Release 3 Blueprint Scanning Status (Pre-Approval)
- Integrated Cloud Native (ICN) NFV/App stack family [Kuralamudhan Ramakrishnan, Igor Duarte Cardoso]
- Vuls: High:30 Medium:96 Low:27
- Lynis: https://logs.akraino.org/intel/bluval_results/icn/master/20200529-023728/results/os/lynis/lynis.log
- Kube-Hunter: Only 1 vulnerability found, in "Inside-a-Pod Scanning": CAP_NET_RAW
- Radio Edge Cloud (REC)
- Vuls: High:44 Medium:137 Low:47
- Lynis: https://wiki.akraino.org/download/attachments/18481239/lynis.log?version=1&modificationDate=1590586718000&api=v2
- Kube-Hunter:
- KHV005 Access to API using service account token
- KHV002 Kubernetes Version Disclosure
- KHV050 Read access to pod's service account token
- Local to Pod CAP_NET_RAW Enabled
- Local to Pod Access to pod's secrets
- Connected Vehicle Blueprint [Thor Chin]
- This blueprint did not have output information from vuls, lynis or kube-hunter. I have sent an email to Thor Chin and Tapio Tallgren. This appears to be an issue with BluVal not executing the scans correctly.
- Vuls: https://nexus.akraino.org/content/sites/logs/ampere/cvb/logs/cvb_vuls.log
- Lynis: https://nexus.akraino.org/content/sites/logs/ampere/cvb/logs/cvb_lynis.log
- Kube-Hunter: Don't have K8s
- ELIOT IoT Gateway Blueprint [Khemendra Kumar]
- Vuls: High:104 Medium:352 Low:74 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/
- ELIOT SD-WAN/WAN Edge/uCPE Blueprint [Khemendra Kumar]
- Vuls: High:87 Medium:168 Low:62 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/uCPE/job/eliot-uCPE-deploy-k8s-centos-virtual-daily-master/378/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/
- KNI Provider Access Edge [Yolanda Robla Mota]
- Running on OKD vs Kubernetes https://wiki.akraino.org/display/AK/KNI+PAE+Architecture+document
- Conformance tests used: https://wiki.akraino.org/display/AK/KNI+PAE+Test+document
- Vuls:
- Lynis:
- Kube-Hunter:
- Micro-MEC
- Scan output files are not currently available at https://wiki.akraino.org/display/AK/Release+3+Planning. I have emailed the PTL, Tapio Tallgren, to see if he can provide them.
- Vuls:
- Lynis:
- Kube-Hunter:
- School/Education Video Security Monitoring [Hechun Zhang and Liya Yu]
- This blueprint did not have output information from vuls, lynis or kube-hunter.
- This is the first release for the School/Education Video Security Monitoring blueprint; BluVal is not required.
- I have sent an email to Hechun Zhang and Liya Yu.
- Vuls:
- Lynis:
- Kube-Hunter:
- 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint [Feng Yang]
- All scan logs: https://nexus.akraino.org/content/sites/logs/tencent/job/5g-mec-cloud-gaming-CD/security_scan/2/
- Vuls:
- Lynis:
- Kube-Hunter:
- Enterprise Applications on Lightweight 5G Telco Edge [Gaurav Agrawal]
- Vuls: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/vuls/
- Lynis: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/os/lynis/
- Kube-Hunter: https://nexus.akraino.org/content/sites/logs/huawei/blueprints/ealt-edge/job/ealt-edge-bluval-daily-master/22/results/k8s/kube-hunter/
- Public Cloud Edge Interface (PCEI) Blueprint [Oleg Berzin]
- This blueprint did not have output information from vuls, lynis or kube-hunter.
- This is the first release for the PCEI blueprint; BluVal is not required.
- I have sent an email to Oleg Berzin.
- Vuls:
- Lynis:
- Kube-Hunter:
Approved Blueprints
Project Name | Vuls Scan | Lynis Scan | Kube-Hunter Scan | |
---|---|---|---|---|
1 | 5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint | | | |
2 | ||||
3 | Connected Vehicle Blueprint | High:61 Medium:280 Low:58 https://nexus.akraino.org/content/sites/logs/ampere/cvb/logs/ | Kube-Hunter: Exemption granted, this blueprint does not currently use Kubernetes per Thor Chin on 6/17/2020. | |
4 | Edge Video Processing | |||
5 | ELIOT: Edge Lightweight and IoT Blueprint Family | |||
6 | ||||
7 | High:104 Medium:352 Low:74 https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/vuls/ | https://nexus.akraino.org/content/sites/logs/huawei/blueprints/iotgateway/job/eliot-iotgateway-deploy-k8s-virtual-daily-master/430/results/os/lynis/ | ||
8 | High:87 Medium:168 Low:62 | |||
9 | Network Cloud and TF Integration Project | High:84 Medium:281 Low:59 https://nexus.akraino.org/content/sites/logs/juniper/validation/os/vuls/ | https://nexus.akraino.org/content/sites/logs/juniper/validation/os/lynis/ | Approved with exceptions. Upgrading K8s components causes the Airship deployment to fail and the regional controller becomes incompatible. The development team was told to use a specific version of the regional controller and airship (as the older versions are stable and newer are in flux and fragile). When the team upgraded to the new version as per the security team's suggestion, everything else fell apart. Making this change will require several months of work as the development team has to upgrade a component at a time to bring everything to the latest version of code. We will address this in the next release. |
10 | Integrated Cloud Native NFV/App stack family (Short term: ICN) | | | |
11 | Integrated Edge Cloud (IEC) Blueprint Family | |||
12 | ||||
13 | ||||
14 | High:266 Medium:590 Low:106 | First Release - Kube-Hunter security scan not required. | ||
15 | High:61 Medium:280 Low:58 https://nexus.akraino.org/content/sites/logs/ampere/iec-type4/logs/ | Kube-Hunter: Exemption granted, this blueprint does not currently use Kubernetes per Thor Chin on 6/17/2020. | ||
16 | High:266 Medium:590 Low:106 https://nexus.akraino.org/content/sites/logs/bytedance/job/type5_security_scan/1/vuls.log | Hardening index : [63] [############ ] https://nexus.akraino.org/content/sites/logs/bytedance/job/type5_security_scan/1/lynis.log | Kube-Hunter: Exemption granted, this blueprint does not currently use Kubernetes. | |
17 | Kubernetes-Native Infrastructure (KNI) Blueprint Family | We have RHCOS on our cluster, so vuls doesn't apply to it | lynis.log | Fail. We request an exception as we are running OpenShift and not upstream Kubernetes, so we hit several failures: cluster.log , pod.log https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter/cluster.log , https://logs.akraino.org/redhat-kni/bluval_results/blueprint-pae/20200423-071856/results/k8s/kube-hunter/Kube-Hunter.Kube-Hunter |
18 | First release - security scan not required. | First release - security scan not required. | First release - security scan not required. | |
19 | The AI Edge: School/Education Video Security Monitoring | https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/vuls/ | https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/lynis/ | https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/1/kube-hunter/ |
20 | Network Cloud Blueprint Family | |||
21 | StarlingX Far Edge Distributed Cloud | |||
22 | Telco Appliance Blueprint Family | |||
23 | Fail with Exceptions 0 CVEs are detected with OVA | Pass with Exceptions Tests performed: 287 | Pass with Exceptions All Critical Tests Passed KHV005 Access to API using service account token | |
24 | ||||
25 | The AI Edge Blueprint Family | |||
26 | ||||
27 | Public Cloud Edge Interface | Pass with exceptions High:41 Medium:239 Low:32 | Pass with exceptions Hardening index : 62 [############ ] https://nexus.akraino.org/content/sites/logs/cmti/job/lynis/ | No k8s cluster as part of deployment at the moment |
28 | Enterprise Applications on Lightweight 5G Telco Edge | High:84 Medium:294 Low:53 | Hardening index : [57] [########### ] | cluster.log KHV002 Information Disclosure pod.log |
29 | ||||
30 |
Approved Feature Projects
If a project uses only one programming language, just fill in the repo location in the "Repository" column.
If a project uses multiple programming languages, please list all of them and add a link in the "Repository" column for each programming language to show the sample code.
Project Name | Programming Languages | Repository | SonarQube Enabled | Notes | |
---|---|---|---|---|---|
1 | |||||
2 | |||||
4 | Akraino Profiling | ||||
5 | Akraino Regional Controller | ||||
6 | |||||
7 | Backup and Restore (Snappy) Feature Project | ||||
8 | Cluster Health & Overload Monitoring Platform (CHOMP) Feature Project | ||||
9 | MEC API Framework | ||||
10 | Support of OVS-DPDK in Airship |