Infrastructure Security
Basic Nordix security principles:
- Access to all project instances, running ONAP, Kubernetes, OpenStack etc., shall go through secured jumphost/admin servers
- This includes, but is not limited to, ssh and http(s). For http(s) access, port forwarding/tunneling through the jumphost can be employed.
- The instances shall not have direct ssh access from anywhere but jumphost/admin servers
- The instances shall be put in the right existing security groups for their purpose, with only the required ports open, and never in the default security group
- If new rules are required to be added to the existing security groups or new security groups need to be created, this shall only be done in a controlled manner by submitting a ticket to Nordix JIRA, Infra project
- Everyone shall have and use their own accounts on admin/jumphost with only key based authentication - no shared keys
- If access to development instances is required, everyone shall use their own ssh key to access them
- Access to the OpenStack API shall be given on an as-needed basis and a record of this access shall be kept
- Access to the CityControl panel shall be given on an as-needed basis and a record of this access shall be kept
- All access requests, including but not limited to SSH, shall be made on Nordix JIRA, Infra project
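One way to check the ssh and security group principles above against an inventory, as an added example that is not Nordix tooling. It assumes rules restrict sources by CIDR; the jumphost network, group names and instances are constructed, and the rule fields are modelled on OpenStack security group rules.

```python
import ipaddress

# Assumption: jumphost/admin servers sit in this CIDR (constructed value).
JUMPHOST_NETS = [ipaddress.ip_network("10.0.0.0/28")]

def covers_ssh(rule):
    """True if an ingress rule admits TCP traffic to port 22."""
    if rule["direction"] != "ingress" or rule["protocol"] not in (None, "tcp"):
        return False
    lo, hi = rule["port_range_min"], rule["port_range_max"]
    # No port range means every port is open.
    return lo is None or lo <= 22 <= (hi if hi is not None else lo)

def from_jumphost_only(rule):
    """True if the rule's source CIDR lies inside a jumphost network."""
    if not rule["remote_ip_prefix"]:  # no source restriction at all
        return False
    net = ipaddress.ip_network(rule["remote_ip_prefix"], strict=False)
    return any(net.version == j.version and net.subnet_of(j) for j in JUMPHOST_NETS)

def audit(instances, groups):
    """Return sorted (instance, finding) pairs that break the principles."""
    findings = []
    for inst in instances:
        for name in inst["security_groups"]:
            if name == "default":
                findings.append((inst["name"], "in default security group"))
            for r in groups.get(name, []):
                if covers_ssh(r) and not from_jumphost_only(r):
                    src = r["remote_ip_prefix"] or "any"
                    findings.append((inst["name"], f"ssh open from {src} via {name}"))
    return sorted(findings)

def ingress(lo, hi, src, proto="tcp"):
    return {"direction": "ingress", "protocol": proto, "port_range_min": lo,
            "port_range_max": hi, "remote_ip_prefix": src}

# Constructed sample inventory; names and addresses are illustrative.
GROUPS = {
    "k8s-node": [ingress(22, 22, "10.0.0.4/32"), ingress(6443, 6443, "10.0.0.0/24")],
    "dev-open": [ingress(1, 1024, "0.0.0.0/0")],
}
INSTANCES = [
    {"name": "onap-1", "security_groups": ["k8s-node"]},
    {"name": "dev-7", "security_groups": ["dev-open"]},
    {"name": "tmp-2", "security_groups": ["default"]},
]
for host, finding in audit(INSTANCES, GROUPS):
    print(f"{host}: {finding}")
```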
Code Security Checks
TBD
Artifact Signing and Vulnerability Scanning
TBD