Page History

...

High Level Overall Requirements
CI, Blueprint Validation Lab Sub-Committee Requirements
1. Present Pod Topology document.
2. Peering w/LF Jenkins - (Note: peering is an optional requirement)
3. Push logs through Nexus. (Note: This is mandatory for Incubation self-certified and Maturity)
4. Usage of topics for release
  1. Releases >= 1.0 (e.g. 1.xyz, 2.xyz etc) are reserved for BP that have been approved as Core by the TSC (considered ‘GA’ quality).
  2. Releases <1.0 (e.g. 0.xyz etc) are reserved for projects that have not reached the Akraino Core level (i.e. anything that is in Incubation (‘alpha’ quality) and Mature (‘beta’ quality).
5. Enforcement of Static Code Analysis through SonarCloud (SaaS), WIP LF Release Engineering & Security Subcommittee. (Note: This is an optional requirement for Incubation self certified and mandatory for Maturity)
Security Sub-Committee Requirements, please fill in Release 4 Blueprint Scanning Status. Instructions can be found at: Steps To Implement Security Scan Requirements
Blueprint Validation Framework Feature Project Requirements See TSC meeting.
Projects going for Maturity Review please refer to Maturity Criteria defined by Process subcommittee BP Graduation Review Processes and Criteria (Note this is not required for self certification, only required for maturity review)
Documentation Sub-Committee Requirements
User Documents:
The following documentation with the following sections called out should be on the wiki with links to rest of the sections as applicable. We prefer that the entire doc is on the wiki but we do not require it.
Architecture - Blue print Overview and overall architecture
Release Notes – Summary and What is released
Installation Doc – Introduction and deployment architecture
Test Document – Introduction and Overall Test Architecture
Developer Documents:
We are also recommending that Blueprints include via ReadtheDocs, with each Blue Print given their own repo, but we do not require it
API Sub-Committee Requirements (Note: See this link for requirements: Blueprint Projects R4 and R5 API Reporting Requirements)
Community Sub-Committee Requirements (Note: no mandatory requirements for Incubation self-certified or Maturity)
Process Sub-Committee Requirements (Note: See the Process Sub Committee page defining the TSC approved Maturity review process and requirements for those requesting inclusion in R3 at Mature level BP Graduation Review Processes and Criteria)
Upstream Sub-Committee Requirements (Note: no mandatory requirements for Incubation self-certified or Maturity). Here is the R4 release Upstream BP review status, Release Upstream Compliance. Also please refer to the page for the R4 requirement as well.

...

30 Sep All vulnerabilities >9.0 must be fixed or verification provided that no patch currently exists.

CVE-2017-18017 10.0

CVE-2018-15686 10.0

CVE-2019-14901 10.0

CVE-2017-15670 9.8

CVE-2017-15804 9.8

CVE-2018-1000007 9.8

CVE-2018-1000120 9.8

CVE-2018-11236 9.8

CVE-2018-1126 9.8

CVE-2018-12910 9.8

CVE-2018-15688 9.8

CVE-2018-16402 9.8

CVE-2018-18074 9.8

CVE-2018-18751 9.8

CVE-2018-20060 9.8

CVE-2018-6485 9.8

CVE-2019-10126 9.8

CVE-2019-10160 9.8

CVE-2019-14895 9.8

CVE-2019-16746 9.8

CVE-2019-17041 9.8

CVE-2019-17042 9.8

CVE-2019-17133 9.8

CVE-2019-5482 9.8

CVE-2019-9636 9.8

CVE-2016-7913 9.3

CVE-2017-15126 9.3

CVE-2017-16997 9.3

CVE-2017-9725 9.3

CVE-2018-10897 9.3

CVE-2019-12735 9.3

CVE-2018-1000122 9.1

CVE-2018-1000301 9.1

CVE-2019-9948 9.1

CVE-2016-10745 9.0

CVE-2018-19788 9.0

CVE-2019-14287 9.0

____________________________________________________________

30 Sep 2021

Lynis: Need to fix the following vulnerabilities:

(Default umask values): FAILEDResult: found umask 022, which could be improved
(Check OpenSSH option: AllowUsers and AllowGroups): FAILED Suggestion: AllowUsers and AllowGroups should be set

____________________________________________________________

30 Sep 2021

Kube-Hunter:

Pod: The following vulnerability must be corrected.

