Versions Compared

Old Version 107

changes.mady.by.user Ysemi

Saved on

compared with

New Version Current

changes.mady.by.user jin peng

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

The requirements for the blueprints to be included in release 5 6 are as follows:

Depending upon the situation, the PTLs are suggested to meet the following criteria - 

...

If the blueprint is already part of release 5 and you want this to be included in release 56, please follow the following steps:

...

No API changes expected from R5, per 02  

Result: sysctl key fs.suid_dumpable: FAILED
Result: sysctl key kernel.dmesg_restrict: FAILED
Result: sysctl key net.ipv4.conf.default.accept_source_route: FAILED

vuls results: Accepted

kube-hunter results:

pod:

KHV043 - Cluster Health Disclosure
Disable --enable-debugging-handlers kubelet flag.
KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy.

No API changes expected from R5, The AI Edge: Intelligent Vehicle-ysemiv1/upload/iec-tox-verify-master_317/ak_resultsnexuscontentsiteslogs/ysemi/job/v1/validation_results_v2/

 

 

lynis results:

Test: Checking PASS_MAX_DAYS option in /etc/login.defs: FAILED
2022-04-17 23:44:10 Result: password aging limits are not configured
2022-04-17 23:44:10 Suggestion: Configure maximum password age in /etc/login.defs [test:AUTH-9286] [details:-] [solution:-]
Performing test ID AUTH-9328 (Default umask values): FAILED
2022-04-17 23:44:10 Result: found umask 022, which could be improved
2022-04-17 23:44:10 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]
Performing test ID SSH-7440 (Check OpenSSH option: AllowUsers and AllowGroups): FAILED
2022-04-17 23:44:50 Result: AllowUsers is not set
2022-04-17 23:44:50 Result: AllowGroups is not set
2022-04-17 23:44:50 Result: SSH has no specific user or group limitation. Most likely all valid users can SSH to this machine.
Result: sysctl key fs.suid_dumpable: FAILED
Result: sysctl key kernel.dmesg_restrict: FAILED
Result: sysctl key net.ipv4.conf.default.accept_source_route: FAILED
Performing test ID HRDN-7220 (Check if one or more compilers are installed): FAILED
2022-04-17 23:45:42 Result: found installed compiler. See top of logfile which compilers have been found or use /bin/grep to filter on 'compiler'
2022-04-17 23:37:28 Found known binary: as (compiler) - /usr/bin/as
2022-04-17 23:37:28 Found known binary: cc (compiler) - /usr/bin/cc
2022-04-17 23:37:28 Found known binary: g++ (compiler) - /usr/bin/g++
2022-04-17 23:37:28 Found known binary: gcc (compiler) - /usr/bin/gcc
2022-04-17 23:44:13 Found package: device-tree-compiler (version: 1.4.5-3)
2022-04-17 23:44:21 Found package: protobuf-compiler (version: 3.0.0-9.1ubuntu1)

vuls results:

CVE-2017-12194: failed in scan
CVE-2018-12892: failed in scan
CVE-2019-17113: failed in scan
CVE-2019-19948: failed in scan
CVE-2019-19949: failed in scan

kube-hunter results:

cluster:
KHV002 - Kubernetes version disclosure
Disable --enable-debugging-handlers kubelet flag.

pod:

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/
Access to pod's secrets
https://blog.aquasec.com/managing-kubernetes-secrets
Securing etcdsecret data is stored in etcd. By default, etcd data is not encrypted and neither are your secrets. You should enable encryption at rest, limit access to etcd to admin users only, and safely dispose of disks where etcd data was formerly stored
Use SSL/TLSwhen running etcd in a cluster, you must use secure peer-to-peer communication.
KHV005 - Access to Kubernetes API
KHV002 - Kubernetes version disclosure
Disable --enable-debugging-handlers kubelet flag.
KHV050 - Read access to Pod service account token
It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.
Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.one page linkIncubationhuaweiEaltedge-aio-log/15/Ealtedgesecurity-test26/results/

 

lynis results:

Result: sysctl key fs.suid_dumpable: FAILED
Result: sysctl key kernel.dmesg_restrict: FAILED
Result: sysctl key net.ipv4.conf.default.accept_source_route: FAILED

vuls results: Accepted

kube-hunter results:

pod:

