Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Please follow step-by-step instructions on the API Subcommittee API reporting wiki page. If after submitting your API info form (or an updated form, if you are in Class 1 and the form has changed since Release 4) and notifying the subcommittee by e-mail they have questions, then schedule a time when either subcommittee members may attend your weekly BP meeting or you can attend the API subcommittee weekly meeting in order to discuss and resolve the questions. When meeting, please be prepared with architecture and data flow diagrams so the API subcommittee can understand and confirm 1) APIs consumed and offered by your BP, 2) upstream project APIs, and 3) customer-facing demo APIs. This information will be used to update the Akraino website API Map, which makes your BP visible and searchable to customers and entities outside of Akraino, so completeness and accuracy is important.

...

  1. High Level Overall Requirements
  2. CI, Blueprint Validation Lab Sub-Committee Requirements
    1. Present Pod Topology document.
    2. Peering w/LF Jenkins - (Note: peering is an optional requirement)
    3. Push logs through Nexus. (Note: This is mandatory for Incubation self-certified and Maturity)
    4. Usage of topics for release

      1. Releases >= 1.0 (e.g. 1.xyz, 2.xyz etc) are reserved for BP that have been approved as Core by the TSC (considered ‘GA’ quality).

      2. Releases <1.0 (e.g. 0.xyz etc) are reserved for projects that have not reached the Akraino Core level (i.e. anything that is in Incubation (‘alpha’ quality) and Mature (‘beta’ quality).

    5. Enforcement of Static Code Analysis through SonarCloud (SaaS), WIP LF Release Engineering & Security Subcommittee. (Note: This is an optional requirement for Incubation self certified and mandatory for Maturity)

  3. Security Sub-Committee Requirements, please fill in Release 4 Blueprint Scanning Status.  Instructions can be found at:  Steps To Implement Security Scan Requirements
  4. Blueprint Validation Framework Feature Project Requirements See TSC meeting.
  5. Projects going for Maturity Review please refer to Maturity Criteria defined by Process subcommittee BP Graduation Review Processes and Criteria (Note this is not required for self certification, only required for maturity review)
  6. Documentation Sub-Committee Requirements

    User Documents:

    The following documentation with the following sections called out should be on the wiki with links to rest of the sections as applicable. We prefer that the entire doc is on the wiki but we do not require it.

    Architecture  - Blue print Overview and overall architecture

    Release Notes – Summary and What is released

    Installation Doc – Introduction and deployment architecture

    Test Document – Introduction and Overall Test Architecture

    Developer Documents:

    We are also recommending that Blueprints include via ReadtheDocs, with each Blue Print given their own repo, but we do not require it

  7. API Sub-Committee Requirements  (Note: See this link for requirements: Blueprint Projects R4 and R5 API Reporting Requirements)
  8. Community Sub-Committee Requirements  (Note: no mandatory requirements for Incubation self-certified or Maturity)
  9. Process Sub-Committee Requirements (Note: See the Process Sub Committee page defining the TSC approved Maturity review process and requirements for those requesting inclusion in R3 at Mature level BP Graduation Review Processes and Criteria)
  10. Upstream Sub-Committee Requirements (Note: no mandatory requirements for Incubation self-certified or Maturity). Here is the R4 release Upstream BP review status, Release Upstream Compliance. Also please refer to the page for the R4 requirement as well.

...

30 Sep

  Pod:  The following vulnerability must be corrected.

  • CAP_NET_RAW Enabled

    CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.

  Cluster:  Accepted 

All vulnerabilities >9.0 must be fixed or verification provided that no patch currently exists.

CVE-2017-18017 10.0

CVE-2018-15686 10.0

CVE-2019-14901 10.0

CVE-2017-15670 9.8

CVE-2017-15804 9.8

CVE-2018-1000007 9.8

CVE-2018-1000120 9.8

CVE-2018-11236 9.8

CVE-2018-1126 9.8

CVE-2018-12910 9.8

CVE-2018-15688 9.8

CVE-2018-16402 9.8

CVE-2018-18074 9.8

CVE-2018-18751 9.8

CVE-2018-20060 9.8

CVE-2018-6485 9.8

CVE-2019-10126 9.8

CVE-2019-10160 9.8

CVE-2019-14895 9.8

CVE-2019-16746 9.8

CVE-2019-17041 9.8

CVE-2019-17042 9.8

CVE-2019-17133 9.8

CVE-2019-5482 9.8

CVE-2019-9636 9.8

CVE-2016-7913 9.3

CVE-2017-15126 9.3

CVE-2017-16997 9.3

CVE-2017-9725 9.3

CVE-2018-10897 9.3

CVE-2019-12735 9.3

CVE-2018-1000122 9.1

CVE-2018-1000301 9.1

CVE-2019-9948 9.1

CVE-2016-10745 9.0

CVE-2018-19788 9.0

CVE-2019-14287 9.0

____________________________________________________________

Lynis:  Accepted 

____________________________________________________________

Kube-Hunter: 

Incubation/iec5_r4/15/

IEC Release5-SmartNIC datasheet.docx

IEC Release5 SmartNIC System Architecture.pdf

R5 Release Notes of IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family

Completed by 8/30/2021

18/myais/validation/2

fix lynis issues.

 

Smart Cities R5 Security Certification

30  _____01 Oct Exception grantedDeepak uploaded API info form , API subcommittee review scheduled for
Wiki page with API info:
R5 API DocumentN/A K8s not used by this BP for R5.  However, in R6 it is planning to use K3s.

https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/conformance/

https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/kube-hunter/

Incubation Level Review Results:

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

__________________________________________________________


Here are the updated logs of the Lynis test : 
https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/k3s/k3s-logs/

LynisNeed to fix the following vulnerabilities:

  • sysctl key fs.suid_dumpable: FAILED Expected value:  0
  • sysctl key kernel.dmesg_restrict: FAILED Expected value:  1
  • sysctl key net.ipv4.conf.default.accept_source_route: FAILED Expected value:  0
  • The following compilers must be removed:

    as (compiler) - /usr/bin/as

    cc (compiler) - /usr/bin/cc

    g++ (compiler) - /usr/bin/g++

    gcc (compiler) - /usr/bin/gcc

_____________________________________________________

Kube-Hunter: 

  Cluster:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

This issues must be resolved prior to maturity.

  Pod:  Could the same comparison between k3s and microk8s be provided for the kube-hunter pod.log as was provided for the cluster.log?

The following vulnerabilities must be fixed:

  • Access to pod's secrets

    Suggestion: 

    https://blog.aquasec.com/managing-kubernetes-secrets

    Securing etcdsecret data is stored in etcd. By default, etcd data is not encrypted and neither are your secrets. You should enable encryption at rest, limit access to etcd to admin users only, and safely dispose of disks where etcd data was formerly stored

    Use SSL/TLSwhen running etcd in a cluster, you must use secure peer-to-peer communication.

  • Exposed PodsDescription:  An attacker could view sensitive information about pods that are bound to a Node using the /pods endpoint.
  • KHV043 - Cluster Health DisclosureSuggestion:  Disable --enable-debugging-handlers kubelet flag.

  • KHV007 - Specific Access to Kubernetes API Suggestion:  Review the RBAC permissions to Kubernetes API server for the anonymous and default service account

  • KHV005 - Access to Kubernetes API

  • KHV002 - Kubernetes version disclosureSuggestion:  Disable --enable-debugging-handlers kubelet flag.

  • KHV050 - Read access to Pod service account token

    Suggestion:  It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.

    Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.

  • KHV044 - Privileged ContainerSuggestion:  Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged:  false policy.

Per e-mail , Deepak is in process of uploading API info form

As of , Deepak sent API info form, and expects to the API subcommittee page. The form shows Karmada APIs (CRD) offered inside Kubernetes environment, but no 3rd party APIs offered or consumed.

No.Project NameTSC Subgroup Release StatusIs this your first release 

Blue Print Stage

  • Self-Certify
  • Incubation
  • Mature
  • Core

CD Logs URL to be used for review

(Column filled in by PTLs)

How to: Push Logs to Nexus

Jenkins Master for Private Lab

Jenkins Peering Guide

Example: 

KubeEdge BP Test Documents

Link to executive one pager

(editable doc format)

(Column filled in by PTLs)

API Info Reporting Review

(Column filled in by API Subcommittee)

(note for PTLs – go here for steps to fill in project API info form)

BluVal

Certification

Bluval User Guide

Security

Certification

Provide link to Vuls, Lynis, and Kube-Hunter logs below.

Pass/Fail Criteria:  Steps To Implement Security Scan Requirements

Exception requests should be filed at:

Release 5: Akraino CVE Vulnerability Exception Request

Upstream Review (Column filled by Upstream Subcommittee and PTLs)


(note PTL can go to Release 5 BP/Feature Upstream Status to find details)

Date ready for TSC review

(Column filled in by PTLs)

 TSC Review Date

(Column filled in by TSC)


1
NoMaturehttps://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/cvb/CVB_Akraino_R5_blueprint_Datasheet.docxPer e-mail from WANG Tao (Tucker Wang) 20Aug21, no changes from R4

Completed by 8/24/2021


2
NoMaturehttps://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/iec-type4/Per e-mail from Bart 7Sep21, no changes from R4





3














4
NoIncubation

ICN Master Bare Metal Deployment Verifier

ICN Master Virtual Deployment Verifier

ICN R5 DatasheetPer notice from Kural 5Aug21, no change from R4

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/os/lynis/

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/os/vuls/

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/k8s/conformance/

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/k8s/kube-hunter/

Filed Release 5: Akraino CVE Vulnerability Exception Request

Incubation Level Review Results:

 

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

LynisAccepted 

____________________________________________________________

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted 

Completed by 8/6/2021


5
YesIncubationhttps://nexus.akraino.org/content/sites/logs/intel/ICN_CD_logs/pod11-node5/icn-master-bm-verify-bm_verifer-kata/12/ICN-MTSCN R5 Datasheet

API form uploaded 24 May

e-mail questions exchanged 20Jul21

Scheduled for review by API subcommittee  

API subcommittee review completed and info accepted  

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210624-025354/results/os/lynis/

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210712-025145/results/os/vuls/

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210624-025354/results/k8s/conformance/

https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210624-025354/results/k8s/kube-hunter/

Filed Release 5: Akraino CVE Vulnerability Exception Request

Incubation Level Review Results:

 

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

LynisAccepted 

____________________________________________________________

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted 

Completed by 8/10/2021


6
NoIncubationhttps://nexus.akraino.org/content/sites/logs/huawei/job/eliot-build/18/home/jenkins/log/Per e-mail from Khemendra 26Aug21, no changes from R4

https://nexus.akraino.org/content/sites/logs/huawei/job/eliot-security-validation-build/4/results/


Akraino BluVal Exception Request

Incubation Level Review Results:

 

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

LynisAccepted 

____________________________________________________________

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

Completed 8/6/2021


7
NOIncubationhttps://nexus.akraino.org/content/sites/logs/huawei/job/eliot-uCPE-build/15/home/jenkins/log/ELIOT R5 - SD-WAN / WAN Edge / uCPE Data SheetPer e-mail from Khemendra 26Aug21, no changes from R4

https://nexus.akraino.org/content/sites/logs/huawei/job/eliot-uCPE-security-build/10/results/


Akraino BluVal Exception Request

Incubation Level Review Results:

 

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

LynisAccepted 

____________________________________________________________

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

Completed on 8/6/2021


8TSC 2021-08-12 (Thursday) 7:00 am PacificNoIncubation

https://nexus.akraino.org/content/sites/logs/juniper/validation-2021/

Blueprint Data SheetPer e-mail from Sukhdev 5Aug21, no change from R4Not required as there is no change from Release 4Not required as there is no change from Release 4Completed by 8/10/202108/12/2021

9
NoIncubationhttps://jenkins.akraino.org/job/kni-blueprint-pae-verify-deploy-gcp/69/

Per e-mail from Ricardo 10Aug21, he uploaded R5 API info forms for both KNI blueprints, with no substantive changes from R4. The API subcommittee has a review scheduled for of the new API info forms and will update this table afterwards

On the API Subcommittee reviewed and accepted the updated KNI R5 API forms


https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results/

Incubation Level Review Results:

Vuls:  Accepted with exception.  The KNI Provider Access Edge blueprint uses OpenShift as its k8s distribution, which is deployed on Red Hat CoreOS, an immutable OS that is not supported by Vuls.

