Docker and Kubernetes Security in ONAP Pawel Pawlak Amy Zwarico


1 Docker and Kubernetes Security in ONAP Pawel Pawlak Amy Zwarico
September 26th, 2019

2 Docker Container Security: CIS Docker Benchmarks v1.2
Set of controls to implement with instructions and tests

All ONAP containers configured per:
- Section 4: Container Images and Build File Configuration
- Section 5: Container Runtime Configuration

ONAP is tested in an environment in the following configuration:
- Linux host: Section 1.2 Linux Hosts Specific Configuration
- Docker daemon: Section 2 Docker daemon configuration
- Docker daemon configuration files: Section 3 Docker daemon configuration files

M2: Plan to develop each ONAP release using the latest stable version of Docker
- El Alto: Docker x ( minimum)
- Latest stable release: / July 25, 2019

El Alto VNF Security Requirements: Containerized VNFs must follow the CIS Docker Benchmarks and must run in a Docker environment that is configured with the controls.

3 Deeper Dive Securing Container Images – Project impact
Container Images and Build File Configuration
- Containers should run as a non-root user. 19/8/8 – 81 ONAP containers running as root
- Ensure that unnecessary packages are not installed in the container
- Ensure that HEALTHCHECK instructions have been added to container images

Container Run Time Configuration
- Ensure that Linux kernel capabilities are restricted within containers
- Ensure that privileged containers are not used
- Ensure that only needed ports are open on the container

Securing the Docker Engine (Docker daemon: Section 2 Docker daemon configuration)
- Ensure network traffic is restricted between containers on the default bridge
- Ensure that authorization for Docker client commands is enabled
- Ensure Userland Proxy is disabled

Impact       Layer                                           Controls
Project      Container images and build file configuration   11
             Container run time configuration                31
             Total                                           41
Integration  Linux host                                      12
             Docker daemon                                   17
             Docker daemon configuration files               22
             Total                                           51
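As an added example (not from the presentation or the ONAP project), the Python below audits `docker inspect` output for the container-image and run-time controls listed on this slide: non-root user, HEALTHCHECK present, no added kernel capabilities, no privileged mode, only needed ports. The two container records are constructed, and the set of allowed ports is an assumption.

```python
"""Audit `docker inspect` JSON against the CIS Docker Benchmark controls named
on the slide. Added example; the container records below are constructed."""
import json

# Constructed sample: two containers as `docker inspect <id> <id>` would report them.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/onap-good",
     "Config": {"User": "1000:1000", "Healthcheck": {"Test": ["CMD", "true"]}},
     "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                    "PortBindings": {"8443/tcp": []}}},
    {"Name": "/onap-bad",
     "Config": {"User": "", "Healthcheck": None},
     "HostConfig": {"Privileged": True, "CapAdd": ["NET_ADMIN", "SYS_ADMIN"],
                    "CapDrop": None,
                    "PortBindings": {"22/tcp": [], "80/tcp": [], "8080/tcp": []}}},
])


def audit_container(c, allowed_ports):
    """Return the list of slide controls this container record violates."""
    cfg, host = c.get("Config") or {}, c.get("HostConfig") or {}
    findings = []
    # An empty User means the image's default, which is root unless USER was set.
    user = cfg.get("User") or ""
    if user in ("", "root", "0") or user.split(":")[0] in ("root", "0"):
        findings.append("container runs as root (non-root user required)")
    if not cfg.get("Healthcheck"):
        findings.append("no HEALTHCHECK instruction in the image")
    if host.get("CapAdd"):
        findings.append("kernel capabilities added: " + ",".join(host["CapAdd"]))
    if host.get("Privileged"):
        findings.append("privileged container")
    extra = sorted(set(host.get("PortBindings") or {}) - set(allowed_ports))
    if extra:
        findings.append("unneeded ports open: " + ",".join(extra))
    return findings


def audit(inspect_json, allowed_ports=("8443/tcp",)):
    """Map container name -> findings for every record in the inspect output."""
    return {c["Name"].lstrip("/"): audit_container(c, allowed_ports)
            for c in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name, "PASS" if not findings else findings)
```

Feed it real output with `docker inspect $(docker ps -q)` and adjust the allowed-port list per container; the check is a quick pre-audit, not a replacement for the benchmark's own tests.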

4 Docker Security Implementation Path
Release    Milestone  Deliverable
Frankfurt  M1         SECCOM, TSC, PTL, Release Manager agree on the mandatory container image, build file and run time controls for the release
                      SECCOM and Integration teams agree on mandatory Linux host, Docker daemon, and Docker daemon config file controls for the release
                      SECCOM creates project and Integration Jiras
                      SECCOM and Integration teams agree on audit tests
           M2         TSC, Integration, SECCOM, PTL agree on Docker version for release (July 25, 2019)
           M3         Audit tests delivered to Integration team
           M4         Integration lab completes implementation of Linux host, Docker daemon and Docker daemon config files controls
                      Project Docker containers complete implementation of container image, build file and run time controls
           RC0        Project RC0 containers configured correctly and execute without Docker errors in the Integration environment

5 Kubernetes Security: CIS Kubernetes Benchmark v1.4.1
Set of controls to implement with instructions and tests

Master Node Security Configurations: API Security, Scheduler, Controller Manager, Configuration Files, etcd, General Security Primitives, PodSecurityPolicies
Worker Node Security Configuration: Kubelet, Configuration Files, Docker daemon configuration files

Plan to develop each ONAP release using the most recent version of Kubernetes at M2.
- Current ONAP uses Kubernetes , Helm , RKE (w/ kubernetes_version=v rancher1-1 in cluster.yml)
- Latest stable versions: Kubernetes v1.16, Helm v2.14.3, RKE 0.2.8

El Alto VNF Security Requirements: Containerized VNFs must follow the CIS Docker Benchmarks and must run in a Docker environment that is configured with the controls.

Impact                Layer                               Controls
Master Node Security  API Security                        39
                      Scheduler                            2
                      Controller Manager                  31
                      etcd                                 7
                      General Security Primitives          8
                      PodSecurityPolicies
                      Total                               94
Worker Node Security  Kubelet                             14
                      Configuration Files                 10
                      Docker daemon configuration files    3
                      Total                               27

6 Kubernetes Security Implementation Path
Release    Milestone  Deliverable
Frankfurt  M1         SECCOM, TSC, Release Manager, Integration team agree on the mandatory master node security controls and mandatory worker node security controls for the release
                      SECCOM creates Jiras
                      SECCOM and Integration teams agree on implementation of audit tests
           M2         TSC, Integration, SECCOM, PTL agree on Kubernetes, Helm, RKE versions for release: Kubernetes v1.16, Helm v2.14.3, RKE 0.2.8
           M3         Audit tests in place
           M4         Integration lab completes implementation of master and worker node security controls
           RC0        Project RC0 containers configured correctly and execute without Kubernetes errors in the Integration environment

7 Thank you