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.wwwsuse.com/c/demystifying-containers-part-iv-container-security/
KHV043 - Cluster Health Disclosure
Disable --enable-debugging-handlers kubelet flag.
KHV044 - Privileged Container
Minimize the use of privileged containers. Use Pod Security Policies to enforce using privileged: false policy. Berzinwikix/SC0wAw

Revised API info form sent to Oleg per his requirements (see API Subcommittee meeting minutes for details)

Note - PCEI Blueprint R6 API documentation located here (as of ):

https://wiki.akraino.org/x/Qy0wAw

 

nexuscontent/sites/logs/pcei/job/r6/v1/

 

lynis results:

Performing test ID AUTH-9328 (Default umask values): FAILED
2022-04-13 01:07:38 Result: found umask 022, which could be improved
2022-04-13 01:07:38 Suggestion: Default umask in /etc/login.defs could be more strict like 027 [test:AUTH-9328] [details:-] [solution:-]

vuls results: Accepted

kube-hunter results:

pod:

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/Jack Liu/validation/2

fix lynis issue, in pb use k3s, add kube-hunter test.

 

Incubation
No.Project NameTSC Subgroup Release StatusIs this your first release 

Blue Print Stage

  • Self-Certify
  • Incubation
  • Mature
  • Core

CD Logs URL to be used for review

(Column filled in by PTLs)

How to: Push Logs to Nexus

Jenkins Master for Private Lab

Jenkins Peering Guide

Example: 

KubeEdge BP Test Documents

Link to executive one pager

(editable doc format)

(Column filled in by PTLs)

API Info Reporting Review

(Column filled in by API Subcommittee)

(note for PTLs – go here for steps to fill in project API info form)

BluVal

BlueVal Logs or Manual Logs

Bluval User Guide


Security

Certification

(TO be filled by Security Subcommittee)

Pass/Fail Criteria:  Steps To Implement Security Scan Requirements

Exception requests should be filed at:

Release 6: Akraino CVE and KHV Vulnerability Exception Request

Upstream Review (Column filled by Upstream Subcommittee and PTLs)


(note PTL can go to Release 6 Upstream Review Status to find details)

Date ready for TSC review

(Column filled in by PTLs)

 TSC Review Date

(Column filled in by TSC)


1

Connected Vehicle Blueprint

Thor Chin

Tao Wang

Abhimanyu Bhatter


NoMaturehttps://nexus.akraino.org/content/sites/logs/parserlabs/r4/cvb/


https://nexus.akraino.org/content/sites/logs/parserlabs/r4/Approved


2

IEC Type 4: AR/VR oriented Edge Stack for Integrated Edge Cloud (IEC) Blueprint Family

Bart Dong

Thor Chin

Abhimanyu Bhatter


NoMaturehttps://nexus.akraino.org/content/sites/logs/parserlabs/r4/cvb/

IEC-Type4 Release 6 datasheet.docx

No API changes expected from R5, per Bart Dong in TSC meeting . Waiting for e-mail from Bart to confirm this

Bart confirmed by e-mail  


https://nexus.akraino.org/content/sites/logs/parserlabs/r4/Approved


3














4

ICN - Integrated Cloud-Native Family

Kuralamudhan Ramakrishnan


NoIncubationICN R6 Datasheet

No API changes from R5, per e-mail from Kural Ramakrishnan

BluVal Results

  

lynis results: Accepted

vuls results: Accepted

kube-hunter results: Accepted


Approved

 



5

ICN - Multi-Tenant Secure Cloud Native Platform 

Salvador Fuentes

NoIncubation

Status changed to end-of-life (EOL), not participating in R6


NoEOL

No API changes from R5, per e-mail from Salvador Fuentes  



Approved 


6

ELIOT IoT Gateway Blueprint

khemendra kumar


NoIncubationhttps://nexus.akraino.org/content/sites/logs/huawei/job/Eliot-aio-log/19/

