| Bin Yang | 3638c46 | 2018-07-25 08:11:58 +0000 | [diff] [blame^] | 1 | .. |
| 2 | This work is licensed under a Creative Commons Attribution 4.0 |
| 3 | International License. |
| 4 | |
| 5 | ====================================================== |
| 6 | MultiCloud security enhancement: secured communication |
| 7 | ====================================================== |
| 8 | |
| 9 | To support an ONAP Non-Functional Requirement with regarding to Security: "All internal/external system communications shall be able to be encrypted", MultiCloud project needs to explore the best way to implement it. |
| 10 | |
| 11 | .. |
| 12 | https://wiki.onap.org/display/DW/Casablanca+Release+Requirements#CasablancaReleaseRequirements-NonFunctionalRequirements |
| 13 | |
| 14 | Problems Statement |
| 15 | ================== |
| 16 | |
| 17 | By default all MultiCloud micro-services expose APIs with non-secured endpoints. To fulfill the ONAP security requirement above, either MultiCloud integrate with AAF's CADI SDK or leverage some other technology. |
| 18 | - Integration with AAF's CADI is preferred by the security subcommittee, however, this requires AAF team or someone provides CADI SDK in python binding. So far there is no promising resource to do that and no roadmap yet. |
| 19 | - On the other hands, ISTIO's security feature could fulfill this requirement very well without imposing any modification of MultiCloud source code. MSB project team is exploring the way to implement it for OOM based ONAP deployment. |
| 20 | |
| 21 | |
| 22 | One caveat is that ISTIO approach is only applicable to OOM based ONAP deployment. Hence the question would be: |
| 23 | Whether we should implement this feature for HEAT based ONAP deployment? And if yes, how? |
| 24 | |
| 25 | Proposed Solutions |
| 26 | ================== |
| 27 | |
| 28 | 1, **With respect to HEAT based ONAP deployment**: |
| 29 | |
| 30 | Given the consensus achieved during ONAP Casablanca Forum, HEAT based ONAP deployment is only for Integration test, |
| 31 | and the fact that many other features are only applicable to OOM based ONAP deployment, I do think it does not hurt to decide |
| 32 | that MultiCloud enable this security feature only for OOM based ONAP deployment. |
| 33 | So the answer to the questions above would be: We will not implement this security feature for HEAT based ONAP deployment |
| 34 | |
| 35 | 2, **With respect to OOM based ONAP deployment**: |
| 36 | |
| 37 | it is intended that MultiCloud project will collaborate with MSB project and VFC project to implement this security feature with the approach of ISTIO. |
| 38 | |
| 39 | MultiCloud does not need to change anything, but need to pay attention to following facts: |
| 40 | - The deployment of the PODs of micro-services: MSB,VFC,MultiCloud will be deployed into seperated kubernetes namespace other than the one for those not utilizing ISTIO features. |
| 41 | - All communication across different kubernetes namespace should use either IP or FQDN (Full Qualified Domain Name) |
| 42 | |
| 43 | |
| 44 | Test Use Cases |
| 45 | ================== |
| 46 | |
| 47 | The pariwise and integration testing will be conducted between VFC and MultiCloud in context of VoLTE or vCPE use case. |
| 48 | |