2020-11-10 Security Subcommittee Meeting Notes

Please find below the Minutes of Meetings and recording for the SECCOM meeting that was held on 10th of November 2020.

Jira No

Summary

Description

Status

Solution

Jira No

Summary

Description

Status

Solution

 

SECCOM requirements for Honolulu

Commitments are  expected from the companies to provide resources to support the requirement, otherwise all of the requirements are no go for the moment. Discussion with Andreas and commitment on Michal’s suport for Python upgrades.

For CII Badging work with the integration team to have scripts that would validate.

ongoing

Amy waiting for a feedback from Catherine on the actions on our side to perform packages upgrades.

 

 

Harbor update

  1. Harbor is a reference solution of a container registry for ONAP SW: Harbor is verified along with ONAP SW test cases, and ONAP also provides a reference configuration of Harbor.
    But Harbor itself is not part of ONAP release / deliverables.

  2. In addition to number 1 items: Harbor is part of ONAP release, it is packaged as one of the ONAP deliverables along with a reference configuration.

2 ways of Harbor onboarding: run and development. More information about the job and key requirement. In dev phase Nexu-IQ will be kept.

Signing of code releases by LFN. Fabian considers Notary for that. 

ongoing

 

 

Secrets management update

Different types of secrets exist in ONAP:

  1. Passwords to databases - they can not be replaced with teh service mesh

  2. Certificates - used to be hardcoded

  3. Passwords used for communication between ONAP services

  4. Passwords related to user management

  5. Passwords related to external systems (like for OpenStack)

For every cathegory above different solution should apply:

Ad 1: common secrets templates, 3-5 components still needs tobe updated like etcd, Cassandra.

Ad 2: Cert initializer for https as a starting point, new backend considered apart from Certman (from AAF) like Certificate Manager from upstream.

Fabian manages certificates with reverse proxy, as Bell Canada does.

ONAP components are not yet ready for Ingress.

Ad 3: service mesh solution with proper access rights or any other security framework.

Ad 4: authentication in ingress, passwords externalized to keycloak.

Ad 5: for now should be placed in secrets, in long future will needa secret store. Fabian proposed to keep secretes in Vault but outside of Kubernetes but then how to access it? secret zero problem exists.

 

 

 

Flow matrix

Fabian had a meeting with Sebatien..

ongoing

 

 

Guilin version highlights 

  1. Packages upgrades progress 

  2. Java (v8 → 11) and Python (v2.7 → v3.6) migrations

  3. Progress in packages not running as root - decrease

  4. Migrations to https as dafault best practice

ongoing

Information was shared with David and Catherine.

 

CII Badging requirements

Description part was updated by Tony.

done

 

 

CII Dashboard

3 projects that are silver now:, and even one of those projects is 65% of gold (VVP) and 2 other are at 57 % of gold (Policy) and AAF, CLAMP is 96% silver and over 40 % gold. 

Progress was shared with the next PTLs call.

ongoing

 

 

OUR NEXT SECCOM MEETING CALL WILL BE HELD ON 17th OF NOVEMBER'20. 

 

 

 

 

Recording:

 

SECCOM presentation: