
R4 Planning.pdf

Release 4 planning.xmind


Tasks:



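| # | Task | Subtask | Owner | Status | Date |
|---|------|---------|-------|--------|------|
| 1 | Test | Figure out mandatory Tests and security test list | Hao | | |
| | | Lab set up validation | TBD | | |
| | | Test in Futurewei Lab | TBD | | |
| | | Test in Intel Lab | TBD | | |
| 2 | Documentation | Architecture | Yin, Jane | | |
| | | Supported Kubernetes native API | Yin, Jane | | |
| | | ML Offloading API | Hao/Jiafeng, Jane | | |
| | | Installation guide | Hao | | |
| | | Release Notes | Yin, Jane | | |
| 3 | TSC Review | Documentation review | | | |
| | | Log review | | | |
| | | R4 eligibility | | | |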



Detailed Test Tasks:

| Category | Task | Owner | Status | ETA | Comments |
|----------|------|-------|--------|-----|----------|
| CI/CD Logs upload to Nexus | Register an LFID | Hao | Complete | | How to: Push Logs to Nexus<br>https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2<br>https://identity.linuxfoundation.org/<br>https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-20459 |
| | Request permission for Nexus log | Yin/Hao | Complete | | |
| | Set up CD pipelines | Yin | In Progress | | |
| | Upload CD logs to Nexus | Hao | In Progress | | |
| Bluval | Provision jumpserver | Yin/Hao | Complete | | Bluval User Guide<br>http://gerrit.akraino.org/r/validation |
| | Test set up and run tests | Hao | In Progress | | |
| | Fix issues for failed tests | | | | |
| | Report results | | | | |
| Security Scan | Vuls: test set up and run tests | Hao | In Progress | | Steps To Implement Security Scan Requirements<br>Reuse the jumpserver for Bluval tests. |
| | Lynis: test set up and run tests | Hao | In Progress | | |
| | Kube-Hunter: test set up and run tests | Hao | In Progress | | |
| | Fix issues for failed tests | Hao | In Progress | | |
| | Upload test results to Nexus | | | | |



Test Results & Analysis:

Lynis

  Result: Pass
  Applied Fixes: 27 fixes applied, see Steps To Implement Security Scan Requirements
  Comment: To maintain the pass result, the server needs to be restarted if it's required.

Vuls

  Result: 8 CVEs with score > 9.0

  1. Performed the Vuls tests on two other distros as well:
     • Ubuntu 20.04: 4 CVEs with score > 9.0
     • CentOS 8: 3 CVEs with score > 9.0
  2. Manually installed 0.9.4 libssh to fix https://nvd.nist.gov/vuln/detail/CVE-2019-14889, but Vuls still shows the same CVE.
  3. The bluval code requires all CVEs to be fixed, no matter what the score is.

Kube-Hunter

  1. Remote cluster scan passes.
  2. Remote node scan passes.
  3. The scan from inside a Pod shows "fail", but this is not a true failure.

  https://aquasecurity.github.io/kube-hunter/kb/KHV002.html

  https://aquasecurity.github.io/kube-hunter/kb/KHV050.html

  Disabled CAP_NET_RAW for the default pod security context.

  KubeEdge edge core only listens on localhost, so the log is not available from another machine.

  Workaround: nginx as a reverse proxy listens on the k8s advertised IP and passes the traffic through to localhost.

Conformance