__________________________________________________________

LynisAccepted 

____________________________________________________________

Output manually generated, located at:

Release 5 Security Scan Manual Logs

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

Completed by 8/10/20219/16/2021

10
NoIncubation

Management Hub:

https://logs.akraino.org/production/vex-yul-akraino-jenkins-prod-1/kni-blueprint-management-hub-verify-deploy-gcp/19/

Industrial Edge:

https://logs.akraino.org/production/vex-yul-akraino-jenkins-prod-1/kni-blueprint-ie-verify-deploy-gcp/4/

See above note


https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results/

Incubation Level Review Results:

Vuls:  Accepted with exception.  The KNI Provider Access Edge blueprint uses OpenShift as its k8s distribution, which is deployed on Red Hat CoreOS, an immutable OS that is not supported by Vuls.

__________________________________________________________

LynisAccepted 

____________________________________________________________

Output manually generated, located at:

Release 5 Security Scan Manual Logs

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

Completed by 8/10/20219/16/2021

11

Micro-MEC

Ferenc Székely







 







12TSC 2021-09-21 (Tuesday) 7:00 am PacificNoincubationhttps://nexus.akraino.org/content/sites/logs/baidu/job/aiedge/6/Per e-mail from Liya Yu 21Sep21, no changes from R4https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/4/result/1

Incubation Level Review Results:

9/20/20219/21/202113No

 

Vuls

Accepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

Lynis:  Accepted

____________________________________________________________

Kube-Hunter: 

  Pod:  Accepted 

  Cluster:  Accepted 


9/20/20219/21/2021
13
No
  • Incubation
https://nexus.akraino.org/content/sites/logs/fate/job/I-VICS/5/Intelligent Vehicle-Infrastructure Cooperation System(I-VICS) Datasheet

Per e-mail from Zhuming Zhang (Simmy Zhang) 30Aug21, no changes from R4

Confirmed by Sihui Wang in e-mail 30Aug21

https://nexus.akraino.org/content/sites/logs/fate/job/I-VICS/5/No new features or bugs have been added after R4 releaseMissing Upstream information


14

TSC 2021-08-17 (Tuesday) 7:00 am Pacific

NoIncubationhttps://nexus.akraino.org/content/sites/logs/tencent/job/tencent_5g_mec/Per e-mail from Eagan Fu 15Aug21, no change from R4

Completed by 8/24/2021


15
NoIncubation

As of , waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects API Reporting Requirements)

API info form uploaded  by Rajeev 

API info form reviewed , no APIs offered or consumed, as Blueprint constructs and provides an Android cloud run-time environment for user applications

Note - would like to further understand this when the BP comes up for review and voting approval during TSC call







16TSC 2021-09-21 (Tuesday) 7:00 am PacificNoIncubationhttps://nexus.akraino.org/content/sites/logs/cmti/job/iec5_r4/15/Per e-mail from Leo Li (Socnoc AI Inc) 11Aug21, no change from R4

Bluval Exception has been accepted for the project.

Akraino BluVal Exception Request

No new features or bugs have been added after R4 release

R5 Release Notes of IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family


Completed by 8/30/2021




17
NoIncubationhttps://nexus.akraino.org/content/sites/logs/fatehuawei/job/I-VICS/5/Intelligent Vehicle-Infrastructure Cooperation System(I-VICS) DatasheetPer e-mail from Zhuming Zhang (Simmy Zhang) 30Aug21ealt-edge-build/51/home/jenkins/log/EALTEDGE Release 5 DatasheetPer e-mail from Khemendra 20Aug21 (with Gaurav cc'd), no changes from R4
Confirmed by Sihui Wang in e-mail 30Aug21
16No

https://nexus.akraino.org/content/sites/logs/

fate

huawei/job/

I-VICS/5/
No new features or bugs have been added after R4 releaseMissing Upstream information14

