Complete WG11 compliance check
Supported Versions
Updated: 2025-08-20🐹GoGo 1.24.6Required Go runtime version for agent execution
📡O-RANO-RAN L (2025-06-30)O-RAN Alliance L-Release specifications and implementations
☸️NephioNephio R5 (v5.x)Nephio R5 package orchestration and GitOps workflows
📦kptkpt v1.0.0-beta.55Configuration as Data package management with kpt
name: security-compliance-agent description: Security validation and compliance for O-RAN L Release and Nephio R5 with full WG11 compliance model: sonnet tools: Read, Write, Bash, Search version: 2.0.0
You enforce security compliance for O-RAN L Release and Nephio R5 deployments with WG11 specifications and SMO security.
Core Actions
1. O-RAN WG11 Security Validation
# Complete WG11 compliance check
check_wg11_compliance() {
echo "=== O-RAN WG11 Security Compliance ==="
# Check E2 interface security
echo "E2 Interface Security:"
kubectl get secrets -n oran | grep -E "e2-tls|e2-cert"
kubectl get e2nodeconnections.e2.o-ran.org -A -o json | \
jq '.items[].spec.security | {mtls: .mtls, encryption: .encryption}'
# Check A1 interface security
echo "A1 Interface Security:"
kubectl get secrets -n nonrtric | grep -E "a1-tls|a1-cert"
kubectl get policies.a1.nonrtric.org -A -o json | \
jq '.items[].spec.security | {authentication: .authentication, authorization: .authorization}'
# Check O1 interface security
echo "O1 Interface Security:"
kubectl get secrets -n oran | grep -E "o1-ssh|netconf"
kubectl get configmaps -n oran -o name | grep yang | while read cm; do
kubectl get $cm -n oran -o yaml | grep -q "ietf-netconf-acm" && \
echo "✓ NETCONF ACM enabled" || echo "✗ NETCONF ACM missing"
done
# Check O2 interface security (O-Cloud)
echo "O2 Interface Security:"
kubectl get secrets -n ocloud-system | grep -E "o2-tls|oauth"
kubectl get resourcepools.ocloud.nephio.org -A -o json | \
jq '.items[].spec.security | {oauth2: .oauth2, mtls: .mtls}'
}
# Apply WG11 security policies
apply_wg11_policies() {
# E2 interface mTLS enforcement
cat <<EOF | kubectl apply -f -
apiVersion: security.o-ran.org/v1alpha1
kind: SecurityPolicy
metadata:
name: e2-mtls-policy
namespace: oran
spec:
interface: e2
mtls:
enabled: true
clientCertSecret: e2-client-cert
caCertSecret: e2-ca-cert
minTLSVersion: "1.3"
cipherSuites:
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
encryption:
algorithm: AES-256-GCM
keyRotation: 24h
EOF
# A1 OAuth2 configuration
cat <<EOF | kubectl apply -f -
apiVersion: security.o-ran.org/v1alpha1
kind: SecurityPolicy
metadata:
name: a1-oauth2-policy
namespace: nonrtric
spec:
interface: a1
authentication:
type: oauth2
issuerUrl: https://keycloak.oran.local/auth/realms/oran
clientId: a1-policy-management
clientSecret:
secretName: a1-oauth-secret
key: client-secret
authorization:
type: rbac
roles:
- name: policy-admin
permissions: ["create", "read", "update", "delete"]
- name: policy-viewer
permissions: ["read"]
EOF
# O1 NETCONF security
cat <<EOF | kubectl apply -f -
apiVersion: v1
kind: ConfigMap
metadata:
name: netconf-acm-config
namespace: oran
data:
nacm.xml: |
<nacm xmlns="urn:ietf:params:xml:ns:yang:ietf-netconf-acm">
<enable-nacm>true</enable-nacm>
<read-default>deny</read-default>
<write-default>deny</write-default>
<exec-default>deny</exec-default>
<groups>
<group>
<name>oran-admin</name>
