...

ICN Master Bare Metal Deployment Verifier

(Figure: pod11 bare metal topology; image source: https://gerrit.akraino.org/r/gitweb?p=icn.git;a=blob;f=doc/pod11-topology.png)

...

ICN Master Virtual Deployment Verifier

...

(Figure: virtual deployment topology; image source: https://gerrit.akraino.org/r/gitweb?p=icn.git;a=blob;f=doc/vm-topology.png)

  • The bare metal network is used as the K8s control plane; OVN and Calico use it for the overlay network, with Internet access via NAT.
  • The provisioning network is used by Ironic for inspection and for serving OS images.
  • The Redfish protocol runs over the bare metal network using sushy-emulator.

Bare metal deployment

Hostname | CPU Model | Memory | BMC Firmware | Storage | 1GbE: NIC#, VLAN (connected to Extreme 480 switch) | 10GbE: NIC#, VLAN, Network (connected to IZ1 switch) | 40GbE: NIC#
pod11-node5 (jump) | Intel 2xE5-2699 | 64GB | 1.46.9995 | 3TB (SATA), 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) | (none)
pod11-node2 | Intel 2xE5-2699 | 64GB | 1.46.9995 | 3TB (SATA), 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) | (none)
pod11-node3 | Intel 2xE5-2699 | 64GB | 1.46.9995 | 3TB (SATA), 180 (SSD) | IF0: VLAN 110 (DMZ); IF1: VLAN 111 (Admin) | IF2: VLAN 112 (Private), VLAN 114 (Management); IF3: VLAN 113 (Storage), VLAN 1115 (Public) | IF4: SRIOV

...

  • Nodus provides provider networks using VLAN networking and Service Function Chaining.
  • After the pod is up and running, attach to the pod and check for the multiple interfaces created inside the container.
  • Nodus networking is set up and created.

Nodus Validation and test case results

Node Feature Discovery

  • Node Feature Discovery (NFD) for Kubernetes detects the hardware features available on each node in a Kubernetes cluster and advertises them as node labels.
  • Create a pod whose label requirements allow it to be scheduled only on nodes whose major kernel version is 3 or above. Since the NFD master and worker DaemonSet are already running, the master holds all the node label information collected by the workers.
  • If the OS version matches, the pod is scheduled and comes up. Otherwise the pod stays in the Pending state, because no node carries the labels the pod requests.
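The pod spec below is an added example of the NFD check described above; it is not taken from the ICN repository. It uses the NFD-published label feature.node.kubernetes.io/kernel-version.major (a real NFD label) with the Gt operator, which compares the label value as an integer, so "greater than 2" selects nodes running kernel major version 3 or above; the pod name and image are constructed for the example.

```yaml
apiVersion: v1
kind: Pod
metadata:
  name: nfd-kernel-major-check   # constructed name for this example
spec:
  affinity:
    nodeAffinity:
      requiredDuringSchedulingIgnoredDuringExecution:
        nodeSelectorTerms:
        - matchExpressions:
          # NFD label: kernel major version, e.g. "5" on a 5.4 kernel.
          # Gt treats the value as an integer, so > 2 means 3 and above.
          - key: feature.node.kubernetes.io/kernel-version.major
            operator: Gt
            values: ["2"]
  containers:
  - name: check
    image: busybox   # constructed; any image that can run uname works
    command: ["sh", "-c", "uname -r; sleep 3600"]
```

If no node carries a matching label the pod stays Pending, and `kubectl describe pod nfd-kernel-major-check` shows a FailedScheduling event naming the unmatched node affinity; `kubectl get node -L feature.node.kubernetes.io/kernel-version.major` lists which nodes NFD labelled and with what value.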

...

  • Use KUD to set up 3 clusters (sdewan-hub, edge-a, edge-b).
  • Run the SDEWAN CRD Controller in each cluster.
  • Create an SDEWAN CNF instance and a dummy pod (httpbin is used instead) in edge-a, and an SDEWAN CNF instance and an httpbin pod in edge-b.
  • Create an IPSec CR to configure sdewan-hub as the responder, providing virtual IP addresses to any authenticated party that requests them through the SDEWAN CRD Controller.
  • Create IPSec CRs to configure the edge-a and edge-b IPSec settings so that they obtain their IP addresses through the SDEWAN CRD Controller.
  • Establish the edge-a tunnel to sdewan-hub and the edge-b tunnel to sdewan-hub; the hub's XFRM policies will automatically route traffic between edge-a and edge-b.
  • Create an SNAT CR to establish the SNAT rule in edge-a and a DNAT CR to establish the DNAT rule in edge-b, which together enable a TCP connection from edge-a to edge-b's httpbin service.
  • Verify that a curl command from the edge-a dummy pod (httpbin) to edge-b's httpbin service succeeds. The curl target returns the IP address of the requester.

BluVal Testing

Status as of July 7th 2021:

...

Layer | Result | Comments
os/lynis | PASS with exceptions | Exceptions: USB-2000; SSH-7408: Checking MaxSessions, Checking Port; KRNL-6000: net.ipv4.conf.all.forwarding
os/vuls | PASS with exceptions | Exceptions: CVE-2016-1585, CVE-2017-18342, CVE-2017-8283, CVE-2018-20839, CVE-2019-17041, CVE-2019-17042, CVE-2019-19814
k8s/conformance | PASS with exceptions | Exceptions: Sonobuoy v0.16.1 does not support Kubernetes v1.18.9
k8s/kube-hunter | PASS | With aquasec/kube-hunter:edge image

...

Release 6 Blueprint Scanning Status

Each scan is reported with its Pass/Fail status and its Exceptions.

OS Vuls Scan

  • Pass/Fail: See results here
  • Exceptions requested for the following:
      • CVE-2021-33574
      • CVE-2019-19814
      • CVE-2021-35942
  • Exception requests

OS Lynis Scan

  • Pass/Fail: See results here
  • Exceptions requested for the following:
      • BOOT-5122: GRUB boot password interferes with the unattended reboot during OS provisioning.
      • USB-2000: USB hubs and HID devices must be enabled for BMC Console Redirection.
      • SSH-7408: MaxSessions of 2 prevents lynis from running under Bluval. Lynis, etc. robot files need to be updated to handle a different port.
      • KRNL-6000: Kernel module loading is required by accelerator drivers. Forwarding is required by k8s.

Kube-Hunter Scan

  • Pass/Fail: See results here; Pass

...

Akraino CVE Vulnerability Exception Request

Akraino BluVal Exception Request

CD logs

...

ICN Master Bare Metal Deployment Verifier

ICN Master Virtual Deployment Verifier

ICN SDEWAN Master End2End Testing

...