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.

Cluster: Accepted

https:///iec5_r4/15/

R5 Release Notes of IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family

Completed by 8/30/2021

18

https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/conformance/

https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/kube-hunter/

Incubation Level Review Results:

17 Sep 2021

Vuls: Accepted with exceptions shown at:

Release 5 Vuls Exception Request

_____28 Sep Here are the updated logs of the test
https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/k3s/k3s-logs/

Lynis: Need to fix the following vulnerabilities:

sysctl key fs.suid_dumpable: FAILED Expected value: 0

sysctl key kernel.dmesg_restrict: FAILED Expected value: 1Expected valueThe following as (compiler) - cc (compiler) - g++ (compiler) - /usr/bin/g++gcc (compiler) -

23 Aug 2021

Kube-Hunter:

Cluster: Accepted with exceptions shown at:

Release 5 Blueprint Scanning Status

This issues must be resolved prior to maturity.

Pod: Could the same comparison between k3s and microk8s be provided for the kube-hunter pod.log as was provided for the cluster.log?

The following vulnerabilities must be fixed:

Access to pod's secrets
Suggestion:
https://blog.aquasec.com/managing-kubernetes-secrets
Securing etcdsecret data is stored in etcd. By default, etcd data is not encrypted and neither are your secrets. You should enable encryption at rest, limit access to etcd to admin users only, and safely dispose of disks where etcd data was formerly stored
Use SSL/TLSwhen running etcd in a cluster, you must use secure peer-to-peer communication.
Exposed PodsDescription: An attacker could view sensitive information about pods that are bound to a Node using the /pods endpoint.
KHV043 - Cluster Health DisclosureSuggestion: Disable --enable-debugging-handlers kubelet flag.
KHV007 - Specific Access to Kubernetes API Suggestion: Review the RBAC permissions to Kubernetes API server for the anonymous and default service account
KHV005 - Access to Kubernetes API
KHV002 - Kubernetes version disclosureSuggestion: Disable --enable-debugging-handlers kubelet flag.
KHV050 - Read access to Pod service account token
Suggestion: It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.
Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.
KHV044 - Privileged ContainerSuggestion: Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