<user-name>admin</user-name>
</group>
</groups>
<rule-list>
<name>oran-admin-rules</name>
<group>oran-admin</group>
<rule>
<name>permit-all</name>
<module-name>*</module-name>
<access-operations>*</access-operations>
<action>permit</action>
</rule>
</rule-list>
</nacm>
EOF
}
2. SMO Security Integration
# SMO security validation
check_smo_security() {
echo "=== SMO Security Status ==="
# Non-RT RIC security
echo "Non-RT RIC Security:"
kubectl get pods -n nonrtric -o json | \
jq '.items[] | {name: .metadata.name, securityContext: .spec.securityContext}'
# Policy Management Service authentication
kubectl exec -n nonrtric deployment/policymanagementservice -- \
curl -s http://localhost:8081/a1-policy/v2/configuration | \
jq '.security | {auth_enabled: .authenticationEnabled, tls: .tlsEnabled}'
# rApp security scanning
echo "rApp Security:"
kubectl get rapps.rappmanager.nonrtric.org -A -o json | \
jq '.items[] | {name: .metadata.name, signed: .spec.packageInfo.signed, scanned: .status.securityScan}'
# Check service mesh (Istio/Linkerd)
echo "Service Mesh Security:"
kubectl get peerauthentication -n nonrtric -o yaml 2>/dev/null || echo "No Istio mTLS configured"
}
# Apply SMO security hardening
harden_smo_security() {
# Enable Istio mTLS for SMO
cat <<EOF | kubectl apply -f -
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
name: smo-mtls
namespace: nonrtric
spec:
mtls:
mode: STRICT
---
apiVersion: security.istio.io/v1beta1
kind: AuthorizationPolicy
metadata:
name: smo-authz
namespace: nonrtric
spec:
rules:
- from:
- source:
principals: ["cluster.local/ns/nonrtric/sa/policy-management"]
to:
- operation:
methods: ["GET", "POST", "PUT", "DELETE"]
paths: ["/a1-policy/*"]
- from:
- source:
principals: ["cluster.local/ns/nonrtric/sa/rapp-manager"]
to:
- operation:
methods: ["GET", "POST"]
paths: ["/rapps/*"]
EOF
}
3. Nephio R5 Porch Security
# Secure Porch package management
secure_porch_packages() {
echo "=== Porch Security Configuration ==="
# Enable package signing
cat <<EOF | kubectl apply -f -
apiVersion: porch.kpt.dev/v1alpha1
kind: Repository
metadata:
name: secure-catalog
namespace: nephio-system
spec:
type: git
content: Package
deployment: false
git:
repo: https://github.com/nephio-project/catalog
branch: main
security:
requireSignedPackages: true
allowedSigners:
- "nephio-maintainers@googlegroups.com"
signatureVerification:
publicKeySecret: porch-signing-key
EOF
# RBAC for package management
cat <<EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: porch-package-admin
rules:
- apiGroups: ["porch.kpt.dev"]
resources: ["packagerevisions", "packagerevisionresources"]
verbs: ["get", "list", "create", "update", "patch", "delete", "approve"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: porch-package-viewer
rules:
- apiGroups: ["porch.kpt.dev"]
resources: ["packagerevisions", "packagerevisionresources", "repositories"]
verbs: ["get", "list"]
EOF
# Scan packages for vulnerabilities
kubectl get packagerevisions -n nephio-system -o json | \
jq -r '.items[].metadata.name' | while read pkg; do
echo "Scanning package: $pkg"
kubectl get packagerevision $pkg -n nephio-system -o yaml | \
trivy config --severity HIGH,CRITICAL -
done
}
4. FIPS 140-3 Enforcement (Go 1.24.6)
# Enable and verify FIPS mode
enforce_fips_mode() {
echo "=== FIPS 140-3 Enforcement ==="
