Congrats to Morgan, Integration and seccom teams.

A very good collaborative work within the community

Regards

Eric
________________________________
From: [email protected] [[email protected]] on behalf of Amy 
Zwarico [[email protected]]
Sent: Monday 27 January 2020 14:17
To: RICHOMME Morgan TGI/OLN; [email protected]; 
[email protected]
Cc: ROUZAUT Fabian TGI/OLN; [email protected]
Subject: Re: [onap-tsc] [ONAP] [CI][Integration] security tests integration in 
ONAP CI chains

Great news!

From: [email protected] <[email protected]>
Sent: Monday, January 27, 2020 4:44 AM
To: [email protected]; [email protected]
Cc: ROUZAUT Fabian TGI/OLN <[email protected]>; 
[email protected]; ZWARICO, AMY <[email protected]>
Subject: [ONAP] [CI][Integration] security tests integration in ONAP CI chains

Hi

I am happy to announce that a new xtesting security docker was integrated 
at the end of last week.

This new docker includes 3 new tests dealing with security:
- root_pods: we check that the pods are not run as root
- unlimitted_pods: we check that limits have been set for each pod
- cis_kubernetes: we perform the CIS security suite implemented by aquasecurity 
based on CIS requirements and defined as a Security requirement by Seccom for 
Frankfurt 
(https://jira.onap.org/browse/REQ-243)
root_pods and unlimitted_pods have been provided by F.Rouzaut involved in 
Seccom.
Additional tests (port scan) are already available 
(https://git.onap.org/integration/tree/test/security)
 and will be added very soon in the docker to complete the test suite.

All the security tests have been declared under the security project in the 
test DB: 
http://testresults.opnfv.org/onap/api/v1/projects/security/cases

The good news is that the tests are now integrated and are run in the CI chains
- Daily El Alto
- Daily Master (future Frankfurt): e.g. 
https://gitlab.com/Orange-OpenSource/lfn/onap/xtesting-onap/-/jobs/415571519
- Gating: e.g. 
https://gitlab.com/Orange-OpenSource/lfn/onap/xtesting-onap/-/jobs/415455149
For the moment these chains are running on Orange labs (Daily + gating) + Azure 
(gating). But any lab can add this docker as part of its chains.

The bad news is that they are all failing for the moment.. 
(https://gitlab.com/Orange-OpenSource/lfn/onap/xtesting-onap/-/jobs/415571519/artifacts/download)
- regarding root_pods (135 on 240 pods launched as root) and unlimitted_pods, 
it is up to the project to fix the issues by modifying their docker build chain 
(not using root user) and/or fix limit in their helm charts.
- regarding cis tests, 34 assertions fail.
It is not directly linked to ONAP but has to be fixed at k8s installation 
whatever the installer (rke, kubespray)

Note that the port scans to be added also show some open ports.

We may add a topic for the PTL meeting on these new tests and also a topic to 
remind best practices on Gating

/Morgan
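
The root_pods and unlimitted_pods checks described in the message above, sketched as an added example; this is not the xtesting test code from the ONAP integration repository. It assumes a static reading of `kubectl get pods -o json` output (the sample below is constructed), treats a container as possibly root unless a non-zero runAsUser or runAsNonRoot is set, and requires both cpu and memory limits.

```python
import json

# Constructed sample in the shape of `kubectl get pods -o json` (not real ONAP output).
SAMPLE = json.loads("""
{"items": [
  {"metadata": {"name": "demo-a", "namespace": "onap"},
   "spec": {"securityContext": {"runAsUser": 1000, "runAsNonRoot": true},
            "containers": [{"name": "app",
                            "resources": {"limits": {"cpu": "1", "memory": "1Gi"}}}]}},
  {"metadata": {"name": "demo-b", "namespace": "onap"},
   "spec": {"containers": [{"name": "app", "resources": {}}]}},
  {"metadata": {"name": "demo-c", "namespace": "onap"},
   "spec": {"securityContext": {"runAsUser": 1000},
            "containers": [{"name": "app",
                            "resources": {"limits": {"memory": "512Mi"}}},
                           {"name": "sidecar",
                            "securityContext": {"runAsUser": 0},
                            "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}}]}}
]}
""")

def may_run_as_root(pod_sc, ctr_sc):
    """Container-level securityContext fields override pod-level ones."""
    eff = {**(pod_sc or {}), **(ctr_sc or {})}
    uid = eff.get("runAsUser")
    if uid is not None:
        return uid == 0
    # No UID pinned: the image's USER decides, so only runAsNonRoot rules root out.
    return not eff.get("runAsNonRoot", False)

def audit(pod_list, required=("cpu", "memory")):
    """Return (root_findings, limit_findings) as lists of 'namespace/pod/container'."""
    root, unlimited = [], []
    for pod in pod_list.get("items", []):
        meta, spec = pod["metadata"], pod["spec"]
        ctrs = spec.get("containers", []) + spec.get("initContainers", [])
        for c in ctrs:
            ref = f'{meta.get("namespace", "default")}/{meta["name"]}/{c["name"]}'
            if may_run_as_root(spec.get("securityContext"), c.get("securityContext")):
                root.append(ref)
            limits = (c.get("resources") or {}).get("limits") or {}
            if any(r not in limits for r in required):
                unlimited.append(ref)
    return root, unlimited

if __name__ == "__main__":
    root, unlimited = audit(SAMPLE)
    print("may run as root:", root)
    print("missing limits:", unlimited)
```

A static spec check like this over-reports images that set a non-root USER themselves; confirming the actual UID requires inspecting the running container.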



_________________________________________________________________________________________________________________________



This message and its attachments may contain confidential or privileged 
information that may be protected by law;

they should not be distributed, used or copied without authorisation.

If you have received this email in error, please notify the sender and delete 
this message and its attachments.

As emails may be altered, Orange is not liable for messages that have been 
modified, changed or falsified.

Thank you.