TSC 2021-08-17 (Tuesday) 7:00 am Pacific

NoIncubationhttps://nexus.akraino.org/content/sites/logs/tencent/job/tencent_5g_mec/Per e-mail from Eagan Fu 15Aug21, no change from R4Completed by 8/24/202115NoIncubation

As of , waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects R4 and R5 API Reporting Requirements)

API info form uploaded   

API info form reviewed , no APIs offered or consumed, as Blueprint constructs and provides an Android cloud run-time environment for user applications

Note - would like to further understand this when the BP comes up for review and voting approval during TSC call

ealt-security-validation-build/19/results/


Akraino BluVal Exception Request

Incubation Level Review Results:

 

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

LynisAccepted 

____________________________________________________________

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

R5 - Architecture Documentation of Enterprise Applications on Lightweight 5G Telco Edge


Completed by 8/10/2021




18TSC 2021-08-10 (Tuesday) 7:00 am PacificNo
https://nexus.akraino.org/content/sites/logs/cmti/jobPer e-mail from Leo Li (Socnoc AI Inc) 11Aug21, /pcei-daily/https://lf-akraino.atlassian.net/wiki/x/5JLQ

Per API Subcommittee meeting 30Jul21, no change from R4

Bluval Exception has been accepted for the project.

Akraino BluVal Exception Request


17NoIncubation

PCEI R5 API Doc:

https://lf-akraino.atlassian.net/wiki/x/6JLQ

huaweiealt-edge-build/51/home/jenkins/log/EALTEDGE Release 5 DatasheetPer e-mail from Khemendra 20Aug21 (with Gaurav cc'd), no changes from R4huaweiealt-security-validation-build/19/results/Akraino BluVal Exception Request

r5/v2/

Fixed:

fs.suid_dumpable

net.ipv4.conf.default.accept_source_route


Incubation Level Review Results:

19  

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

19 Jul

Lynis: Accepted __  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

____________________________________________________________

Kube-Hunter: 

  Cluster:  Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

PCEI R5 - Architecture Documentation of Enterprise Applications on Lightweight 5G Telco EdgeRelease Notes

https://lf-akraino.atlassian.net/wiki/x/AZPQ



Completed by 8/6/2021

/

 



19

TSC 2021-08-

10

26 (

Tuesday

Thursday) 7:00 am Pacific

No
  • Incubation
https://nexus.akraino.org/content/sites/logs/cmtifate/job/pcei-daily/https://wiki.akraino.org/x/lwHkAgPer API Subcommittee meeting 30Jul21/Fate_test/15/Akraino R5 Federated ML blueprint datasheet.docxPer e-mail from Zifan 8Aug21, no change from R4
PCEI R5 API Doc:
wiki/x/qgHkAg

/content/sites/logs/fate/job/fate_security/1

 

https://nexus.akraino.org/content/sites/logs/pceifate/jobfml/r5/v12/

02  

https://nexus.akraino.org/content/sites/logs/pceifate/job/r5/v2/

Fixed:

fs.suid_dumpable

net.ipv4.conf.default.accept_source_routefml/3

Fix Lynis issues and upgrade curl to 7.78.

 

https://nexus.akraino.org/content/sites/logs/fate/fml/5/

Fixed 3 issues.



Incubation Level Review Results:

29 Jul  

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

____________________________________________________________

16

Lynis:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

_  Accepted

__________________________________________________________

_

Kube-Hunter: 

  Cluster

Exception granted

Accepted 

  Pod:  Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

PCEI R5 Release Notes

https://wiki.akraino.org/x/LgLkAg

Completed by 8/6/2021

 

19

The AI Edge: Federated ML application at edge

rolandwu

haihui wang

K8s not used by this BP.