ELIOT R6 IoT-Gateway Datasheet

No API changes from R5, per e-mail from Khemendra Kumar 

Info for ELIOT IOTGateway APIs:

https://wiki.akraino.org/display/AK/ELIOT+R6+IOTGateway+API+documentation

https://nexus.akraino.org/content/sites/logs/huawei/job/Eliot-security-test/31/results/

lynis results: Accepted

vuls results: Accepted

kube-hunter results: Accepted

Approved


7

ELIOT SD-WAN/WAN Edge/uCPE Blueprint

khemendra kumar


NOIncubation
ELIOT R6 - SD-WAN / WAN Edge / uCPE Data Sheet

No API changes from R5, per e-mail from Khemendra Kumar  



Approved


7

ELIOT SD-WAN/WAN Edge/uCPE Blueprint

khemendra kumar

NOIncubation8

Network Cloud and TF (Tungsten Fabric) Integration Project

Sukhdev Kapur


NoMature










9

KNI Provider Access Edge

Ricardo Noriega


NoIncubation








10

KNI Industrial Edge

Ricardo Noriega


NoIncubation










11

Micro-MEC

Ferenc Székely







 







12

The AI Edge: School/Education Video Security Monitoring

Yu, Liya


Noincubationhttps://nexus.akraino.org/content/sites/logs/baidu/job/Video Security Monitoring R6 Datasheet

No API changes expected from R5, per Liya Yu in TSC meeting https://nexus.akraino.org/content/sites/logs/baidu/job/. Waiting for e-mail from Liya to confirm this

.

Confirmed in e-mail sent by Liya  

https://nexus.akraino.org/content/sites/logs/baidu/job/security_scan/aiedge/5/results/
Approved based on R5 Release notes.


13

The AI Edge: Intelligent Vehicle-

13

Infrastructure Cooperation System(I-VICS)

Yu, Liya


No
  • Incubation
No API changes from R5, per e-mail from ZhuMing Zhang  

https://nexus.akraino.org/content/sites/logs/

fate

qianyi/job/

I-VICS/5/		No new features or bugs have been added after R4 release14

5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

Feng Yang

NoIncubation15

https://wiki.akraino.org/download/attachments/28970342/Intelligent%20Vehicle-Infrastructure%20Cooperation%20System%28I-VICS%29%20Datasheet.docx?version=2&modificationDate=1613872984000&api=v2

No API changes from R5, per e-mail from ZhuMing Zhang  

IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family

hanyu ding Rajeev Gadgil Davy Zhang

NoIncubationhttps://nexus.akraino.org/content/sites/logs/fate/job/I-VICS/5/No new features or bugs have been added after R4 releaseYes, with recommendation.


14

5G MEC/Slice System to Support Cloud Gaming, HD Video and Live Broadcasting Blueprint

Feng Yang


NoIncubation


No API changes from R5, per e-mail from Eagan Fu  



Approved based on previous release notes


15

IEC Type 3: Android cloud native applications on Arm servers in edge for Integrated Edge Cloud (IEC) Blueprint Family

hanyu ding Rajeev Gadgil Davy Zhang


NoMaturehttps://wiki.akraino.org/download/attachments/24084647/IEC%20Release3-IEC%20Type3-datasheet.docx?version=5&modificationDate=1591272863000&api=v2

API form uploaded by Davy Zhang , scheduled for review at API subcommittee meeting

Approved by API subcommittee at weekly meeting  

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/upload/iec-tox-verify-master_334/https://wiki.akraino.org/download/attachments/24084647/IEC%20Release3-IEC%20Type3-datasheet.docx?version=5&modificationDate=1591272863000&api=v2

API form uploaded by Davy Zhang , scheduled for review at API subcommittee meeting

Approved by API subcommittee at weekly meeting  

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v4/

 

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v5/

 

https://nexus.akraino.org/content/sites/logs/ysemi/job/v1/validation_results_v6/ 

  

lynis results: Accepted

vuls results: Accepted

kube-hunter results: Accepted

Approved


16

IEC Type 5: SmartNIC for Integrated Edge Cloud (IEC) Blueprint Family

Leo Li jin peng


NoIncubationupload CT log linkshttps://nexus.akraino.org/content/sites/logs/socnoc/job/baseOS/1/SOCNOC Release 6 One pag - Akraino - Akraino Confluence

No API changes expected from R5, per Leo Li in TSC meeting . Waiting for e-mail from Leo to confirm this