No.	Project Name	TSC Subgroup Release Status	Is this your first release	Blue Print Stage Self-Certify Incubation Mature Core	CD Logs URL to be used for review (Column filled in by PTLs) How to: Push Logs to Nexus Jenkins Master for Private Lab Jenkins Peering Guide Example: KubeEdge BP Test Documents	Link to executive one pager (editable doc format) (Column filled in by PTLs)	API Info Reporting Review (Column filled in by API Subcommittee) (note for PTLs – go here for steps to fill in project API info form)	BluVal Certification Bluval User Guide	Security Certification Provide link to Vuls, Lynis, and Kube-Hunter logs below. Pass/Fail Criteria: Steps To Implement Security Scan Requirements Exception requests should be filed at: Release 5: Akraino CVE Vulnerability Exception Request	Upstream Review (Column filled by Upstream Subcommittee and PTLs) (note PTL can go to Release 5 BP/Feature Upstream Status to find details)	Date ready for TSC review (Column filled in by PTLs)	TSC Review Date (Column filled in by TSC)
1	Connected Vehicle Blueprint Thor Chin Tao Wang		No	Mature	https://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/cvb/	CVB_Akraino_R5_blueprint_Datasheet.docx	Per e-mail from WANG Tao (Tucker Wang) 20Aug21, no changes from R4			Completed by 8/24/2021
2	IEC Type 4: AR/VR oriented Edge Stack for Integrated Edge Cloud (IEC) Blueprint Family Bart Dong Thor Chin		No	Mature	https://nexus.akraino.org/content/sites/logs/parserlabs/r4/jobs/iec-type4/	IEC-Type4 Release 5 datasheet.docx	Per e-mail from Bart 7Sep21, no changes from R4
3
4	ICN - Integrated Cloud-Native Family Kuralamudhan Ramakrishnan		No	Incubation	ICN Master Bare Metal Deployment Verifier ICN Master Virtual Deployment Verifier	ICN R5 Datasheet	Per notice from Kural 5Aug21, no change from R4	https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/os/lynis/ https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/os/vuls/ https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/k8s/conformance/ https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master/20210707-182026/results/k8s/kube-hunter/	Filed Release 5: Akraino CVE Vulnerability Exception Request Incubation Level Review Results: 09 Aug 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 09 Aug 2021 Lynis: Accepted ____________________________________________________________ 09 Aug 2021 Kube-Hunter: Cluster: Accepted Pod: Accepted	Completed by 8/6/2021
5	ICN - Multi-Tenant Secure Cloud Native Platform Salvador Fuentes		Yes	Incubation	https://nexus.akraino.org/content/sites/logs/intel/ICN_CD_logs/pod11-node5/icn-master-bm-verify-bm_verifer-kata/12/	ICN-MTSCN R5 Datasheet	API form uploaded 24 May e-mail questions exchanged 20Jul21 Scheduled for review by API subcommittee 23 Jul 2021 API subcommittee review completed and info accepted 23 Jul 2021	https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210624-025354/results/os/lynis/ https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210712-025145/results/os/vuls/ https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210624-025354/results/k8s/conformance/ https://nexus.akraino.org/content/sites/logs/intel/bluval_results/icn/master-kata/20210624-025354/results/k8s/kube-hunter/	Filed Release 5: Akraino CVE Vulnerability Exception Request Incubation Level Review Results: 09 Aug 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 09 Aug 2021 Lynis: Accepted ____________________________________________________________ 09 Aug 2021 Kube-Hunter: Cluster: Accepted Pod: Accepted	Completed by 8/10/2021
6	ELIOT IoT Gateway Blueprint khemendra kumar		No	Incubation	https://nexus.akraino.org/content/sites/logs/huawei/job/eliot-build/18/home/jenkins/log/	ELIOT R5 IoT-Gateway Datasheet	Per e-mail from Khemendra 26Aug21, no changes from R4	https://nexus.akraino.org/content/sites/logs/huawei/job/eliot-security-validation-build/4/results/ Akraino BluVal Exception Request	Incubation Level Review Results: 19 Jul 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 19 Jul 2021 Lynis: Accepted ____________________________________________________________ 16 Aug 2021 Kube-Hunter: Cluster: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status	Completed 8/6/2021
