Release 4 planning and tracking

R4 Planning.pdf

Release 4 planning.xmind


Tasks:



| # | Category | Task | Owner | Status | Date |
|---|----------|------|-------|--------|------|
| 1 | Test | Figure out mandatory tests and security test list | Hao | Done | |
| | Test | Lab set-up validation | TBD | | |
| | Test | Test in Futurewei Lab | TBD | | |
| | Test | Test in Intel Lab | TBD | | |
| 2 | Documentation | Architecture (add Pod Topology) | Yin, Jane | | |
| | Documentation | Supported Kubernetes native API | Yin, Jane | | |
| | Documentation | ML Offloading API | Hao/Jiafeng, Jane | | |
| | Documentation | Installation guide | Hao | | |
| | Documentation | Release Notes | Yin, Jane | | |
| 3 | TSC Review | Documentation review | | | |
| | TSC Review | Log review | | | |
| | TSC Review | R4 eligibility | | | |



Detailed Test Tasks:

| Category | Task | Owner | Status | ETA | Comments |
|----------|------|-------|--------|-----|----------|
| CI/CD logs upload to Nexus | Register an LFID | Hao | Complete | | How to: Push Logs to Nexus; https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2 ; https://identity.linuxfoundation.org/ ; https://jira.linuxfoundation.org/plugins/servlet/theme/portal/2/IT-20459 |
| | Request permission for Nexus log | Yin/Hao | Complete | | |
| | Set up CD pipelines | Yin | In Progress | | |
| | Upload CD logs to Nexus | Hao | In Progress | | |
| Bluval | Provision jumpserver | Yin/Hao | Complete | | Bluval User Guide; http://gerrit.akraino.org/r/validation |
| | Test set up and run tests | Hao | In Progress | | |
| | Fix issues for failed tests | | | | |
| | Report results | | | | |
| Security Scan | Vuls: test set up and run tests | Hao | In Progress | | Steps To Implement Security Scan Requirements; reuse the jumpserver from the Bluval tests |
| | Lynis: test set up and run tests | Hao | In Progress | | |
| | Kube-Hunter: test set up and run tests | Hao | In Progress | | |
| | Fix issues for failed tests | Hao | In Progress | | |
| | Upload test results to Nexus | | | | |



Test Results & Analysis:

Lynis
  Result: Pass
  Applied fixes: 27 fixes applied, see Steps To Implement Security Scan Requirements
  Comment: To keep the pass result, restart the server whenever a fix requires it.

Vuls
  Result: 8 CVEs with score > 9.0 on Ubuntu 18.04
  Comments:
  1. Performed the Vuls tests on two other distros as well:
     - Ubuntu 20.04: 4 CVEs with score > 9.0
     - CentOS 8: 3 CVEs with score > 9.0
  2. Manually installed libssh 0.9.4 to fix https://nvd.nist.gov/vuln/detail/CVE-2019-14889, but Vuls still reports the same CVE.
  3. The bluval code requires all CVEs to be fixed, regardless of score.
Kube-Hunter
  Result:
  1. Remote cluster scan passes
  2. Remote node scan passes
  3. The inside-a-Pod scan shows "fail", but the reported findings are not true positives:
     https://aquasecurity.github.io/kube-hunter/kb/KHV002.html
     https://aquasecurity.github.io/kube-hunter/kb/KHV050.html
  Applied fixes / comments:
  - Disabled CAP_NET_RAW in the default pod security context (a tough one to fix!)
  - KubeEdge edgecore only listens on localhost, so logs are not available from another machine.
  - Tried to let edgecore listen on eth0, but kubectl logs still complains about the SSL certificate.
  - Workaround: nginx as a reverse proxy listening on the k8s advertised IP, passing the traffic through to localhost, with an SSL certificate added.
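One way to realise the nginx workaround above, added here as an illustration rather than the blueprint's own configuration: the advertised IP, proxy port, edgecore port, API-server IP and certificate paths are placeholders, and it assumes edgecore serves TLS on localhost.

```nginx
# Added illustration of the reverse-proxy workaround; values in <...> are placeholders.
# The certificate presented here must list <K8S_ADVERTISED_IP> as a SAN, otherwise
# kubectl logs will keep rejecting the connection just as it did on eth0.
server {
    listen <K8S_ADVERTISED_IP>:<PROXY_PORT> ssl;

    ssl_certificate     /etc/nginx/certs/edgecore-proxy.crt;   # assumption: cert issued for the advertised IP
    ssl_certificate_key /etc/nginx/certs/edgecore-proxy.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Only the API server needs the kubelet-style logs/exec endpoint; keep everyone else out.
    allow <APISERVER_IP>;
    deny  all;

    location / {
        # assumption: edgecore serves TLS on the loopback port; pass the request through unchanged
        proxy_pass https://127.0.0.1:<EDGECORE_LOCAL_PORT>;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;   # exec/attach/port-forward use protocol upgrade
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 3600s;                 # keep long-running `kubectl logs -f` streams open
    }
}
```

Because nginx terminates TLS here, the API server trusts the proxy certificate rather than edgecore's, so the proxy host should be hardened as carefully as the node's kubelet port would be.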

Conformance
  1. Sonobuoy can test v1.19, but bluval conformance can only test up to v1.16 (akraino/validation:kube-conformance-v1.16).
  2. The KubeEdge architecture does not make a kubeconfig available at the Edge. Workaround: provide the kubeconfig manually at the Edge?