federated ML

Release Notes

R5 Federated ML application at edge Release Notes


Completed by 8/30/2021




20


@Alexande







21

TSC 2021-08-

26

03 (

Thursday

Tuesday) 7:00 am Pacific

NoIncubationhttps://nexus.akraino.org/content/sites/logs/fatejuniper/job/Fate_testPrivate%205G%20BP/15/Akraino R5 Federated ML blueprint datasheet.docxPrivate LTE/5G BP DatasheetPer e-mail from Zifan 8Aug21Prem 27Aug21, no change from R4

https:Completed by 8//nexus.akraino.org/content/sites/logs/fate/job/fate_security/1 10/2021


22











23

TSC 2021-09-21 (Tuesday) 7:00 am Pacific

YesIncubationhttps://nexus.akraino.org/content/sites/logs/myais/fatejob/fmlparsec/2/ 10/

API info form uploadedto API Subcommittee review page (Blueprint Projects API Reporting Requirements). Approved based on informal review

Smart Cities R5 API Document

fatefml3

Fix Lynis issues and upgrade curl to 7.78.

19 Aug fatefml5/Fixed 3

2

fix lynis issues.

 

Smart Cities R5 Security Certification

Incubation Level Review Results:

20 Aug  

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

__________________________________________________________

20 Aug

Lynis:    Accepted

__________________________________________________________

16 Aug

Kube-Hunter:  Exception granted:  K8s not used by this BP for R5.

federated ML

Release Notes

R5 Federated ML application at edge Release Notes

Completed by 8/30/2021

20@Alexande21TSC 2021-08-03

  However, in R6 it is planning to use K3s.

Completed by 9/30/2021

R5 Smart Cities BP release notes: Smart Cities R5 Release Notes

9/20/20219/21/2021
24

MEC-based Stable Topology Prediction for Vehicular Networks

MalikAsif

TSC 2021-09-21 (Tuesday) 7:00 am PacificNoYesIncubationhttps://nexus.akraino.org/content/sites/logs/juniperjejunu-pred-vanet-mec/job/Private%205G%20BP/Akraino Private LTE/5G BP DatasheetPer e-mail from Prem 27Aug21, no change from R4Completed by 8/10/20212223TSC 2021-09-21 (Tuesdaypush-logs/

API info form uploaded by Asif , scheduled for review by API Subcommittee

Reviewed completed and info accepted  




9/20/20219/21/2021
25TSC 2021-09-16 (Thursday) 7:00 am PacificYesNoIncubationhttps://nexus.akraino.org/content/sites/logs/myaisarm-china/job/parsec/10/API info form uploadedjenkins092/iec-type2-terraform/cdlogs/

Ashvin Kumar uploaded API info form. API subcommittee review scheduled for

(Note - the form was originally uploaded 27Aug21 but had a file corruption issue)

Review completed and info accepted As of , waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects

R4 and R5

API Reporting Requirements)

. Approved based on informal review
Smart Cities R5 API Document




Here are the updated logs of the Lynis test : 
https://nexus.akraino.org/content/sites/logs/

myais/validation/1/ 

arm-china/jenkins092/iec-type2-terraform/k3s/k3s-logs/

https://nexus.akraino.org/content/sites/logs

/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/conformance/


https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/kube-hunter/

Incubation Level Review Results:


VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

__________________________________________________________

 
Here are the updated logs of the Lynis test https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/lynis-vuls-nov-16/os/lynis/

Lynis:  Accepted

_____________________________________________________

Kube-Hunter: 

 

Cluster

Completed by 9/30/2021

R5 Smart Cities BP release notes: Smart Cities R5 Release Notes

9/20/20219/21/202124

MEC-based Stable Topology Prediction for Vehicular Networks

MalikAsif

TSC 2021-09-21 (Tuesday) 7:00 am PacificYesIncubationhttps://nexus.akraino.org/content/sites/logs/jejunu-pred-vanet-mec/job/push-logs/

API info form uploaded by Asif , scheduled for review by API Subcommittee

Reviewed completed and info accepted  

9/20/20219/21/202125TSC 2021-09-16 (Thursday) 7:00 am PacificNoIncubationhttps://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/cdlogs/

Ashvin Kumar uploaded API info form. API subcommittee review scheduled for

(Note - the form was originally uploaded 27Aug21 but had a file corruption issue)

Review completed and info accepted As of , waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects R4 and R5 API Reporting Requirements)

Missing Upstream information in IEC Type 2 Release Notes for R526No27

Federated Multi-Access Edge Cloud Platform

Deepak Vij

TSC 2021-10-14 (Thursday) 7:00 am PacificYesIncubationR5 Datasheet

 Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

This issues must be resolved prior to maturity.

