  1. Security Subcommittee
  2. SECCOM-81

Risk Assessment Review


      This is a review of the risk assessment and way forward.

      SECCOM-2018-11-29

       

      Risk Assessment reference material presented by Robert: we can see that several of the different databases used in ONAP lack hardening according to best practices. The Kubernetes in ONAP is also not hardened and has a very low CIS CAT score.

      • A side note: we assume ONAP now also ships Kubernetes, but ONAP probably should not ship it at all because K8s is not part of ONAP (we wrote an action item suggesting that you, Steve, check this and, if needed, propose excluding K8s from the ONAP deliverables).

       

      Action item 1: The ONAP Security User Guide shall describe the K8s platform configuration that has been used in ONAP I&V, with the CIS benchmark as the guidance for a hardened configuration. This will be a K8s reference config by ONAP. Target: Dublin.

      Action item 2: Integration project: run all the tests on hardened K8s. Target: Dublin.

      Action item 3: Any ONAP “common components” (like databases) are responsible for providing a helm chart that deploys the component in a hardened configuration. Few such ONAP “common components” exist today, but they should.

       

      Action item 4: Contact the release manager to ask whether there could be version control per build (maybe not for every build, but at the moment there is nothing).

      • CIS CAT tool: a free tool; the license is probably OK to allow usage in the ONAP community (but maybe not to publish the results). This tool could be part of the CI/CD pipeline for all the subjects that have a CIS profile (e.g., databases).

       

      Way forward: we agreed to have a half-day Risk Assessment continuation, with a focus on risk level rating, co-located with the January F2F developer event. Preparation meeting(s) will be held before that.

       

            auztizza auztizza