17

Enterprise Applications on Lightweight 5G Telco Edge

Gaurav Agrawal

No

Leo confirmed by mail  




https://nexus.akraino.org/content/sites/logs/socnoc/job/EALTEDGE Release 6 Datasheetsecurity_scan/




17

Enterprise Applications on Lightweight 5G Telco Edge

Gaurav Agrawal


NoIncubationNo API changes from R5, per e-mail from Khemendra Kumar  
Info for EALTEdge APIs:
https://wiki.akraino.org/pages/viewpage.action?pageId=53478299		https://nexus.akraino.org/content/sites/logs/huawei/job/Ealtedge-aio-log/15/EALTEDGE Release 6 Datasheet

No API changes from R5, per e-mail from Khemendra Kumar  

Info for EALTEdge APIs:

https://wiki.akraino.org/pages/viewpage.action?pageId=53478299

https://nexus.akraino.org/content/sites/logs/huawei/job/Ealt-edge-security-test/26/results/

 

lynis results: Accepted

vuls results: Accepted

kube-hunter results: Accepted


Approved


18

Public Cloud Edge Interface (PCEI) Blueprint

Oleg

Berzin


TSC 2022-05-12 (Thursday) 7:00 am PacificNoIncubationhttps://nexus.akraino.org/content/sites/logs/cmti/job/pcei-daily/https://wiki.akraino.org/x/SC0wAw

Revised API info form sent to Oleg per his requirements (see API Subcommittee meeting minutes for details)


Note - PCEI Blueprint R6 API documentation located here (as of ):

https://wiki.akraino.org/x/Qy0wAw

 

https://nexus.akraino.org/content/sites/logs/pcei/job/r6/v1/


 

lynis results: Accepted

vuls results: Accepted

kube-hunter results: Accepted


Approved per the upstream review


https://wiki.akraino.org/x/Ui0wAw

 

 


19

The AI Edge: Federated ML application at edge

zifan wu

haihui wang

TSC 2022-03-17 (Thursday) 7:00 am Pacific

No

Mature

https://nexus.akraino.org/content/sites/logs/fate/job/Fate_test/15/Akraino R6 Federated ML blueprint datasheet.docx

No API changes from R5, per e-mail from HaiHui Wang

https://nexus.akraino.org/content/sites/logs/fate/fml/5/



Incubation Level Review Results:

 

VulsAccepted with exceptions shown at:

Release 5 Vuls Exception Request

__________________________________________________________

LynisAccepted

__________________________________________________________

Kube-Hunter:  Exception granted:  K8s not used by this BP.

 

s






20

KubeEdge Edge Service Blueprint

Yin Ding


NoIncubation








21

Private LTE/5G ICN Blueprint

Prem Sankar G

has Has been merged with PCEI blueprint













22

Rural Edge blueprint for Tami COVID-19 Blueprint Family

Surojit Banerjee


YesIncubation








23

Smart Cities

Olivier Bernard Cindy Xing Alexander Su (alexander@nexcom.com)

Jason Wen

Jack Liu

TSC 2022-05-12 (Thursday) 7:00 am Pacific

NoIncubationhttps://nexus.akraino.org/content/sites/logs/myais/job/smartcities/8

Smart Cities R6 Executive One Pager - Akraino - Akraino Confluence

No API changes expected from R5, per TSC meeting discussion . Waiting for e-mail from Jason or Jack to confirm this.

Update - API form uploaded by Jason , scheduled for review at API subcommittee meeting  

Approved by API subcommittee at weekly meeting

https://nexus.akraino.org/content/sites/logs/myais/validation/1/

 

https://nexus.akraino.org/content/sites/logs/myais

/validation/2

fix lynis issue, in pb use k3s, add kube-hunter test.

 

https://nexus.akraino.org/content/sites/logs/myais/validation/3

fix kube-hunter issue ,except CAP_NET_RAW.

 

 

lynis results: Accepted

vuls results: Accepted

kube-hunter results:  Accepted

Smart Cities R6 Upstream.


