Dear Keong Lim,
On 08.05.2019 03:57, Keong Lim wrote:
> Hi Seccom,

So actually we are expecting that in 1-2 releases there will be no plain
text and no API ports exposed outside of the k8s cluster.
Please let me clarify. The tickets that you mentioned here are related
to NodePorts which means ports exposed outside of the Kubernetes Cluster
and this is what we are trying to get fixed.
To provide the minimal level of security and privacy all the
communication between end user and ONAP should happen via HTTPS.
My understanding of your email is that you are concerned about component
to component communication which doesn't require exposing port outside
of the cluster but may be achieved using ClusterIP.
Obviously in the end of the day we would like to secure also component
to component communication but it's a next step. First let's try to
achieve the very basic security of the external communication.
> Should this be considered for El Alto release?

We are discussing deferring those issues that you mentioned to the El
Alto release but we need to remember that this has certain consequences:
1. We require projects to clearly document this as a vulnerability in
their security release notes.
2. Projects should change their answer to all CII badging questions
related to secure communication from Met to Unmet which will influence
their CII badging score.
Samsung R&D Institute Poland