
Enterprise Applications on Lightweight 5G Telco Edge

Release 5: Akraino CVE Vulnerability Exception Request

KNI Provider Access Edge

The following exceptions must be fixed prior to maturity review:

The security issues observed seem to be specific to the microk8s cluster. We ran the sonobuoy tests & kube-hunter against k3s and there are no issues in the master setup. We are working with Canonical to review our configuration.

The following exceptions must be fixed prior to maturity review:

  • Information Disclosure: Exposed pods. An attacker could view sensitive information about pods that are bound to a Node using the /pods endpoint.
  • KHV043 (Information Disclosure): Cluster Health Disclosure. By accessing the open /healthz handler, an attacker could get the cluster health state without authenticating.
  • KHV044 (Access Risk): Privileged Container. A privileged container exists on a node, which could expose the node/cluster to unwanted root operations.

    Project Name

    Vuls Scan

    • Pass/Fail
    • Exceptions

    Lynis Scan

    • Pass/Fail
    • Exceptions

    Kube-Hunter Scan

    • Pass/Fail
    • Exceptions
    1 ELIOT SD-WAN/WAN Edge/uCPE Blueprint

    The following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.




    2

    The following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.




    3 Public Cloud Edge Interface (PCEI) Blueprint

    The following exceptions must be fixed prior to maturity review:

    1. test ID AUTH-9328 (Default umask values)

    Reason: <Oleg Berzin> Cannot fix AUTH-9328 because changing the umask value to 027 caused the Lynis test suite to fail (does not run)

    The following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.




    4 The AI Edge: Federated ML application at edge



    5

    The following exceptions must be fixed prior to maturity review:

    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.




    6 KNI Industrial Edge
    1. CAP_NET_RAW Enabled - CAP_NET_RAW is enabled by default for pods.  If an attacker manages to compromise a pod, they could potentially take advantage of this capability to perform network attacks on other pods running on the same node.




    7 IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family


