As agreed to by the TSC and documented in the approved Nephio Community Document, this SIG group focuses on security of code, images, deployment, and the runtime environment; development of CRDs, Operators, related tooling & reference Implementation; and packaging and security verification of components of Nephio.
Most activity is coordinated over the #sig-security slack channel.
For details on meetings and links to other resources see the SIG Security wiki page.
Considerations for the SIG as a group:
Security practices should not deter or cause friction in the release processes. As far as possible the aim should be to fail the CI early in the lifecycle (for e.g., when the PR is raised) as opposed to when the release is triggered.
Focus on security intent than on tooling. It should be possible to replace the tool, if needed, at a future date.
The SIG should consider holistic security i.e., the scope should include securing all stages including dev, release, deploy, runtime.
sig-security needs to work with other projects/sub-projects and ensure security goals are met across the nephio-project organization.
Opportunity for the SIG: Differentiate Nephio as a "Secure Telco Automation Framework".
Following high-level security focus areas could be considered:
For each subproject, we list a lead and the scope of the subproject, as well as the primary skills involved in participating in that subproject. As an open community, we do not "require" any specific skills for contributors to participate in the subproject. We hope to find ways for anyone to contribute, and to build the necessary skills. However, it can be useful to list the primary skills and areas of expertise involved in each group, to help people decide where they may wish to participate.
Subproject Lead: TBA
Scope
OSSF security practices
OSSF security score > 7
OSSF badges on prominent repos
CI security practices to adopt for every subproject
Secrets/Key scanning
License scanning
Linting/Code smell scanning
Supply Chain Security
Image Signing & verification
For every code repo in nephio-project github organization, it would be important to follow code/repo security scanning best practices. Depending on the development language used, the tooling might differ for individual repos. It would be better to use common github actions across all repos in the organization that would internally use appropriate secret tokens defined as part of github secrets.
This subproject will focus on:
Continuously improving OSSF score
Achieving SLSA levels and coordinating with individual projects to handle desired project changes
Automating OSSF/SLSA/Code-scanning coverage using Github actions. Any new project/repo added should automatically import common github actions and should require setting up the CI actions infrastructure from scratch.
Subproject should highlight security risks of individual projects
Primary Skills
Kubernetes Basics, Kubernetes Resource Model (KRM)
Subproject Lead: TBA
Scope
Deployment best practices
No privileged containers
TLS best practices for k8s service endpoints
Mandatory resource request specification
Workload isolation requirements (certain workloads such as secrets manager may not share the nodes)
Helping projects handle the "Deployment security checklist"
Primary Skills
Kubernetes Basics, Kubernetes Resource Model (KRM)
Kubernetes CRD and Controller Design
Subproject Lead: TBA
Scope Once the workloads are deployed in the target environments, securing the workloads at runtime becomes crucial. Following runtime security use-cases needs to be taken into consideration:
Network Security
Workload hardening
Service Mesh security (includes transport and API security)
Secrets management
Primary Skills
TBD
Subproject Lead: TBA
This group will study and propose how a k8s security operator could improve and maintain the security posture of the target depoyment. The scope includes:
Defining the intent spec for security operator
Defining a high level architecture and call flow for sample use-cases
Defining how the tooling will be loosely coupled with the security intent
Primary Skills
Golang dev
k8s controller/operator dev
Design/Architecture
Subproject Lead: TBA
This group will study and propose how the Nephio components can achieve Zero Trust security and subsequently the full lifecycle to maintain the Zero Trust security posture. The scope includes:
Defining the security dimensions to consider for Zero Trust
Defining tooling to be used in the context
Defining how the zero trust security posture would be retained across platform and workload code/config updates
Primary Skills
Security background with understanding of deploying zero trust based security elements
k8s controller/operator dev
Design/Architecture
References: