From 9c7db912e90d2d09703aa360ff708d0694af861b Mon Sep 17 00:00:00 2001 From: Huifeng Le Date: Mon, 16 May 2022 17:37:01 +0800 Subject: [PATCH] Update README Signed-off-by: Huifeng Le Change-Id: I38e712b97ef3064893fa6aa4a067ffa30e58b86a Signed-off-by: Huifeng Le --- README.md | 39 +++++++++++++++++++++++++++++---------- 1 file changed, 29 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 06fdfcf..19e5e31 100644 --- a/README.md +++ b/README.md @@ -1,11 +1,6 @@ -**NOTICE: This is a PreProd version.** - -**We are actively working on this to make it for Prod release. For now, please DO NOT use it for any Prod environment!** - - # Introduction to Akraino ICN SD-EWAN solution -SD-EWAN main functionality include +SD-EWAN main functionalities include * IPsec tunnels across K8s clusters - Supporting multiple types of K8s clusters "K8s clusters having static public IP address", "K8s clusters having dynamic public @@ -24,12 +19,12 @@ SD-EWAN is based on set of Linux packages ## SD-EWAN in Akraino/ICN -SD-EWAN functionality is realized via CNF (Containerized Network Function) +SD-EWAN functionalities are realized via CNF (Containerized Network Function) and deployed by K8s. SD-EWAN CNF leverages Linux kernel functionality for packet processing of above functions. Actual CNF is set of user space processes consisting of fw3, mwan3, strongswan and others. -SD-EWAN considered as platform feature by ICN. +SD-EWAN is considered as platform feature by ICN. Refer - https://www.linkedin.com/pulse/software-defined-edge-wan-edges-srinivasa-addepalli/ 
@@ -52,6 +47,10 @@ central-controller's high level design can be found at: https://www.linkedin.com ## Environment Settings Recommendations To make our project work for your solution, please do the environment settings following the best practices that are widely known by the communities and industries. +### Host OS +First of all, please follow the best practices to configure your host operating system. +e.g. keep host OS components up-to-date and minimize host OS attack surface. + ### Docker Image Usage Please follow the best know practices of Docker in your development lifecycle that will give you more productivity and security. @@ -60,6 +59,12 @@ Please follow the best know practices of Docker in your development lifecycle th - [Only Use Trusted Registry Service Like Docker Hub](https://docs.docker.com/docker-hub/) - [Using Docker Hub for CI CD](https://docs.docker.com/ci-cd/best-practices/) +### Kubernetes +Please follow the industry best practices for setting your Kubernetes clusters. +- [Kubernetes Security Tutorial](https://kubernetes.io/docs/tutorials/security/) +- [Kubernetes CIS Benchmark](https://www.aquasec.com/cloud-native-academy/kubernetes-in-production/kubernetes-cis-benchmark-best-practices-in-brief/) +- [Kube Bench](https://github.com/aquasecurity/kube-bench) + ### Etcd Etcd is a is a strongly consistent, distributed key-value store. It's a critical Kubernetes component which stores information on state and secrets, and it should be protected differently from the rest of your cluster. Administrators should always use strong credentials from the API servers to their etcd server, such as mutual auth via TLS client certificates, and it is often recommended to isolate the etcd servers behind a firewall that only the API servers may access. 
@@ -75,9 +80,23 @@ Please follow the best known practices of MongoDB - [Encrypt Data At Rest](https://www.mongodb.com/docs/manual/core/security-encryption-at-rest/) ### Istio -Our project can be used with Istio to enable a secure running environment. Please follow the general practice of [the Istio Service Mesh](https://istio.io/latest/about/service-mesh/) and [Istio / Security](https://istio.io/latest/docs/concepts/security/) to complete the settings for your own solution. In addition to that, in order to get a general idea or quick impression about the usage, you can also reference our introduction to a [demo](https://github.com/intel-sandbox/akraino-sdewan/tree/main/central-controller/docs/istio). +Our project can be used with Istio to enable a secure running environment. Please follow the general practice of [the Istio Service Mesh](https://istio.io/latest/about/service-mesh/) and [Istio / Security](https://istio.io/latest/docs/concepts/security/) to complete the settings for your own solution. In addition to that, in order to get a general idea or quick impression about the usage, you can also reference our introduction to a [demo](https://github.com/intel-sandbox/akraino-sdewan/tree/main/central-controller/docs/istio). +Please also follow the best practices of Istio for [scalability and performace](https://istio.io/latest/docs/ops/deployment/performance-and-scalability/). + + +## Administration/Operation Guideline +Please follow the best practices for administration or operations. + + +e.g. We recommend you to follow the guidelines about the authentication lifecycle management in [Digital Identity Guidelines](https://pages.nist.gov/800-63-3/sp800-63b.html) that covers a broad range of that topic. Especially, please follow the guidelines in section "5.1.1.2 Memorized Secret Verifiers" in that document when you configure your secret verifiers. + +### Account Management. +Please follow the best practices of industry to manage the accounts. e.g. 
authentication lockout or throttling, minimum password requirements, password of application should be protected, authentication error should be consistent, avoid authentication timing vulnerabilities, new user should be forced to change password etc. + +### Certificate Management. +Please follow the best practices of industry to manange your certificate. e.g. https://kubernetes.io/docs/setup/best-practices/certificates/ ## Contact Us -For any questions about ovn4nfv k8s , feel free to ask a question in +For any questions about this project, feel free to ask a question in #general in the [ICN slack](https://akraino-icn-admin.herokuapp.com/), or open up a https://jira.opnfv.org/issues/. -- 2.16.6
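Review bot: dropping the PreProd notice ("please DO NOT use it for any Prod environment!") in the first hunk changes what the README promises to users, but the commit message only says "Update README"; state in the message (or in the README itself) that the project is now considered ready for production, or keep the notice until it is. Minor: "SD-EWAN main functionalities include" reads better as "SD-EWAN's main functionality includes".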
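Review bot: in the "## SD-EWAN in Akraino/ICN" hunk, "SD-EWAN is considered as platform feature by ICN." still lacks an article and "considered as" is non-idiomatic; suggest "SD-EWAN is considered a platform feature by ICN." The same singular-vs-plural question as in the first hunk applies to "SD-EWAN functionalities are realized via CNF".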
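Review bot: the new "### Host OS" section gives only a generic instruction ("keep host OS components up-to-date and minimize host OS attack surface") with no reference, unlike the Docker section next to it, which links to concrete guidance; add a link to a hardening guide or benchmark for the host distributions the project supports, and capitalize "E.g." since it opens a sentence.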
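Review bot: in the "### Kubernetes" hunk, the "Kubernetes CIS Benchmark" bullet links to a vendor summary on aquasec.com rather than to the CIS benchmark itself, and "Kube Bench" is the scanner that checks a cluster against that benchmark, which the bullet text does not say; link the primary CIS source and describe the tool, e.g. "Kube Bench, to check your cluster against the CIS benchmark". Also "setting your Kubernetes clusters" should be "setting up your Kubernetes clusters".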
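Review bot: the last hunk has several typos and formatting slips: "performace" should be "performance", "manange" should be "manage", and the headings "### Account Management." and "### Certificate Management." should not end in a period (no other heading in the file does). The Account Management sentence is a long comma-separated run-on; it would read better as a bullet list like the Docker and Kubernetes sections, for example:
- authentication lockout or throttling
- minimum password requirements
- consistent authentication errors, with no timing differences between cases
Two smaller points: the "-"/"+" pair under "### Istio" shows identical text, so that change is presumably whitespace only and worth confirming; and the demo link points at the intel-sandbox GitHub org, which readers of an Akraino README may not be able to reach. The Contact Us fix replacing "ovn4nfv k8s" with "this project" is good.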