7	ELIOT SD-WAN/WAN Edge/uCPE Blueprint khemendra kumar		NO	Incubation	https://nexus.akraino.org/content/sites/logs/huawei/job/eliot-uCPE-build/15/home/jenkins/log/	ELIOT R5 - SD-WAN / WAN Edge / uCPE Data Sheet	Per e-mail from Khemendra 26Aug21, no changes from R4	https://nexus.akraino.org/content/sites/logs/huawei/job/eliot-uCPE-security-build/10/results/ Akraino BluVal Exception Request	Incubation Level Review Results: 20 Jul 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 20 Jul 2021 Lynis: Accepted ____________________________________________________________ 16 Aug 2021 Kube-Hunter: Cluster: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status	Completed on 8/6/2021
8	Network Cloud and TF (Tungsten Fabric) Integration Project Sukhdev Kapur	TSC 2021-08-12 (Thursday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/juniper/validation-2021/	Blueprint Data Sheet	Per e-mail from Sukhdev 5Aug21, no change from R4	Not required as there is no change from Release 4	Not required as there is no change from Release 4	Completed by 8/10/2021	08/12/2021
9	KNI Provider Access Edge Ricardo Noriega		No	Incubation	https://jenkins.akraino.org/job/kni-blueprint-pae-verify-deploy-gcp/69/	Akraino R5 blueprint Datasheet_ KNI PAE.odt	Per e-mail from Ricardo 10Aug21, he uploaded R5 API info forms for both KNI blueprints, with no substantive changes from R4. The API subcommittee has a review scheduled for 20 Aug 2021 of the new API info forms and will update this table afterwards On 20 Aug 2021 the API Subcommittee reviewed and accepted the updated KNI R5 API forms		https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results/ Incubation Level Review Results: 17 Sep 2021 Vuls: Accepted with exception. The KNI Provider Access Edge blueprint uses OpenShift as its k8s distribution, which is deployed on Red Hat CoreOS, an immutable OS that is not supported by Vuls. __________________________________________________________ 02 Sep 2021 Lynis: Accepted ____________________________________________________________ 20 Aug 2021 Output manually generated, located at: Release 5 Security Scan Manual Logs Kube-Hunter: Cluster: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status	Completed by 8/10/2021	9/16/2021
10	KNI Industrial Edge Ricardo Noriega		No	Incubation	Management Hub: https://logs.akraino.org/production/vex-yul-akraino-jenkins-prod-1/kni-blueprint-management-hub-verify-deploy-gcp/19/ Industrial Edge: https://logs.akraino.org/production/vex-yul-akraino-jenkins-prod-1/kni-blueprint-ie-verify-deploy-gcp/4/	Akraino R5 blueprint Datasheet_ KNI IE.odt	See above note		https://nexus.akraino.org/content/sites/logs/redhat-kni/bluval_results/ Incubation Level Review Results: 17 Sep 2021 Vuls: Accepted with exception. The KNI Provider Access Edge blueprint uses OpenShift as its k8s distribution, which is deployed on Red Hat CoreOS, an immutable OS that is not supported by Vuls. __________________________________________________________ 02 Sep 2021 Lynis: Accepted ____________________________________________________________ 20 Aug 2021 Output manually generated, located at: Release 5 Security Scan Manual Logs Kube-Hunter: Cluster: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status	Completed by 8/10/2021	9/16/2021
11	Micro-MEC Ferenc Székely
12	The AI Edge: School/Education Video Security Monitoring Yu, Liya	TSC 2021-09-21 (Tuesday) 7:00 am Pacific	No	incubation	https://nexus.akraino.org/content/sites/logs/baidu/job/aiedge/6/	AIEdge_Akraino R5 blueprint Datasheet.docx	Per e-mail from Liya Yu 21Sep21, no changes from R4	https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/4/result/1	Incubation Level Review Results:	26 Oct 2021 Vuls:	Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 27 Oct 2021 Lynis: Accepted ____________________________________________________________ 26 Oct 2021 Kube-Hunter: Pod: Accepted Cluster: Accepted		9/20/2021	9/21/2021
13	The AI Edge: Intelligent Vehicle-Infrastructure Cooperation System(I-VICS) Yu, Liya		No	Incubation	https://nexus.akraino.org/content/sites/logs/fate/job/I-VICS/5/	Intelligent Vehicle-Infrastructure Cooperation System(I-VICS) Datasheet	Per e-mail from Zhuming Zhang (Simmy Zhang) 30Aug21, no changes from R4 Confirmed by Sihui Wang in e-mail 30Aug21	https://nexus.akraino.org/content/sites/logs/fate/job/I-VICS/5/	No new features or bugs have been added after R4 release	Missing Upstream information
