TELCODOCS#2004: Day 2 Operations - Security Doc #86603
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
openshift-ci
bot
added
the
size/L
edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc
Outdated
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc
Outdated
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-sec-context-constraints.adoc
Outdated
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
from
6f8ad61 to
c696219
Compare
edge_computing/day_2_core_cnf_clusters/security/telco-security-sec-context-constraints.adoc
Outdated
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-sec-context-constraints.adoc
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
2 times, most recently
from
e97f5b3 to
0bf4138
Compare
edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc
Outdated
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc
Outdated
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-sec-context-constraints.adoc
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
from
0bf4138 to
bff68ec
Compare
edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc
Outdated
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
from
bff68ec to
bef32eb
Compare
edge_computing/day_2_core_cnf_clusters/security/telco-security-host-sec.adoc
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
from
bef32eb to
69931a5
Compare
openshift-ci
bot
added
size/XL
edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc
Outdated
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc
Outdated
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
from
69931a5 to
e1dfe58
Compare
edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc
Show resolved
Hide resolved
edge_computing/day_2_core_cnf_clusters/security/telco-security-basics.adoc
Show resolved
Hide resolved
sr1kar99
force-pushed
the
2004-telco-sec-doc
branch
from
e1dfe58 to
d97a0cf
Compare
|
@sr1kar99: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
|
/label peer-review-needed |
openshift-ci
bot
added
the
peer-review-needed
xenolinux
added
peer-review-in-progress
xenolinux
reviewed
Jan 2, 2025
|
|
||
| toc::[] | ||
|
|
||
| Security is a critical component of telecommunications deployments on {product-title}, particularly when running containerized network functions (CNFs). This document provides an overview of security considerations for deploying {product-title} in telecommunications (telco) environments, with a focus on securing Containerized Network Functions (CNFs). It is aimed at organizations and users working with high-bandwidth network deployments. |
There was a problem hiding this comment.
Suggested change
| Security is a critical component of telecommunications deployments on {product-title}, particularly when running containerized network functions (CNFs). This document provides an overview of security considerations for deploying {product-title} in telecommunications (telco) environments, with a focus on securing Containerized Network Functions (CNFs). It is aimed at organizations and users working with high-bandwidth network deployments. | |
| Security is a critical component of telecommunications (telco) deployments on {product-title}, particularly when running Cloud-native Network Functions (CNFs). This document provides an overview of security considerations for deploying {product-title} in telco environments, with a focus on securing CNFs. It is aimed at organizations and users working with high-bandwidth network deployments. |
- "This document provides an overview..." sentence needs to be revised as per the guideline: https://redhat-documentation.github.io/supplementary-style-guide/#shortdesc
Avoid self-referential language, such as "This topic covers…" or "Use this procedure to…".
I feel that sentence is redundant. Alternatively, you can consider removing it. If you chose to remove it then: ".....organizations and users working with high-bandwidth network deployments." can be combined in the first sentence. Up to you!
- Repo search gave me -- "Cloud-native Network Functions (CNFs)"
|
|
||
| Security is a critical component of telecommunications deployments on {product-title}, particularly when running containerized network functions (CNFs). This document provides an overview of security considerations for deploying {product-title} in telecommunications (telco) environments, with a focus on securing Containerized Network Functions (CNFs). It is aimed at organizations and users working with high-bandwidth network deployments. | ||
|
|
||
| The document consolidates key information from existing resources and highlights the most current security practices. It serves as a reference for understanding security standards and best practices for telco use cases. |
There was a problem hiding this comment.
- Same comment about self-reference and removing this sentence.
IMO, the sentence doesn't provide unique information hence can be removed. If you want to keep this sentence then you can mention something roughly like:
"Review the following security practices for telco use cases."
https://redhat-documentation.github.io/supplementary-style-guide/#shortdesc
Avoid self-referential language, such as "This topic covers…" or "Use this procedure to…".
Comment on lines
+27
to
+32
| [role="_additional-resources"] | ||
| .Additional resources | ||
|
|
||
| include::modules/telco-security-identity-prov-config.adoc[leveloffset=+1] | ||
|
|
||
| xref:../../../authentication/understanding-identity-provider.adoc[Understanding identity provider configuration] |
There was a problem hiding this comment.
