.
CIS Benchmarks