2025-04-29 SIG Security Minutes


Community Attendees:

@Byung-Woo Jun

@Prashant Mishra

@Francois Duthilleul

@Phil Porras

@Rahul Jadhav

LF Staff:

Agenda

Antitrust Policy

  • Action Items Review

  • Next steps for Secrets Manager

  • Next steps for IaC scan

  • Nephio DockerHub Container Image scanning

Minutes

  • Secrets Management: quick snapshot of where we stand

    • SIG-Security has been trying hard to decouple the actual vault implementation (HashiCorp, OpenBao, Conjur, etc.) from the Nephio implementation.

    • One of the challenges is that there does not exist (at least we do not know of any) a common tool that can operate on a general secrets/identity-based k8s resource model and provide a way to access secrets. One of the requirements would be for this implementation to support SPIFFE-based identity.

    • An ESM-based implementation was discussed, but it is not clear whether that implementation can be used for this purpose.

  • Container image scanning was discussed; the LF ticket was closed because the LF team requires admin/owner permission on the Nephio DockerHub account. @Rahul Jadhav to follow up with SIG-Automation on Slack.

    • @Byung-Woo Jun: After discussion with Amy, we concluded that the Nephio team should grant access permissions to the LF IT team for image scanning.

Action items

  • @Rahul Jadhav to follow up with SIG-Automation for admin/owner access

  • @Byung-Woo Jun to check with ONAP on their solution for periodic container scanning - done; see the conclusion above.

  • @Francois Duthilleul to find help with ideas for decoupling the secrets manager tooling