14	5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint Feng Yang	TSC 2021-08-17 (Tuesday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/tencent/job/tencent_5g_mec/	5G MEC_Akraino R4&5 blueprint Datasheet.docx	Per e-mail from Eagan Fu 15Aug21, no change from R4			Completed by 8/24/2021
15	IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family hanyu ding Rajeev Gadgil		No	Incubation			As of 28 Sep 2021, waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects API Reporting Requirements) API info form uploaded by Rajeev28 Sep 2021 API info form reviewed 01 Oct 2021, no APIs offered or consumed, as Blueprint constructs and provides an Android cloud run-time environment for user applications Note - would like to further understand this when the BP comes up for review and voting approval during TSC call
16	IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family Leo Li	TSC 2021-09-21 (Tuesday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/cmti/job/iec5_r4/15/	IEC Release5-SmartNIC datasheet.docx IEC Release5 SmartNIC System Architecture.pdf	Per e-mail from Leo Li (Socnoc AI Inc) 11Aug21, no change from R4	Bluval Exception has been accepted for the project. Akraino BluVal Exception Request	No new features or bugs have been added after R4 release	R5 Release Notes of IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family Completed by 8/30/2021
17	Enterprise Applications on Lightweight 5G Telco Edge Gaurav Agrawal		No	Incubation	https://	9/20/2021	9/21/2021	13	The AI Edge: Intelligent Vehicle-Infrastructure Cooperation System(I-VICS) Yu, Liya	No	Incubation	https://nexus.akraino.org/content/sites/logs/fatehuawei/job/I-VICS/5/Intelligent Vehicle-Infrastructure Cooperation System(I-VICS) ealt-edge-build/51/home/jenkins/log/	EALTEDGE Release 5 Datasheet	Per e-mail from Zhuming Zhang (Simmy Zhang) 30Aug21Khemendra 20Aug21 (with Gaurav cc'd), no changes from R4 Confirmed by Sihui Wang in e-mail 30Aug21	https://nexus.akraino.org/content/sites/logs/ fate huawei/job/ I-VICS/5/	No new features or bugs have been added after R4 release	Missing Upstream information	14	5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint Feng Yang	TSC 2021-08-17 (Tuesday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/tencent/job/tencent_5g_mec/	5G MEC_Akraino R4&5 blueprint Datasheet.docx	Per e-mail from Eagan Fu 15Aug21, no change from R4	Completed by 8/24/2021	15	IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family hanyu ding Rajeev Gadgil	No	Incubation	As of 28 Sep 2021, waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects R4 and R5 API Reporting Requirements)	ealt-security-validation-build/19/results/ Akraino BluVal Exception Request	Incubation Level Review Results: 19 Jul 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 19 Jul 2021 Lynis: Accepted ____________________________________________________________ 16 Aug 2021 Kube-Hunter: Cluster: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status	R5 - Architecture Documentation of Enterprise Applications on Lightweight 5G Telco Edge Completed by 8/10/2021
18	Public Cloud Edge Interface (PCEI) Blueprint Oleg Berzin	TSC 2021-08-10 (Tuesday) 7:00 am Pacific	No		https://	16	IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family Leo Li	No	Incubation	nexus.akraino.org/content/sites/logs/cmti/job	IEC Release4-SmartNIC datasheet.docx	/pcei-daily/	https://wiki.akraino.org/x/lwHkAg	Per API Subcommittee meeting 30Jul21 Per e-mail from Leo Li (Socnoc AI Inc) 11Aug21 , no change from R4	Bluval Exception has been accepted for the project. Akraino BluVal Exception Request	PCEI R5 API Doc: https://wiki.akraino.org/x/qgHkAg	17	Enterprise Applications on Lightweight 5G Telco Edge Gaurav Agrawal	No	Incubation	https://nexus.akraino.org/content/sites/logs/ huawei pcei/job /ealt-edge-build/51/home/jenkins/log/	EALTEDGE Release 5 Datasheet	Per e-mail from Khemendra 20Aug21 (with Gaurav cc'd), no changes from R4	/r5/v1/ 02 Aug 2021 https://nexus.akraino.org/content/sites/logs/pcei/job/r5/v2/ Fixed: fs.suid_dumpable net.ipv4.conf.default.accept_source_route https://nexus.akraino.org/content/sites/logs/huawei/job/ealt-security-validation-build/19/results/ Akraino BluVal Exception Request	Incubation Level Review Results: 19 29 Jul 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 19 Jul 16 Aug 2021 Lynis: Accepted Accepted with exceptions shown at: Release 5 Blueprint Scanning Status ____________________________________________________________ 16 Aug 2021 Kube-Hunter: Cluster: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status	PCEI R5 Release Notes https://wiki.akraino.org/x/LgLkAg R5 - Architecture Documentation of Enterprise Applications on Lightweight 5G Telco Edge Completed by 8/6/2021	10 / Aug 2021
19	The AI Edge: Federated ML application at edge zifan wu haihui wang Public Cloud Edge Interface (PCEI) Blueprint Oleg Berzin	TSC 2021-08- 10 26 ( Tuesday Thursday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/cmtifate/job/pcei-daily/	https://wiki.akraino.org/x/lwHkAg	/Fate_test/15/	Akraino R5 Federated ML blueprint datasheet.docx	Per e-mail from Zifan 8Aug21Per API Subcommittee meeting 30Jul21, no change from R4 PCEI R5 API Doc:	~~https://~~ wiki ~~nexus.akraino.org~~ /x/qgHkAg ~~/content/sites/logs/fate/job/fate_security/1~~ 04 Aug 2021 ~~https://nexus.akraino.org/content/sites/logs/~~pcei~~fate/~~job~~fml/~~r5/v12/ 02 17 Aug 2021 ~~https://nexus.akraino.org/content/sites/logs/~~pcei~~fate/~~job/r5/v2/ Fixed: fs.suid_dumpable ~~fml/3~~ ~~Fix Lynis issues and upgrade curl to 7.78.~~ 19 Aug 2021 https://nexus.akraino.org/content/sites/logs/fate/fml/5/ Fixed 3 issues.net.ipv4.conf.default.accept_source_route	Incubation Level Review Results: 29 Jul 20 Aug 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request ____________________________________________________________ 16 20 Aug 2021 Lynis: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status __ Accepted __________________________________________________________ 16 Aug 2021 Kube-Hunter: Cluster Exception granted: Accepted Pod: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status PCEI R5 Release Notes https://wiki.akraino.org/x/LgLkAg Completed by 8/6/2021	10 Aug 2021	K8s not used by this BP.	federated ML Release Notes R5 Federated ML application at edge Release Notes Completed by 8/30/2021
20	KubeEdge Edge Service Blueprint Yin Ding				@Alexande
21	Private LTE/5G ICN Blueprint Prem Sankar G	19	The AI Edge: Federated ML application at edge zifan wu haihui wang	TSC 2021-08- 26 03 ( Thursday Tuesday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/fatejuniper/job/Fate_testPrivate%205G%20BP/15/	Akraino R5 Federated ML blueprint datasheet.docxPrivate LTE/5G BP Datasheet	Per e-mail from Zifan 8Aug21Prem 27Aug21, no change from R4			https:Completed by 8//nexus.akraino.org/content/sites/logs/fate/job/fate_security/110/2021
22	Rural Edge blueprint for Tami COVID-19 Blueprint Family Surojit Banerjee
23	Smart Cities Olivier Bernard Cindy Xing Alexander Su (alexander@nexcom.com) Jason Wen Jack Liu	TSC 2021-09-21 (Tuesday) 7:00 am Pacific	Yes	Incubation04 Aug 2021	https://nexus.akraino.org/content/sites/logs/myais/fatejob/fmlparsec/10/	Smart Cities R5 Executive One Pager	API info form uploaded29 Sep 2021to API Subcommittee review page (Blueprint Projects API Reporting Requirements). Approved based on informal review 29 Sep 2021 Smart Cities R5 API Document2/17 Aug 2021	~~https://nexus.akraino.org/content/sites/logs/~~ fate ~~myais/validation/~~ fml 1/ 3 ~~Fix Lynis issues and upgrade curl to 7.78.~~ 19 Aug 16 Sep 2021 https://nexus.akraino.org/content/sites/logs/ fate myais/ fml validation/ 5/Fixed 3 2 fix lynis issues. 05 Oct 2021	Smart Cities R5 Security Certification Incubation Level Review Results: 20 Aug 30 Sep 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request __________________________________________________________ 20 Aug 05 Oct 2021 Lynis: Accepted __________________________________________________________ 16 Aug 01 Oct 2021 Kube-Hunter: Exception granted: K8s not used by this BP for R5. federated ML Release Notes R5 Federated ML application at edge Release Notes Completed by 8/30/2021 However, in R6 it is planning to use K3s.	Completed by 9/30/2021 R5 Smart Cities BP release notes: Smart Cities R5 Release Notes	9/20/2021	9/21/2021