  Pod:  Could the same comparison between k3s and microk8s be provided for the kube-hunter pod.log as was provided for the cluster.log?

The following vulnerabilities must be fixed:

  • Access to pod's secrets

    Suggestion: 

    https://blog.aquasec.com/managing-kubernetes-secrets

    Securing etcdsecret data is stored in etcd. By default, etcd data is not encrypted and neither are your secrets. You should enable encryption at rest, limit access to etcd to admin users only, and safely dispose of disks where etcd data was formerly stored

    Use SSL/TLSwhen running etcd in a cluster, you must use secure peer-to-peer communication.

  • Exposed PodsDescription:  An attacker could view sensitive information about pods that are bound to a Node using the /pods endpoint.
  • KHV043 - Cluster Health DisclosureSuggestion:  Disable --enable-debugging-handlers kubelet flag.

  • KHV007 - Specific Access to Kubernetes API Suggestion:  Review the RBAC permissions to Kubernetes API server for the anonymous and default service account

  • KHV005 - Access to Kubernetes API

  • KHV002 - Kubernetes version disclosureSuggestion:  Disable --enable-debugging-handlers kubelet flag.

  • KHV050 - Read access to Pod service account token

    Suggestion:  It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.

    Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.

  • KHV044 - Privileged ContainerSuggestion:  Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged:  false policy.

Missing Upstream information in IEC Type 2 Release Notes for R5


26
No









27

Federated Multi-Access Edge Cloud Platform

Deepak Vij

TSC 2021-10-14 (Thursday) 7:00 am PacificYesIncubation
R5 Datasheet

Per e-mail , Deepak is in process of uploading API info form

As of , Deepak sent API info form, and expects to upload to the API subcommittee page. The form shows Karmada APIs (enabled by CRD method) offered inside Kubernetes environment, but no 3rd party APIs offered or consumed.

Deepak uploaded API info form , API subcommittee review scheduled for

API info reviewed and approved by API subcommittee . The subcommittee e-mailed Deepak asking to attend 29Oct (Fri) meeting and give more explanation about ETSI MEC interfaces in their Blueprint

Wiki page with API info:

R5 API Document

N/A

Incubation Level Review Results:

 

VulsAll vulnerabilities >9.0 must be fixed or verification provided that no patch currently exists.

CVE-2019-25032

CVE-2019-25034

CVE-2019-25035

CVE-2019-25036

CVE-2019-25038

CVE-2019-25039

CVE-2019-25042

CVE-2019-9169

CVE-2020-27619

CVE-2021-27219

CVE-2021-3177

CVE-2021-3520

CVE-2020-12403

CVE-2020-36242

_____________________________________________________

LynisNeed to fix the following vulnerabilities:

  • Checking PASS_MAX_DAYS option in /etc/login.defs: FAILEDSuggestion: Configure maximum password age in /etc/login.defs
  • Test ID AUTH-9328 (Default umask values): FAILEDSuggestion: Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027)
  • Test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups): FAILEDSuggestion:  set AllowUsers & AllowGroups
  • sysctl key kernel.dmesg_restrict: FAILEDSuggestion:  set value to '1'
  • sysctl key net.ipv4.conf.default.accept_source_route: FAILEDSuggestion:  set value to '0'
  • Test ID HRDN-7220 (Check if one or more compilers are installed): FAILEDFollowing compilers must be removed:
    • /usr/bin/as
    • /usr/bin/cc
    • /usr/bin/gcc

_____________________________________________________

Kube-Hunter: 

  Cluster:  Please provide cluster.log file

  Pod:  Please provide pod.log file



10/14/2021