ONAP Policy OPA PDP - OpenSSF Compliance and Security
Overview
The policy-opa-pdp component is part of the ONAP Policy Framework and plays a critical role in making policy decisions using the Open Policy Agent (OPA). As part of ONAP's commitment to secure and reliable open-source software, this component follows the OpenSSF (Open Source Security Foundation) best practices and is designed with security and compliance in mind, in line with ONAP's broader goal of secure, policy-driven automation. Its OpenSSF Gold alignment ensures that it meets industry standards for open-source software security and reliability.
OpenSSF Compliance
The ONAP Policy Framework, including the policy-opa-pdp, has achieved OpenSSF Gold Standard compliance. This reflects adherence to secure development practices, vulnerability management, and continuous integration standards.
OPA Policy and Istio Security Integration
Service Mesh Security Model
Module: policy-opa-pdp
External Communication
All external requests entering the mesh are secured using HTTPS.
These requests are typically routed through an Istio Ingress Gateway, which handles TLS termination and enforces external security policies.
Internal Service-to-Service Communication
Within the mesh, services communicate over plain HTTP at the application layer.
Mutual TLS (mTLS) is enforced by Istio for all internal traffic, so that traffic is encrypted in transit and the identity of each communicating service is verified, without the services themselves handling TLS.
Security Documentation
As part of the ONAP Paris release (May 2025), the following security improvements have been implemented:
- All internal communication is secured using Istio Service Mesh.
- Hard-coded credentials have been removed.
- Kubernetes pods now run with non-root privileges.
- Authentication is handled locally using secure secrets.
  - Secrets are stored and accessed in a secure manner, avoiding hard-coded values.
  - These credentials are strictly local to the pod and have no external reachability.
The entire component is encapsulated within a secure Istio mesh architecture, ensuring that all inter-service communication between microservices is encrypted and authenticated.
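The mesh-wide mTLS enforcement described under the Service Mesh Security Model and the non-root, secret-backed pod configuration listed above, shown together as an added illustrative example rather than ONAP's own manifests; the namespace, labels, environment variable names, Secret name and image are assumptions or placeholders:

```yaml
# Added example, not ONAP's own manifests. Namespace, labels, env names and
# Secret name (onap, policy-opa-pdp, API_USER, opa-pdp-creds) are assumptions.
# 1. Mesh-wide mTLS enforcement. STRICT rejects plaintext; PERMISSIVE
#    (Istio's default when no PeerAuthentication exists) still accepts
#    unencrypted connections, so it does not give the guarantee described above.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system   # a policy in the root namespace applies mesh-wide
spec:
  mtls:
    mode: STRICT
---
# 2. The PDP workload: non-root pod, and credentials taken from a Secret
#    instead of being hard-coded in the image or manifest.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: policy-opa-pdp
  namespace: onap
spec:
  selector:
    matchLabels:
      app: policy-opa-pdp
  template:
    metadata:
      labels:
        app: policy-opa-pdp
    spec:
      securityContext:
        runAsNonRoot: true        # kubelet refuses to start the container as UID 0
        runAsUser: 1000
      containers:
        - name: policy-opa-pdp
          image: ONAP_IMAGE_PLACEHOLDER   # placeholder; use the tag from the release manifests
          securityContext:
            allowPrivilegeEscalation: false
          env:
            - name: API_USER              # assumed variable name
              valueFrom:
                secretKeyRef:
                  name: opa-pdp-creds     # assumed Secret name
                  key: username
            - name: API_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: opa-pdp-creds
                  key: password
```

Check which mode is actually in effect with `kubectl get peerauthentication -A`: a namespace- or workload-scoped PERMISSIVE policy takes precedence over the mesh-wide STRICT one.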