Approved

 

 


24

MEC-based Stable Topology Prediction for Vehicular Networks

Asif Mehmood

TSC 2022-06-14 (Tuesday) 7:00 am PacificNoIncubationNexus repository where we push CD logs via a privately configured Jenkins

Executive One Pager - R6 (MEC-based)

API info form uploaded by Asif, API subcommittee to review  


Approved by API subcommittee  



Approved

 



25

IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family

Vinothini Raju

ashvin kumar Trevor Tao Muhammad Hamza


NoIncubation

https://nexus.akraino.org/content/sites/logs/production/vex-yul-akraino-jenkins-prod-1/iec-tox-verify-master/

IEC Type 2 R6 Executive One Pager

No API changes from R5, per e-mail from Muhammad Hamza   

https://jenkins.akraino.org/view/iec/job/bluval-daily-master/

https://sonarcloud.io/project/overview?id=iec

https://nexus.akraino.org/content/sites/logs/production/vex-yul-akraino-jenkins-prod-1/iec-tox-verify-master/334/


Approved

 

lynis results: Accepted

vuls results: Accepted

kube-hunter results: 

pod:

Access to pod's secrets
https://blog.aquasec.com/managing-kubernetes-secrets
Securing etcdsecret data is stored in etcd. By default, etcd data is not encrypted and neither are your secrets. You should enable encryption at rest, limit access to etcd to admin users only, and safely dispose of disks where etcd data was formerly stored
Use SSL/TLSwhen running etcd in a cluster, you must use secure peer-to-peer communication.

CAP_NET_RAW Enabled
CAP_NET_RAW is used to open a raw socket and is used by ping. If this is not required CAP_NET_RAW MUST be removed.
https://www.suse.com/c/demystifying-containers-part-iv-container-security/

KHV005 - Access to Kubernetes API

KHV002 - Kubernetes version disclosure
Disable --enable-debugging-handlers kubelet flag.

KHV050 - Read access to Pod service account token
It is recommended to explicitly specify a Service Account for all of your workloads (serviceAccountName in Pod.Spec), and manage their permissions according to the least privilege principle.
Consider opting out automatic mounting of SA token using automountServiceAccountToken: false on ServiceAccount resource or Pod.spec.

Smart Cities R6 Upstream24

MEC-based Stable Topology Prediction for Vehicular Networks

Asif Mehmood

NoIncubation25

IEC Type 2 for Integrated Edge Cloud (IEC) Blueprint Family

Vinothini Raju

ashvin kumar Trevor Tao
No



26

IoT Workloads at the Smart Device Edge - Predictive Maintenance (with a Thermal Imaging Camera, vibration sensors, etc.)

V S Aaron Williams


No









27

Federated Multi-Access Edge Cloud Platform

Deepak Vij


NoIncubation








28

Smart Data Transaction

Colin Peters


Yes

Incubation

BluVal:

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-bluval/2/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-lynis/3/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-vuls/2/

Other:

https://nexus.akraino.org/content/sites/logs/fujitsu/job/edgex-install/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/edgex-lora/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/lfedge-cluster/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/lfedge-install/

SDT Datasheet.docx

Per e-mail from Colin Peters  , blueprint consumes Kubernetes and EdgeX APIs. They are uploading API info form

API info form uploaded  

Scheduled for review by API subcommittee review 

Reviewed and approved by API subcommittee  

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-bluval/2/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-lynis/3/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/sdt-vuls/2/

 

sdt-lynis results: Accepted

sdt-vuls results: Accepted

All Exceptions are granted

Release 6: Akraino CVE Vulnerability Exception Request

Smart Data Transaction for CPS Release Notes

Approved

2022/04/132022/04/14
29

Robot basic architecture based on SSES

Fukano Haruhisa


YesIncubation


https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/sses-lynis/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/sses-lynis/

Robot basic architecture based on SSES One Pager

Per e-mail from Inoue Reo , blueprint does not export or consume APIs. They are uploading an API info form to indicate this, along with comments about future / possible API plans

Inoue Reo uploaded an API info form . Review by API subcommittee is scheduled for  

Reviewed and approved by API subcommittee

https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/sses-lynis/

https://nexus.akraino.org/content/sites/logs/fujitsu/job/robot-family/sses-lynis/









  

robot Lynis results: Accepted 

iotgateway Lynis results: Accepted   

robot vuls resultsAccepted
All exceptions are granted

iotgateway vuls resultsAccepted
All exceptions are granted

Release 6: Akraino CVE Vulnerability Exception Request

Approved per the BP upstream review

2022/04/132022/04/14