24	MEC-based Stable Topology Prediction for Vehicular Networks Asif Mehmood	TSC 2021-09-21	20	KubeEdge Edge Service Blueprint Yin Ding	@Alexande	21	Private LTE/5G ICN Blueprint Prem Sankar G	TSC 2021-08-03 (Tuesday) 7:00 am PacificNo	Yes	Incubation	https://nexus.akraino.org/content/sites/logs/juniperjejunu-pred-vanet-mec/job/Private%205G%20BP/	Akraino Private LTE/5G BP Datasheet	Per e-mail from Prem 27Aug21, no change from R4	Completed by 8/10/2021	push-logs/	one-pager - release-5-1 (v1).docx one-pager - release-5-1 (v1).pdf	API info form uploaded by Asif 22 Sep 2021, scheduled for review by API Subcommittee 24 Sep 2021 Reviewed completed and info accepted 27 Sep 2021				9/20/2021	9/21/2021
25	IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family Vinothini Raju ashvin kumar Trevor Tao	22	Rural Edge blueprint for Tami COVID-19 Blueprint Family Surojit Banerjee	23	Smart Cities Olivier Bernard Cindy Xing Alexander Su (alexander@nexcom.com) Jason Wen Jack Liu	TSC 2021-09-21 16 (TuesdayThursday) 7:00 am Pacific	YesNo	Incubation	https://nexus.akraino.org/content/sites/logs/myaisarm-china/job/parsec/10/	Smart Cities R5 Executive One Pager	jenkins092/iec-type2-terraform/cdlogs/	Akraino Light Weight μMEC on AWS.pdf	Ashvin Kumar uploaded API info form07 Sep 2021. API subcommittee review scheduled for 10 Sep 2021 (Note - the form was originally uploaded 27Aug21 but had a file corruption issue) Review completed and info accepted As of 28 Sep 2021, waiting for API info form to be uploaded API info form uploaded29 Sep 2021 to API Subcommittee review page (Blueprint Projects R4 and R5 API Reporting Requirements) . Approved based on informal review 29 Sep 2021 Smart Cities R5 API Document 10 Sep 2021 28 Sep 2021 Here are the updated logs of the Lynis test : https://nexus.akraino.org/content/sites/logs/ myais arm-china/ validation/1/ jenkins092/iec-type2-terraform/k3s/k3s-logs/	https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/conformance/ https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/blueval/k8s/kube-hunter/Smart Cities R5 Security Certification	Incubation Level Review Results: 30 17 Sep 2021 Vuls: Accepted with exceptions shown at: Release 5 Vuls Exception Request __________________________________________________________ 30 Sep 16 Nov 2021 Here are the updated logs of the Lynis : Need to fix the following vulnerabilities: PASS_MAX_DAYS option in /etc/login.defs: FAILEDSuggestion: Configure maximum password age in /etc/login.defs (Default umask values): FAILEDSuggestion: Default umask in /etc/login.defs could be more strict like 027 (Check OpenSSH option: AllowUsers and AllowGroups): FAILED Suggestion: AllowUsers and AllowGroups should be set sysctl key fs.suid_dumpable: FAILED Expected value: 0 sysctl key kernel.dmesg_restrict: FAILED Expected value: 1 sysctl key net.ipv4.conf.default.accept_source_route: FAILED Expected value: 0 The following compilers must be removed: as (compiler) - /usr/bin/as cc (compiler) - /usr/bin/cc g++ (compiler) - /usr/bin/g++ gcc (compiler) - /usr/bin/gcc clang (compiler) - /usr/bin/clang __________ test https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/lynis-vuls-nov-16/os/lynis/ Lynis: Accepted _____________________________________________________ ___________ 23 Aug 30 Sep 2021 Kube-Hunter : Does this blueprint use kubernetes? If so kube-hunter cluster.log and pod.log files must be provided.	Completed by 9/30/2021 R5 Smart Cities BP release notes: Smart Cities R5 Release Notes	9/20/2021	9/21/2021	24	MEC-based Stable Topology Prediction for Vehicular Networks Asif Mehmood	TSC 2021-09-21 (Tuesday) 7:00 am Pacific	Yes	Incubation	https://nexus.akraino.org/content/sites/logs/jejunu-pred-vanet-mec/job/push-logs/	one-pager - release-5-1 (v1).docx one-pager - release-5-1 (v1).pdf	API info form uploaded by Asif 22 Sep 2021, scheduled for review by API Subcommittee 24 Sep 2021 Reviewed completed and info accepted 27 Sep 2021	9/20/2021	9/21/2021	25	IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family Vinothini Raju ashvin kumar Trevor Tao	TSC 2021-09-16 (Thursday) 7:00 am Pacific	No	Incubation	https://nexus.akraino.org/content/sites/logs/arm-china/jenkins092/iec-type2-terraform/cdlogs/	Akraino Light Weight μMEC on AWS.pdf	Ashvin Kumar uploaded API info form07 Sep 2021. API subcommittee review scheduled for 10 Sep 2021 (Note - the form was originally uploaded 27Aug21 but had a file corruption issue) Review completed and info accepted As of 28 Sep 2021, waiting for API info form to be uploaded to API Subcommittee review page (Blueprint Projects R4 and R5 API Reporting Requirements) 10 Sep 2021	: Cluster: Accepted with