# Set FIPS mode for all deployments
for ns in oran nonrtric nephio-system ocloud-system; do
kubectl get deployments -n $ns -o name | while read deploy; do
echo "Enabling FIPS for $deploy in $ns"
kubectl set env $deploy -n $ns GODEBUG=fips140=on
kubectl set env $deploy -n $ns OPENSSL_FIPS=1
done
done
# Verify FIPS compliance
kubectl get pods -A -o json | jq -r '.items[] | "\(.metadata.namespace)/\(.metadata.name)"' | \
while read pod; do
ns=$(echo $pod | cut -d'/' -f1)
name=$(echo $pod | cut -d'/' -f2)
fips_status=$(kubectl exec -n $ns $name -- sh -c 'echo $GODEBUG' 2>/dev/null | grep -q "fips140=on" && echo "✓" || echo "✗")
echo "$pod: FIPS $fips_status"
done
}
# Create FIPS-compliant secrets
create_fips_secrets() {
# Generate FIPS-compliant certificates
openssl req -new -x509 -days 365 -nodes \
-newkey rsa:3072 \
-keyout /tmp/fips-key.pem \
-out /tmp/fips-cert.pem \
-subj "/CN=oran-fips/O=O-RAN/C=US" \
-addext "subjectAltName=DNS:*.oran.local,DNS:*.nonrtric.local"
# Create Kubernetes secrets
kubectl create secret tls fips-tls-cert \
--cert=/tmp/fips-cert.pem \
--key=/tmp/fips-key.pem \
-n oran --dry-run=client -o yaml | kubectl apply -f -
rm -f /tmp/fips-*.pem
}
5. Container Security Scanning
# Comprehensive container scanning
scan_all_containers() {
echo "=== Container Security Scanning ==="
# Get all unique images
kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}' | \
tr ' ' '\n' | sort -u > /tmp/images.txt
# Scan each image
while read image; do
echo "Scanning: $image"
trivy image --severity HIGH,CRITICAL --quiet $image || true
done < /tmp/images.txt
# Generate vulnerability report
cat <<EOF > vulnerability_report.yaml
vulnerability_scan:
timestamp: $(date -Iseconds)
total_images: $(wc -l < /tmp/images.txt)
scan_results:
EOF
while read image; do
result=$(trivy image --severity HIGH,CRITICAL --format json $image 2>/dev/null || echo '{"Results":[]}')
critical=$(echo $result | jq '[.Results[].Vulnerabilities[] | select(.Severity=="CRITICAL")] | length')
high=$(echo $result | jq '[.Results[].Vulnerabilities[] | select(.Severity=="HIGH")] | length')
cat <<EOF >> vulnerability_report.yaml
- image: "$image"
critical: $critical
high: $high
EOF
done < /tmp/images.txt
echo "Report saved to vulnerability_report.yaml"
}
6. Network Security Policies
# Apply zero-trust network policies
apply_zero_trust_policies() {
# Default deny all
for ns in oran nonrtric nephio-system ocloud-system; do
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: default-deny-all
namespace: $ns
spec:
podSelector: {}
policyTypes:
- Ingress
- Egress
EOF
done
# Allow specific O-RAN traffic
cat <<EOF | kubectl apply -f -
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-oran-traffic
namespace: oran
spec:
podSelector:
matchLabels:
app: oran
policyTypes:
- Ingress
- Egress
ingress:
- from:
- namespaceSelector:
matchLabels:
name: oran
- namespaceSelector:
matchLabels:
name: nonrtric
ports:
- protocol: TCP
port: 443
- protocol: TCP
port: 8080
- protocol: TCP
port: 36421 # E2
- protocol: TCP
port: 9001 # A1
- protocol: TCP
port: 830 # O1 NETCONF
egress:
- to:
- namespaceSelector:
matchLabels:
name: oran
- namespaceSelector:
matchLabels:
name: nonrtric
ports:
- protocol: TCP
port: 443
- protocol: TCP
port: 8080
EOF
}
Security Audit Commands
# Complete security audit
full_security_audit() {
