2023-09-26 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 26th of September 2023.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

 

Amber Service Mesh

Nephio SIG Security started discussing secure software supply chain and also showed a demo, leveraging Kubearmor for security access.

In the KubeConn, there were some discussions around amber service mesh (a.k.a. sidecarless service mesh).

For NF deployment and management, sidecarless service mesh could be a good option, I think. There were some use cases from MITRE.

ONAP SECCOM position for this to be further discussed.

Nephio SIG member made a demo with Kubearmor. No need to configure sidecar for each network function. Amber Service Mesh seems to be not yet production ready.

Kubearmor was DARPA project, it is used as part of superblueprint. It has policy building and administration function. Enforcement is done by using eBPF.

Presentation could be provided to SECCOM.

started

@Muddasar Ahmed to check with MITRE colleagues on possible presentation for SECCOM on Kuberamor.

 

Oparent

Update from 2023-08-21 PTL meeting

-CPS (@Toine Siebelink): will test building CPS without oparent/pom.xml (results 2023-10-01)

-Integration (@Marek Szwałkiewicz): will perform a test build with the profiles commented out

2023-08-15 SECCOM notes

-Only 2 PTLs responded to Amy’s e-mail

-No objections on Oparent retirement, we have no volunteer to maintain it up to date

-pom.xml contains more than cross project common package dependencies

2023-09-05 SECCOM notes

-Pawel to contact @Marek Szwałkiewicz 

-@Toine Siebelink will provide feedback in early October

-decision on path forward - potentially remove package info - deferred to October

Main problem with testing changes in Oparent it is not possible as it is imported and used in build time and not in run time.

We need to find someone who will upgrade versions in Oparent file. Liam to be contacted for that.

2023/09/26: Liam will update Oparent going forward. SECCOM will provide package update recommendation.

 

Recommendation:

-retain oparent/pom.xml

-Make Andreas Geissler a committer and ask the integration or OOM team to update the file per release

-Proposal:

  • Option 1 (short term): ask the integration or OOM team to update the file per release

  • Option 2 (long term): split into multiple pieces that could be independently maintained: dependencies, build directives, profiles

-Byung will discuss with Andreas and OOM team and report at 8/22 SECCOM (pushed to 8/29 SECCOM meeting)

-Amy will contact @Liam Fallon  and Pam for history

  • Pawel to contact Liam and check if he could update Oparent.

 

AAF Certificate Expiration

AAF-1217: AAF cert service failed to start (expired certificate)In Progress

Review work around proposed by @Andreas Geißler - deferred until @Andreas Geißler returns from holiday

Workaround

Some project containers still experiencing problems: clients using the cert-initializer (e.g. SO, SDC, CDS) still fail.

Need to document certificate management in user docs.

Louis Gamers' AAF cert wiki page: (1) Create AAF CA certificates - Developer Wiki - Confluence (onap.org)

  • Components such as dcaegen2 have their own cert init container with the aaf certificate embedded in the container image. This might be the reason why SO, SDC, and CDS broke if they have their own cert init containers.

  • Unclear why onap-aaf-sms-preload and onap-dmaap-bc-dmaap-provisioning jobs broke in Louis's environment.

 

 

 

Container Signing

Review next steps:

-select signing software (SECCOM + LFIT)

-perform POC with friendly projects (ONAP)

-integrate into build process (LFIT)

Looking for a volunteering project to work with us. Request raised at the 18th September PTL's call but no volunteer so far.

 

@Muddasar Ahmed to analyze which ONAP project has the most frequent changes in its containers.

 

No PTL for AAI, DCAE, OOF

-Andreas Geissler and Thomas Kulik made committers

-They will do the work necessary for the projects to participate in the release

-TSC approved streamlining process (7 September)

-SECCOM will create package upgrade recommendations

-TSC will recruit resources to perform upgrades for AAI, DCAE, OOF

  • need options to move forward

 

-Byung will discuss with Andreas and Thomas to coordinate release tasks such as backlog prioritization

-Muddasar: someone needs to take backlog management role

-Muddasar: no mandated best practice to manage technical debt; call for a statement about code quality – all code will be secure

-Muddasar & Amy: bring mandate for code quality to LFN TAC 2023/8/16

  • Pawel to raise a request to TSC with getting resources for upgrades for AAI, DCAE, OOF

 

ONAP Streamlining

-TSC approved streamlining (7 September)

-Prioritization of vulnerability fixes (see above)

-Prioritization of security enhancements

-Proposal: ONAP projects work with latest version of common components such as Istio, KeyCloak, Kafka

ONAP Streamlining - The Process (Link)

Deck shared with TSC: ONAP - Streamlining the process Report-2023-8-3-v2.pptx (live.com)

Byung shared latest deck presented at last TSC, proposal was approved by TSC.

TSC makes also decisions on resources. List of TSCroles is not exhaustive.

We need to start working on packages upgrade recommendations - Amy's team will support us.

Dan mentioned at the last PTL's meeting that ODL synch is already done for Montreal release. Soon expected some synch meeting with ODL.

 

 

 

CentOS strategy

Discuss multiple paths for CentOS upgrades

 

 

 

TSC meeting (September 21st)

TSC elections coming up

 

 

 

LFN-TAC (September 27th)

Any SECCOM recommendations for the TAC.

Amy shared SECCOM recommendations. TAC would like to have Security Forum to be updated - WiP.

 

@Muddasar Ahmed to share confluence page.

 

NEXT SECCOM MEETING CALL WILL BE HELD ON 3rd of October 2023. 

 

 

 

 

 

 

Recordings: 

2023-09-26_SECCOM_week.mp4