diff --git a/.github/actions/setup/action.yml b/.github/actions/setup/action.yml index 8edb6b6b2..fdd8a0752 100644 --- a/.github/actions/setup/action.yml +++ b/.github/actions/setup/action.yml @@ -16,7 +16,7 @@ runs: - name: Set up Go 1.21 uses: actions/setup-go@v4 with: - go-version: 1.21.4 + go-version: 1.21.5 cache: false - name: Disable default go problem matcher diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 83a70f93c..db9e08fb4 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -43,16 +43,16 @@ jobs: uses: actions/checkout@v4 - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Install ginkgo run: make install-tools # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL - uses: github/codeql-action/init@v2 + uses: github/codeql-action/init@v3 with: languages: ${{ matrix.language }} tools: latest @@ -64,7 +64,7 @@ jobs: # Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # If this step fails, then you should remove it and run the build manually (see below) - name: Autobuild - uses: github/codeql-action/autobuild@v2 + uses: github/codeql-action/autobuild@v3 # ℹ️ Command-line programs to run using the OS shell. # 📚 https://git.io/JvXDl @@ -78,4 +78,4 @@ jobs: # make release - name: Perform CodeQL Analysis - uses: github/codeql-action/analyze@v2 + uses: github/codeql-action/analyze@v3 diff --git a/.github/workflows/merge.yaml b/.github/workflows/merge.yaml index 64855646f..df63ea946 100644 --- a/.github/workflows/merge.yaml +++ b/.github/workflows/merge.yaml @@ -22,9 +22,9 @@ jobs: steps: - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Check out code into the Go module directory uses: actions/checkout@v4 
diff --git a/.github/workflows/pre-main.yaml b/.github/workflows/pre-main.yaml index fb41f596e..90d034d75 100644 --- a/.github/workflows/pre-main.yaml +++ b/.github/workflows/pre-main.yaml @@ -39,9 +39,9 @@ jobs: steps: - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" @@ -111,9 +111,9 @@ jobs: steps: - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" @@ -177,9 +177,9 @@ jobs: echo '{ "auths": {} }' >> ${PFLT_DOCKERCONFIG} - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" @@ -239,7 +239,7 @@ jobs: run: TNF_LOG_LEVEL=${TNF_SMOKE_TESTS_LOG_LEVEL} ./run-cnf-suites.sh -l "${SMOKE_TESTS_LABELS_FILTER}" - name: Upload smoke test results as an artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: always() with: name: smoke-tests @@ -276,7 +276,7 @@ jobs: run: TNF_LOG_LEVEL=${TNF_SMOKE_TESTS_LOG_LEVEL} ./run-cnf-suites.sh -l "preflight" - name: Upload preflight smoke test results as an artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: always() with: name: preflight-smoke-tests @@ -332,9 +332,9 @@ jobs: # needed by depends-on-action - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 @@ -394,7 +394,7 @@ jobs: # working_directory: collector - name: Upload container test results as an artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: always() with: name: smoke-tests-container 
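Review bot: The `actions/upload-artifact@v4` bump is not a drop-in replacement for v3: artifacts produced by v4 cannot be fetched with `actions/download-artifact@v3`, and a second upload to the same artifact name within one workflow run now fails instead of adding to the existing artifact. The steps here use fixed names (`smoke-tests`, `preflight-smoke-tests`, `smoke-tests-container`, `preflight-smoke-tests-container`), which is fine only if each name is written once per run; a matrix or re-run of the same job under one name needs a per-job suffix such as `name: smoke-tests-${{ matrix.name }}`. Whether any job downloads these artifacts is not visible in these hunks; if one exists, it should move to `download-artifact@v4` in the same change.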
@@ -431,7 +431,7 @@ jobs: run: TNF_LOG_LEVEL=${TNF_SMOKE_TESTS_LOG_LEVEL} ./run-tnf-container.sh ${{ env.TESTING_CMD_PARAMS }} -l "preflight" - name: Upload container preflight test results as an artifact - uses: actions/upload-artifact@v3 + uses: actions/upload-artifact@v4 if: always() with: name: preflight-smoke-tests-container diff --git a/.github/workflows/preflight.yml b/.github/workflows/preflight.yml index 8b55e41c2..c07d54671 100644 --- a/.github/workflows/preflight.yml +++ b/.github/workflows/preflight.yml @@ -18,9 +18,9 @@ jobs: - uses: actions/checkout@v4 - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 - name: Disable default go problem matcher run: echo "::remove-matcher owner=go::" diff --git a/.github/workflows/qe-hosted.yml b/.github/workflows/qe-hosted.yml index ae00fbdc4..c6e2b28ed 100644 --- a/.github/workflows/qe-hosted.yml +++ b/.github/workflows/qe-hosted.yml @@ -90,6 +90,11 @@ jobs: repository: ${{ env.QE_REPO }} path: cnfcert-tests-verification + - name: Extract dependent Pull Requests + uses: depends-on/depends-on-action@main + with: + token: ${{ secrets.GITHUB_TOKEN }} + - name: Run the tests uses: nick-fields/retry@v2 with: diff --git a/.github/workflows/update-rhcos-mapping.yml b/.github/workflows/update-rhcos-mapping.yml index 08e62c1d6..d8676ce88 100644 --- a/.github/workflows/update-rhcos-mapping.yml +++ b/.github/workflows/update-rhcos-mapping.yml @@ -21,9 +21,9 @@ jobs: run: make update-rhcos-versions - name: Set up Go 1.21 - uses: actions/setup-go@v4 + uses: actions/setup-go@v5 with: - go-version: 1.21.4 + go-version: 1.21.5 # This prevents any failures due to the updated rhcos_versions_map file from # making it into the PR phase. diff --git a/CATALOG.md b/CATALOG.md index 85751f8ba..dedfef03f 100644 --- a/CATALOG.md +++ b/CATALOG.md 
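Review bot: The new `Extract dependent Pull Requests` step in qe-hosted.yml pins a third-party action to a moving branch, `uses: depends-on/depends-on-action@main`, and passes it `secrets.GITHUB_TOKEN`; anyone able to push to that repository's main branch can change the code that runs with this workflow's token on the next run, with nothing changing in this repo. Every other action touched by this diff is pinned at least to a release tag, so this is the weakest pin in the set. Pin it to a full commit SHA with the version as a trailing comment, `uses: depends-on/depends-on-action@<full 40-char sha> # vX.Y.Z`, so that updates require a reviewable change here. The job's `permissions:` block and trigger are outside this hunk; unless the token is already scoped down, add a job-level `permissions:` granting only what this step needs (presumably `contents: read` and `pull-requests: read` — confirm against the action's documentation) so a compromised action cannot write to the repository.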
@@ -76,7 +76,7 @@ Property|Description Unique ID|access-control-cluster-role-bindings Description|Tests that a Pod does not specify ClusterRoleBindings. Suggested Remediation|In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac Exception Process|Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles & role bindings Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| @@ -92,7 +92,7 @@ Property|Description Unique ID|access-control-container-host-port Description|Verifies if containers define a hostPort. Suggested Remediation|Remove hostPort configuration from the container. CNF should avoid accessing host resources - containers should not configure HostPort. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-accessing-resource-on-host +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-accessing-resource-on-host Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -108,7 +108,7 @@ Property|Description Unique ID|access-control-crd-roles Description|If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test. Suggested Remediation|Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-custom-role-to-access-application-crds +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds Exception Process|No exception needed for optional/extended tests. Tags|extended,access-control |**Scenario**|**Optional/Mandatory**| @@ -124,7 +124,7 @@ Property|Description Unique ID|access-control-ipc-lock-capability-check Description|Ensures that containers do not use IPC_LOCK capability. CNF should avoid accessing host resources - spec.HostIpc should be false. Suggested Remediation|Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipc_lock +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipc_lock Exception Process|Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
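Review bot: The replacement link in the `access-control-crd-roles` entry has a duplicated path segment, `https://test-network-function.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds`; every other entry updated in this commit uses `cnf-best-practices-guide/`, so this one will not resolve. Change it to `https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-custom-role-to-access-application-crds`. If CATALOG.md is generated from test-case metadata elsewhere in the tree, the fix belongs in that metadata so the next regeneration does not reintroduce the typo.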
@@ -140,7 +140,7 @@ Property|Description Unique ID|access-control-namespace Description|Tests that all CNF's resources (PUTs and CRs) belong to valid namespaces. A valid namespace meets the following conditions: (1) It was declared in the yaml config file under the targetNameSpaces tag. (2) It does not have any of the following prefixes: default, openshift-, istio- and aspenmesh- Suggested Remediation|Ensure that your CNF utilizes namespaces declared in the yaml config file. Additionally, the namespaces should not start with "default, openshift-, istio- or aspenmesh-". -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -156,7 +156,7 @@ Property|Description Unique ID|access-control-namespace-resource-quota Description|Checks to see if CNF workload pods are running in namespaces that have resource quotas applied. Suggested Remediation|Apply a ResourceQuota to the namespace your CNF is running in. The CNF namespace should have resource quota defined. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-memory-allocation +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-memory-allocation Exception Process|No exception needed for optional/extended tests. Tags|extended,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -172,7 +172,7 @@ Property|Description Unique ID|access-control-net-admin-capability-check Description|Ensures that containers do not use NET_ADMIN capability. Note: this test also ensures iptables and nftables are not configured by CNF pods: - NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods. nftables should be configured by an administrator outside the scope of the CNF. nftables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. - Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables should be configured by an administrator outside the scope of the CNF. iptables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. Suggested Remediation|Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-net_admin +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-net_admin Exception Process|Exception will be considered for user plane or networking functions (e.g. SR-IOV, Multicast). Must identify which container requires the capability and detail why. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -188,7 +188,7 @@ Property|Description Unique ID|access-control-net-raw-capability-check Description|Ensures that containers do not use NET_RAW capability. Note: this test also ensures iptables and nftables are not configured by CNF pods: - NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods. nftables should be configured by an administrator outside the scope of the CNF. nftables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. - Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables should be configured by an administrator outside the scope of the CNF. iptables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. Suggested Remediation|Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-user-plane-cnfs +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-user-plane-cnfs Exception Process|Exception will be considered for user plane or networking functions. Must identify which container requires the capability and detail why. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -220,7 +220,7 @@ Property|Description Unique ID|access-control-one-process-per-container Description|Check that all containers under test have only one process running Suggested Remediation|Launch only one process per container. Should adhere to 1 process per container best practice wherever possible. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-one-process-per-container +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-one-process-per-container Exception Process|No exception needed for optional/extended tests. Not applicable to SNO applications. Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -236,7 +236,7 @@ Property|Description Unique ID|access-control-pod-automount-service-account-token Description|Check that all pods under test have automountServiceAccountToken set to false. Only pods that require access to the kubernetes API server should have automountServiceAccountToken set to true Suggested Remediation|Check that pod has automountServiceAccountToken set to false or pod is attached to service account which has automountServiceAccountToken set to false, unless the pod needs access to the kubernetes API server. Pods which do not need API access should set automountServiceAccountToken to false in pod spec. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-automount-services-for-pods +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-automount-services-for-pods Exception Process|Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -252,7 +252,7 @@ Property|Description Unique ID|access-control-pod-host-ipc Description|Verifies that the spec.HostIpc parameter is set to false Suggested Remediation|Set the spec.HostIpc parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostIpc should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -268,7 +268,7 @@ Property|Description Unique ID|access-control-pod-host-network Description|Verifies that the spec.HostNetwork parameter is not set (not present) Suggested Remediation|Set the spec.HostNetwork parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostNetwork should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -284,7 +284,7 @@ Property|Description Unique ID|access-control-pod-host-path Description|Verifies that the spec.HostPath parameter is not set (not present) Suggested Remediation|Set the spec.HostPath parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostPath should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -300,7 +300,7 @@ Property|Description Unique ID|access-control-pod-host-pid Description|Verifies that the spec.HostPid parameter is set to false Suggested Remediation|Set the spec.HostPid parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostPid should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -316,7 +316,7 @@ Property|Description Unique ID|access-control-pod-role-bindings Description|Ensures that a CNF does not utilize RoleBinding(s) in a non-CNF Namespace. Suggested Remediation|Ensure the CNF is not configured to use RoleBinding(s) in a non-CNF Namespace. Scope of role must <= scope of creator of role. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -332,7 +332,7 @@ Property|Description Unique ID|access-control-pod-service-account Description|Tests that each CNF Pod utilizes a valid Service Account. Default or empty service account is not valid. Suggested Remediation|Ensure that the each CNF Pod is configured to use a valid Service Account -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-scc-permissions-for-an-application +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-scc-permissions-for-an-application Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -348,7 +348,7 @@ Property|Description Unique ID|access-control-requests-and-limits Description|Check that containers have resource requests and limits specified in their spec. Suggested Remediation|Add requests and limits to your container spec. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requests/limits +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requests/limits Exception Process|There is no documented exception process for this. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| @@ -364,7 +364,7 @@ Property|Description Unique ID|access-control-security-context Description|Checks the security context matches one of the 4 categories Suggested Remediation|Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and document why. If the container had the right configuration of the allowed category from the 4 approved list then the test will pass. The 4 categories are defined in Requirement ID 94118 of the Extended Best Practices guide (private repo) -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security Exception Process|no exception needed for optional/extended test Tags|extended,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -380,7 +380,7 @@ Property|Description Unique ID|access-control-security-context-non-root-user-check Description|Checks the security context runAsUser parameter in pods and containers to make sure it is not set to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0). Suggested Remediation|Change the pod and containers "runAsUser" uid to something other than root(0) -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security Exception Process|No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details. Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -396,7 +396,7 @@ Property|Description Unique ID|access-control-security-context-privilege-escalation Description|Checks if privileged escalation is enabled (AllowPrivilegeEscalation=true). Suggested Remediation|Configure privilege escalation to false. Privileged escalation should not be allowed (AllowPrivilegeEscalation=false). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -412,7 +412,7 @@ Property|Description Unique ID|access-control-service-type Description|Tests that each CNF Service does not utilize NodePort(s). Suggested Remediation|Ensure Services are not configured to use NodePort(s).CNF should avoid accessing host resources - tests that each CNF Service does not utilize NodePort(s). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -428,7 +428,7 @@ Property|Description Unique ID|access-control-ssh-daemons Description|Check that pods do not run SSH daemons. Suggested Remediation|Ensure that no SSH daemons are running inside a pod. Pods should not run as SSH Daemons (replicaset or statefulset only). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-interaction/configuration +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-interaction/configuration Exception Process|No exceptions - special consideration can be given to certain containers which run as utility tool daemon Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -444,7 +444,7 @@ Property|Description Unique ID|access-control-sys-admin-capability-check Description|Ensures that containers do not use SYS_ADMIN capability Suggested Remediation|Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. Containers should not use the SYS_ADMIN Linux capability. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-sys_admin +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-sys_admin Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -460,7 +460,7 @@ Property|Description Unique ID|access-control-sys-nice-realtime-capability Description|Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a CNF is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO. Suggested Remediation|If pods are scheduled to realtime kernel nodes, they must add SYS_NICE capability to their spec. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_nice +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_nice Exception Process|There is no documented exception process for this. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -476,7 +476,7 @@ Property|Description Unique ID|access-control-sys-ptrace-capability Description|Check that if process namespace sharing is enabled for a Pod then the SYS_PTRACE capability is allowed. This capability is required when using Process Namespace Sharing. This is used when processes from one Container need to be exposed to another Container. For example, to send signals like SIGHUP from a process in a Container to another process in another Container. For more information on these capabilities refer to https://cloud.redhat.com/blog/linux-capabilities-in-openshift and https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ Suggested Remediation|Allow the SYS_PTRACE capability when enabling process namespace sharing for a Pod -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_ptrace +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_ptrace Exception Process|There is no documented exception process for this. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| @@ -510,7 +510,7 @@ Property|Description Unique ID|affiliated-certification-helm-version Description|Test to check if the helm chart is v3 Suggested Remediation|Check Helm Chart is v3 and not v2 which is not supported due to security risks associated with Tiller. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-helm +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-helm Exception Process|There is no documented exception process for this. Tags|common,affiliated-certification |**Scenario**|**Optional/Mandatory**| 
@@ -542,7 +542,7 @@ Property|Description Unique ID|affiliated-certification-operator-is-certified Description|Tests whether CNF Operators listed in the configuration file have passed the Red Hat Operator Certification Program (OCP). Suggested Remediation|Ensure that your Operator has passed Red Hat's Operator Certification Program (OCP). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements Exception Process|There is no documented exception process for this.Partner can run CNF Certification test suite before passing other certifications (Container/Operator/HelmChart) but the affiliated certification test cases in CNF Certification test suite must be re-run once the other certifications have been granted. Tags|common,affiliated-certification |**Scenario**|**Optional/Mandatory**| @@ -560,7 +560,7 @@ Property|Description Unique ID|lifecycle-affinity-required-pods Description|Checks that affinity rules are in place if AffinityRequired: 'true' labels are set on Pods. Suggested Remediation|Pods which need to be co-located on the same node need Affinity rules. If a pod/statefulset/deployment is required to use affinity rules, please add AffinityRequired: 'true' as a label. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -573,11 +573,11 @@ Tags|telco,lifecycle Property|Description ---|--- -Unique ID|lifecycle-container-poststart -Description|Ensure that the containers lifecycle postStart management feature is configured. A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shutdown as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down. -Suggested Remediation|PostStart is normally used to configure the container, set up dependencies, and record the new creation. You could use this event to check that a required API is available before the container’s main work begins. Kubernetes will not change the container’s state to Running until the PostStart script has executed successfully. For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. PostStart is used to configure container, set up dependencies, record new creation. It can also be used to check that a required API is available before the container’s work begins. +Unique ID|lifecycle-container-shutdown +Description|Ensure that the containers lifecycle preStop management feature is configured. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. When pods are shut down by the platform they are sent a SIGTERM signal which means that the process in the container should start shutting down, closing connections and stopping all activity. 
If the pod doesn’t shut down within the default 30 seconds then the platform may send a SIGKILL signal which will stop the pod immediately. This method isn’t as clean and the default time between the SIGTERM and SIGKILL messages can be modified based on the requirements of the application. Containers should respond to SIGTERM/SIGKILL with graceful shutdown. +Suggested Remediation|The preStop can be used to gracefully stop the container and clean resources (e.g., DB connection). For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. All pods must respond to SIGTERM signal and shutdown gracefully with a zero exit code. Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices -Exception Process|Identify which pod is not conforming to the process and submit information as to why it cannot use a postStart startup specification. +Exception Process|Identify which pod is not conforming to the process and submit information as to why it cannot use a preStop shutdown specification. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| |Extended|Mandatory| 
@@ -589,11 +589,11 @@ Tags|telco,lifecycle Property|Description ---|--- -Unique ID|lifecycle-container-prestop -Description|Ensure that the containers lifecycle preStop management feature is configured. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. When pods are shut down by the platform they are sent a SIGTERM signal which means that the process in the container should start shutting down, closing connections and stopping all activity. If the pod doesn’t shut down within the default 30 seconds then the platform may send a SIGKILL signal which will stop the pod immediately. This method isn’t as clean and the default time between the SIGTERM and SIGKILL messages can be modified based on the requirements of the application. Containers should respond to SIGTERM/SIGKILL with graceful shutdown. -Suggested Remediation|The preStop can be used to gracefully stop the container and clean resources (e.g., DB connection). For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. All pods must respond to SIGTERM signal and shutdown gracefully with a zero exit code. +Unique ID|lifecycle-container-startup +Description|Ensure that the containers lifecycle postStart management feature is configured. A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shutdown as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down. 
+Suggested Remediation|PostStart is normally used to configure the container, set up dependencies, and record the new creation. You could use this event to check that a required API is available before the container’s main work begins. Kubernetes will not change the container’s state to Running until the PostStart script has executed successfully. For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. PostStart is used to configure container, set up dependencies, record new creation. It can also be used to check that a required API is available before the container’s work begins. Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices -Exception Process|Identify which pod is not conforming to the process and submit information as to why it cannot use a preStop shutdown specification. +Exception Process|Identify which pod is not conforming to the process and submit information as to why it cannot use a postStart startup specification. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| |Extended|Mandatory| 
@@ -608,7 +608,7 @@ Property|Description
 Unique ID|lifecycle-cpu-isolation
 Description|CPU isolation requires: For each container within the pod, resource requests and limits must be identical. If cpu requests and limits are not identical and in whole units (Guaranteed pods with exclusive cpus), your pods will not be tested for compliance. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.
 Suggested Remediation|CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-isolation
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-isolation
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -624,7 +624,7 @@ Property|Description
 Unique ID|lifecycle-crd-scaling
 Description|Tests that CNF crd support scale in/out operations. First, the test starts getting the current replicaCount (N) of the crd/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the crd/s. In case of crd that are managed by HPA the test is changing the min and max value to crd Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the crd/s
 Suggested Remediation|Ensure CNF crd/replica sets can scale in/out successfully.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this. Not applicable to SNO applications.
 Tags|common,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -640,7 +640,7 @@ Property|Description
 Unique ID|lifecycle-deployment-scaling
 Description|Tests that CNF deployments support scale in/out operations. First, the test starts getting the current replicaCount (N) of the deployment/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the deployment/s. In case of deployments that are managed by HPA the test is changing the min and max value to deployment Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the deployment/s
 Suggested Remediation|Ensure CNF deployments/replica sets can scale in/out successfully.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this. Not applicable to SNO applications.
 Tags|common,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -656,7 +656,7 @@ Property|Description
 Unique ID|lifecycle-image-pull-policy
 Description|Ensure that the containers under test are using IfNotPresent as Image Pull Policy. If there is a situation where the container dies and needs to be restarted, the image pull policy becomes important. PullIfNotPresent is recommended so that a loss of image registry access does not prevent the pod from restarting.
 Suggested Remediation|Ensure that the containers under test are using IfNotPresent as Image Pull Policy.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-use-imagepullpolicy-if-not-present
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-use-imagepullpolicy-if-not-present
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -672,7 +672,7 @@ Property|Description
 Unique ID|lifecycle-liveness-probe
 Description|Check that all containers under test have liveness probe defined. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. When starting up, health probes like liveness and readiness checks can be put into place to ensure the application is functioning properly.
 Suggested Remediation|Add a liveness probe to deployed containers. CNFs shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -688,7 +688,7 @@ Property|Description
 Unique ID|lifecycle-persistent-volume-reclaim-policy
 Description|Check that the persistent volumes the CNF pods are using have a reclaim policy of delete. Network Functions should clear persistent storage by deleting their PVs when removing their application from a cluster.
 Suggested Remediation|Ensure that all persistent volumes are using the reclaim policy: delete
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-csi
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-csi
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -704,7 +704,7 @@ Property|Description
 Unique ID|lifecycle-pod-high-availability
 Description|Ensures that CNF Pods specify podAntiAffinity rules and replica value is set to more than 1.
 Suggested Remediation|In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 .
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this. Not applicable to SNO applications.
 Tags|common,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -720,7 +720,7 @@ Property|Description
 Unique ID|lifecycle-pod-owner-type
 Description|Tests that CNF Pod(s) are deployed as part of a ReplicaSet(s)/StatefulSet(s).
 Suggested Remediation|Deploy the CNF using ReplicaSet/StatefulSet.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-no-naked-pods
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-no-naked-pods
 Exception Process|There is no documented exception process for this. Pods should not be deployed as DaemonSet or naked pods.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -736,7 +736,7 @@ Property|Description
 Unique ID|lifecycle-pod-recreation
 Description|Tests that a CNF is configured to support High Availability. First, this test cordons and drains a Node that hosts the CNF Pod. Next, the test ensures that OpenShift can re-instantiate the Pod on another Node, and that the actual replica count matches the desired replica count.
 Suggested Remediation|Ensure that CNF Pod(s) utilize a configuration that supports High Availability. Additionally, ensure that there are available Nodes in the OpenShift cluster that can be utilized in the event that a host Node fails.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations
 Exception Process|No exceptions - workloads should be able to be restarted/recreated.
 Tags|common,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -752,7 +752,7 @@ Property|Description
 Unique ID|lifecycle-pod-scheduling
 Description|Ensures that CNF Pods do not specify nodeSelector or nodeAffinity. In most cases, Pods should allow for instantiation on any underlying Node. CNFs shall not use node selectors nor taints/tolerations to assign pod location.
 Suggested Remediation|In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which CNFs require specialized hardware specific to a particular class of Node.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|Exception will only be considered if application requires specialized hardware. Must specify which container requires special hardware and why.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -768,7 +768,7 @@ Property|Description
 Unique ID|lifecycle-pod-toleration-bypass
 Description|Check that pods do not have NoExecute, PreferNoSchedule, or NoSchedule tolerations that have been modified from the default.
 Suggested Remediation|Do not allow pods to bypass the NoExecute, PreferNoSchedule, or NoSchedule tolerations that are default applied by Kubernetes.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-taints-and-tolerations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-taints-and-tolerations
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -784,7 +784,7 @@ Property|Description
 Unique ID|lifecycle-readiness-probe
 Description|Check that all containers under test have readiness probe defined. There are different ways a pod can stop on on OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.
 Suggested Remediation|Add a readiness probe to deployed containers
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -800,7 +800,7 @@ Property|Description
 Unique ID|lifecycle-startup-probe
 Description|Check that all containers under test have startup probe defined. CNFs shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum.
 Suggested Remediation|Add a startup probe to deployed containers
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status
 Exception Process|There is no documented exception process for this.
 Tags|telco,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -816,7 +816,7 @@ Property|Description
 Unique ID|lifecycle-statefulset-scaling
 Description|Tests that CNF statefulsets support scale in/out operations. First, the test starts getting the current replicaCount (N) of the statefulset/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the statefulset/s. In case of statefulsets that are managed by HPA the test is changing the min and max value to statefulset Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the statefulset/s
 Suggested Remediation|Ensure CNF statefulsets/replica sets can scale in/out successfully.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this. Not applicable to SNO applications.
 Tags|common,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -832,7 +832,7 @@ Property|Description
 Unique ID|lifecycle-storage-provisioner
 Description|Checks that pods do not place persistent volumes on local storage in multinode clusters. Local storage is recommended for single node clusters, but only one type of local storage should be installed (lvms or noprovisioner).
 Suggested Remediation|Use a non-local storage (e.g. no kubernetes.io/no-provisioner and no topolvm.io provisioners) in multinode clusters. Local storage are recommended for single node clusters only, but a single local provisioner should be installed.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-local-storage
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-local-storage
 Exception Process|No exceptions
 Tags|common,lifecycle
 |**Scenario**|**Optional/Mandatory**|
@@ -850,7 +850,7 @@ Property|Description
 Unique ID|manageability-container-port-name-format
 Description|Check that the container's ports name follow the naming conventions. Name field in ContainerPort section must be of form `[-]`. More naming convention requirements may be released in future
 Suggested Remediation|Ensure that the container's ports name follow our partner naming conventions
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs
 Exception Process|No exception needed for optional/extended tests.
 Tags|extended,manageability
 |**Scenario**|**Optional/Mandatory**|
@@ -866,7 +866,7 @@ Property|Description
 Unique ID|manageability-containers-image-tag
 Description|Check that image tag exists on containers.
 Suggested Remediation|Ensure that all the container images are tagged. Checks containers have image tags (e.g. latest, stable, dev).
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-tagging
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-tagging
 Exception Process|No exception needed for optional/extended tests.
 Tags|extended,manageability
 |**Scenario**|**Optional/Mandatory**|
@@ -884,7 +884,7 @@ Property|Description
 Unique ID|networking-dpdk-cpu-pinning-exec-probe
 Description|If a CNF is doing CPU pinning, exec probes may not be used.
 Suggested Remediation|If the CNF is doing CPU pinning and running a DPDK process do not use exec probes (executing a command within the container) as it may pile up and block the node eventually.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-manager-pinning
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-manager-pinning
 Exception Process|There is no documented exception process for this.
 Tags|telco,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -900,7 +900,7 @@ Property|Description
 Unique ID|networking-dual-stack-service
 Description|Checks that all services in namespaces under test are either ipv6 single stack or dual stack. This test case requires the deployment of the debug daemonset.
 Suggested Remediation|Configure every CNF services with either a single stack ipv6 or dual stack (ipv4/ipv6) load balancer.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-&-ipv6
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6
 Exception Process|No exception needed for optional/extended tests.
 Tags|extended,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -916,7 +916,7 @@ Property|Description
 Unique ID|networking-icmpv4-connectivity
 Description|Checks that each CNF Container is able to communicate via ICMPv4 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.
 Suggested Remediation|Ensure that the CNF is able to communicate via the Default OpenShift network. In some rare cases, CNFs may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-&-ipv6
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6
 Exception Process|No exceptions - must be able to communicate on default network using IPv4
 Tags|common,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -932,7 +932,7 @@ Property|Description
 Unique ID|networking-icmpv4-connectivity-multus
 Description|Checks that each CNF Container is able to communicate via ICMPv4 on the Multus network(s). This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.
 Suggested Remediation|Ensure that the CNF is able to communicate via the Multus network(s). In some rare cases, CNFs may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if MULTUS is not supported.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this.
 Tags|telco,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -948,7 +948,7 @@ Property|Description
 Unique ID|networking-icmpv6-connectivity
 Description|Checks that each CNF Container is able to communicate via ICMPv6 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.
 Suggested Remediation|Ensure that the CNF is able to communicate via the Default OpenShift network. In some rare cases, CNFs may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if IPv6 is not supported.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-&-ipv6
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6
 Exception Process|There is no documented exception process for this.
 Tags|common,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -964,7 +964,7 @@ Property|Description
 Unique ID|networking-icmpv6-connectivity-multus
 Description|Checks that each CNF Container is able to communicate via ICMPv6 on the Multus network(s). This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.
 Suggested Remediation|Ensure that the CNF is able to communicate via the Multus network(s). In some rare cases, CNFs may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it.The label value is trivial, only its presence. Not applicable if IPv6/MULTUS is not supported.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|There is no documented exception process for this.
 Tags|telco,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -980,7 +980,7 @@ Property|Description
 Unique ID|networking-network-policy-deny-all
 Description|Check that network policies attached to namespaces running CNF pods contain a default deny-all rule for both ingress and egress traffic
 Suggested Remediation|Ensure that a NetworkPolicy with a default deny-all is applied. After the default is applied, apply a network policy to allow the traffic your application requires.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-vrfs-aka-routing-instances
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-vrfs-aka-routing-instances
 Exception Process|No exception needed for optional/extended tests.
 Tags|common,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -996,7 +996,7 @@ Property|Description
 Unique ID|networking-ocp-reserved-ports-usage
 Description|Check that containers do not listen on ports that are reserved by OpenShift
 Suggested Remediation|Ensure that CNF apps do not listen on ports that are reserved by OpenShift. The following ports are reserved by OpenShift and must NOT be used by any application: 22623, 22624.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ports-reserved-by-openshift
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ports-reserved-by-openshift
 Exception Process|No exceptions
 Tags|common,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -1044,7 +1044,7 @@ Property|Description
 Unique ID|networking-undeclared-container-ports-usage
 Description|Check that containers do not listen on ports that weren't declared in their specification. Platforms may be configured to block undeclared ports.
 Suggested Remediation|Ensure the CNF apps do not listen on undeclared containers' ports.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs
 Exception Process|No exception needed for optional/extended tests.
 Tags|extended,networking
 |**Scenario**|**Optional/Mandatory**|
@@ -1062,7 +1062,7 @@ Property|Description
 Unique ID|observability-container-logging
 Description|Check that all containers under test use standard input output and standard error when logging. A container must provide APIs for the platform to observe the container health and act accordingly. These APIs include health checks (liveness and readiness), logging to stderr and stdout for log aggregation (by tools such as Logstash or Filebeat), and integrate with tracing and metrics-gathering libraries (such as Prometheus or Metricbeat).
 Suggested Remediation|Ensure containers are not redirecting stdout/stderr
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-logging
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-logging
 Exception Process|There is no documented exception process for this.
 Tags|telco,observability
 |**Scenario**|**Optional/Mandatory**|
@@ -1078,7 +1078,7 @@ Property|Description
 Unique ID|observability-crd-status
 Description|Checks that all CRDs have a status sub-resource specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]).
 Suggested Remediation|Ensure that all the CRDs have a meaningful status specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]).
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,observability
 |**Scenario**|**Optional/Mandatory**|
@@ -1094,7 +1094,7 @@ Property|Description
 Unique ID|observability-pod-disruption-budget
 Description|Checks to see if pod disruption budgets have allowed values for minAvailable and maxUnavailable
 Suggested Remediation|Ensure minAvailable is not zero and maxUnavailable does not equal the number of pods in the replica
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations
 Exception Process|No exceptions
 Tags|common,observability
 |**Scenario**|**Optional/Mandatory**|
@@ -1110,7 +1110,7 @@ Property|Description
 Unique ID|observability-termination-policy
 Description|Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.
 Suggested Remediation|Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status
 Exception Process|There is no documented exception process for this.
 Tags|telco,observability
 |**Scenario**|**Optional/Mandatory**|
@@ -1128,7 +1128,7 @@ Property|Description
 Unique ID|operator-install-source
 Description|Tests whether a CNF Operator is installed via OLM.
 Suggested Remediation|Ensure that your Operator is installed via OLM.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator
 |**Scenario**|**Optional/Mandatory**|
@@ -1144,7 +1144,7 @@ Property|Description
 Unique ID|operator-install-status-no-privileges
 Description|The operator is not installed with privileged rights. Test passes if clusterPermissions is not present in the CSV manifest or is present with no resourceNames under its rules.
 Suggested Remediation|Ensure all the CNF operators have no privileges on cluster resources.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator
 |**Scenario**|**Optional/Mandatory**|
@@ -1160,7 +1160,7 @@ Property|Description
 Unique ID|operator-install-status-succeeded
 Description|Ensures that the target CNF operators report "Succeeded" as their installation status.
 Suggested Remediation|Ensure all the CNF operators have been successfully installed by OLM.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements
 Exception Process|No exceptions
 Tags|common,operator
 |**Scenario**|**Optional/Mandatory**|
@@ -1276,7 +1276,7 @@ Property|Description
 Unique ID|platform-alteration-base-image
 Description|Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64
 Suggested Remediation|Ensure that Container applications do not modify the Container Base Image. In particular, ensure that the following directories are not modified: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Ensure that all required binaries are built directly into the container image, and are not installed post startup.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-standards
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-standards
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1292,7 +1292,7 @@ Property|Description
 Unique ID|platform-alteration-boot-params
 Description|Tests that boot parameters are set through the MachineConfigOperator, and not set manually on the Node.
 Suggested Remediation|Ensure that boot parameters are set directly through the MachineConfigOperator, or indirectly through the PerformanceAddonOperator. Boot parameters should not be changed directly through the Node, as OpenShift should manage the changes for you.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1324,7 +1324,7 @@ Property|Description
 Unique ID|platform-alteration-hugepages-2m-only
 Description|Check that pods using hugepages only use 2Mi size
 Suggested Remediation|Modify pod to consume 2Mi hugepages only
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages
 Exception Process|No exception needed for optional/extended tests.
 Tags|extended,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1340,7 +1340,7 @@ Property|Description
 Unique ID|platform-alteration-hugepages-config
 Description|Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the "worker" MachineConfigSet. First, the "worker" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.
 Suggested Remediation|HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your CNF on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. This test case applies only to Nodes that are configured with the "worker" MachineConfigSet.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1372,7 +1372,7 @@ Property|Description
 Unique ID|platform-alteration-is-selinux-enforcing
 Description|verifies that all openshift platform/cluster nodes have selinux in "Enforcing" mode.
 Suggested Remediation|Configure selinux and enable enforcing mode.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-security
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-security
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1388,7 +1388,7 @@ Property|Description
 Unique ID|platform-alteration-isredhat-release
 Description|verifies if the container base image is redhat.
 Suggested Remediation|Build a new container image that is based on UBI (Red Hat Universal Base Image).
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-base-images
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-base-images
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1404,7 +1404,7 @@ Property|Description
 Unique ID|platform-alteration-ocp-lifecycle
 Description|Tests that the running OCP version is not end of life.
 Suggested Remediation|Please update your cluster to a version that is generally available.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-k8s
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-k8s
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1420,7 +1420,7 @@ Property|Description
 Unique ID|platform-alteration-ocp-node-os-lifecycle
 Description|Tests that the nodes running in the cluster have operating systems that are compatible with the deployed version of OpenShift.
 Suggested Remediation|Please update your workers to a version that is supported by your version of OpenShift
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1452,7 +1452,7 @@ Property|Description
 Unique ID|platform-alteration-sysctl-config
 Description|Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured
 Suggested Remediation|You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security
 Exception Process|No exceptions
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
@@ -1468,7 +1468,7 @@ Property|Description
 Unique ID|platform-alteration-tainted-node-kernel
 Description|Ensures that the Node(s) hosting CNFs do not utilize tainted kernels. This test case is especially important to support Highly Available CNFs, since when a CNF is re-instantiated on a backup Node, that Node's kernel may not have the same hacks.'
 Suggested Remediation|Test failure indicates that the underlying Node's kernel is tainted. Ensure that you have not altered underlying Node(s) kernels in order to run the CNF.
-Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations
+Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations
 Exception Process|If taint is necessary, document details of the taint and why it's needed by workload or environment.
 Tags|common,platform-alteration
 |**Scenario**|**Optional/Mandatory**|
diff --git a/COMMITMENT b/COMMITMENT
deleted file mode 100644
index 47ca828a2..000000000
--- a/COMMITMENT
+++ /dev/null
@@ -1,46 +0,0 @@ -GPL Cooperation Commitment -Version 1.0 - -Before filing or continuing to prosecute any legal proceeding or claim -(other than a Defensive Action) arising from termination of a Covered -License, we commit to extend to the person or entity ('you') accused -of violating the Covered License the following provisions regarding -cure and reinstatement, taken from GPL version 3. As used here, the -term 'this License' refers to the specific Covered License being -enforced. - - However, if you cease all violation of this License, then your - license from a particular copyright holder is reinstated (a) - provisionally, unless and until the copyright holder explicitly - and finally terminates your license, and (b) permanently, if the - copyright holder fails to notify you of the violation by some - reasonable means prior to 60 days after the cessation. - - Moreover, your license from a particular copyright holder is - reinstated permanently if the copyright holder notifies you of the - violation by some reasonable means, this is the first time you - have received notice of violation of this License (for any work) - from that copyright holder, and you cure the violation prior to 30 - days after your receipt of the notice. - -We intend this Commitment to be irrevocable, and binding and -enforceable against us and assignees of or successors to our -copyrights. - -Definitions - -'Covered License' means the GNU General Public License, version 2 -(GPLv2), the GNU Lesser General Public License, version 2.1 -(LGPLv2.1), or the GNU Library General Public License, version 2 -(LGPLv2), all as published by the Free Software Foundation. - -'Defensive Action' means a legal proceeding or claim that We bring -against you in response to a prior proceeding or claim initiated by -you or your affiliate. - -'We' means each contributor to this repository as of the date of -inclusion of this file, including subsidiaries of a corporate -contributor. 
-
-This work is available under a Creative Commons Attribution-ShareAlike
-4.0 International license (https://creativecommons.org/licenses/by-sa/4.0/).
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index b3e25e058..7075d1512 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -22,7 +22,7 @@ RUN \
 # Install Go binary and set the PATH
 ENV \
 GO_DL_URL=https://golang.org/dl \
- GO_BIN_TAR=go1.21.4.linux-amd64.tar.gz \
+ GO_BIN_TAR=go1.21.5.linux-amd64.tar.gz \
 GOPATH=/root/go
 ENV GO_BIN_URL_x86_64=${GO_DL_URL}/${GO_BIN_TAR}
 RUN \
diff --git a/Makefile b/Makefile
index e4ea5492d..792ee8dd5 100644
--- a/Makefile
+++ b/Makefile
@@ -55,7 +55,7 @@ LINKER_TNF_RELEASE_FLAGS+= -X github.com/test-network-function/cnf-certification
 LINKER_TNF_RELEASE_FLAGS+= -X github.com/test-network-function/cnf-certification-test/pkg/versions.GitPreviousRelease=${GIT_PREVIOUS_RELEASE}
 LINKER_TNF_RELEASE_FLAGS+= -X github.com/test-network-function/cnf-certification-test/pkg/versions.ClaimFormatVersion=${CLAIM_FORMAT_VERSION}
 PARSER_RELEASE=$(shell jq .parserTag version.json)
-BASH_SCRIPTS=$(shell find -name "*.sh" -not -path "./.git/*")
+BASH_SCRIPTS=$(shell find . -name "*.sh" -not -path "./.git/*")
 all: build
diff --git a/cmd/tnf/claim/show/csv/cnf-type.json b/cmd/tnf/claim/show/csv/cnf-type.json
index 22936216f..32566906b 100644
--- a/cmd/tnf/claim/show/csv/cnf-type.json
+++ b/cmd/tnf/claim/show/csv/cnf-type.json
@@ -1,62 +1,50 @@
 {
- "advanced-cluster-management": "Telco",
- "amq7-interconnect-operator": "Telco",
- "amq-broker-rhel8": "Telco",
- "amq-online": "Telco",
- "amq-streams": "Telco",
- "ansible-automation-platform-operator": "Telco",
- "bare-metal-event-relay": "Telco",
- "bookkeeper-operator": "Telco",
- "openshift-cert-manager-operator": "Telco",
- "cincinnati-operator": "Telco",
- "cloud-native-postgresql": "Telco",
- "cluster-logging": "Telco",
- "cluster-monitoring-operator": "Telco",
- "compliance-operator": "Telco",
- "couchbase-enterprise-certified": "Telco",
- "crunchy-postgres-operator": "Telco",
+ "klusterlet-product": "Telco",
 "elasticsearch-operator": "Telco",
- "file-integrity-operator": "Telco",
- "gatekeeper-operator-product": "Telco",
- "gitlab-operator": "Telco",
- "gitlab-runner-operator": "Telco",
- "gitops-argocd-operator": "Telco",
- "grafana-operator": "Telco",
- "ibm-minio-operator": "Telco",
- "jaeger-product": "Telco",
- "keda": "Telco",
- "kiali-ossm": "Telco",
- "kubernetes-nmstate-operator": "Telco",
- "kubevirt-hyperconverged": "Telco",
- "local-storage-operator": "Telco",
- "lvms-operator": "Telco",
- "mcg-operator": "Telco",
- "metalLB": "Telco",
- "mongodb-enterprise": "Telco",
- "mtc-operator": "Telco",
+ "mtv-operator": "Telco",
+ "sandboxed-containers-operator": "Telco",
+ "sriov-network-operator": "Telco",
 "multicluster-engine": "Telco",
- "nfd": "Telco",
- "ocs-operator": "Telco",
- "odf-csi-addons-operator": "Telco",
- "odf-operator": "Telco",
- "openshift-cluster-node-tuning-operator": "Telco",
 "openshift-gitops-operator": "Telco",
+ "bare-metal-event-relay": "Telco",
+ "jaeger-product": "Telco",
+ "kubevirt-hyperconverged": "Telco",
+ "clusterresourceoverride": "Telco",
+ "node-maintenance-operator": "Telco",
+ "costmanagement-metrics-operator": "Telco",
+ "loki-operator": "Telco",
+ "opentelemetry-product": "Telco",
+ "openshift-secondary-scheduler-operator": "Telco",
 "openshift-pipelines-operator-rh": "Telco",
- "performance-addon-operator": "Telco",
- "rhods-prometheus-operator": "Telco",
- "PTP Fast Event Notification": "Telco",
- "ptp-operator": "Telco",
- "pulsar-operator": "Telco",
+ "dpu-network-operator": "Telco",
+ "devspaces": "Telco",
+ "jws-operator": "Telco",
+ "compliance-operator": "Telco",
+ "vertical-pod-autoscaler": "Telco",
+ "nfd": "Telco",
 "quay-operator": "Telco",
+ "node-observability-operator": "Telco",
+ "container-security-operator": "Telco",
+ "aws-efs-csi-driver-operator": "Telco",
 "redhat-oadp-operator": "Telco",
- "rhacs-operator ": "Telco",
+ "cluster-logging": "Telco",
+ "quay-bridge-operator": "Telco",
+ "web-terminal": "Telco",
+ "openshift-cert-manager-operator": "Telco",
+ "aws-load-balancer-operator": "Telco",
+ "topology-aware-lifecycle-manager": "Telco",
+ "openshift-custom-metrics-autoscaler-operator": "Telco",
+ "serverless-operator": "Telco",
+ "metallb-operator": "Telco",
 "rhsso-operator": "Telco",
+ "external-dns-operator": "Telco",
+ "local-storage-operator": "Telco",
+ "ptp-operator": "Telco",
+ "numaresources-operator": "Telco",
+ "kubernetes-nmstate-operator": "Telco",
+ "self-node-remediation": "Telco",
 "servicemeshoperator": "Telco",
- "splunk-operator": "Telco",
- "sriov-fec": "Telco",
- "sriov-network-operator": "Telco",
- "strimzi-kafka-operator": "Telco",
- "topology-aware-lifecycle-manager": "Telco",
- "vault-helm": "Telco",
- "zookeeper-operator": "Telco"
+ "file-integrity-operator": "Telco",
+ "kiali-ossm": "Telco",
+ "node-healthcheck-operator": "Telco"
 }
diff --git a/cmd/tnf/claim/show/csv/csv.go b/cmd/tnf/claim/show/csv/csv.go
index e4413e579..564c26920 100644
--- a/cmd/tnf/claim/show/csv/csv.go
+++ b/cmd/tnf/claim/show/csv/csv.go
@@ -143,7 +143,7 @@ func buildCSV(claimScheme *claim.Schema, cnfType string, catalogMap map[string]c // add header if flag is present (defaults to no header) if addHeaderFlag { resultsCSVRecords = append(resultsCSVRecords, []string{ - "CNFName", "testID", "Suite", + "CNFName", "OperatorVersion", "testID", "Suite", "Description", "State", "StartTime", "EndTime", "SkipReason", "CheckDetails", "Output", @@ -152,12 +152,22 @@ func buildCSV(claimScheme *claim.Schema, cnfType string, catalogMap map[string]c }) } + opVers := "" + for i, op := range claimScheme.Claim.Configurations.TestOperators { + if i == 0 { + opVers = op.Version + } else { + opVers = opVers + ", " + op.Version + } + } + for testID := range claimScheme.Claim.Results { // initialize record record := []string{} // creates and appends new CSV record record = append(record, CNFNameFlag, + opVers, testID, claimScheme.Claim.Results[testID].TestID.Suite, claimScheme.Claim.Results[testID].CatalogInfo.Description, diff --git a/cmd/tnf/pkg/claim/claim.go b/cmd/tnf/pkg/claim/claim.go index efbce9e55..26c67a12c 100644 --- a/cmd/tnf/pkg/claim/claim.go +++ b/cmd/tnf/pkg/claim/claim.go @@ -64,9 +64,16 @@ type Nodes struct { CsiDriver interface{} `json:"csiDriver"` } +type TestOperator struct { + Name string `json:"name"` + Namespace string `json:"namespace"` + Version string `json:"version"` +} + type Configurations struct { - Config interface{} `json:"Config"` - AbnormalEvents []interface{} `json:"AbnormalEvents"` + Config interface{} `json:"Config"` + AbnormalEvents []interface{} `json:"AbnormalEvents"` + TestOperators []TestOperator `json:"testOperators"` } type Schema struct { diff --git a/cnf-certification-test/accesscontrol/suite.go b/cnf-certification-test/accesscontrol/suite.go index a2b9b981a..d5c6dec35 100644 --- a/cnf-certification-test/accesscontrol/suite.go +++ b/cnf-certification-test/accesscontrol/suite.go 
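Review bot: The loop that builds `opVers` re-implements a string join with a first-iteration special case; collecting the versions into a slice and calling `strings.Join` is the idiomatic form and removes the branch (this assumes `strings` is, or can be, imported in csv.go — the file's import block is not in the hunk). The same aggregated string is written into every result row, so when several operators are under test a row does not say which one it refers to; if that is the intended summary semantics, say so with a comment such as `// Comma-separated versions of every operator under test; repeated on each row.` so readers don't mistake it for a per-row association. buildCSV starts and ends outside the hunk.

```go
	versions := make([]string, 0, len(claimScheme.Claim.Configurations.TestOperators))
	for _, op := range claimScheme.Claim.Configurations.TestOperators {
		versions = append(versions, op.Version)
	}
	// Comma-separated versions of every operator under test; repeated on each row.
	opVers := strings.Join(versions, ", ")
	// … unchanged: per-result record construction …
```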
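Review bot: `TestOperator` and the new `Configurations.TestOperators` field are exported without doc comments, so the meaning of this part of the claim schema has to be inferred from the csv consumer; add `// TestOperator is one operator under test as recorded under configurations.testOperators in the claim file.` above the type and `// TestOperators lists the operators the suite ran against; when the key is missing from a claim file the field is simply nil.` on the field. The JSON tag `testOperators` is lower-camel while the sibling tags `Config` and `AbnormalEvents` are upper-camel; encoding/json matches keys case-insensitively on decode so this still unmarshals, but confirm the tag matches what the claim writer emits so the field is populated rather than silently nil. The `Nodes` struct whose tail forms the hunk's leading context starts outside the hunk.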
@@ -17,9 +17,12 @@ package accesscontrol
 import (
+ "fmt"
 "strconv"
 "strings"
+ "github.com/operator-framework/api/pkg/operators/v1alpha1"
+ "github.com/sirupsen/logrus"
 "github.com/test-network-function/cnf-certification-test/cnf-certification-test/accesscontrol/namespace"
 "github.com/test-network-function/cnf-certification-test/cnf-certification-test/accesscontrol/rbac"
 "github.com/test-network-function/cnf-certification-test/cnf-certification-test/accesscontrol/resources"
@@ -640,10 +643,70 @@ func testPodClusterRoleBindings(check *checksdb.Check, env *provider.TestEnviron
 nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is using a cluster role binding", false).
 AddField(testhelper.ClusterRoleName, roleRefName))
 }
+
+ topOwners, err := put.GetTopOwner()
+
+ if err != nil {
+ nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, fmt.Sprintf("Error getting top owners of this pod, err=%s", err), false).
+ AddField(testhelper.ClusterRoleName, roleRefName))
+ continue
+ }
+
+ logrus.Debugf("topOwners=%v", topOwners)
+
+ csvNamespace, csvName, isOwnedByClusterWideOperator := OwnedByClusterWideOperator(topOwners, env)
+ // Pod is using a cluster role binding but is owned by a cluster wide operator, so it is ok
+ if isOwnedByClusterWideOperator && result {
+ log.Info("%s is using a cluster role binding but is owned by CSV namespace=%s, name=%s", put.String(), csvNamespace, csvName)
+ compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is using a cluster role binding but owned by a cluster-wide operator", true))
+ continue
+ }
+ if result {
+ // Pod was found to be using a cluster role binding. This is not allowed.
+ // Flagging this pod as a failed pod.
+ log.Info("%s is using a cluster role binding", put.String())
+ nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is using a cluster role binding", false).
+ AddField(testhelper.ClusterRoleName, roleRefName))
+ continue
+ }
+ compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(put.Namespace, put.Name, "Pod is not using a cluster role binding", true))
 }
 check.SetResult(compliantObjects, nonCompliantObjects)
 }
+// Returns true if object identified by namespace and name is a CSV created by a cluster-wide operator
+func IsCSVAndClusterWide(aNamespace, name string, env *provider.TestEnvironment) bool {
+ for _, op := range env.Operators {
+ if op.Csv != nil &&
+ op.Csv.Namespace == aNamespace &&
+ op.Csv.Name == name &&
+ (op.IsClusterWide || IsInstallModeMultiNamespace(op.Csv.Spec.InstallModes)) {
+ return true
+ }
+ }
+ return false
+}
+
+// return true if CSV install mode contains multi namespaces or all namespaces
+func IsInstallModeMultiNamespace(installModes []v1alpha1.InstallMode) bool {
+ for i := 0; i < len(installModes); i++ {
+ if installModes[i].Type == v1alpha1.InstallModeTypeAllNamespaces {
+ return true
+ }
+ }
+ return false
+}
+
+// Return true if one of the passed topOwners is a CSV that is installed by a cluster-wide operator
+func OwnedByClusterWideOperator(topOwners map[string]provider.TopOwner, env *provider.TestEnvironment) (aNamespace, name string, found bool) {
+ for _, owner := range topOwners {
+ if IsCSVAndClusterWide(owner.Namespace, owner.Name, env) {
+ return owner.Namespace, owner.Name, true
+ }
+ }
+ return "", "", false
+}
+
 func testAutomountServiceToken(check *checksdb.Check, env *provider.TestEnvironment) {
 check.LogInfo("Should have automountServiceAccountToken set to false")
diff --git a/cnf-certification-test/identifiers/doclinks.go b/cnf-certification-test/identifiers/doclinks.go
index d90220bf8..4319c3c7b 100644
--- a/cnf-certification-test/identifiers/doclinks.go
+++ b/cnf-certification-test/identifiers/doclinks.go
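Review bot: `IsInstallModeMultiNamespace` treats any CSV that merely lists `AllNamespaces` among its install modes as cluster-wide without looking at the mode's `Supported` flag (the operator-framework `InstallMode` type carries both `Type` and `Supported`), and OLM bundles conventionally enumerate all four mode types with `supported: true/false`; if that holds for the CSVs this suite sees, most OLM-installed operators would be classified cluster-wide and their pods exempted from the cluster-role-binding check, which is the security control this test enforces. Change the condition to `if installModes[i].Type == v1alpha1.InstallModeTypeAllNamespaces && installModes[i].Supported {`, and either rename the function or extend it to also match `InstallModeTypeMultiNamespace`, since its name and comment promise that but the body does not check it. The three retained context lines at the top of the hunk still append the pod to `nonCompliantObjects` and then fall through into the new owner lookup, so the same pod can also be appended to `compliantObjects` below; whether that block needs a `continue` depends on its `if` condition, which starts outside the hunk. `logrus.Debugf` is also the only direct logrus call here while the surrounding lines use `log.Info` and `check.LogInfo`; prefer the existing logger so the debug output lands in the same place as the rest of the check's log.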
@@ -7,90 +7,90 @@ const ( NoDocLinkTelco = "No Doc Link - Telco" // Networking Suite - TestICMPv4ConnectivityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-&-ipv6" - TestNetworkPolicyDenyAllIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-vrfs-aka-routing-instances" + TestICMPv4ConnectivityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6" + TestNetworkPolicyDenyAllIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-vrfs-aka-routing-instances" TestReservedExtendedPartnerPortsDocLink = NoDocLinkExtended - TestDpdkCPUPinningExecProbeDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-manager-pinning" + TestDpdkCPUPinningExecProbeDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-manager-pinning" TestRestartOnRebootLabelOnPodsUsingSRIOVDocLink = NoDocLinkFarEdge TestLimitedUseOfExecProbesIdentifierDocLink = NoDocLinkFarEdge - TestICMPv6ConnectivityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-&-ipv6" - TestICMPv4ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestICMPv6ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestServiceDualStackIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-&-ipv6" - TestUndeclaredContainerPortsUsageDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs" - TestOCPReservedPortsUsageDocLink = 
"https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ports-reserved-by-openshift" + TestICMPv6ConnectivityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6" + TestICMPv4ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestICMPv6ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestServiceDualStackIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6" + TestUndeclaredContainerPortsUsageDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs" + TestOCPReservedPortsUsageDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ports-reserved-by-openshift" // Access Control Suite Test1337UIDIdentifierDocLink = NoDocLinkExtended - TestNetAdminIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-net_admin" - TestSysAdminIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-sys_admin" - TestIpcLockIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipc_lock" - TestNetRawIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-user-plane-cnfs" + TestNetAdminIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-net_admin" + TestSysAdminIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-sys_admin" + TestIpcLockIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipc_lock" + TestNetRawIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-user-plane-cnfs" TestBpfIdentifierDocLink = NoDocLinkTelco - TestSecConNonRootUserIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" - TestSecContextIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" - TestSecConPrivilegeEscalationDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" - TestContainerHostPortDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-accessing-resource-on-host" - TestContainerHostNetworkDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace" - TestPodHostNetworkDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace" - TestPodHostPathDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" - TestPodHostIPCDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" - TestPodHostPIDDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" - TestNamespaceBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs" - TestPodClusterRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac" - TestPodRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac" - TestPodServiceAccountBestPracticesIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-scc-permissions-for-an-application" - TestPodAutomountServiceAccountIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-automount-services-for-pods" - TestServicesDoNotUseNodeportsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace" - TestUnalteredBaseImageIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-standards" - TestOneProcessPerContainerIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-one-process-per-container" - TestSYSNiceRealtimeCapabilityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_nice" - TestSysPtraceCapabilityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_ptrace" - TestPodRequestsAndLimitsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requests/limits" - TestNamespaceResourceQuotaIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-memory-allocation" - TestNoSSHDaemonsAllowedIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-interaction/configuration" + TestSecConNonRootUserIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestSecContextIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestSecConPrivilegeEscalationDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestContainerHostPortDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-accessing-resource-on-host" + TestContainerHostNetworkDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace" + TestPodHostNetworkDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace" + TestPodHostPathDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestPodHostIPCDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestPodHostPIDDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestNamespaceBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs" + TestPodClusterRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac" + TestPodRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac" + TestPodServiceAccountBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-scc-permissions-for-an-application" + TestPodAutomountServiceAccountIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-automount-services-for-pods" + TestServicesDoNotUseNodeportsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace" + TestUnalteredBaseImageIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-standards" + TestOneProcessPerContainerIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-one-process-per-container" + TestSYSNiceRealtimeCapabilityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_nice" + TestSysPtraceCapabilityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_ptrace" + TestPodRequestsAndLimitsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requests/limits" + TestNamespaceResourceQuotaIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-memory-allocation" + TestNoSSHDaemonsAllowedIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-interaction/configuration" // Affiliated Certification Suite - TestHelmVersionIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-helm" + TestHelmVersionIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-helm" TestContainerIsCertifiedDigestIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview" TestContainerIsCertifiedIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview" TestHelmIsCertifiedIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview" // Platform Alteration Suite - TestPodHugePages2MDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages" + TestPodHugePages2MDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages" TestPodHugePages1GDocLink = NoDocLinkFarEdge - 
TestHugepagesNotManuallyManipulatedDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages" - TestNonTaintedNodeKernelsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestUnalteredStartupBootParamsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os" - TestSysctlConfigsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security" + TestHugepagesNotManuallyManipulatedDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages" + TestNonTaintedNodeKernelsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestUnalteredStartupBootParamsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os" + TestSysctlConfigsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" TestServiceMeshIdentifierDocLink = NoDocLinkExtended TestHyperThreadEnableDocLink = NoDocLinkExtended - TestOCPLifecycleIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-k8s" - TestNodeOperatingSystemIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os" - TestIsRedHatReleaseIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-base-images" - TestIsSELinuxEnforcingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-security" + TestOCPLifecycleIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-k8s" + TestNodeOperatingSystemIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os" + TestIsRedHatReleaseIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-base-images" + TestIsSELinuxEnforcingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-security" // Lifecycle Suite - TestAffinityRequiredPodsDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestStorageProvisionerDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-local-storage" - TestContainerPostStartIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices" - TestContainerPrestopIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices" - TestPodNodeSelectorAndAffinityBestPracticesDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestPodHighAvailabilityBestPracticesDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestPodDeploymentBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-no-naked-pods" - TestDeploymentScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestStateFulSetScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestImagePullPolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-use-imagepullpolicy-if-not-present" - TestPodRecreationIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations" - TestLivenessProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestReadinessProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" - TestStartupProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status" + TestAffinityRequiredPodsDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestStorageProvisionerDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-local-storage" + TestContainerPostStartIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices" + TestContainerPrestopIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices" + TestPodNodeSelectorAndAffinityBestPracticesDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestPodHighAvailabilityBestPracticesDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestPodDeploymentBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-no-naked-pods" + TestDeploymentScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestStateFulSetScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestImagePullPolicyIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-use-imagepullpolicy-if-not-present" + TestPodRecreationIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations" + TestLivenessProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestReadinessProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestStartupProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status" //nolint:gosec - TestPodTolerationBypassIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-taints-and-tolerations" - TestPersistentVolumeReclaimPolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-csi" - TestCPUIsolationIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-isolation" - TestCrdScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations" + TestPodTolerationBypassIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-taints-and-tolerations" + TestPersistentVolumeReclaimPolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-csi" + TestCPUIsolationIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-isolation" + TestCrdScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" // Performance Test Suite TestExclusiveCPUPoolIdentifierDocLink = NoDocLinkFarEdge 
@@ -100,18 +100,18 @@ const ( TestRtAppNoExecProbesDocLink = NoDocLinkFarEdge // Operator Test Suite - TestOperatorInstallStatusSucceededIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements" - TestOperatorNoPrivilegesDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements" - TestOperatorIsCertifiedIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements" - TestOperatorIsInstalledViaOLMIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements" + TestOperatorInstallStatusSucceededIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" + TestOperatorNoPrivilegesDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" + TestOperatorIsCertifiedIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" + TestOperatorIsInstalledViaOLMIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" // Observability Test Suite - TestLoggingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-logging" - TestTerminationMessagePolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status" - TestCrdsStatusSubresourceIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements" - TestPodDisruptionBudgetIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations" + TestLoggingIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-logging" + TestTerminationMessagePolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status" + TestCrdsStatusSubresourceIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" + TestPodDisruptionBudgetIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations" // Manageability Test Suite - TestContainersImageTagDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-tagging" - TestContainerPortNameFormatDocLink = "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs" + TestContainersImageTagDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-tagging" + TestContainerPortNameFormatDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs" ) diff --git a/cnf-certification-test/identifiers/identifiers.go b/cnf-certification-test/identifiers/identifiers.go index a0e5805e1..55b16140d 100644 --- a/cnf-certification-test/identifiers/identifiers.go +++ b/cnf-certification-test/identifiers/identifiers.go 
@@ -1571,7 +1571,7 @@ tag. (2) It does not have any of the following prefixes: default, openshift-, is
 "If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test.",
 "Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly",
 NoExceptionProcessForExtendedTests,
- "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-custom-role-to-access-application-crds",
+ "https://test-network-function.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds",
 true,
 map[string]string{
 FarEdge: Optional,
diff --git a/cnf-certification-test/lifecycle/podrecreation/podrecreation.go b/cnf-certification-test/lifecycle/podrecreation/podrecreation.go
index 59791f989..f4be1d61c 100644
--- a/cnf-certification-test/lifecycle/podrecreation/podrecreation.go
+++ b/cnf-certification-test/lifecycle/podrecreation/podrecreation.go
@@ -134,8 +134,8 @@ func deletePod(pod *corev1.Pod, mode string, wg *sync.WaitGroup) error {
 podName := pod.Name
 namespace := pod.Namespace
 go func() {
+ defer wg.Done()
 waitPodDeleted(namespace, podName, gracePeriodSeconds, watcher)
- wg.Done()
 }()
 return nil
 }
diff --git a/cnf-certification-test/platform/bootparams/bootparams.go b/cnf-certification-test/platform/bootparams/bootparams.go
index b83757704..6dacd6e99 100644
--- a/cnf-certification-test/platform/bootparams/bootparams.go
+++ b/cnf-certification-test/platform/bootparams/bootparams.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2020-2022 Red Hat, Inc.
+// Copyright (C) 2020-2023 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
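Review bot: The replacement doc link in `identifiers.go` contains a doubled path segment, `cnf-best-practices-guide-guide/`, while every link rewritten in `doclinks.go` in this same diff uses `cnf-best-practices-guide/`; as written the new URL is inconsistent with the rest of the change and will most likely not resolve. It should read `"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-custom-role-to-access-application-crds",`. The identifier definition this string belongs to starts and ends outside the hunk.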
diff --git a/cnf-certification-test/platform/operatingsystem/files/rhcos_version_map b/cnf-certification-test/platform/operatingsystem/files/rhcos_version_map index 2a777aa7c..ae626e99c 100644 --- a/cnf-certification-test/platform/operatingsystem/files/rhcos_version_map +++ b/cnf-certification-test/platform/operatingsystem/files/rhcos_version_map @@ -137,6 +137,8 @@ 4.11.51 / 411.86.202310091037-0 4.11.52 / 411.86.202310140407-0 4.11.53 / 411.86.202310261237-0 +4.11.54 / 411.86.202311221858-0 +4.11.55 / 411.86.202311302109-0 4.11.6 / 411.86.202209211811-0 4.11.7 / 411.86.202209211811-0 4.11.8 / 411.86.202210032349-0 @@ -190,6 +192,7 @@ 4.12.42 / 412.86.202310302215-0 4.12.43 / 412.86.202311051457-0 4.12.44 / 412.86.202311092041-0 +4.12.45 / 412.86.202311271639-0 4.12.5 / 412.86.202302170236-0 4.12.6 / 412.86.202302282003-0 4.12.7 / 412.86.202303011010-0 @@ -223,6 +226,9 @@ 4.13.21 / 413.92.202310210500-0 4.13.22 / 413.92.202311061658-0 4.13.23 / 413.92.202311151359-0 +4.13.24 / 413.92.202311212041-0 +4.13.25 / 413.92.202311281619-0 +4.13.26 / 413.92.202312042340-0 4.13.3 / 413.92.202306070210-0 4.13.4 / 413.92.202306141213-0 4.13.5 / 413.92.202307140015-0 @@ -247,6 +253,9 @@ 4.14.1 / 414.92.202310270216-0 4.14.2 / 414.92.202311061957-0 4.14.3 / 414.92.202311150705-0 +4.14.4 / 414.92.202311222314-0 +4.14.5 / 414.92.202311281318-0 +4.14.6 / 414.92.202312011602-0 4.4.0 / 44.81.202004260825-0 4.4.0-rc.0 / 44.81.202003110830-0 4.4.0-rc.1 / 44.81.202003130330-0 diff --git a/docs/runtime-env.md b/docs/runtime-env.md index 1d2ecfca6..65a85609c 100644 --- a/docs/runtime-env.md +++ b/docs/runtime-env.md @@ -68,4 +68,4 @@ export TNF_PARTNER_REPO=registry.dfwt5g.lab:5000/testnetworkfunction ``` Note that you can also specify the debug pod image to use with `SUPPORT_IMAGE` -environment variable, default to `debug-partner:4.5.5`. +environment variable, default to `debug-partner:4.5.7`. diff --git a/docs/test-container.md b/docs/test-container.md index 6d90dc6c1..6024c5116 100644 
--- a/docs/test-container.md +++ b/docs/test-container.md @@ -112,8 +112,8 @@ Two env vars allow to control the web artifacts and the the new tar.gz file gene ### Build locally ```shell -podman build -t cnf-certification-test:v4.5.5 \ - --build-arg TNF_VERSION=v4.5.5 \ +podman build -t cnf-certification-test:v4.5.7 \ + --build-arg TNF_VERSION=v4.5.7 \ ``` * `TNF_VERSION` value is set to a branch, a tag, or a hash of a commit that will be installed into the image @@ -125,8 +125,8 @@ The unofficial source could be a fork of the TNF repository. Use the `TNF_SRC_URL` build argument to override the URL to a source repository. ```shell -podman build -t cnf-certification-test:v4.5.5 \ - --build-arg TNF_VERSION=v4.5.5 \ +podman build -t cnf-certification-test:v4.5.7 \ + --build-arg TNF_VERSION=v4.5.7 \ --build-arg TNF_SRC_URL=https://github.com/test-network-function/cnf-certification-test . ``` @@ -135,7 +135,7 @@ podman build -t cnf-certification-test:v4.5.5 \ Specify the custom TNF image using the `-i` parameter. ```shell -./run-tnf-container.sh -i cnf-certification-test:v4.5.5 +./run-tnf-container.sh -i cnf-certification-test:v4.5.7 -t ~/tnf/config -o ~/tnf/output -l "networking,access-control" ``` diff --git a/go.mod b/go.mod index 33c8ded75..e481c4565 100644 --- a/go.mod +++ b/go.mod @@ -8,6 +8,7 @@ require ( github.com/sirupsen/logrus v1.9.3 // indirect github.com/spf13/cobra v1.8.0 github.com/stretchr/testify v1.8.4 + github.com/test-network-function/test-network-function-claim v1.0.32 github.com/xeipuuv/gojsonschema v1.2.0 // indirect gopkg.in/yaml.v2 v2.4.0 ) 
@@ -16,14 +17,13 @@ require k8s.io/client-go v0.28.4 require ( github.com/kelseyhightower/envconfig v1.4.0 - github.com/mittwald/go-helm-client v0.12.3 - github.com/onsi/ginkgo/v2 v2.13.1 // indirect + github.com/mittwald/go-helm-client v0.12.4 + github.com/onsi/ginkgo/v2 v2.13.2 // indirect github.com/openshift/api v0.0.1 github.com/openshift/client-go v0.0.1 - github.com/operator-framework/api v0.19.0 + github.com/operator-framework/api v0.20.0 github.com/operator-framework/operator-lifecycle-manager v0.20.0 github.com/pkg/errors v0.9.1 // indirect - github.com/test-network-function/test-network-function-claim v1.0.32 helm.sh/helm/v3 v3.13.2 k8s.io/api v0.28.4 k8s.io/apimachinery v0.28.4 @@ -163,15 +163,14 @@ require ( go.opentelemetry.io/proto/otlp v1.0.0 // indirect go.starlark.net v0.0.0-20230525235612-a134d8f9ddca // indirect go.uber.org/atomic v1.11.0 // indirect - golang.org/x/crypto v0.14.0 // indirect - golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea // indirect - golang.org/x/mod v0.13.0 // indirect - golang.org/x/net v0.17.0 // indirect + golang.org/x/crypto v0.15.0 // indirect + golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa // indirect + golang.org/x/net v0.18.0 // indirect golang.org/x/oauth2 v0.10.0 // indirect - golang.org/x/sync v0.4.0 // indirect + golang.org/x/sync v0.5.0 // indirect golang.org/x/sys v0.14.0 // indirect - golang.org/x/term v0.13.0 // indirect - golang.org/x/text v0.13.0 // indirect + golang.org/x/term v0.14.0 // indirect + golang.org/x/text v0.14.0 // indirect golang.org/x/time v0.3.0 // indirect golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect gomodules.xyz/jsonpatch/v2 v2.3.0 // indirect @@ -207,7 +206,7 @@ require ( ) require ( - github.com/deckarep/golang-set/v2 v2.3.1 + github.com/deckarep/golang-set/v2 v2.5.0 github.com/fatih/color v1.16.0 github.com/go-logr/logr v1.3.0 github.com/go-logr/stdr v1.2.2 
@@ -218,7 +217,7 @@ require ( github.com/redhat-openshift-ecosystem/openshift-preflight v0.0.0-20231018165107-f04b78186455 github.com/robert-nix/ansihtml v1.0.1 github.com/test-network-function/oct v0.0.4 - github.com/test-network-function/privileged-daemonset v1.0.15 + github.com/test-network-function/privileged-daemonset v1.0.16 gopkg.in/yaml.v3 v3.0.1 k8s.io/kubectl v0.28.4 ) diff --git a/go.sum b/go.sum index 88d9430de..69712e63c 100644 --- a/go.sum +++ b/go.sum @@ -132,8 +132,8 @@ github.com/cyphar/filepath-securejoin v0.2.4/go.mod h1:aPGpWjXOXUn2NCNjFvBE6aRxG github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/deckarep/golang-set/v2 v2.3.1 h1:vjmkvJt/IV27WXPyYQpAh4bRyWJc5Y435D17XQ9QU5A= -github.com/deckarep/golang-set/v2 v2.3.1/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4= +github.com/deckarep/golang-set/v2 v2.5.0 h1:hn6cEZtQ0h3J8kFrHR/NrzyOoTnjgW1+FmNJzQ7y/sA= +github.com/deckarep/golang-set/v2 v2.5.0/go.mod h1:VAky9rY/yGXJOLEDv3OMci+7wtDpOF4IN+y82NBOac4= github.com/distribution/distribution v2.7.1+incompatible h1:aGFx4EvJWKEh//lHPLwFhFgwFHKH06TzNVPamrMn04M= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2 h1:aBfCb7iqHmDEIp6fBvC/hQUddQfg+3qdYjwzaiP9Hnc= github.com/distribution/distribution/v3 v3.0.0-20221208165359-362910506bc2/go.mod h1:WHNsWjnIn2V1LYOrME7e8KxSeKunYHsxEm4am0BUtcI= 
@@ -181,8 +181,6 @@ github.com/frankban/quicktest v1.14.4 h1:g2rn0vABPOOXmZUj+vbmUp0lPoXEMuhTpIluN0X github.com/frankban/quicktest v1.14.4/go.mod h1:4ptaffx2x8+WTWXmUCuVU6aPUX1/Mz7zb5vbUoiM6w0= github.com/fsnotify/fsnotify v1.6.0 h1:n+5WquG0fcWoWp6xPWfHdbskMCQaFnG6PfBrh1Ky4HY= github.com/fsnotify/fsnotify v1.6.0/go.mod h1:sl3t1tCWJFWoRz9R8WJCbQihKKwmorjAbSClcnxKAGw= -github.com/ghodss/yaml v1.0.0 h1:wQHKEahhL6wmXdzwWG11gIVCkOv05bNOh+Rxn0yngAk= -github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04= github.com/glebarez/go-sqlite v1.21.2 h1:3a6LFC4sKahUunAmynQKLZceZCOzUthkRkEAl9gAXWo= github.com/glebarez/go-sqlite v1.21.2/go.mod h1:sfxdZyhQjTM2Wry3gVYWaW072Ri1WMdWJi0k6+3382k= github.com/go-errors/errors v1.4.2 h1:J6MZopCL4uSllY1OfXM374weqZFFItUbrImctkmUxIA= @@ -429,8 +427,8 @@ github.com/mitchellh/mapstructure v1.5.0/go.mod h1:bFUtVrKA4DC2yAKiSyO/QUcy7e+RR github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= -github.com/mittwald/go-helm-client v0.12.3 h1:WlXhuMTT5HUdiYeiYMxlvi3XBxTKoGCNHcSsirLi8ug= -github.com/mittwald/go-helm-client v0.12.3/go.mod h1:lC1Sn912rgRkGQZBUntJO7TOlqa1kK3Idwr3yo1Tco0= +github.com/mittwald/go-helm-client v0.12.4 h1:fHI59uny/9vxGyBfxl8qSH5RD6mRvxNm9vi55Vw+dLY= +github.com/mittwald/go-helm-client v0.12.4/go.mod h1:Cg65orz0i3B2/Uv/7nIK4SzyhMsIS+mDpK0tbw3Cy5Q= github.com/moby/locker v1.0.1 h1:fOXqR41zeveg4fFODix+1Ch4mj/gT0NE1XJbp/epuBg= github.com/moby/locker v1.0.1/go.mod h1:S7SDdo5zpBK84bzzVlKr2V0hz+7x9hWbYC/kq7oQppc= github.com/moby/spdystream v0.2.0 h1:cjW1zVyyoiM0T7b6UoySUFqzXMoqRckQtXwGPiBhOM8= 
@@ -457,8 +455,8 @@ github.com/nxadm/tail v1.4.8 h1:nPr65rt6Y5JFSKQO7qToXr7pePgD6Gwiw05lkbyAQTE= github.com/nxadm/tail v1.4.8/go.mod h1:+ncqLTQzXmGhMZNUePPaPqPvBxHAIsmXswZKocGu+AU= github.com/onsi/ginkgo v1.16.5 h1:8xi0RTUf59SOSfEtZMvwTvXYMzG4gV23XVHOZiXNtnE= github.com/onsi/ginkgo v1.16.5/go.mod h1:+E8gABHa3K6zRBolWtd+ROzc/U5bkGt0FwiG042wbpU= -github.com/onsi/ginkgo/v2 v2.13.1 h1:LNGfMbR2OVGBfXjvRZIZ2YCTQdGKtPLvuI1rMCCj3OU= -github.com/onsi/ginkgo/v2 v2.13.1/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= +github.com/onsi/ginkgo/v2 v2.13.2 h1:Bi2gGVkfn6gQcjNjZJVO8Gf0FHzMPf2phUei9tejVMs= +github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= github.com/onsi/gomega v1.29.0 h1:KIA/t2t5UBzoirT4H9tsML45GEbo3ouUnBHsCfD2tVg= github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= 
@@ -471,8 +469,8 @@ github.com/openshift/client-go v0.0.1 h1:zJ9NsS9rwBtYkYzLCUECkdmrM6jPit3W7Q0+Pxf github.com/openshift/client-go v0.0.1/go.mod h1:I8qTI1lgErsWc6CVukSjP1PYqpafE7fue0ZPy7A2jiw= github.com/openshift/machine-config-operator v0.0.1-0.20230515070935-49f32d46538e h1:mR9giLRlLXK52kaEGOR96rIQchQRDUkttjMAkyao2XQ= github.com/openshift/machine-config-operator v0.0.1-0.20230515070935-49f32d46538e/go.mod h1:t9dXGgC9WVzI2cNv/4rMetGVYakWtaDxHWQuyN2til8= -github.com/operator-framework/api v0.19.0 h1:QU1CTJU+CufoeneA5rsNlP/uP96s8vDHWUYDFZTauzA= -github.com/operator-framework/api v0.19.0/go.mod h1:SCCslqke6AVOJ5JM+NqNE1CHuAgJLScsL66pnPaSMXs= +github.com/operator-framework/api v0.20.0 h1:A2YCRhr+6s0k3pRJacnwjh1Ue8BqjIGuQ2jvPg9XCB4= +github.com/operator-framework/api v0.20.0/go.mod h1:rXPOhrQ6mMeXqCmpDgt1ALoar9ZlHL+Iy5qut9R99a4= github.com/operator-framework/operator-lifecycle-manager v0.20.0 h1:h8SPePMO492krrRnamt5AepqD4nSWb3RRZdvZdN8x6I= github.com/operator-framework/operator-lifecycle-manager v0.20.0/go.mod h1:sml7etyu98h87eikzA6IKay6BRCzagkwYdcbuisdBTk= github.com/operator-framework/operator-manifest-tools v0.4.0 h1:u/qlCyVA84MtS5Ne016KpTcF0kqWgHyYEeOyFgVrX5k= 
@@ -575,8 +573,8 @@ github.com/subosito/gotenv v1.4.2 h1:X1TuBLAMDFbaTAChgCBLu3DU3UPyELpnF2jjJ2cz/S8 github.com/subosito/gotenv v1.4.2/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNGqEflhK0= github.com/test-network-function/oct v0.0.4 h1:rU4kps/gbAHkR0rc5WzVtTOcJt/NBcse85RaG7WTuYw= github.com/test-network-function/oct v0.0.4/go.mod h1:oOPuUMnX6YR+cl3usBJfwCllsv7Hphw9jVi7VtniAzo= -github.com/test-network-function/privileged-daemonset v1.0.15 h1:Jgjf3sa4d9OuhZRTj3oLhaaGV7PtQLVeLK/LSd9YgdE= -github.com/test-network-function/privileged-daemonset v1.0.15/go.mod h1:rDiFimleKbW2E501cNgHMYCrR52+w5Sg0a6trF2HZTo= +github.com/test-network-function/privileged-daemonset v1.0.16 h1:p0Gf1nMMJZni7ymGS/PNJDc2dfvWlHuMQSMs4nmPxVs= +github.com/test-network-function/privileged-daemonset v1.0.16/go.mod h1:rLZMATiAMrxYjWNfYuWHX2my+aV+7iTKNIsuctweEMU= github.com/test-network-function/test-network-function-claim v1.0.32 h1:GeUwbHYaXL5Yx785NmbuSQbqby8LVPEWHeW3bFEpQ9g= github.com/test-network-function/test-network-function-claim v1.0.32/go.mod h1:+0c6DMF/ycFmEH3EB5mJ9rSQ+3T/d48NuqmY2aXjrqQ= github.com/urfave/cli v1.22.12/go.mod h1:sSBEIC79qR6OvcmsD4U3KABeOTxDqQtdDnaFuUN30b8= 
@@ -646,8 +644,8 @@ golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= golang.org/x/crypto v0.0.0-20220722155217-630584e8d5aa/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= -golang.org/x/crypto v0.14.0 h1:wBqGXzWJW6m1XrIKlAH0Hs1JJ7+9KBwnIO8v66Q9cHc= -golang.org/x/crypto v0.14.0/go.mod h1:MVFd36DqK4CsrnJYDkBA3VC4m2GkXAM0PvzMCn4JQf4= +golang.org/x/crypto v0.15.0 h1:frVn1TEaCEaZcn3Tmd7Y2b5KKPaZ+I32Q2OA3kYp5TA= +golang.org/x/crypto v0.15.0/go.mod h1:4ChreQoLWfG3xLDer1WdlH5NdlQ3+mwnQq1YTKY+72g= golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA= golang.org/x/exp v0.0.0-20190510132918-efd6b22b2522/go.mod h1:ZjyILWgesfNpC6sMxTJOJm9Kp84zZh5NQWvqDGG3Qr8= 
@@ -658,8 +656,8 @@ golang.org/x/exp v0.0.0-20191227195350-da58074b4299/go.mod h1:2RIsYlXP63K8oxa1u0 golang.org/x/exp v0.0.0-20200119233911-0405dc783f0a/go.mod h1:2RIsYlXP63K8oxa1u096TMicItID8zy7Y6sNkU49FU4= golang.org/x/exp v0.0.0-20200207192155-f17229e696bd/go.mod h1:J/WKrq2StrnmMY6+EHIKF9dgMWnmCNThgcyBT1FY9mM= golang.org/x/exp v0.0.0-20200224162631-6cc2880d07d6/go.mod h1:3jZMyOhIsHpP37uCMkUooju7aAi5cS1Q23tOzKc+0MU= -golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea h1:vLCWI/yYrdEHyN2JzIzPO3aaQJHQdp89IZBA/+azVC4= -golang.org/x/exp v0.0.0-20230510235704-dd950f8aeaea/go.mod h1:V1LtkGg67GoY2N1AnLN78QLrzxkLyJw7RJb1gzOOz9w= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa h1:FRnLl4eNAQl8hwxVVC17teOw8kdjVDVAiFMtgUdTSRQ= +golang.org/x/exp v0.0.0-20231110203233-9a3e6036ecaa/go.mod h1:zk2irFbV9DP96SEBUUAy67IdHUaZuSnrz1n472HUCLE= golang.org/x/image v0.0.0-20190227222117-0694c2d4d067/go.mod h1:kZ7UVZpmo3dzQBMxlp+ypCbDeSB+sBbTgSJuh5dn5js= golang.org/x/image v0.0.0-20190802002840-cff245a6509b/go.mod h1:FeLwcggjj3mMvU+oOTbSwawSJRM1uh48EjtB4UJZlP0= golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE= 
@@ -684,8 +682,8 @@ golang.org/x/mod v0.3.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.0/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.4.1/go.mod h1:s0Qsj1ACt9ePp/hMypM3fl4fZqREWJwdYDEqhRiZZUA= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= -golang.org/x/mod v0.13.0 h1:I/DsJXRlw/8l/0c24sM9yb0T4z9liZTduXvdAWYiysY= -golang.org/x/mod v0.13.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= +golang.org/x/mod v0.14.0 h1:dGoOF9QVLYng8IHTm7BAyWqCqSheQ5pYWGhzW00YJr0= +golang.org/x/mod v0.14.0/go.mod h1:hTbmBsO62+eylJbnUtE2MGJUyE7QWk4xUqPFrRgJ+7c= golang.org/x/net v0.0.0-20180724234803-3673e40ba225/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20180826012351-8a410e7b638d/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= golang.org/x/net v0.0.0-20181114220301-adae6a3d119a/go.mod h1:mL1N/T3taQHkDXs73rZJwtUhF3w3ftmwwsq0BUmARs4= 
@@ -722,8 +720,8 @@ golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y= golang.org/x/net v0.0.0-20220722155237-a158d28d115b/go.mod h1:XRhObCWvk6IyKnWLug+ECip1KBveYUHfp+8e9klMJ9c= golang.org/x/net v0.2.0/go.mod h1:KqCZLdyyvdV855qA2rE3GC2aiw5xGR5TEjj8smXukLY= -golang.org/x/net v0.17.0 h1:pVaXccu2ozPjCXewfr1S7xza/zcXTity9cCdXQYSjIM= -golang.org/x/net v0.17.0/go.mod h1:NxSsAGuq816PNPmqtQdLE42eU2Fs7NoRIZrHJAlaCOE= +golang.org/x/net v0.18.0 h1:mIYleuAkSbHh0tCv7RvjL3F6ZVbLjq4+R7zbOn3Kokg= +golang.org/x/net v0.18.0/go.mod h1:/czyP5RqHAH4odGYxBJ1qz0+CE5WZ+2j1YgoEo8F2jQ= golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U= golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw= 
@@ -746,8 +744,8 @@ golang.org/x/sync v0.0.0-20200625203802-6e8e738ad208/go.mod h1:RxMgew5VJxzue5/jJ golang.org/x/sync v0.0.0-20201020160332-67f06af15bc9/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20201207232520-09787c993a3a/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= golang.org/x/sync v0.0.0-20220722155255-886fb9371eb4/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM= -golang.org/x/sync v0.4.0 h1:zxkM55ReGkDlKSM+Fu41A+zmbZuaPVbGMzvvdUPznYQ= -golang.org/x/sync v0.4.0/go.mod h1:FU7BRWz2tNW+3quACPkgCx/L+uEAv1htQ0V83Z9Rj+Y= +golang.org/x/sync v0.5.0 h1:60k92dhOjHxJkrqnwsfl8KuaHbn/5dl0lUPUklKo3qE= +golang.org/x/sync v0.5.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk= golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20181116152217-5ac8a444bdc5/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= 
@@ -803,8 +801,8 @@ golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9sn golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.0.0-20220526004731-065cf7ba2467/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= golang.org/x/term v0.2.0/go.mod h1:TVmDHMZPmdnySmBfhjOoOdhjzdE1h4u1VwSiw2l1Nuc= -golang.org/x/term v0.13.0 h1:bb+I9cTfFazGW51MZqBVmZy7+JEJMouUHTUSKVQLBek= -golang.org/x/term v0.13.0/go.mod h1:LTmsnFJwVN6bCy1rVCoS+qHT1HhALEFxKncY3WNNh4U= +golang.org/x/term v0.14.0 h1:LGK9IlZ8T9jvdy6cTdfKUCltatMFOehAQo9SRC46UQ8= +golang.org/x/term v0.14.0/go.mod h1:TySc+nGkYR6qt8km8wUhuFRTVSMIX3XPR58y2lC8vww= golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= @@ -814,8 +812,8 @@ golang.org/x/text v0.3.4/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= golang.org/x/text v0.4.0/go.mod h1:mrYo+phRRbMaCq/xk9113O4dZlRixOauAjOtrjsXDZ8= -golang.org/x/text v0.13.0 h1:ablQoSUd0tRdKxZewP80B+BaqeKJuVhuRxj/dkrun3k= -golang.org/x/text v0.13.0/go.mod h1:TvPlkZtksWOMsz7fbANvkp4WM8x/WCo/om8BMLbz+aE= +golang.org/x/text v0.14.0 h1:ScX5w1eTa3QqT8oi6+ziP7dTV1S2+ALU0bI+0zXKWiQ= +golang.org/x/text v0.14.0/go.mod h1:18ZOQIKpY8NJVqYksKHtTdi31H5itFRjB5/qKTNYzSU= golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20190308202827-9d24e82272b4/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= golang.org/x/time v0.0.0-20191024005414-555d28b269f0/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ= 
@@ -871,8 +869,8 @@ golang.org/x/tools v0.0.0-20210106214847-113979e3529a/go.mod h1:emZCQorbCU4vsT4f golang.org/x/tools v0.0.0-20210108195828-e2f9c7f1fc8e/go.mod h1:emZCQorbCU4vsT4fOWvOPXz4eW1wZW4PmDk9uLelYpA= golang.org/x/tools v0.1.0/go.mod h1:xkSsbof2nBLbhDlRMhhhyNLN/zl3eTqcnHD5viDpcZ0= golang.org/x/tools v0.1.12/go.mod h1:hNGJHUnrk76NpqgfD5Aqm5Crs+Hm0VOH/i9J2+nxYbc= -golang.org/x/tools v0.14.0 h1:jvNa2pY0M4r62jkRQ6RwEZZyPcymeL9XZMLBbV7U2nc= -golang.org/x/tools v0.14.0/go.mod h1:uYBEerGOWcJyEORxN+Ek8+TT266gXkNlHdJBwexUsBg= +golang.org/x/tools v0.15.0 h1:zdAyfUGbYmuVokhzVmghFl2ZJh5QhcfebBgmVPFYA+8= +golang.org/x/tools v0.15.0/go.mod h1:hpksKq4dtpQWS1uQ61JkdqWM3LscIS6Slf+VVkm+wQk= golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= diff --git a/internal/clientsholder/clientsholder.go b/internal/clientsholder/clientsholder.go index ff5bf43c5..f67fcf5f0 100644 --- a/internal/clientsholder/clientsholder.go +++ b/internal/clientsholder/clientsholder.go @@ -44,6 +44,7 @@ import ( policyv1 "k8s.io/api/policy/v1" rbacv1 "k8s.io/api/rbac/v1" apiextv1fake "k8s.io/apiextensions-apiserver/pkg/client/clientset/clientset/fake" + metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" k8sFakeClient "k8s.io/client-go/kubernetes/fake" networkingv1 "k8s.io/client-go/kubernetes/typed/networking/v1" "k8s.io/client-go/rest" @@ -64,6 +65,7 @@ type ClientsHolder struct { MachineCfg ocpMachine.Interface KubeConfig []byte ready bool + GroupResources []*metav1.APIResourceList } var clientsHolder = ClientsHolder{} 
@@ -308,6 +310,12 @@ func newClientsHolder(filenames ...string) (*ClientsHolder, error) { //nolint:fu
 if err != nil {
 return nil, fmt.Errorf("cannot instantiate discoveryClient: %s", err)
 }
+
+ clientsHolder.GroupResources, err = discoveryClient.ServerPreferredResources()
+ if err != nil {
+ return nil, fmt.Errorf("cannot get list of resources in cluster: %s", err)
+ }
+
 resolver := scale.NewDiscoveryScaleKindResolver(discoveryClient)
 gr, err := restmapper.GetAPIGroupResources(clientsHolder.K8sClient.Discovery())
 if err != nil {
diff --git a/pkg/diagnostics/diagnostics.go b/pkg/diagnostics/diagnostics.go
index 02d675e58..e9b317245 100644
--- a/pkg/diagnostics/diagnostics.go
+++ b/pkg/diagnostics/diagnostics.go
@@ -1,4 +1,4 @@
-// Copyright (C) 2021-2022 Red Hat, Inc.
+// Copyright (C) 2021-2023 Red Hat, Inc.
 //
 // This program is free software; you can redistribute it and/or modify
 // it under the terms of the GNU General Public License as published by
diff --git a/pkg/provider/pods.go b/pkg/provider/pods.go
index d1d6ea399..eba46c01b 100644
--- a/pkg/provider/pods.go
+++ b/pkg/provider/pods.go
@@ -28,6 +28,8 @@ import (
 corev1 "k8s.io/api/core/v1"
 rbacv1 "k8s.io/api/rbac/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+ "k8s.io/apimachinery/pkg/runtime/schema"
+ "k8s.io/client-go/dynamic"
 )
 
 const (
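Review bot: The new `if err != nil` after `ServerPreferredResources()` turns a partially failing discovery into a hard failure of `newClientsHolder`, so a cluster with one unavailable aggregated API (a stale APIService, a down metrics server) would stop the whole tool from starting even though the rest of the resource list is usable. As far as I recall client-go returns the groups it did discover together with an `ErrGroupDiscoveryFailed` in that case, so the partial list is being thrown away; treating that error as non-fatal would be safer, e.g. `if err != nil && !discovery.IsGroupDiscoveryFailedError(err) { return nil, fmt.Errorf("cannot get list of resources in cluster: %w", err) }` with a logged warning for the partial case (assuming the `discovery` package is already imported in this file, which the hunk does not show). The list is also fetched once at construction, so a comment on the `GroupResources` field saying it is a snapshot taken at client creation and is not refreshed would help callers that follow owner references later. `newClientsHolder` begins and ends outside the hunk.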
@@ -403,3 +405,68 @@ func (p *Pod) IsRunAsUserID(uid int64) bool {
 }
 return *p.Pod.Spec.SecurityContext.RunAsUser == uid
 }
+
+// Get the list of top owners of pods
+func (p *Pod) GetTopOwner() (topOwners map[string]TopOwner, err error) {
+ topOwners = make(map[string]TopOwner)
+ err = followOwnerReferences(clientsholder.GetClientsHolder().GroupResources, clientsholder.GetClientsHolder().DynamicClient, topOwners, p.Namespace, p.OwnerReferences)
+ if err != nil {
+ return topOwners, fmt.Errorf("could not get top owners, err=%s", err)
+ }
+ return topOwners, nil
+}
+
+// Structure to describe a top owner of a pod
+type TopOwner struct {
+ Kind string
+ Name string
+ Namespace string
+}
+
+// Recursively follow the ownership tree to find the top owners
+func followOwnerReferences(resourceList []*metav1.APIResourceList, dynamicClient dynamic.Interface, topOwners map[string]TopOwner, namespace string, ownerRefs []metav1.OwnerReference) (err error) {
+ for _, ownerRef := range ownerRefs {
+ fmt.Printf("-> Owner: %s/%s\n", ownerRef.Kind, ownerRef.Name)
+ // Get group resource version
+ gvr := getResourceSchema(resourceList, ownerRef.APIVersion, ownerRef.Kind)
+ // Get the owner resources
+ resource, err := dynamicClient.Resource(gvr).Namespace(namespace).Get(context.Background(), ownerRef.Name, metav1.GetOptions{})
+ if err != nil {
+ return fmt.Errorf("could not get object indicated by owner references")
+ }
+ // Get owner references of the unstructured object
+ ownerReferences := resource.GetOwnerReferences()
+ if err != nil {
+ return fmt.Errorf("error getting owner references. 
err= %s", err)
+ }
+ // if no owner references, we have reached the top record it
+ if len(ownerReferences) == 0 {
+ topOwners[ownerRef.Name] = TopOwner{Kind: ownerRef.Kind, Name: ownerRef.Name, Namespace: namespace}
+ }
+ // if not continue following other branches
+ err = followOwnerReferences(resourceList, dynamicClient, topOwners, namespace, ownerReferences)
+ if err != nil {
+ return fmt.Errorf("error following owners")
+ }
+ }
+ return nil
+}
+
+// Get the Group Version Resource based on APIVersion and kind
+func getResourceSchema(resourceList []*metav1.APIResourceList, apiVersion, kind string) (gvr schema.GroupVersionResource) {
+ const groupVersionComponentsNumber = 2
+ for _, gr := range resourceList {
+ for i := 0; i < len(gr.APIResources); i++ {
+ if gr.APIResources[i].Kind == kind && gr.GroupVersion == apiVersion {
+ groupSplit := strings.Split(gr.GroupVersion, "/")
+ if len(groupSplit) == groupVersionComponentsNumber {
+ gvr.Group = groupSplit[0]
+ gvr.Version = groupSplit[1]
+ gvr.Resource = gr.APIResources[i].Name
+ }
+ return gvr
+ }
+ }
+ }
+ return gvr
+}
diff --git a/pkg/provider/pods_test.go b/pkg/provider/pods_test.go
index e3d06c2d1..0bf4e4cb2 100644
--- a/pkg/provider/pods_test.go
+++ b/pkg/provider/pods_test.go
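Review bot: `getResourceSchema` only fills `gvr` when `GroupVersion` splits into exactly two parts, so an owner in the core group (apiVersion `v1`, for example the Node reference carried by a mirror pod) produces an empty GVR and the following `Get` fails with `could not get object indicated by owner references`, a message that also discards the underlying `err`. The `.Namespace(namespace)` call likewise assumes every owner is namespace-scoped although the `APIResource` already in hand carries `Namespaced`; the sketch below handles the core group, honours the scope flag, rejects an unresolved kind explicitly and wraps the error with `%w` (the test added in this diff would then need `Namespaced: true` on its `resourceList` entries). Separately, the `if err != nil` after `resource.GetOwnerReferences()` is dead because `err` was checked just above, `fmt.Printf("-> Owner: ...")` is a debug print in library code that should go through the package logger, and nothing guards against a cycle in owner references, so the recursion has no termination other than the stack; a visited set keyed by kind and name (and the same key for `topOwners`, where two kinds sharing a name currently collide) would close that.
```go
// getResourceSchema returns the GroupVersionResource for apiVersion/kind and
// whether that resource is namespace-scoped; gvr.Resource is "" when not found.
func getResourceSchema(resourceList []*metav1.APIResourceList, apiVersion, kind string) (gvr schema.GroupVersionResource, namespaced bool) {
	for _, gr := range resourceList {
		if gr.GroupVersion != apiVersion {
			continue
		}
		for i := range gr.APIResources {
			if gr.APIResources[i].Kind != kind {
				continue
			}
			gvr.Resource = gr.APIResources[i].Name
			parts := strings.Split(gr.GroupVersion, "/")
			if len(parts) == 2 {
				gvr.Group, gvr.Version = parts[0], parts[1]
			} else {
				gvr.Version = gr.GroupVersion // core group: apiVersion is just "v1", no group segment
			}
			return gvr, gr.APIResources[i].Namespaced
		}
	}
	return gvr, false
}

// … unchanged: followOwnerReferences loop header …
		gvr, namespaced := getResourceSchema(resourceList, ownerRef.APIVersion, ownerRef.Kind)
		if gvr.Resource == "" {
			return fmt.Errorf("no API resource found for owner %s %s (apiVersion %s)", ownerRef.Kind, ownerRef.Name, ownerRef.APIVersion)
		}
		var ri dynamic.ResourceInterface = dynamicClient.Resource(gvr)
		if namespaced {
			ri = dynamicClient.Resource(gvr).Namespace(namespace)
		}
		resource, err := ri.Get(context.Background(), ownerRef.Name, metav1.GetOptions{})
		if err != nil {
			return fmt.Errorf("could not get owner %s %s: %w", ownerRef.Kind, ownerRef.Name, err)
		}
		ownerReferences := resource.GetOwnerReferences()
		// … unchanged: top-owner recording and recursion …
```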
@@ -17,19 +17,22 @@ package provider import ( - "testing" - "errors" + "reflect" + "testing" - corev1 "k8s.io/api/core/v1" - v1 "k8s.io/apimachinery/pkg/api/resource" - "k8s.io/apimachinery/pkg/runtime" - + olmv1Alpha "github.com/operator-framework/api/pkg/operators/v1alpha1" "github.com/stretchr/testify/assert" "github.com/test-network-function/cnf-certification-test/internal/clientsholder" + v1app "k8s.io/api/apps/v1" + corev1 "k8s.io/api/core/v1" rbacv1 "k8s.io/api/rbac/v1" + v1 "k8s.io/apimachinery/pkg/api/resource" metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" + "k8s.io/apimachinery/pkg/runtime" + k8sDynamicFake "k8s.io/client-go/dynamic/fake" k8sfake "k8s.io/client-go/kubernetes/fake" + k8stesting "k8s.io/client-go/testing" ) func TestPod_CheckResourceOnly2MiHugePages(t *testing.T) { 
@@ -515,3 +518,80 @@ func TestIsRunAsUserID(t *testing.T) {
 assert.Equal(t, tc.expectedOutput, tc.testPod.IsRunAsUserID(tc.testUID))
 }
 }
+
+func Test_followOwnerReferences(t *testing.T) {
+ type args struct {
+ topOwners map[string]TopOwner
+ namespace string
+ ownerRefs []metav1.OwnerReference
+ }
+
+ csv1 := &olmv1Alpha.ClusterServiceVersion{
+ TypeMeta: metav1.TypeMeta{Kind: "ClusterServiceVersion", APIVersion: "operators.coreos.com/v1alpha1"},
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "csv1",
+ Namespace: "ns1",
+ OwnerReferences: []metav1.OwnerReference{},
+ },
+ }
+ dep1 := &v1app.Deployment{
+ TypeMeta: metav1.TypeMeta{Kind: "Deployment", APIVersion: "apps/v1"},
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "dep1",
+ Namespace: "ns1",
+ OwnerReferences: []metav1.OwnerReference{{APIVersion: "operators.coreos.com/v1alpha1", Kind: "ClusterServiceVersion", Name: "csv1"}},
+ },
+ }
+ rep1 := &v1app.ReplicaSet{
+ TypeMeta: metav1.TypeMeta{Kind: "ReplicaSet", APIVersion: "apps/v1"},
+ ObjectMeta: metav1.ObjectMeta{
+ Name: "rep1",
+ Namespace: "ns1",
+ OwnerReferences: []metav1.OwnerReference{{APIVersion: "apps/v1", Kind: "Deployment", Name: "dep1"}},
+ },
+ }
+
+ resourceList := []*metav1.APIResourceList{
+ {GroupVersion: "operators.coreos.com/v1alpha1", APIResources: []metav1.APIResource{{Name: "clusterserviceversions", Kind: "ClusterServiceVersion"}}},
+ {GroupVersion: "apps/v1", APIResources: []metav1.APIResource{{Name: "deployments", Kind: "Deployment"}}},
+ {GroupVersion: "apps/v1", APIResources: []metav1.APIResource{{Name: "replicasets", Kind: "ReplicaSet"}}},
+ {GroupVersion: "apps/v1", APIResources: []metav1.APIResource{{Name: "pods", Kind: "Pod"}}},
+ }
+
+ tests := []struct {
+ name string
+ args args
+ wantErr bool
+ }{
+ {
+ name: "test1",
+ args: args{topOwners: map[string]TopOwner{"csv1": {Namespace: "ns1", Kind: "ClusterServiceVersion", Name: "csv1"}},
+ namespace: "ns1",
+ ownerRefs: []metav1.OwnerReference{{APIVersion: "apps/v1", Kind: "ReplicaSet", 
Name: "rep1"}},
+ },
+ },
+ }
+
+ // Spoof the get and update functions
+ client := k8sDynamicFake.NewSimpleDynamicClient(runtime.NewScheme(), rep1, dep1, csv1)
+ client.Fake.AddReactor("get", "ClusterServiceVersion", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+ return true, csv1, nil
+ })
+ client.Fake.AddReactor("get", "Deployment", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+ return true, dep1, nil
+ })
+ client.Fake.AddReactor("get", "ReplicaSet", func(action k8stesting.Action) (handled bool, ret runtime.Object, err error) {
+ return true, rep1, nil
+ })
+ for _, tt := range tests {
+ t.Run(tt.name, func(t *testing.T) {
+ gotResults := map[string]TopOwner{}
+ if err := followOwnerReferences(resourceList, client, gotResults, tt.args.namespace, tt.args.ownerRefs); (err != nil) != tt.wantErr {
+ t.Errorf("followOwnerReferences() error = %v, wantErr %v", err, tt.wantErr)
+ }
+ if !reflect.DeepEqual(gotResults, tt.args.topOwners) {
+ t.Errorf("followOwnerReferences() = %v, want %v", gotResults, tt.args.topOwners)
+ }
+ })
+ }
+}
diff --git a/pkg/provider/provider.go b/pkg/provider/provider.go
index 0006a4467..91e5a0d7f 100644
--- a/pkg/provider/provider.go
+++ b/pkg/provider/provider.go
@@ -60,7 +60,7 @@ const (
 cscosName = "CentOS Stream CoreOS"
 rhelName = "Red Hat Enterprise Linux"
 tnfPartnerRepoDef = "quay.io/testnetworkfunction"
- supportImageDef = "debug-partner:4.5.5"
+ supportImageDef = "debug-partner:4.5.7"
 )
 
 // Node's roles labels. Node is role R if it has **any** of the labels of each list.
diff --git a/pkg/provider/provider_test.go b/pkg/provider/provider_test.go
index 392369246..a848d1e67 100644
--- a/pkg/provider/provider_test.go
+++ b/pkg/provider/provider_test.go
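Review bot: The three `client.Fake.AddReactor("get", "ClusterServiceVersion", ...)` calls key on the Kind, while as far as I can tell the fake tracker matches reactors on the plural resource name (`clusterserviceversions`, `deployments`, `replicasets`), so these reactors most likely never fire and the test passes only because the objects are seeded through `NewSimpleDynamicClient`; either drop them or key them on the resource names so they actually shadow the lookup. The `resourceList` also places `pods` under `apps/v1`, which does not match real discovery output (core `v1`) and is not referenced by the single case, so it is better removed than left as a misleading fixture. A second case whose owner is absent from the cluster (`wantErr: true`) would cover the only error path in `followOwnerReferences`, which the table-driven shape here already makes cheap to add.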
@@ -788,7 +788,7 @@ func TestBuildImageWithVersion(t *testing.T) {
 {
 repoVar: "",
 supportImageVar: "",
- expectedOutput: "quay.io/testnetworkfunction/debug-partner:4.5.5",
+ expectedOutput: "quay.io/testnetworkfunction/debug-partner:4.5.7",
 },
 }
 }
diff --git a/run-basic-batch-operators-test.sh b/run-basic-batch-operators-test.sh
new file mode 100755
index 000000000..404a58429
--- /dev/null
+++ b/run-basic-batch-operators-test.sh
@@ -0,0 +1,378 @@ +#!/bin/bash +set -o errexit -o nounset -o pipefail + +# Test run timestamp +TIMESTAMP=$(date +"%Y-%m-%d_%H-%M-%S_%Z") + +# Base folder +BASE_DIR=/var/www/html + +# index.html +INDEX_FILE=index2.html + +# INPUTS + +# tnf_config.yaml template file path +CONFIG_YAML_TEMPLATE="$(pwd)"/tnf_config.yml.template + +# Docker config used to pull operator images +DOCKER_CONFIG=config.json + +# Location of telco/non-telco classification file +CNF_TYPE=cmd/tnf/claim/show/csv/cnf-type.json + +# Operator catalog from user +OPERATOR_CATALOG="" + +# Operator from user +OPERATORS_UNDER_TEST="" + +# OUTPUTS + +# Check if DEBUG mode +if [ -n "${DEBUG_RUN+any}" ]; then + echo "DEBUG_RUN is set. Running in debug mode" + # Debug folder + REPORT_FOLDER_RELATIVE="debug_$TIMESTAMP" +else + echo "DEBUG_RUN is not set. Running in non-debug mode" + # Report folder + REPORT_FOLDER_RELATIVE="report_$TIMESTAMP" +fi + +# Report results folder +REPORT_FOLDER="$BASE_DIR"/"$REPORT_FOLDER_RELATIVE" + +# Operator file name +OPERATOR_LIST_FILENAME=operator-list.txt + +# Operator list path in the report +OPERATOR_LIST_PATH="$REPORT_FOLDER"/"$OPERATOR_LIST_FILENAME" + +# VARIABLES + +# Variable to add header only on the first run +addHeaders=-a + +# Create report directory +mkdir "$REPORT_FOLDER" + +cleanup() { + # Workaround for cleaning operator leftovers, see https://access.redhat.com/solutions/6971276 + oc delete mutatingwebhookconfigurations controller.devfile.io || true + oc delete validatingwebhookconfigurations controller.devfile.io || true + + # cleanup any leftovers + # https://docs.openshift.com/container-platform/4.14/operators/admin/olm-deleting-operators-from-cluster.html + oc get csv -n openshift-operators | grep -v packageserver | grep -v NAME | awk '{print "oc delete --wait=true csv " $2 " -n openshift-operators"}' | bash || true + oc get csv -A | grep -v packageserver | grep -v NAME | awk '{print "oc delete --wait=true csv " $2 " -n " $1}' | bash || true + oc get 
subscriptions -A | grep -v NAME | awk '{print "oc delete --wait=true subscription " $2 " -n " $1}' | bash || true + oc get job,configmap -n openshift-marketplace | grep -v NAME | grep -v "configmap/kube-root-ca.crt" | grep -v "configmap/marketplace-operator-lock" | grep -v "configmap/marketplace-trusted-ca" | grep -v "configmap/openshift-service-ca.crt" | awk '{print "oc delete --wait=true " $1 " -n openshift-marketplace" }' | bash || true +} + +waitDeleteNamespace() { + namespaceDeleting=$1 + # Wait for the CSV to be removed + oc wait csv -l test-network-function.com/operator=target -n "$namespaceDeleting" --for=delete --timeout=300s || true + + # Wait for the namespace to be removed + if [ "$namespaceDeleting" != "openshift-operators" ]; then + + echo "non openshift-operators namespace = $namespaceDeleting, deleting " + oc wait namespace "$namespaceDeleting" --for=delete --timeout=300s || true + forceDeleteNamespaceIfPresent "$namespaceDeleting" + fi +} + +waitForCsvToAppearAndLabel() { + csvNamespace=$1 + timeoutSeconds=300 + startTime=$(date +%s) + while true; do + csvs=$(oc get csv -n "$csvNamespace") + if [ "$csvs" != "" ]; then + # If any CSV is present, break + break + else + currentTime=$(date +%s) + elapsedTime=$((currentTime - startTime)) + # If elapsed time is greater than the timeout report failure + if [ "$elapsedTime" -ge "$timeoutSeconds" ]; then + echo "Timeout reached $timeoutSeconds seconds waiting for CSV." + return 1 + fi + + # Otherwise wait a bit + echo "Waiting for csv to be created in namespace $csvNamespace ..." 
+ sleep 5 + fi + done + + # Label CSV with "test-network-function.com/operator=target" + oc get csv -n "$csvNamespace" -o custom-columns=':.metadata.name,:.metadata.namespace,:.kind' | grep -v openshift-operator-lifecycle-manager | sed '/^ *$/d' | awk '{print "oc label " $3 " -n " $2 " " $1 " test-network-function.com/operator=target "}' | bash + + # Wait for the CSV to be succeeded + status=0 + oc wait csv -l test-network-function.com/operator=target -n "$ns" --for=jsonpath=\{.status.phase\}=Succeeded --timeout=300s || status="$?" + return $status +} + +forceDeleteNamespaceIfPresent() { + aNamespace=$1 + + # Do not delete the redhat-operators namespace + if [ "$aNamespace" = "openshift-operators" ]; then + return 0 + fi + # Delete namespace + oc delete namespace "$aNamespace" --wait=false || true + oc wait namespace "$aNamespace" --for=delete --timeout=30s || true + + # If a namespace with this name does not exist, all is good, exit + if ! oc get namespace "$aNamespace"; then + return 0 + fi + + # Otherwise force delete namespace + oc get namespace "$aNamespace" -ojson | sed '/"kubernetes"/d' >temp.yaml + oc proxy & + pid=$! + echo "PID: $pid" + sleep 5 + curl -H "Content-Type: application/yaml" -X PUT --data-binary @temp.yaml http://127.0.0.1:8001/api/v1/namespaces/"$aNamespace"/finalize + kill -9 "$pid" + oc wait namespace "$aNamespace" --for=delete --timeout=300s || true +} + +# Check if the number of parameters is correct +if [ "$#" -eq 1 ]; then + OPERATOR_CATALOG=$1 + # Get all the packages present in the cluster catalog + oc get packagemanifest -o jsonpath='{range .items[*]}{.metadata.name}{","}{.status.catalogSource}{"\n"}{end}' | grep "$OPERATOR_CATALOG" | head -n -1 >"$OPERATOR_LIST_PATH" + +elif [ "$#" -eq 2 ]; then + OPERATOR_CATALOG=$1 + OPERATORS_UNDER_TEST=$2 + echo "$OPERATORS_UNDER_TEST " | sed 's/ /,'"$OPERATOR_CATALOG"'\n/g' >"$OPERATOR_LIST_PATH" +else + echo 'Wrong parameter count. + Usage: ./run-basic-batch-operators-test.sh [" ... 
] + Examples: + ./run-basic-batch-operators-test.sh redhat-operators + ./run-basic-batch-operators-test.sh redhat-operators "file-integrity-operator kiali-ossm"' + exit 1 +fi + +# Check for docker config file +if [ ! -e "$DOCKER_CONFIG" ]; then + echo "Docker config is missing at $DOCKER_CONFIG" + exit 1 +fi + +# Check KUBECONFIG +if [[ ! -v "KUBECONFIG" ]]; then + echo "The environment variable KUBECONFIG is not set." + exit 1 +fi + +# Write config file template +cat <"$CONFIG_YAML_TEMPLATE" +targetNameSpaces: + - name: \$ns +podsUnderTestLabels: + - "test-network-function.com/generic: target" +operatorsUnderTestLabels: + - "test-network-function.com/operator: target" +EOF + +OPERATOR_PAGE=' + + + + + HTTP Link Example' + +# Add per test run links +{ + # Add per operator details link + echo "Time: $TIMESTAMP, catalog: $OPERATOR_CATALOG" + + #Add detailed results + echo ", detailed results: "''"link"'' + + # Add CSV file link + echo ", CSV: " + echo ''"link"'' + + # Add operator list link + echo ", operator list: " + echo ''"link"'' + + # New line + echo "
" +} >>"$BASE_DIR"/"$INDEX_FILE" + +echo "$OPERATOR_PAGE" >>"$REPORT_FOLDER"/"$INDEX_FILE" + +cleanup + +# For each operator in a provided catalog, this script will install the operator and run the CNF test suite. +while IFS=, read -r package_name catalog; do + if [ "$package_name" = "" ]; then + continue + fi + + echo "package=$package_name catalog=$catalog" + + status=0 + tasty install "$package_name" --source "$catalog" --stdout &>/dev/null || status=$? + + # if tasty fails, skip this operator + if [ "$status" != 0 ]; then + # Add per operator links + { + # Add error message + echo "Results for: $package_name, "'Operator installation failed due to tasty internal error, skipping test' + + # Add tnf_config link + echo ", tnf_config: " + echo ''"link"'' + + # New line + echo "
" + } >>"$REPORT_FOLDER"/"$INDEX_FILE" + + cleanup + + continue + fi + + namesCount=$(tasty install "$package_name" --source "$catalog" --stdout | grep -c "name:") + + if [ "$namesCount" = "4" ]; then + # Get namespace from tasty + ns=$(tasty install "$package_name" --source "$catalog" --stdout | grep "name:" | head -n1 | awk '{ print $2 }') + elif [ "$namesCount" = "2" ]; then + ns="openshift-operators" + fi + + echo "namespace=$ns" + + # If a namespace is present, it is probably stuck deleting from previous runs. Force delete it. + forceDeleteNamespaceIfPresent "$ns" + + # Install the operator in a custom namespace + tasty install "$package_name" --source "$catalog" -w + + # Setting report directory + reportDir="$REPORT_FOLDER"/"$package_name" + + # Store the results of CNF test in a new directory + mkdir -p "$reportDir" + + configYaml="$reportDir"/tnf_config.yml + + # Change the targetNameSpace in tng_config file + sed "s/\$ns/$ns/" "$CONFIG_YAML_TEMPLATE" >"$configYaml" + status=0 + # Wait for the CSV to appear + waitForCsvToAppearAndLabel "$ns" || status="$?" + + if [ "$status" != 0 ]; then + # Add per operator links + { + # Add error message + echo "Results for: $package_name, "'Operator installation failed, skipping test' + + # Add tnf_config link + echo ", tnf_config: " + echo ''"link"'' + + # New line + echo "
" + } >>"$REPORT_FOLDER"/"$INDEX_FILE" + # Remove the operator + tasty remove "$package_name" + + cleanup + waitDeleteNamespace "$ns" + + continue + fi + + echo "operator $package_name installed" + + # Label deployments, statefulsets and pods with "test-network-function.com/generic=target" + oc get deployment -n "$ns" -o custom-columns=':.metadata.name,:.metadata.namespace,:.kind' | sed '/^ *$/d' | awk '{print "oc label " $3 " -n " $2 " " $1 " test-network-function.com/generic=target "}' | bash + oc get statefulset -n "$ns" -o custom-columns=':.metadata.name,:.metadata.namespace,:.kind' | sed '/^ *$/d' | awk '{print "oc label " $3 " -n " $2 " " $1 " test-network-function.com/generic=target "}' | bash + oc get pods -n "$ns" -o custom-columns=':.metadata.name,:.metadata.namespace,:.kind' | sed '/^ *$/d' | awk '{print "oc label " $3 " -n " $2 " " $1 " test-network-function.com/generic=target "}' | bash + + # run tnf-container + ./run-tnf-container.sh -k "$KUBECONFIG" -t "$reportDir" -o "$reportDir" -c "$DOCKER_CONFIG" -l all || true + + # Unlabel and uninstall the operator + oc get csv -n "$ns" -o custom-columns=':.metadata.name,:.metadata.namespace,:.kind' | sed '/^ *$/d' | awk '{print "oc label " $3 " -n " $2 " " $1 " test-network-function.com/operator- "}' | bash + + # remove the operator + tasty remove "$package_name" + + cleanup + waitDeleteNamespace "$ns" + + # Check parsing claim file + ./tnf claim show csv -c "$reportDir"/claim.json -n "$package_name" -t "$CNF_TYPE" "$addHeaders" || { + + # if parsing claim file fails, skip this operator + # Add per operator links + { + # Add error message + echo "Results for: $package_name, "'Operator installation failed due to claim parsing error, skipping test' + + # Add tnf_config link + echo ", tnf_config: " + echo ''"link"'' + + # New line + echo "
" + } >>"$REPORT_FOLDER/$INDEX_FILE" + + cleanup + + continue + } + + # merge claim.json from each operator to a single csv file + ./tnf claim show csv -c "$reportDir"/claim.json -n "$package_name" -t "$CNF_TYPE" "$addHeaders" >>"$REPORT_FOLDER"/results.csv + + # extract parser + tar -xvf "$reportDir"/*.tar.gz -C "$reportDir" results.html + + # Add per operator links + { + # Add parser link + echo "Results for: $package_name, parsed details:" + echo ''"link"'' + + # Add log link + echo ", log: " + echo ''"link"'' + + # Add tnf_config link + echo ", tnf_config: " + echo ''"link"'' + + # new line + echo "
" + } >>"$REPORT_FOLDER"/"$INDEX_FILE" + + # Only print headers once + addHeaders="" + +done <"$OPERATOR_LIST_PATH" + +# Resetting project to default +oc project default + +# closing html file +echo '' >>"$REPORT_FOLDER"/"$INDEX_FILE" +echo "DONE" diff --git a/version.json b/version.json index 21a9bd549..535ad72e8 100644 --- a/version.json +++ b/version.json @@ -1,5 +1,5 @@ { - "partner_tag": "v4.5.5", + "partner_tag": "v4.5.7", "claimFormat": "v0.3.0", "parserTag": "v0.3.1" }