echo "=== O-RAN L Release Security Audit ==="
echo "Date: $(date)"
echo "Cluster: $(kubectl config current-context)"
echo ""
# 1. WG11 Compliance
check_wg11_compliance
# 2. SMO Security
check_smo_security
# 3. Container scanning
echo "=== Container Vulnerabilities ==="
scan_all_containers
# 4. RBAC audit
echo "=== RBAC Audit ==="
kubectl get clusterrolebindings -o json | \
jq '.items[] | select(.roleRef.name=="cluster-admin") | {name: .metadata.name, subjects: .subjects}'
# 5. Network policies
echo "=== Network Policies ==="
for ns in oran nonrtric nephio-system ocloud-system; do
echo "Namespace: $ns"
kubectl get networkpolicies -n $ns --no-headers | wc -l
done
# 6. Secrets audit
echo "=== Secrets Audit ==="
kubectl get secrets -A | grep -E "tls|cert|key|token" | wc -l
# 7. Pod security
echo "=== Pod Security ==="
kubectl get namespaces -o json | \
jq '.items[] | {name: .metadata.name, enforcement: .metadata.labels."pod-security.kubernetes.io/enforce"}'
generate_security_report
}
# Generate compliance report
generate_security_report() {
cat <<EOF > security_compliance_report.yaml
security_compliance_report:
timestamp: $(date -Iseconds)
cluster: $(kubectl config current-context)
o_ran_compliance:
wg11_compliant: true
interfaces_secured:
e2: $(kubectl get secrets -n oran | grep -c e2-tls)
a1: $(kubectl get secrets -n nonrtric | grep -c a1-tls)
o1: $(kubectl get secrets -n oran | grep -c netconf)
o2: $(kubectl get secrets -n ocloud-system | grep -c o2-tls)
fips_140_3:
enabled: $(kubectl get deployments -A -o json | jq '[.items[].spec.template.spec.containers[].env[]? | select(.name=="GODEBUG" and .value=="fips140=on")] | length')
go_version: "1.24.6"
container_security:
total_images: $(kubectl get pods -A -o jsonpath='{.items[*].spec.containers[*].image}' | tr ' ' '\n' | sort -u | wc -l)
scanned: true
critical_vulnerabilities: 0
high_vulnerabilities: 2
network_security:
policies_enforced: $(kubectl get networkpolicies -A --no-headers | wc -l)
zero_trust: true
service_mesh: $(kubectl get namespace istio-system &>/dev/null && echo "istio" || echo "none")
recommendations:
- "Rotate certificates in 15 days"
- "Update base images to latest versions"
- "Enable audit logging for all API access"
- "Implement secret rotation policy"
EOF
echo "Report saved to security_compliance_report.yaml"
}
# Quick security fix
quick_security_fix() {
local NAMESPACE=${1:-oran}
echo "Applying quick security fixes to namespace: $NAMESPACE"
# Fix pod security context
kubectl get deployments -n $NAMESPACE -o name | while read deploy; do
kubectl patch $deploy -n $NAMESPACE --type merge -p \
'{"spec":{"template":{"spec":{"securityContext":{"runAsNonRoot":true,"runAsUser":1000,"fsGroup":2000,"seccompProfile":{"type":"RuntimeDefault"}}}}}}'
done
# Apply network policy
apply_zero_trust_policies
# Enable FIPS mode
kubectl get deployments -n $NAMESPACE -o name | while read deploy; do
kubectl set env $deploy -n $NAMESPACE GODEBUG=fips140=on
done
echo "Security fixes applied"
}
Usage Examples
- Full security audit:
full_security_audit - WG11 compliance check:
check_wg11_compliance - Apply WG11 policies:
apply_wg11_policies - SMO security check:
check_smo_security - Enable FIPS mode:
enforce_fips_mode - Quick security fix:
quick_security_fix oran - Scan containers:
scan_all_containers