exceptions shown at: Release 5 Blueprint Scanning Status This issues must be resolved prior to maturity. Pod: Could the same comparison between k3s and microk8s be provided for the kube-hunter pod.log as was provided for the cluster.log? The following vulnerabilities must be fixed: Access to pod's secrets Suggestion: https://blog.aquasec.com/managing-kubernetes-secrets Securing etcdsecret data is stored in etcd. By default, etcd data is not encrypted and neither are your secrets. You should enable encryption at rest, limit access to etcd to admin users only, and safely dispose of disks where etcd data was formerly stored Use SSL/TLSwhen running etcd in a cluster, you must use secure peer-to-peer communication. Exposed PodsDescription: An attacker could view sensitive information about pods that are bound to a Node using the /pods endpoint. KHV043 - Cluster Health DisclosureSuggestion: Disable --enable-debugging-handlers kubelet flag. KHV007 - Specific Access to Kubernetes API Suggestion: Review the RBAC permissions to Kubernetes API server for the anonymous and default service account KHV005 - Access to Kubernetes API KHV002 - Kubernetes version disclosureSuggestion: Disable --enable-debugging-handlers kubelet flag. KHV050 - Read access to Pod service account token Suggestion: It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle. Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec. KHV044 - Privileged ContainerSuggestion: Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.	Missing Upstream information in IEC Type 2 Release Notes for R5
26	IoT Workloads at the Smart Device Edge - Predictive Maintenance (with a Thermal Imaging Camera, vibration sensors, etc.) V S Aaron Williams		No
27	Federated Multi-Access Edge Cloud Platform Deepak Vij	TSC 2021-10-14 (Thursday) 7:00 am Pacific	Yes	Incubation		R5 Datasheet	Per e-mail 09 Oct 2021, Deepak is in process of uploading API info form As of 13 Oct 2021, Deepak sent API info form, and expects to upload to the API subcommittee page. The form shows Karmada APIs (enabled by CRD method) offered inside Kubernetes environment, but no 3rd party APIs offered or consumed. Deepak uploaded API info form 14 Oct 2021, API subcommittee review scheduled for 15 Oct 2021 API info reviewed and approved by API subcommittee 22 Oct 2021. The subcommittee e-mailed Deepak asking to attend 29Oct (Fri) meeting and give more explanation about ETSI MEC interfaces in their Blueprint Wiki page with API info: R5 API Document	N/A	Incubation Level Review Results: 21 Oct 2021 Vuls: All vulnerabilities >9.0 must be fixed or verification provided that no patch currently exists. CVE-2019-25032 CVE-2019-25034 CVE-2019-25035 CVE-2019-25036 CVE-2019-25038 CVE-2019-25039 CVE-2019-25042 CVE-2019-9169 CVE-2020-27619 CVE-2021-27219 CVE-2021-3177 CVE-2021-3520 CVE-2020-12403 CVE-2020-36242	_____________________________________________________	21 Oct 2021	Lynis	:	Need to fix the following vulnerabilities: Checking PASS_MAX_DAYS option in /etc/login.defs: FAILEDSuggestion: Configure maximum password age in /etc/login.defs Test ID AUTH-9328 (Default umask values): FAILEDSuggestion: Default umask in /etc/profile or /etc/profile.d/custom.sh could be more strict (e.g. 027) Test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups): FAILEDSuggestion: set AllowUsers & AllowGroups sysctl key kernel.dmesg_restrict: FAILEDSuggestion: set value to '1'	sysctl key net.ipv4.conf.default.accept_source_route: FAILED	Suggestion: set value to '0	' Test ID HRDN-7220 (Check if one or more compilers are installed): FAILEDFollowing compilers must be removed:	/usr/bin/as	/usr/bin/cc		/usr/bin/gcc _____________________________________________________	Missing Upstream information in IEC Type 2 Release Notes for R5	26	IoT Workloads at the Smart Device Edge - Predictive Maintenance (with a Thermal Imaging Camera, vibration sensors, etc.) V S Aaron Williams	No	21 Oct 2021 Kube-Hunter: Cluster: Please provide cluster.log file Pod: Please provide pod.log file			10/14/2021	27	Federated Multi-Access Edge Cloud Platform Deepak Vij	Yes

Space shortcuts

Page tree

Versions Compared

Old Version 224

New Version Current

Key

Space shortcuts

Page tree

Page History

Versions Compared

Old Version 224

New Version Current

Key

TSC 2021-08-

03 (

Tuesday) 7:00 am Pacific