Suggested change
| [role="_additional-resources"] | |
| .Additional resources | |
| include::modules/telco-security-identity-prov-config.adoc[leveloffset=+1] | |
| xref:../../../authentication/understanding-identity-provider.adoc[Understanding identity provider configuration] | |
| include::modules/telco-security-identity-prov-config.adoc[leveloffset=+1] | |
| [role="_additional-resources"] | |
| .Additional resources | |
| * xref:../../../authentication/understanding-identity-provider.adoc[Understanding identity provider configuration] |
To fix the preview rendering:
| .Prerequisites | ||
|
|
||
| * You have created a user with `cluster-admin` privileges. | ||
| * You have installed `oc`. |
There was a problem hiding this comment.
Suggested change
| * You have installed `oc`. | |
| * You have installed the OpenShift CLI (`oc`). |
| + | ||
| [NOTE] | ||
| ==== | ||
| Follow your organization's best practices for securing sensitive credentials. |
There was a problem hiding this comment.
Suggested change
| Follow your organization's best practices for securing sensitive credentials. | |
| Follow best practices of your organization for securing sensitive credentials. |
| + | ||
| [IMPORTANT] | ||
| ==== | ||
| The core user ID is initially given `sudo` privilege within the cluster. |
There was a problem hiding this comment.
Is sudo privileges given automatically/by default? If yes, then ignore my comment. If it's something done by user, then the note can be revised.
"You must give sudo....."
| + | ||
| [IMPORTANT] | ||
| ==== | ||
| The core user ID is initially given `sudo` privilege within the cluster. |
There was a problem hiding this comment.
Suggested change
| The core user ID is initially given `sudo` privilege within the cluster. | |
| The core user ID is initially given `sudo` privileges within the cluster. |
Replace singular/plural --- /privilege/privileges
| You must set up a cron job to run frequently to pull any changes into the cluster. | ||
| ==== | ||
|
|
||
| By using an identity provider, you can manage the level of access for specific groups within your organization. Teams requiring cluster-level privileges can be assigned the `cluster-admin` role, while application administrators can be given specific privileges that allow them to manage only their respective projects. Additionally, operational teams can be granted `view` access across the cluster, allowing them to monitor without modifying anything. |
There was a problem hiding this comment.
Consider revising this in an active voice.
| [id="telco-security-sec-considerations-telco_{context}"] | ||
| = Security considerations for telco CNFs | ||
|
|
||
| Telco workloads handle vast amounts of sensitive data and demand high reliability. A single security vulnerability can lead to broader cluster-wide compromises. With numerous components running on a {sno} cluster, each component must be secured to prevent any breach from escalating. Ensuring security across the entire infrastructure, including all components, is vital to maintaining the integrity of the Telco network and avoiding vulnerabilities. |
There was a problem hiding this comment.
Suggested change
| Telco workloads handle vast amounts of sensitive data and demand high reliability. A single security vulnerability can lead to broader cluster-wide compromises. With numerous components running on a {sno} cluster, each component must be secured to prevent any breach from escalating. Ensuring security across the entire infrastructure, including all components, is vital to maintaining the integrity of the Telco network and avoiding vulnerabilities. | |
| Telco workloads handle vast amounts of sensitive data and demand high reliability. A single security vulnerability can lead to broader cluster-wide compromises. With numerous components running on a {sno} cluster, each component must be secured to prevent any breach from escalating. Ensuring security across the entire infrastructure, including all components, is essential to maintaining the integrity of the telco network and avoiding vulnerabilities. |
Mostly "telco" is starting with lower case throughout the PR. Assuming "Telco" should be replaced by "telco" here as well.
| @@ -0,0 +1,96 @@ | |||
| :_mod-docs-content-type: ASSEMBLY | |||
There was a problem hiding this comment.
I think you can consider creating a module for some of the info present in this assembly.
xenolinux
added
peer-review-done
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Version(s):
4.16+
Issue:
TELCODOCS-2004
Link to docs preview:
QE review:
SME and QE reviews completed - https://gitlab.cee.redhat.com/telco-day-2-ops/telco-security-docs/-/merge_requests/4