From fe752d8d1b86c8dca1c19b625733bca923874c65 Mon Sep 17 00:00:00 2001 From: bnshr Date: Mon, 15 Jul 2024 22:14:14 +0200 Subject: [PATCH] Update cnf doc link to k8s doc link --- CATALOG.md | 162 +++++++++--------- .../testdata/claim_access_control.json | 148 ++++++++-------- .../compare/testdata/claim_observability.json | 148 ++++++++-------- .../claim/show/failures/testdata/claim1.json | 8 +- .../claim/show/failures/testdata/claim2.json | 8 +- docs/assets/images/claim-compare-cni.svg | 2 +- docs/assets/images/claim-compare-results.svg | 2 +- tests/identifiers/doclinks.go | 140 +++++++-------- tests/identifiers/identifiers.go | 2 +- 9 files changed, 310 insertions(+), 310 deletions(-) diff --git a/CATALOG.md b/CATALOG.md index f37e3be51..2e05b9331 100644 --- a/CATALOG.md +++ b/CATALOG.md @@ -77,7 +77,7 @@ Property|Description Unique ID|access-control-cluster-role-bindings Description|Tests that a Pod does not specify ClusterRoleBindings. Suggested Remediation|In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by the workload (often reserved for cluster admin only). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac Exception Process|Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles & role bindings Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -93,7 +93,7 @@ Property|Description Unique ID|access-control-container-host-port Description|Verifies if containers define a hostPort. Suggested Remediation|Remove hostPort configuration from the container. Workloads should avoid accessing host resources - containers should not configure HostPort. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-accessing-resource-on-host +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-accessing-resource-on-host Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -109,7 +109,7 @@ Property|Description Unique ID|access-control-crd-roles Description|If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test. Suggested Remediation|Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide-guide/#k8s-best-practices-custom-role-to-access-application-crds Exception Process|No exception needed for optional/extended tests. Tags|extended,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -125,7 +125,7 @@ Property|Description Unique ID|access-control-ipc-lock-capability-check Description|Ensures that containers do not use IPC_LOCK capability. Workloads should avoid accessing host resources - spec.HostIpc should be false. Suggested Remediation|Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipc_lock +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipc_lock Exception Process|Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| @@ -141,7 +141,7 @@ Property|Description Unique ID|access-control-namespace Description|Tests that all workload resources (PUTs and CRs) belong to valid namespaces. A valid namespace meets the following conditions: (1) It was declared in the yaml config file under the targetNameSpaces tag. (2) It does not have any of the following prefixes: default, openshift-, istio- and aspenmesh- Suggested Remediation|Ensure that your workload utilizes namespaces declared in the yaml config file. Additionally, the namespaces should not start with "default, openshift-, istio- or aspenmesh-". -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -157,7 +157,7 @@ Property|Description Unique ID|access-control-namespace-resource-quota Description|Checks to see if workload pods are running in namespaces that have resource quotas applied. Suggested Remediation|Apply a ResourceQuota to the namespace your workload is running in. The workload's namespace should have resource quota defined. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-memory-allocation +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-memory-allocation Exception Process|No exception needed for optional/extended tests. Tags|extended,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -173,7 +173,7 @@ Property|Description Unique ID|access-control-net-admin-capability-check Description|Ensures that containers do not use NET_ADMIN capability. Note: this test also ensures iptables and nftables are not configured by workload pods: - NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods. nftables should be configured by an administrator outside the scope of the workload. nftables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. - Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables should be configured by an administrator outside the scope of the workload. iptables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. Suggested Remediation|Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-net_admin +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-net_admin Exception Process|Exception will be considered for user plane or networking functions (e.g. SR-IOV, Multicast). Must identify which container requires the capability and detail why. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -189,7 +189,7 @@ Property|Description Unique ID|access-control-net-raw-capability-check Description|Ensures that containers do not use NET_RAW capability. Note: this test also ensures iptables and nftables are not configured by workload pods: - NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods. nftables should be configured by an administrator outside the scope of the workload. nftables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. - Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables should be configured by an administrator outside the scope of the workload. iptables are usually configured by operators, for instance the Performance Addon Operator (PAO) or istio. Suggested Remediation|Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-user-plane-cnfs +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-user-plane-cnfs Exception Process|Exception will be considered for user plane or networking functions. Must identify which container requires the capability and detail why. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -221,7 +221,7 @@ Property|Description Unique ID|access-control-one-process-per-container Description|Check that all containers under test have only one process running Suggested Remediation|Launch only one process per container. Should adhere to 1 process per container best practice wherever possible. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-one-process-per-container +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-one-process-per-container Exception Process|No exception needed for optional/extended tests. Not applicable to SNO applications. Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -237,7 +237,7 @@ Property|Description Unique ID|access-control-pod-automount-service-account-token Description|Check that all pods under test have automountServiceAccountToken set to false. Only pods that require access to the kubernetes API server should have automountServiceAccountToken set to true Suggested Remediation|Check that pod has automountServiceAccountToken set to false or pod is attached to service account which has automountServiceAccountToken set to false, unless the pod needs access to the kubernetes API server. Pods which do not need API access should set automountServiceAccountToken to false in pod spec. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-automount-services-for-pods +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-automount-services-for-pods Exception Process|Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -253,7 +253,7 @@ Property|Description Unique ID|access-control-pod-host-ipc Description|Verifies that the spec.HostIpc parameter is set to false Suggested Remediation|Set the spec.HostIpc parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostIpc should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -269,7 +269,7 @@ Property|Description Unique ID|access-control-pod-host-network Description|Verifies that the spec.HostNetwork parameter is not set (not present) Suggested Remediation|Set the spec.HostNetwork parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostNetwork should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -285,7 +285,7 @@ Property|Description Unique ID|access-control-pod-host-path Description|Verifies that the spec.HostPath parameter is not set (not present) Suggested Remediation|Set the spec.HostPath parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostPath should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -301,7 +301,7 @@ Property|Description Unique ID|access-control-pod-host-pid Description|Verifies that the spec.HostPid parameter is set to false Suggested Remediation|Set the spec.HostPid parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostPid should be false. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -317,7 +317,7 @@ Property|Description Unique ID|access-control-pod-role-bindings Description|Ensures that a workload does not utilize RoleBinding(s) in a non-workload Namespace. Suggested Remediation|Ensure the workload is not configured to use RoleBinding(s) in a non-workload Namespace. Scope of role must <= scope of creator of role. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -333,7 +333,7 @@ Property|Description Unique ID|access-control-pod-service-account Description|Tests that each workload Pod utilizes a valid Service Account. Default or empty service account is not valid. Suggested Remediation|Ensure that the each workload Pod is configured to use a valid Service Account -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-scc-permissions-for-an-application +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-scc-permissions-for-an-application Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -349,7 +349,7 @@ Property|Description Unique ID|access-control-requests-and-limits Description|Check that containers have resource requests and limits specified in their spec. Suggested Remediation|Add requests and limits to your container spec. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requests/limits +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requests/limits Exception Process|There is no documented exception process for this. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| @@ -365,7 +365,7 @@ Property|Description Unique ID|access-control-security-context Description|Checks the security context matches one of the 4 categories Suggested Remediation|Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and document why. If the container had the right configuration of the allowed category from the 4 approved list then the test will pass. The 4 categories are defined in Requirement ID 94118 [here](#security-context-categories) -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|no exception needed for optional/extended test Tags|extended,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -381,7 +381,7 @@ Property|Description Unique ID|access-control-security-context-non-root-user-check Description|Checks the security context runAsUser parameter in pods and containers to make sure it is not set to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0). Suggested Remediation|Change the pod and containers "runAsUser" uid to something other than root(0) -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details. Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -397,7 +397,7 @@ Property|Description Unique ID|access-control-security-context-privilege-escalation Description|Checks if privileged escalation is enabled (AllowPrivilegeEscalation=true). Suggested Remediation|Configure privilege escalation to false. Privileged escalation should not be allowed (AllowPrivilegeEscalation=false). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -413,7 +413,7 @@ Property|Description Unique ID|access-control-service-type Description|Tests that each workload Service does not utilize NodePort(s). Suggested Remediation|Ensure Services are not configured to use NodePort(s). Workloads should avoid accessing host resources - tests that each workload Service does not utilize NodePort(s). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace Exception Process|Exception for host resource access tests will only be considered in rare cases where it is absolutely needed Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -429,7 +429,7 @@ Property|Description Unique ID|access-control-ssh-daemons Description|Check that pods do not run SSH daemons. Suggested Remediation|Ensure that no SSH daemons are running inside a pod. Pods should not run as SSH Daemons (replicaset or statefulset only). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-interaction/configuration +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-interaction/configuration Exception Process|No exceptions - special consideration can be given to certain containers which run as utility tool daemon Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -445,7 +445,7 @@ Property|Description Unique ID|access-control-sys-admin-capability-check Description|Ensures that containers do not use SYS_ADMIN capability Suggested Remediation|Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. Containers should not use the SYS_ADMIN Linux capability. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-sys_admin +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-sys_admin Exception Process|No exceptions Tags|common,access-control |**Scenario**|**Optional/Mandatory**| @@ -461,7 +461,7 @@ Property|Description Unique ID|access-control-sys-nice-realtime-capability Description|Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a workolad is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO. Suggested Remediation|If pods are scheduled to realtime kernel nodes, they must add SYS_NICE capability to their spec. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_nice +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_nice Exception Process|There is no documented exception process for this. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| 
@@ -477,7 +477,7 @@ Property|Description Unique ID|access-control-sys-ptrace-capability Description|Check that if process namespace sharing is enabled for a Pod then the SYS_PTRACE capability is allowed. This capability is required when using Process Namespace Sharing. This is used when processes from one Container need to be exposed to another Container. For example, to send signals like SIGHUP from a process in a Container to another process in another Container. For more information on these capabilities refer to https://cloud.redhat.com/blog/linux-capabilities-in-openshift and https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/ Suggested Remediation|Allow the SYS_PTRACE capability when enabling process namespace sharing for a Pod -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_ptrace +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_ptrace Exception Process|There is no documented exception process for this. Tags|telco,access-control |**Scenario**|**Optional/Mandatory**| @@ -511,7 +511,7 @@ Property|Description Unique ID|affiliated-certification-helm-version Description|Test to check if the helm chart is v3 Suggested Remediation|Check Helm Chart is v3 and not v2 which is not supported due to security risks associated with Tiller. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-helm +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-helm Exception Process|There is no documented exception process for this. Tags|common,affiliated-certification |**Scenario**|**Optional/Mandatory**| 
@@ -543,7 +543,7 @@ Property|Description Unique ID|affiliated-certification-operator-is-certified Description|Tests whether the workload Operators listed in the configuration file have passed the Red Hat Operator Certification Program (OCP). Suggested Remediation|Ensure that your Operator has passed Red Hat's Operator Certification Program (OCP). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|There is no documented exception process for this. A partner can run the Red Hat Best Practices Test Suite before passing other certifications (Container/Operator/HelmChart) but the affiliated certification test cases in the Red Hat Best Practices Test Suite must be re-run once the other certifications have been granted. Tags|common,affiliated-certification |**Scenario**|**Optional/Mandatory**| @@ -561,7 +561,7 @@ Property|Description Unique ID|lifecycle-affinity-required-pods Description|Checks that affinity rules are in place if AffinityRequired: 'true' labels are set on Pods. Suggested Remediation|Pods which need to be co-located on the same node need Affinity rules. If a pod/statefulset/deployment is required to use affinity rules, please add AffinityRequired: 'true' as a label. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -577,7 +577,7 @@ Property|Description Unique ID|lifecycle-container-poststart Description|Ensure that the containers lifecycle postStart management feature is configured. A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shutdown as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down. Suggested Remediation|PostStart is normally used to configure the container, set up dependencies, and record the new creation. You could use this event to check that a required API is available before the container’s main work begins. Kubernetes will not change the container’s state to Running until the PostStart script has executed successfully. For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. PostStart is used to configure container, set up dependencies, record new creation. It can also be used to check that a required API is available before the container’s work begins. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices Exception Process|Identify which pod is not conforming to the process and submit information as to why it cannot use a postStart startup specification. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -593,7 +593,7 @@ Property|Description Unique ID|lifecycle-container-prestop Description|Ensure that the containers lifecycle preStop management feature is configured. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. When pods are shut down by the platform they are sent a SIGTERM signal which means that the process in the container should start shutting down, closing connections and stopping all activity. If the pod doesn’t shut down within the default 30 seconds then the platform may send a SIGKILL signal which will stop the pod immediately. This method isn’t as clean and the default time between the SIGTERM and SIGKILL messages can be modified based on the requirements of the application. Containers should respond to SIGTERM/SIGKILL with graceful shutdown. Suggested Remediation|The preStop can be used to gracefully stop the container and clean resources (e.g., DB connection). For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. All pods must respond to SIGTERM signal and shutdown gracefully with a zero exit code. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices Exception Process|Identify which pod is not conforming to the process and submit information as to why it cannot use a preStop shutdown specification. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -609,7 +609,7 @@ Property|Description Unique ID|lifecycle-cpu-isolation Description|CPU isolation requires: For each container within the pod, resource requests and limits must be identical. If cpu requests and limits are not identical and in whole units (Guaranteed pods with exclusive cpus), your pods will not be tested for compliance. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing. Suggested Remediation|CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-isolation +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-isolation Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -625,7 +625,7 @@ Property|Description Unique ID|lifecycle-crd-scaling Description|Tests that a workload's CRD support scale in/out operations. First, the test starts getting the current replicaCount (N) of the crd/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the crd/s. In case of crd that are managed by HPA the test is changing the min and max value to crd Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the crd/s Suggested Remediation|Ensure the workload's CRDs can scale in/out successfully. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Not applicable to SNO applications. Tags|common,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -641,7 +641,7 @@ Property|Description Unique ID|lifecycle-deployment-scaling Description|Tests that workload deployments support scale in/out operations. First, the test starts getting the current replicaCount (N) of the deployment/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the deployment/s. In case of deployments that are managed by HPA the test is changing the min and max value to deployment Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the deployment/s Suggested Remediation|Ensure the workload's deployments/replica sets can scale in/out successfully. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Not applicable to SNO applications. Tags|common,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -657,7 +657,7 @@ Property|Description Unique ID|lifecycle-image-pull-policy Description|Ensure that the containers under test are using IfNotPresent as Image Pull Policy. If there is a situation where the container dies and needs to be restarted, the image pull policy becomes important. PullIfNotPresent is recommended so that a loss of image registry access does not prevent the pod from restarting. Suggested Remediation|Ensure that the containers under test are using IfNotPresent as Image Pull Policy. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-use-imagepullpolicy-if-not-present +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-use-imagepullpolicy-if-not-present Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -673,7 +673,7 @@ Property|Description Unique ID|lifecycle-liveness-probe Description|Check that all containers under test have liveness probe defined. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. When starting up, health probes like liveness and readiness checks can be put into place to ensure the application is functioning properly. Suggested Remediation|Add a liveness probe to deployed containers. workloads shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| @@ -689,7 +689,7 @@ Property|Description Unique ID|lifecycle-persistent-volume-reclaim-policy Description|Check that the persistent volumes the workloads pods are using have a reclaim policy of delete. Network Functions should clear persistent storage by deleting their PVs when removing their application from a cluster. Suggested Remediation|Ensure that all persistent volumes are using the reclaim policy: delete -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-csi +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-csi Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -705,7 +705,7 @@ Property|Description Unique ID|lifecycle-pod-high-availability Description|Ensures that workloads Pods specify podAntiAffinity rules and replica value is set to more than 1. Suggested Remediation|In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 . -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Not applicable to SNO applications. Tags|common,lifecycle |**Scenario**|**Optional/Mandatory**| @@ -721,7 +721,7 @@ Property|Description Unique ID|lifecycle-pod-owner-type Description|Tests that the workload Pods are deployed as part of a ReplicaSet(s)/StatefulSet(s). Suggested Remediation|Deploy the workload using ReplicaSet/StatefulSet. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-no-naked-pods +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-no-naked-pods Exception Process|There is no documented exception process for this. Pods should not be deployed as DaemonSet or naked pods. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -737,7 +737,7 @@ Property|Description Unique ID|lifecycle-pod-recreation Description|Tests that a workload is configured to support High Availability. First, this test cordons and drains a Node that hosts the workload Pod. Next, the test ensures that OpenShift can re-instantiate the Pod on another Node, and that the actual replica count matches the desired replica count. Suggested Remediation|Ensure that the workloads Pods utilize a configuration that supports High Availability. Additionally, ensure that there are available Nodes in the OpenShift cluster that can be utilized in the event that a host Node fails. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations Exception Process|No exceptions - workloads should be able to be restarted/recreated. Tags|common,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -753,7 +753,7 @@ Property|Description Unique ID|lifecycle-pod-scheduling Description|Ensures that workload Pods do not specify nodeSelector or nodeAffinity. In most cases, Pods should allow for instantiation on any underlying Node. Workloads shall not use node selectors nor taints/tolerations to assign pod location. Suggested Remediation|In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which workloads require specialized hardware specific to a particular class of Node. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|Exception will only be considered if application requires specialized hardware. Must specify which container requires special hardware and why. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| @@ -769,7 +769,7 @@ Property|Description Unique ID|lifecycle-pod-toleration-bypass Description|Check that pods do not have NoExecute, PreferNoSchedule, or NoSchedule tolerations that have been modified from the default. Suggested Remediation|Do not allow pods to bypass the NoExecute, PreferNoSchedule, or NoSchedule tolerations that are default applied by Kubernetes. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-taints-and-tolerations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-taints-and-tolerations Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -785,7 +785,7 @@ Property|Description Unique ID|lifecycle-readiness-probe Description|Check that all containers under test have readiness probe defined. There are different ways a pod can stop on on OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem. Suggested Remediation|Add a readiness probe to deployed containers -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -801,7 +801,7 @@ Property|Description Unique ID|lifecycle-startup-probe Description|Check that all containers under test have startup probe defined. Workloads shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum. Suggested Remediation|Add a startup probe to deployed containers -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status Exception Process|There is no documented exception process for this. Tags|telco,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -817,7 +817,7 @@ Property|Description Unique ID|lifecycle-statefulset-scaling Description|Tests that workload statefulsets support scale in/out operations. First, the test starts getting the current replicaCount (N) of the statefulset/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the statefulset/s. In case of statefulsets that are managed by HPA the test is changing the min and max value to statefulset Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the statefulset/s Suggested Remediation|Ensure the workload's statefulsets/replica sets can scale in/out successfully. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Not applicable to SNO applications. Tags|common,lifecycle |**Scenario**|**Optional/Mandatory**| 
@@ -833,7 +833,7 @@ Property|Description Unique ID|lifecycle-storage-provisioner Description|Checks that pods do not place persistent volumes on local storage in multinode clusters. Local storage is recommended for single node clusters, but only one type of local storage should be installed (lvms or noprovisioner). Suggested Remediation|Use a non-local storage (e.g. no kubernetes.io/no-provisioner and no topolvm.io provisioners) in multinode clusters. Local storage are recommended for single node clusters only, but a single local provisioner should be installed. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-local-storage +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-local-storage Exception Process|No exceptions Tags|common,lifecycle |**Scenario**|**Optional/Mandatory**| @@ -851,7 +851,7 @@ Property|Description Unique ID|manageability-container-port-name-format Description|Check that the container's ports name follow the naming conventions. Name field in ContainerPort section must be of form `[-]`. More naming convention requirements may be released in future Suggested Remediation|Ensure that the container's ports name follow our partner naming conventions -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs Exception Process|No exception needed for optional/extended tests. Tags|extended,manageability |**Scenario**|**Optional/Mandatory**| 
@@ -867,7 +867,7 @@ Property|Description Unique ID|manageability-containers-image-tag Description|Check that image tag exists on containers. Suggested Remediation|Ensure that all the container images are tagged. Checks containers have image tags (e.g. latest, stable, dev). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-tagging +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-tagging Exception Process|No exception needed for optional/extended tests. Tags|extended,manageability |**Scenario**|**Optional/Mandatory**| @@ -885,7 +885,7 @@ Property|Description Unique ID|networking-dpdk-cpu-pinning-exec-probe Description|If a workload is doing CPU pinning, exec probes may not be used. Suggested Remediation|If the workload is doing CPU pinning and running a DPDK process do not use exec probes (executing a command within the container) as it may pile up and block the node eventually. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-manager-pinning +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-manager-pinning Exception Process|There is no documented exception process for this. Tags|telco,networking |**Scenario**|**Optional/Mandatory**| 
@@ -901,7 +901,7 @@ Property|Description Unique ID|networking-dual-stack-service Description|Checks that all services in namespaces under test are either ipv6 single stack or dual stack. This test case requires the deployment of the debug daemonset. Suggested Remediation|Configure every workload service with either a single stack ipv6 or dual stack (ipv4/ipv6) load balancer. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6 +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-&-ipv6 Exception Process|No exception needed for optional/extended tests. Tags|extended,networking |**Scenario**|**Optional/Mandatory**| @@ -917,7 +917,7 @@ Property|Description Unique ID|networking-icmpv4-connectivity Description|Checks that each workload Container is able to communicate via ICMPv4 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped. Suggested Remediation|Ensure that the workload is able to communicate via the Default OpenShift network. In some rare cases, workloads may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6 +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-&-ipv6 Exception Process|No exceptions - must be able to communicate on default network using IPv4 Tags|common,networking |**Scenario**|**Optional/Mandatory**| 
@@ -933,7 +933,7 @@ Property|Description Unique ID|networking-icmpv4-connectivity-multus Description|Checks that each workload Container is able to communicate via ICMPv4 on the Multus network(s). This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped. Suggested Remediation|Ensure that the workload is able to communicate via the Multus network(s). In some rare cases, workloads may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if MULTUS is not supported. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Tags|telco,networking |**Scenario**|**Optional/Mandatory**| 
@@ -949,7 +949,7 @@ Property|Description Unique ID|networking-icmpv6-connectivity Description|Checks that each workload Container is able to communicate via ICMPv6 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped. Suggested Remediation|Ensure that the workload is able to communicate via the Default OpenShift network. In some rare cases, workloads may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if IPv6 is not supported. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6 +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-&-ipv6 Exception Process|There is no documented exception process for this. Tags|common,networking |**Scenario**|**Optional/Mandatory**| 
@@ -965,7 +965,7 @@ Property|Description Unique ID|networking-icmpv6-connectivity-multus Description|Checks that each workload Container is able to communicate via ICMPv6 on the Multus network(s). This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped. Suggested Remediation|Ensure that the workload is able to communicate via the Multus network(s). In some rare cases, workloads may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it.The label value is trivial, only its presence. Not applicable if IPv6/MULTUS is not supported. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|There is no documented exception process for this. Tags|telco,networking |**Scenario**|**Optional/Mandatory**| 
@@ -981,7 +981,7 @@ Property|Description Unique ID|networking-network-policy-deny-all Description|Check that network policies attached to namespaces running workload pods contain a default deny-all rule for both ingress and egress traffic Suggested Remediation|Ensure that a NetworkPolicy with a default deny-all is applied. After the default is applied, apply a network policy to allow the traffic your application requires. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-vrfs-aka-routing-instances +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-vrfs-aka-routing-instances Exception Process|No exception needed for optional/extended tests. Tags|common,networking |**Scenario**|**Optional/Mandatory**| @@ -997,7 +997,7 @@ Property|Description Unique ID|networking-ocp-reserved-ports-usage Description|Check that containers do not listen on ports that are reserved by OpenShift Suggested Remediation|Ensure that workload's apps do not listen on ports that are reserved by OpenShift. The following ports are reserved by OpenShift and must NOT be used by any application: 22623, 22624. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ports-reserved-by-openshift +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ports-reserved-by-openshift Exception Process|No exceptions Tags|common,networking |**Scenario**|**Optional/Mandatory**| 
@@ -1045,7 +1045,7 @@ Property|Description Unique ID|networking-undeclared-container-ports-usage Description|Check that containers do not listen on ports that weren't declared in their specification. Platforms may be configured to block undeclared ports. Suggested Remediation|Ensure the workload's apps do not listen on undeclared containers' ports. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs Exception Process|No exception needed for optional/extended tests. Tags|extended,networking |**Scenario**|**Optional/Mandatory**| @@ -1063,7 +1063,7 @@ Property|Description Unique ID|observability-container-logging Description|Check that all containers under test use standard input output and standard error when logging. A container must provide APIs for the platform to observe the container health and act accordingly. These APIs include health checks (liveness and readiness), logging to stderr and stdout for log aggregation (by tools such as Logstash or Filebeat), and integrate with tracing and metrics-gathering libraries (such as Prometheus or Metricbeat). Suggested Remediation|Ensure containers are not redirecting stdout/stderr -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-logging +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-logging Exception Process|There is no documented exception process for this. Tags|telco,observability |**Scenario**|**Optional/Mandatory**| 
@@ -1079,7 +1079,7 @@ Property|Description Unique ID|observability-crd-status Description|Checks that all CRDs have a status sub-resource specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]). Suggested Remediation|Ensure that all the CRDs have a meaningful status specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,observability |**Scenario**|**Optional/Mandatory**| @@ -1095,7 +1095,7 @@ Property|Description Unique ID|observability-pod-disruption-budget Description|Checks to see if pod disruption budgets have allowed values for minAvailable and maxUnavailable Suggested Remediation|Ensure minAvailable is not zero and maxUnavailable does not equal the number of pods in the replica -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations Exception Process|No exceptions Tags|common,observability |**Scenario**|**Optional/Mandatory**| 
@@ -1111,7 +1111,7 @@ Property|Description Unique ID|observability-termination-policy Description|Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem. Suggested Remediation|Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status Exception Process|There is no documented exception process for this. Tags|telco,observability |**Scenario**|**Optional/Mandatory**| @@ -1129,7 +1129,7 @@ Property|Description Unique ID|operator-automount-tokens Description|Tests that check that the pods disable the automount service account token." Suggested Remediation|Ensure that the pods have the automount service account token disabled. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| 
@@ -1145,7 +1145,7 @@ Property|Description Unique ID|operator-crd-openapi-schema Description|Tests whether an application Operator CRD is defined with OpenAPI spec. Suggested Remediation|Ensure that the Operator CRD is defined with OpenAPI spec. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| @@ -1161,7 +1161,7 @@ Property|Description Unique ID|operator-crd-versioning Description|Tests whether the Operator CRD has a valid versioning. Suggested Remediation|Ensure that the Operator CRD has a valid version. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| @@ -1177,7 +1177,7 @@ Property|Description Unique ID|operator-install-source Description|Tests whether a workload Operator is installed via OLM. Suggested Remediation|Ensure that your Operator is installed via OLM. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| 
@@ -1193,7 +1193,7 @@ Property|Description Unique ID|operator-install-status-no-privileges Description|Checks whether the operator needs access to Security Context Constraints. Test passes if clusterPermissions is not present in the CSV manifest or is present with no RBAC rules related to SCCs. Suggested Remediation|Ensure all the workload's operators have no privileges on cluster resources. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| @@ -1209,7 +1209,7 @@ Property|Description Unique ID|operator-install-status-succeeded Description|Ensures that the target workload operators report "Succeeded" as their installation status. Suggested Remediation|Ensure all the workload's operators have been successfully installed by OLM. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| 
@@ -1225,7 +1225,7 @@ Property|Description Unique ID|operator-read-only-file-system Description|Tests that check that the pods have the read-only root filesystem setting enabled. Suggested Remediation|Ensure that the pods have the read-only root filesystem setting enabled. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| @@ -1241,7 +1241,7 @@ Property|Description Unique ID|operator-run-as-non-root Description|Tests that checks the pods ensure they are run as non root. Suggested Remediation|Ensure that the pods are running as non root. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| @@ -1257,7 +1257,7 @@ Property|Description Unique ID|operator-run-as-user-id Description|Tests that checks the user id of the pods ensure it is not 0. Suggested Remediation|Ensure that the user ID of the pods is not 0. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| 
@@ -1273,7 +1273,7 @@ Property|Description Unique ID|operator-semantic-versioning Description|Tests whether an application Operator has a valid semantic versioning. Suggested Remediation|Ensure that the Operator has a valid semantic versioning. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| @@ -1289,7 +1289,7 @@ Property|Description Unique ID|operator-single-crd-owner Description|Tests whether a CRD is owned by a single Operator. Suggested Remediation|Ensure that a CRD is owned by only one Operator -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements Exception Process|No exceptions Tags|common,operator |**Scenario**|**Optional/Mandatory**| 
@@ -1405,7 +1405,7 @@ Property|Description Unique ID|platform-alteration-base-image Description|Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Suggested Remediation|Ensure that Container applications do not modify the Container Base Image. In particular, ensure that the following directories are not modified: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Ensure that all required binaries are built directly into the container image, and are not installed post startup. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-standards +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-standards Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| @@ -1421,7 +1421,7 @@ Property|Description Unique ID|platform-alteration-boot-params Description|Tests that boot parameters are set through the MachineConfigOperator, and not set manually on the Node. Suggested Remediation|Ensure that boot parameters are set directly through the MachineConfigOperator, or indirectly through the PerformanceAddonOperator. Boot parameters should not be changed directly through the Node, as OpenShift should manage the changes for you. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| 
@@ -1453,7 +1453,7 @@ Property|Description Unique ID|platform-alteration-hugepages-2m-only Description|Check that pods using hugepages only use 2Mi size Suggested Remediation|Modify pod to consume 2Mi hugepages only -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages Exception Process|No exception needed for optional/extended tests. Tags|extended,platform-alteration |**Scenario**|**Optional/Mandatory**| 
@@ -1469,7 +1469,7 @@ Property|Description Unique ID|platform-alteration-hugepages-config Description|Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the "worker" MachineConfigSet. First, the "worker" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same. Suggested Remediation|HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your workload on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. This test case applies only to Nodes that are configured with the "worker" MachineConfigSet. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| 
@@ -1501,7 +1501,7 @@ Property|Description Unique ID|platform-alteration-is-selinux-enforcing Description|verifies that all openshift platform/cluster nodes have selinux in "Enforcing" mode. Suggested Remediation|Configure selinux and enable enforcing mode. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-security Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| @@ -1517,7 +1517,7 @@ Property|Description Unique ID|platform-alteration-isredhat-release Description|verifies if the container base image is redhat. Suggested Remediation|Build a new container image that is based on UBI (Red Hat Universal Base Image). -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-base-images +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-base-images Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| @@ -1533,7 +1533,7 @@ Property|Description Unique ID|platform-alteration-ocp-lifecycle Description|Tests that the running OCP version is not end of life. Suggested Remediation|Please update your cluster to a version that is generally available. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-k8s +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-k8s Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| 
@@ -1549,7 +1549,7 @@ Property|Description Unique ID|platform-alteration-ocp-node-os-lifecycle Description|Tests that the nodes running in the cluster have operating systems that are compatible with the deployed version of OpenShift. Suggested Remediation|Please update your workers to a version that is supported by your version of OpenShift -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| @@ -1581,7 +1581,7 @@ Property|Description Unique ID|platform-alteration-sysctl-config Description|Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured Suggested Remediation|You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security Exception Process|No exceptions Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| 
@@ -1597,7 +1597,7 @@ Property|Description Unique ID|platform-alteration-tainted-node-kernel Description|Ensures that the Node(s) hosting workloads do not utilize tainted kernels. This test case is especially important to support Highly Available workloads, since when a workload is re-instantiated on a backup Node, that Node's kernel may not have the same hacks.' Suggested Remediation|Test failure indicates that the underlying Node's kernel is tainted. Ensure that you have not altered underlying Node(s) kernels in order to run the workload. -Best Practice Reference|https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations +Best Practice Reference|https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations Exception Process|If taint is necessary, document details of the taint and why it's needed by workload or environment. Tags|common,platform-alteration |**Scenario**|**Optional/Mandatory**| diff --git a/cmd/certsuite/claim/compare/testdata/claim_access_control.json b/cmd/certsuite/claim/compare/testdata/claim_access_control.json index c7ae2d296..350ac8c0f 100644 --- a/cmd/certsuite/claim/compare/testdata/claim_access_control.json +++ b/cmd/certsuite/claim/compare/testdata/claim_access_control.json 
@@ -9269,7 +9269,7 @@ "access-control-cluster-role-bindings": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not using a cluster role binding\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not using a cluster role binding\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not using a cluster role binding\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not using a cluster role binding\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not using a cluster role binding\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Tests that a Pod does not specify ClusterRoleBindings.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." 
@@ -9296,7 +9296,7 @@ "access-control-container-host-port": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Host port is not configured\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Host port is not configured\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Host port is not configured\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Host port is not configured\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-accessing-resource-on-host", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-accessing-resource-on-host", "description": "Verifies if containers define a hostPort.", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Remove hostPort configuration from the container. CNF should avoid accessing host resources - containers should not configure HostPort." 
@@ -9323,7 +9323,7 @@ "access-control-crd-roles": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-custom-role-to-access-application-crds", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-custom-role-to-access-application-crds", "description": "If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly" 
@@ -9350,7 +9350,7 @@ "access-control-ipc-lock-capability-check": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"xdp\",\"xdp-c\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipc_lock", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipc_lock", "description": "Ensures that containers do not use IPC_LOCK capability. CNF should avoid accessing host resources - spec.HostIpc should be false.", "exceptionProcess": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. 
Must identify which container requires the capability and detail why.", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -9377,7 +9377,7 @@ "access-control-namespace": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Namespace\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\"],\"ObjectFieldsValues\":[\"Namespace has valid prefix\",\"tnf\"]},{\"ObjectType\":\"Namespace\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\"],\"ObjectFieldsValues\":[\"Namespace has valid prefix\",\"tnf\"]},{\"ObjectType\":\"Namespace\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\"],\"ObjectFieldsValues\":[\"Namespace has valid prefix\",\"tnf\"]},{\"ObjectType\":\"Namespace\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\"],\"ObjectFieldsValues\":[\"Namespace has valid prefix\",\"tnf\"]},{\"ObjectType\":\"Namespace\",\"ObjectFieldsKeys\":[\"Reason For Compliance\"],\"ObjectFieldsValues\":[\"CRs are in the configured namespaces\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs", "description": "Tests that all CNF's resources (PUTs and CRs) belong to valid namespaces. A valid namespace meets\nthe following conditions: (1) It was declared in the yaml config file under the targetNameSpaces\ntag. (2) It does not have any of the following prefixes: default, openshift-, istio- and aspenmesh-", "exceptionProcess": "No exceptions", "remediation": "Ensure that your CNF utilizes namespaces declared in the yaml config file. Additionally, the namespaces should not start with \"default, openshift-, istio- or aspenmesh-\"." 
@@ -9404,7 +9404,7 @@ "access-control-namespace-resource-quota": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is running in a namespace that has a ResourceQuota applied\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is running in a namespace that has a ResourceQuota applied\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is running in a namespace that has a ResourceQuota applied\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is running in a namespace that has a ResourceQuota applied\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is running in a namespace that has a ResourceQuota applied\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-memory-allocation", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-memory-allocation", "description": "Checks to see if CNF workload pods are running in namespaces that have resource quotas applied.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Apply a ResourceQuota to the namespace your CNF is running in. The CNF namespace should have resource quota defined." 
@@ -9431,7 +9431,7 @@ "access-control-net-admin-capability-check": { "capturedTestOutput": "Non compliant [NET_ADMIN container: test pod: test-765d6b8dcf-gbvsd ns: tnf \u0026Capabilities{Add:[NET_ADMIN],Drop:[],}] capability detected in container %!s(MISSING). All container caps: %!s(MISSING)\nNon compliant [NET_ADMIN container: test pod: test-765d6b8dcf-s768n ns: tnf \u0026Capabilities{Add:[NET_ADMIN],Drop:[],}] capability detected in container %!s(MISSING). All container caps: %!s(MISSING)\nNon compliant [NET_ADMIN container: xdp-c pod: xdp ns: tnf \u0026Capabilities{Add:[BPF PERFMON NET_ADMIN],Drop:[],}] capability detected in container %!s(MISSING). All container caps: %!s(MISSING)\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-1\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"SCC Capability\"],\"ObjectFieldsValues\":[\"Non compliant capability detected in container\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\",\"NET_ADMIN\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"SCC Capability\"],\"ObjectFieldsValues\":[\"Non compliant capability detected in container\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\",\"NET_ADMIN\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"SCC Capability\"],\"ObjectFieldsValues\":[\"Non compliant capability detected in 
container\",\"tnf\",\"xdp\",\"xdp-c\",\"NET_ADMIN\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-net_admin", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-net_admin", "description": "Ensures that containers do not use NET_ADMIN capability. Note: this test also ensures iptables and nftables are not configured by CNF pods:\n- NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods.\nnftables should be configured by an administrator outside the scope of the CNF. nftables are usually configured\nby operators, for instance the Performance Addon Operator (PAO) or istio.\n- Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables\nshould be configured by an administrator outside the scope of the CNF. iptables are usually configured by operators,\nfor instance the Performance Addon Operator (PAO) or istio.", "exceptionProcess": "Exception will be considered for user plane or networking functions (e.g. SR-IOV, Multicast). Must identify which container requires the capability and detail why.", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -9458,7 +9458,7 @@ "access-control-net-raw-capability-check": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"xdp\",\"xdp-c\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-user-plane-cnfs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-user-plane-cnfs", "description": "Ensures that containers do not use NET_RAW capability. Note: this test also ensures iptables and nftables are not configured by CNF pods:\n- NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods.\nnftables should be configured by an administrator outside the scope of the CNF. 
nftables are usually configured\nby operators, for instance the Performance Addon Operator (PAO) or istio.\n- Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables\nshould be configured by an administrator outside the scope of the CNF. iptables are usually configured by operators,\nfor instance the Performance Addon Operator (PAO) or istio.", "exceptionProcess": "Exception will be considered for user plane or networking functions. Must identify which container requires the capability and detail why.", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -9512,7 +9512,7 @@ "access-control-one-process-per-container": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has only one process running\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has only one process running\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has only one process running\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has only one process running\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has only one process running\",\"tnf\",\"xdp\",\"xdp-c\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-one-process-per-container", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-one-process-per-container", "description": "Check that all containers under test have only one process running", "exceptionProcess": "No exception needed for optional/extended tests. Not applicable to SNO applications.", "remediation": "Launch only one process per container. Should adhere to 1 process per container best practice wherever possible." 
@@ -9539,7 +9539,7 @@ "access-control-pod-automount-service-account-token": { "capturedTestOutput": "Pod [xdp] has been found with default service account name.\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-automount-services-for-pods", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-automount-services-for-pods", "description": "Check that all pods under test have automountServiceAccountToken set to false. Only pods that require access to the kubernetes API server should have automountServiceAccountToken set to true", "exceptionProcess": "Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used.", "remediation": "Check that pod has automountServiceAccountToken set to false or pod is attached to service account which has automountServiceAccountToken set to false, unless the pod needs access to the kubernetes API server. Pods which do not need API access should set automountServiceAccountToken to false in pod spec." 
@@ -9566,7 +9566,7 @@ "access-control-pod-host-ipc": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostIpc is not set to true\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostIpc is not set to true\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostIpc is not set to true\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostIpc is not set to true\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostIpc is not set to true\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Verifies that the spec.HostIpc parameter is set to false", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostIpc parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostIpc should be false." 
@@ -9593,7 +9593,7 @@ "access-control-pod-host-network": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Host network is not set to true\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Host network is not set to true\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Host network is not set to true\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Host network is not set to true\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Host network is not set to true\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace", "description": "Verifies that the spec.HostNetwork parameter is not set (not present)", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostNetwork parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostNetwork should be false." 
@@ -9620,7 +9620,7 @@ "access-control-pod-host-path": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Hostpath path is not set\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Verifies that the spec.HostPath parameter is not set (not present)", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostPath parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostPath should be false." 
@@ -9647,7 +9647,7 @@ "access-control-pod-host-pid": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostPid is not set to true\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostPid is not set to true\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostPid is not set to true\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostPid is not set to true\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"HostPid is not set to true\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Verifies that the spec.HostPid parameter is set to false", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostPid parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostPid should be false." 
@@ -9674,7 +9674,7 @@ "access-control-pod-role-bindings": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"All the role bindings used by this pod (applied by the service accounts) live in the same namespace\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"All the role bindings used by this pod (applied by the service accounts) live in the same namespace\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"All the role bindings used by this pod (applied by the service accounts) live in the same namespace\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"All the role bindings used by this pod (applied by the service accounts) live in the same namespace\",\"tnf\",\"test-765d6b8dcf-s768n\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"The serviceAccountName is either empty or default\",\"tnf\",\"xdp\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Ensures that a CNF does not utilize RoleBinding(s) in a non-CNF Namespace.", "exceptionProcess": "No exceptions", "remediation": "Ensure the CNF is not configured to use RoleBinding(s) in a non-CNF Namespace. Scope of role must \u003c= scope of creator of role." 
@@ -9701,7 +9701,7 @@ "access-control-pod-service-account": { "capturedTestOutput": "Pod [xdp tnf] (ns: %!s(MISSING)) does not have a valid service account name.\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod has a service account name\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod has a service account name\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod has a service account name\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod has a service account name\",\"tnf\",\"test-765d6b8dcf-s768n\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod does not have a valid service account name\",\"tnf\",\"xdp\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-scc-permissions-for-an-application", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-scc-permissions-for-an-application", "description": "Tests that each CNF Pod utilizes a valid Service Account. Default or empty service account is not valid.", "exceptionProcess": "No exceptions", "remediation": "Ensure that the each CNF Pod is configured to use a valid Service Account" 
@@ -9728,7 +9728,7 @@ "access-control-projected-volume-service-account-token": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"the pod is not using a projected volume for service account access\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"the pod is not using a projected volume for service account access\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"the pod is not using a projected volume for service account access\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"the pod is not using a projected volume for service account access\",\"tnf\",\"test-765d6b8dcf-s768n\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"ProjectedVolume\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Projected Volume Name\",\"Projected Volume SA Token\",\"Projected Volume SA Token\",\"Projected Volume SA Token\",\"Projected Volume SA Token\"],\"ObjectFieldsValues\":[\"the projected volume Service account token field is not nil\",\"tnf\",\"xdp\",\"kube-api-access-t8lpx\",\"\\u0026ServiceAccountTokenProjection{Audience:,ExpirationSeconds:*3607,Path:token,}\",\"nil\",\"nil\",\"nil\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-automount-services-for-pods", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-automount-services-for-pods", "description": "Checks that pods do not use projected volumes and service account tokens", "exceptionProcess": 
"Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used.", "remediation": "Ensure that pods do not use projected volumes and service account tokens" 
@@ -9755,7 +9755,7 @@ "access-control-requests-and-limits": { "capturedTestOutput": "Container has been found missing resource limits: [container: xdp-c pod: xdp ns: tnf]\nContainer has been found missing resource requests: [container: xdp-c pod: xdp ns: tnf]\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has resource requests and limits\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has resource requests and limits\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has resource requests and limits\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container has resource requests and limits\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is missing resource requests or limits\",\"tnf\",\"xdp\",\"xdp-c\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requests/limits", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requests/limits", "description": "Check that containers have resource requests and limits specified in their spec.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add requests and 
limits to your container spec. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits" 
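Review bot: the new anchor `#k8s-best-practices-requests/limits` keeps a `/` in the fragment, and so does `#k8s-best-practices-pod-interaction/configuration` in the `access-control-ssh-daemons` entry below; heading ids generated from titles like "Requests/Limits" usually drop or replace the slash, so check both against the rendered guide before this lands rather than assuming the old fragment shape carried over.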
@@ -9782,7 +9782,7 @@ "access-control-security-context": { "capturedTestOutput": "containerSCC [container: test pod: test-0 ns: tnf {false false false false false true false true false true true true CategoryID1(limited access granted automatically) true true}] is %!v(MISSING)\nTesting if pod belongs to category [CategoryID1(limited access granted automatically)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [true] - OK\nRunAsNonRoot = [true false] but expected %!s(MISSING) - NOK\nFsGroupPresent = [true] - OK\nDropCapabilities list - OK\n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory list is as expected [CategoryID1(limited access granted automatically)] - OK\nTesting if pod belongs to category [CategoryID1NoUID0(automatically granted, basic rights with mesh networks)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [true] - OK\nRunAsNonRoot = [true] - OK\nFsGroupPresent = [true] - OK\nDropCapabilities list - OK\n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory list is as expected [CategoryID1(limited access granted automatically)] - OK\nTesting if pod belongs to category1NoUID0 \n%!(EXTRA []interface {}=[])containerSCC [container: test pod: test-1 ns: tnf {false false false false false true false true false true true true CategoryID1(limited access granted automatically) true true}] is %!v(MISSING)\nTesting if pod belongs to category 
[CategoryID1(limited access granted automatically)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [true] - OK\nRunAsNonRoot = [true false] but expected %!s(MISSING) - NOK\nFsGroupPresent = [true] - OK\nDropCapabilities list - OK\n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory list is as expected [CategoryID1(limited access granted automatically)] - OK\nTesting if pod belongs to category [CategoryID1NoUID0(automatically granted, basic rights with mesh networks)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [true] - OK\nRunAsNonRoot = [true] - OK\nFsGroupPresent = [true] - OK\nDropCapabilities list - OK\n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory list is as expected [CategoryID1(limited access granted automatically)] - OK\nTesting if pod belongs to category1NoUID0 \n%!(EXTRA []interface {}=[])containerSCC [container: test pod: test-765d6b8dcf-gbvsd ns: tnf {false false false false false false false false false false false true CategoryID2(advanced networking (vlan tag, dscp, priority)) false true}] is %!v(MISSING)\nTesting if pod belongs to category [CategoryID1(limited access granted automatically)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] 
but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory = [CategoryID2(advanced networking (vlan tag, dscp, priority)) CategoryID1(limited access granted automatically)] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID1NoUID0(automatically granted, basic rights with mesh networks)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory = [CategoryID2(advanced networking (vlan tag, dscp, priority)) CategoryID1(limited access granted automatically)] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID2(advanced networking (vlan tag, dscp, priority))]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required 
(MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory list is as expected [CategoryID2(advanced networking (vlan tag, dscp, priority))] - OK\nTesting if pod belongs to category [CategoryID3(SRIOV and DPDK)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory = [CategoryID2(advanced networking (vlan tag, dscp, priority)) CategoryID3(SRIOV and DPDK)] but expected %!s(MISSING) - NOK\ncontainerSCC [container: test pod: test-765d6b8dcf-s768n ns: tnf {false false false false false false false false false false false true CategoryID2(advanced networking (vlan tag, dscp, priority)) false true}] is %!v(MISSING)\nTesting if pod belongs to category [CategoryID1(limited access granted automatically)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt 
have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory = [CategoryID2(advanced networking (vlan tag, dscp, priority)) CategoryID1(limited access granted automatically)] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID1NoUID0(automatically granted, basic rights with mesh networks)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory = [CategoryID2(advanced networking (vlan tag, dscp, priority)) CategoryID1(limited access granted automatically)] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID2(advanced networking (vlan tag, dscp, priority))]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value 
\n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory list is as expected [CategoryID2(advanced networking (vlan tag, dscp, priority))] - OK\nTesting if pod belongs to category [CategoryID3(SRIOV and DPDK)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent is not nil - OK\n%!(EXTRA []interface {}=[])CapabilitiesCategory = [CategoryID2(advanced networking (vlan tag, dscp, priority)) CategoryID3(SRIOV and DPDK)] but expected %!s(MISSING) - NOK\ncontainerSCC [container: xdp-c pod: xdp ns: tnf {false false false false false false false false false false false false CategoryID4(anything not matching lower category) false true}] is %!v(MISSING)\nTesting if pod belongs to category [CategoryID1(limited access granted automatically)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value 
\n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent = [false true] but expected %!s(MISSING) expected to be non nil - NOK\nCapabilitiesCategory = [CategoryID4(anything not matching lower category) CategoryID1(limited access granted automatically)] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID1NoUID0(automatically granted, basic rights with mesh networks)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent = [false true] but expected %!s(MISSING) expected to be non nil - NOK\nCapabilitiesCategory = [CategoryID4(anything not matching lower category) CategoryID1(limited access granted automatically)] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID2(advanced networking (vlan tag, dscp, priority))]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface 
{}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent = [false true] but expected %!s(MISSING) expected to be non nil - NOK\nCapabilitiesCategory = [CategoryID4(anything not matching lower category) CategoryID2(advanced networking (vlan tag, dscp, priority))] but expected %!s(MISSING) - NOK\nTesting if pod belongs to category [CategoryID3(SRIOV and DPDK)]\nAllVolumeAllowed = [true] - OK\nRunAsUserPresent = [false true] but expected %!s(MISSING) - NOK\nRunAsNonRoot = [false] - OK\nFsGroupPresent = [false true] but expected %!s(MISSING) - NOK\nRequiredDropCapabilitiesPresent = [false true] but expected %!s(MISSING) - NOK\nits didnt have all the required (MKNOD, SETUID, SETGID, KILL)/(ALL) drop value \n%!(EXTRA []interface {}=[])HostDirVolumePluginPresent = [false] - OK\nHostIPC = [false] - OK\nHostNetwork = [false] - OK\nHostPID = [false] - OK\nHostPorts = [false] - OK\nHostNetwork = [false] - OK\nPrivilegedContainer = [false] - OK\nReadOnlyRootFilesystem = [false] - OK\nSeLinuxContextPresent = [false true] but expected %!s(MISSING) expected to be non nil - NOK\nCapabilitiesCategory = [CategoryID4(anything not matching lower category) CategoryID3(SRIOV and DPDK)] but expected %!s(MISSING) - NOK\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"ContainerCategory\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"Category\"],\"ObjectFieldsValues\":[\"container category is category 1 or category NoUID0\",\"tnf\",\"test-0\",\"test\",\"CategoryID1NoUID0(automatically granted, basic rights with mesh networks)\"]},{\"ObjectType\":\"ContainerCategory\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"Category\"],\"ObjectFieldsValues\":[\"container category is category 1 
or category NoUID0\",\"tnf\",\"test-1\",\"test\",\"CategoryID1NoUID0(automatically granted, basic rights with mesh networks)\"]},{\"ObjectType\":\"Cnf\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Category\"],\"ObjectFieldsValues\":[\"Overall CNF category\",\"CategoryID4(anything not matching lower category)\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"ContainerCategory\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"Category\"],\"ObjectFieldsValues\":[\"container category is NOT category 1 or category NoUID0\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\",\"CategoryID4(anything not matching lower category)\"]},{\"ObjectType\":\"ContainerCategory\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"Category\"],\"ObjectFieldsValues\":[\"container category is NOT category 1 or category NoUID0\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\",\"CategoryID4(anything not matching lower category)\"]},{\"ObjectType\":\"ContainerCategory\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\",\"Category\"],\"ObjectFieldsValues\":[\"container category is NOT category 1 or category NoUID0\",\"tnf\",\"xdp\",\"xdp-c\",\"CategoryID4(anything not matching lower category)\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Checks the security context matches one of the 4 categories", "exceptionProcess": "no exception needed for optional/extended test", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and document why. 
If the container had the right configuration of the allowed category from the 4 approved list then the test will pass. The 4 categories are defined in Requirement ID 94118 of the Extended Best Practices guide (private repo)" 
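Review bot: in this `access-control-security-context` entry the unchanged `exceptionProcess` says "no exception needed for optional/extended test" while the `remediation` in the same block says "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications" and then points readers to "Requirement ID 94118 of the Extended Best Practices guide (private repo)", a reference they cannot follow; the `access-control-sys-admin-capability-check` entry further down has the same mismatch (`exceptionProcess` "No exceptions" beside the same mlock()/DPDK exception text). Since this PR is about making best-practice references resolvable, it is worth fixing these in the catalog source and regenerating the claim instead of updating only the URL.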
@@ -9809,7 +9809,7 @@ "access-control-security-context-non-root-user-check": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Root User not detected (RunAsUser uid=0)\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Checks the security context runAsUser parameter in pods and containers to make sure it is not set 
to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0).", "exceptionProcess": "No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details.", "remediation": "Change the pod and containers \"runAsUser\" uid to something other than root(0)" @@ -9836,7 +9836,7 @@ "access-control-security-context-privilege-escalation": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"AllowPrivilegeEscalation is set to false\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"AllowPrivilegeEscalation is set to false\",\"tnf\",\"test-1\",\"test\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Checks if privileged escalation is enabled (AllowPrivilegeEscalation=true).", "exceptionProcess": "No exceptions", "remediation": "Configure privilege escalation to false. Privileged escalation should not be allowed (AllowPrivilegeEscalation=false)." 
@@ -9863,7 +9863,7 @@ "access-control-service-type": { "capturedTestOutput": "{\"CompliantObjectsOut\":null,\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace", "description": "Tests that each CNF Service does not utilize NodePort(s).", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Ensure Services are not configured to use NodePort(s).CNF should avoid accessing host resources - tests that each CNF Service does not utilize NodePort(s)." 
@@ -9890,7 +9890,7 @@ "access-control-ssh-daemons": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not running an SSH daemon\",\"tnf\",\"test-0\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not running an SSH daemon\",\"tnf\",\"test-1\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not running an SSH daemon\",\"tnf\",\"test-765d6b8dcf-gbvsd\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not running an SSH daemon\",\"tnf\",\"test-765d6b8dcf-s768n\"]},{\"ObjectType\":\"Pod\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\"],\"ObjectFieldsValues\":[\"Pod is not running an SSH daemon\",\"tnf\",\"xdp\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-interaction/configuration", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-interaction/configuration", "description": "Check that pods do not run SSH daemons.", "exceptionProcess": "No exceptions - special consideration can be given to certain containers which run as utility tool daemon", "remediation": "Ensure that no SSH daemons are running inside a pod. Pods should not run as SSH Daemons (replicaset or statefulset only)." 
@@ -9917,7 +9917,7 @@ "access-control-sys-admin-capability-check": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"No forbidden capabilities detected in container\",\"tnf\",\"xdp\",\"xdp-c\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-sys_admin", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-sys_admin", "description": "Ensures that containers do not use SYS_ADMIN capability", "exceptionProcess": "No exceptions", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. 
Containers should not use the SYS_ADMIN Linux capability." 
@@ -9944,7 +9944,7 @@ "access-control-sys-nice-realtime-capability": { "capturedTestOutput": "[container: test pod: test-0 ns: tnf] has been found running on a realtime kernel enabled node without SYS_NICE capability.\n[container: test pod: test-1 ns: tnf] has been found running on a realtime kernel enabled node without SYS_NICE capability.\n[container: test pod: test-765d6b8dcf-gbvsd ns: tnf] has been found running on a realtime kernel enabled node without SYS_NICE capability.\n[container: test pod: test-765d6b8dcf-s768n ns: tnf] has been found running on a realtime kernel enabled node without SYS_NICE capability.\n[container: xdp-c pod: xdp ns: tnf] has been found running on a realtime kernel enabled node without SYS_NICE capability.\n{\"CompliantObjectsOut\":null,\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is running on a realtime kernel enabled node without SYS_NICE capability\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is running on a realtime kernel enabled node without SYS_NICE capability\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is running on a realtime kernel enabled node without SYS_NICE capability\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is running on a realtime kernel enabled node without SYS_NICE capability\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non 
Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is running on a realtime kernel enabled node without SYS_NICE capability\",\"tnf\",\"xdp\",\"xdp-c\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_nice", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_nice", "description": "Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a CNF is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "If pods are scheduled to realtime kernel nodes, they must add SYS_NICE capability to their spec." 
@@ -9971,7 +9971,7 @@ "access-control-sys-ptrace-capability": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_ptrace", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_ptrace", "description": "Check that if process namespace sharing is enabled for a Pod then the SYS_PTRACE capability is allowed. This capability is required when using Process Namespace Sharing. This is used when processes from one Container need to be exposed to another Container. For example, to send signals like SIGHUP from a process in a Container to another process in another Container. For more information on these capabilities refer to https://cloud.redhat.com/blog/linux-capabilities-in-openshift and https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Allow the SYS_PTRACE capability when enabling process namespace sharing for a Pod" @@ -10052,7 +10052,7 @@ "affiliated-certification-helm-version": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-helm", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-helm", "description": "Test to check if the helm chart is v3", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Check Helm Chart is v3 and not v2 which is not supported due to security risks associated with Tiller." 
@@ -10106,7 +10106,7 @@ "affiliated-certification-operator-is-certified": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Tests whether CNF Operators listed in the configuration file have passed the Red Hat Operator Certification Program (OCP).", "exceptionProcess": "There is no documented exception process for this.Partner can run CNF Certification test suite before passing other certifications (Container/Operator/HelmChart) but the affiliated certification test cases in CNF Certification test suite must be re-run once the other certifications have been granted.", "remediation": "Ensure that your Operator has passed Red Hat's Operator Certification Program (OCP)." @@ -10133,7 +10133,7 @@ "lifecycle-affinity-required-pods": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Checks that affinity rules are in place if AffinityRequired: 'true' labels are set on Pods.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Pods which need to be co-located on the same node need Affinity rules. If a pod/statefulset/deployment is required to use affinity rules, please add AffinityRequired: 'true' as a label." 
@@ -10160,7 +10160,7 @@ "lifecycle-container-shutdown": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices", "description": "Ensure that the containers lifecycle preStop management feature is configured. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. When pods are shut down by the platform they are sent a SIGTERM signal which means that the process in the container should start shutting down, closing connections and stopping all activity. If the pod doesn’t shut down within the default 30 seconds then the platform may send a SIGKILL signal which will stop the pod immediately. This method isn’t as clean and the default time between the SIGTERM and SIGKILL messages can be modified based on the requirements of the application. Containers should respond to SIGTERM/SIGKILL with graceful shutdown.", "exceptionProcess": "Identify which pod is not conforming to the process and submit information as to why it cannot use a preStop shutdown specification.", "remediation": "The preStop can be used to gracefully stop the container and clean resources (e.g., DB connection). For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. All pods must respond to SIGTERM signal and shutdown gracefully with a zero exit code." 
@@ -10187,7 +10187,7 @@ "lifecycle-container-startup": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices", "description": "Ensure that the containers lifecycle postStart management feature is configured. A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shutdown as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down.", "exceptionProcess": "Identify which pod is not conforming to the process and submit information as to why it cannot use a postStart startup specification.", "remediation": "PostStart is normally used to configure the container, set up dependencies, and record the new creation. You could use this event to check that a required API is available before the container’s main work begins. Kubernetes will not change the container’s state to Running until the PostStart script has executed successfully. For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. PostStart is used to configure container, set up dependencies, record new creation. It can also be used to check that a required API is available before the container’s work begins." 
@@ -10214,7 +10214,7 @@ "lifecycle-cpu-isolation": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-isolation", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-isolation", "description": "CPU isolation requires: For each container within the pod, resource requests and limits must be identical. Request and Limits are in the form of whole CPUs. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements." @@ -10241,7 +10241,7 @@ "lifecycle-crd-scaling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Tests that CNF crd support scale in/out operations. First, the test starts getting the current replicaCount (N) of the crd/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the crd/s. In case of crd that are managed by HPA the test is changing the min and max value to crd Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the crd/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure CNF crd/replica sets can scale in/out successfully." 
@@ -10268,7 +10268,7 @@ "lifecycle-deployment-scaling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Tests that CNF deployments support scale in/out operations. First, the test starts getting the current replicaCount (N) of the deployment/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the deployment/s. In case of deployments that are managed by HPA the test is changing the min and max value to deployment Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the deployment/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure CNF deployments/replica sets can scale in/out successfully." 
@@ -10295,7 +10295,7 @@ "lifecycle-image-pull-policy": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-use-imagepullpolicy-if-not-present", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-use-imagepullpolicy-if-not-present", "description": "Ensure that the containers under test are using IfNotPresent as Image Pull Policy. If there is a situation where the container dies and needs to be restarted, the image pull policy becomes important. PullIfNotPresent is recommended so that a loss of image registry access does not prevent the pod from restarting.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the containers under test are using IfNotPresent as Image Pull Policy." @@ -10322,7 +10322,7 @@ "lifecycle-liveness-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Check that all containers under test have liveness probe defined. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. When starting up, health probes like liveness and readiness checks can be put into place to ensure the application is functioning properly.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a liveness probe to deployed containers. CNFs shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum." 
@@ -10349,7 +10349,7 @@ "lifecycle-persistent-volume-reclaim-policy": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-csi", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-csi", "description": "Check that the persistent volumes the CNF pods are using have a reclaim policy of delete. Network Functions should clear persistent storage by deleting their PVs when removing their application from a cluster.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that all persistent volumes are using the reclaim policy: delete" @@ -10376,7 +10376,7 @@ "lifecycle-pod-high-availability": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Ensures that CNF Pods specify podAntiAffinity rules and replica value is set to more than 1.", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 ." 
@@ -10403,7 +10403,7 @@ "lifecycle-pod-owner-type": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-no-naked-pods", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-no-naked-pods", "description": "Tests that CNF Pod(s) are deployed as part of a ReplicaSet(s)/StatefulSet(s).", "exceptionProcess": "There is no documented exception process for this. Pods should not be deployed as DaemonSet or naked pods.", "remediation": "Deploy the CNF using ReplicaSet/StatefulSet." @@ -10430,7 +10430,7 @@ "lifecycle-pod-recreation": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations", "description": "Tests that a CNF is configured to support High Availability. First, this test cordons and drains a Node that hosts the CNF Pod. Next, the test ensures that OpenShift can re-instantiate the Pod on another Node, and that the actual replica count matches the desired replica count.", "exceptionProcess": "No exceptions - workloads should be able to be restarted/recreated.", "remediation": "Ensure that CNF Pod(s) utilize a configuration that supports High Availability. Additionally, ensure that there are available Nodes in the OpenShift cluster that can be utilized in the event that a host Node fails." 
@@ -10457,7 +10457,7 @@ "lifecycle-pod-scheduling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Ensures that CNF Pods do not specify nodeSelector or nodeAffinity. In most cases, Pods should allow for instantiation on any underlying Node. CNFs shall not use node selectors nor taints/tolerations to assign pod location.", "exceptionProcess": "Exception will only be considered if application requires specialized hardware. Must specify which container requires special hardware and why.", "remediation": "In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which CNFs require specialized hardware specific to a particular class of Node." @@ -10484,7 +10484,7 @@ "lifecycle-pod-toleration-bypass": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-taints-and-tolerations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-taints-and-tolerations", "description": "Check that pods do not have NoExecute, PreferNoSchedule, or NoSchedule tolerations that have been modified from the default.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Do not allow pods to bypass the NoExecute, PreferNoSchedule, or NoSchedule tolerations that are default applied by Kubernetes." 
@@ -10511,7 +10511,7 @@ "lifecycle-readiness-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Check that all containers under test have readiness probe defined. There are different ways a pod can stop on on OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a readiness probe to deployed containers" @@ -10538,7 +10538,7 @@ "lifecycle-startup-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status", "description": "Check that all containers under test have startup probe defined. CNFs shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a startup probe to deployed containers" 
@@ -10565,7 +10565,7 @@ "lifecycle-statefulset-scaling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Tests that CNF statefulsets support scale in/out operations. First, the test starts getting the current replicaCount (N) of the statefulset/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the statefulset/s. In case of statefulsets that are managed by HPA the test is changing the min and max value to statefulset Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the statefulset/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure CNF statefulsets/replica sets can scale in/out successfully." @@ -10592,7 +10592,7 @@ "lifecycle-storage-required-pods": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-local-storage", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-local-storage", "description": "Checks that pods do not place persistent volumes on local storage.", "exceptionProcess": "No exceptions", "remediation": "If pod is StatefulSet, make sure servicename is not local-storage (persistent volumes should not be on local storage)." 
@@ -10619,7 +10619,7 @@ "manageability-container-port-name-format": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs", "description": "Check that the container's ports name follow the naming conventions. Name field in ContainerPort section must be of form `\u003cprotocol\u003e[-\u003csuffix\u003e]`. More naming convention requirements may be released in future", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that the container's ports name follow our partner naming conventions" @@ -10646,7 +10646,7 @@ "manageability-containers-image-tag": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-tagging", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-tagging", "description": "Check that image tag exists on containers.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that all the container images are tagged. Checks containers have image tags (e.g. latest, stable, dev)." 
@@ -10673,7 +10673,7 @@ "networking-dpdk-cpu-pinning-exec-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-manager-pinning", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-manager-pinning", "description": "If a CNF is doing CPU pinning, exec probes may not be used.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "If the CNF is doing CPU pinning and running a DPDK process do not use exec probes (executing a command within the container) as it may pile up and block the node eventually." @@ -10700,7 +10700,7 @@ "networking-dual-stack-service": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-\u0026-ipv6", "description": "Checks that all services in namespaces under test are either ipv6 single stack or dual stack. This test case requires the deployment of the debug daemonset.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Configure every CNF services with either a single stack ipv6 or dual stack (ipv4/ipv6) load balancer." 
@@ -10727,7 +10727,7 @@ "networking-icmpv4-connectivity": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-\u0026-ipv6", "description": "Checks that each CNF Container is able to communicate via ICMPv4 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "No exceptions - must be able to communicate on default network using IPv4", "remediation": "Ensure that the CNF is able to communicate via the Default OpenShift network. In some rare cases, CNFs may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence." 
@@ -10754,7 +10754,7 @@ "networking-icmpv4-connectivity-multus": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Checks that each CNF Container is able to communicate via ICMPv4 on the Multus network(s). This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the CNF is able to communicate via the Multus network(s). In some rare cases, CNFs may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if MULTUS is not supported." 
@@ -10781,7 +10781,7 @@ "networking-icmpv6-connectivity": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-\u0026-ipv6", "description": "Checks that each CNF Container is able to communicate via ICMPv6 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the CNF is able to communicate via the Default OpenShift network. In some rare cases, CNFs may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if IPv6 is not supported." 
@@ -10808,7 +10808,7 @@ "networking-icmpv6-connectivity-multus": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Checks that each CNF Container is able to communicate via ICMPv6 on the Multus network(s). This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the CNF is able to communicate via the Multus network(s). In some rare cases, CNFs may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it.The label value is trivial, only its presence. Not applicable if IPv6/MULTUS is not supported." @@ -10835,7 +10835,7 @@ "networking-network-policy-deny-all": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-vrfs-aka-routing-instances", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-vrfs-aka-routing-instances", "description": "Check that network policies attached to namespaces running CNF pods contain a default deny-all rule for both ingress and egress traffic", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that a NetworkPolicy with a default deny-all is applied. After the default is applied, apply a network policy to allow the traffic your application requires." 
@@ -10862,7 +10862,7 @@ "networking-ocp-reserved-ports-usage": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ports-reserved-by-openshift", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ports-reserved-by-openshift", "description": "Check that containers do not listen on ports that are reserved by OpenShift", "exceptionProcess": "No exceptions", "remediation": "Ensure that CNF apps do not listen on ports that are reserved by OpenShift. The following ports are reserved by OpenShift and must NOT be used by any application: 22623, 22624." @@ -10943,7 +10943,7 @@ "networking-undeclared-container-ports-usage": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs", "description": "Check that containers do not listen on ports that weren't declared in their specification. Platforms may be configured to block undeclared ports.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure the CNF apps do not listen on undeclared containers' ports." 
@@ -10970,7 +10970,7 @@ "observability-container-logging": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-logging", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-logging", "description": "Check that all containers under test use standard input output and standard error when logging. A container must provide APIs for the platform to observe the container health and act accordingly. These APIs include health checks (liveness and readiness), logging to stderr and stdout for log aggregation (by tools such as Logstash or Filebeat), and integrate with tracing and metrics-gathering libraries (such as Prometheus or Metricbeat).", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure containers are not redirecting stdout/stderr" @@ -10997,7 +10997,7 @@ "observability-crd-status": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Checks that all CRDs have a status sub-resource specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]).", "exceptionProcess": "No exceptions", "remediation": "Ensure that all the CRDs have a meaningful status specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”])." 
@@ -11024,7 +11024,7 @@ "observability-pod-disruption-budget": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations", "description": "Checks to see if pod disruption budgets have allowed values for minAvailable and maxUnavailable", "exceptionProcess": "No exceptions", "remediation": "Ensure minAvailable is not zero and maxUnavailable does not equal the number of pods in the replica" @@ -11051,7 +11051,7 @@ "observability-termination-policy": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status", "description": "Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy" 
@@ -11078,7 +11078,7 @@ "operator-install-source": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Tests whether a CNF Operator is installed via OLM.", "exceptionProcess": "No exceptions", "remediation": "Ensure that your Operator is installed via OLM." @@ -11105,7 +11105,7 @@ "operator-install-status-no-privileges": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "The operator is not installed with privileged rights. Test passes if clusterPermissions is not present in the CSV manifest or is present with no resourceNames under its rules.", "exceptionProcess": "No exceptions", "remediation": "Ensure all the CNF operators have no privileges on cluster resources." @@ -11132,7 +11132,7 @@ "operator-install-status-succeeded": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Ensures that the target CNF operators report \"Succeeded\" as their installation status.", "exceptionProcess": "No exceptions", "remediation": "Ensure all the CNF operators have been successfully installed by OLM." 
@@ -11321,7 +11321,7 @@ "platform-alteration-base-image": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-standards", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-standards", "description": "Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64", "exceptionProcess": "No exceptions", "remediation": "Ensure that Container applications do not modify the Container Base Image. In particular, ensure that the following directories are not modified: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Ensure that all required binaries are built directly into the container image, and are not installed post startup." @@ -11348,7 +11348,7 @@ "platform-alteration-boot-params": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os", "description": "Tests that boot parameters are set through the MachineConfigOperator, and not set manually on the Node.", "exceptionProcess": "No exceptions", "remediation": "Ensure that boot parameters are set directly through the MachineConfigOperator, or indirectly through the PerformanceAddonOperator. Boot parameters should not be changed directly through the Node, as OpenShift should manage the changes for you." 
@@ -11402,7 +11402,7 @@ "platform-alteration-hugepages-2m-only": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages", "description": "Check that pods using hugepages only use 2Mi size", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Modify pod to consume 2Mi hugepages only" @@ -11429,7 +11429,7 @@ "platform-alteration-hugepages-config": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages", "description": "Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet. First, the \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.", "exceptionProcess": "No exceptions", "remediation": "HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your CNF on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet." 
@@ -11483,7 +11483,7 @@ "platform-alteration-is-selinux-enforcing": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-security", "description": "verifies that all openshift platform/cluster nodes have selinux in \"Enforcing\" mode.", "exceptionProcess": "No exceptions", "remediation": "Configure selinux and enable enforcing mode." @@ -11510,7 +11510,7 @@ "platform-alteration-isredhat-release": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-base-images", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-base-images", "description": "verifies if the container base image is redhat.", "exceptionProcess": "No exceptions", "remediation": "Build a new container image that is based on UBI (Red Hat Universal Base Image)." @@ -11537,7 +11537,7 @@ "platform-alteration-ocp-lifecycle": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-k8s", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-k8s", "description": "Tests that the running OCP version is not end of life.", "exceptionProcess": "No exceptions", "remediation": "Please update your cluster to a version that is generally available." 
@@ -11564,7 +11564,7 @@ "platform-alteration-ocp-node-os-lifecycle": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os", "description": "Tests that the nodes running in the cluster have operating systems that are compatible with the deployed version of OpenShift.", "exceptionProcess": "No exceptions", "remediation": "Please update your workers to a version that is supported by your version of OpenShift" @@ -11618,7 +11618,7 @@ "platform-alteration-sysctl-config": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured", "exceptionProcess": "No exceptions", "remediation": "You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes" 
@@ -11645,7 +11645,7 @@ "platform-alteration-tainted-node-kernel": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Ensures that the Node(s) hosting CNFs do not utilize tainted kernels. This test case is especially important to support Highly Available CNFs, since when a CNF is re-instantiated on a backup Node, that Node's kernel may not have the same hacks.'", "exceptionProcess": "If taint is necessary, document details of the taint and why it's needed by workload or environment.", "remediation": "Test failure indicates that the underlying Node's kernel is tainted. Ensure that you have not altered underlying Node(s) kernels in order to run the CNF." diff --git a/cmd/certsuite/claim/compare/testdata/claim_observability.json b/cmd/certsuite/claim/compare/testdata/claim_observability.json index 7af64a06d..94745f9e0 100644 --- a/cmd/certsuite/claim/compare/testdata/claim_observability.json +++ b/cmd/certsuite/claim/compare/testdata/claim_observability.json 
@@ -9295,7 +9295,7 @@ "access-control-cluster-role-bindings": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Tests that a Pod does not specify ClusterRoleBindings.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." @@ -9322,7 +9322,7 @@ "access-control-container-host-port": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-accessing-resource-on-host", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-accessing-resource-on-host", "description": "Verifies if containers define a hostPort.", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Remove hostPort configuration from the container. CNF should avoid accessing host resources - containers should not configure HostPort." 
@@ -9349,7 +9349,7 @@ "access-control-crd-roles": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-custom-role-to-access-application-crds", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-custom-role-to-access-application-crds", "description": "If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly" @@ -9376,7 +9376,7 @@ "access-control-ipc-lock-capability-check": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipc_lock", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipc_lock", "description": "Ensures that containers do not use IPC_LOCK capability. CNF should avoid accessing host resources - spec.HostIpc should be false.", "exceptionProcess": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why.", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -9403,7 +9403,7 @@ "access-control-namespace": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs", "description": "Tests that all CNF's resources (PUTs and CRs) belong to valid namespaces. A valid namespace meets\nthe following conditions: (1) It was declared in the yaml config file under the targetNameSpaces\ntag. (2) It does not have any of the following prefixes: default, openshift-, istio- and aspenmesh-", "exceptionProcess": "No exceptions", "remediation": "Ensure that your CNF utilizes namespaces declared in the yaml config file. Additionally, the namespaces should not start with \"default, openshift-, istio- or aspenmesh-\"." @@ -9430,7 +9430,7 @@ "access-control-namespace-resource-quota": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-memory-allocation", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-memory-allocation", "description": "Checks to see if CNF workload pods are running in namespaces that have resource quotas applied.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Apply a ResourceQuota to the namespace your CNF is running in. The CNF namespace should have resource quota defined." 
@@ -9457,7 +9457,7 @@ "access-control-net-admin-capability-check": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-net_admin", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-net_admin", "description": "Ensures that containers do not use NET_ADMIN capability. Note: this test also ensures iptables and nftables are not configured by CNF pods:\n- NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods.\nnftables should be configured by an administrator outside the scope of the CNF. nftables are usually configured\nby operators, for instance the Performance Addon Operator (PAO) or istio.\n- Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables\nshould be configured by an administrator outside the scope of the CNF. iptables are usually configured by operators,\nfor instance the Performance Addon Operator (PAO) or istio.", "exceptionProcess": "Exception will be considered for user plane or networking functions (e.g. SR-IOV, Multicast). Must identify which container requires the capability and detail why.", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -9484,7 +9484,7 @@ "access-control-net-raw-capability-check": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-user-plane-cnfs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-user-plane-cnfs", "description": "Ensures that containers do not use NET_RAW capability. Note: this test also ensures iptables and nftables are not configured by CNF pods:\n- NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods.\nnftables should be configured by an administrator outside the scope of the CNF. nftables are usually configured\nby operators, for instance the Performance Addon Operator (PAO) or istio.\n- Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables\nshould be configured by an administrator outside the scope of the CNF. iptables are usually configured by operators,\nfor instance the Performance Addon Operator (PAO) or istio.", "exceptionProcess": "Exception will be considered for user plane or networking functions. Must identify which container requires the capability and detail why.", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -9538,7 +9538,7 @@ "access-control-one-process-per-container": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-one-process-per-container", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-one-process-per-container", "description": "Check that all containers under test have only one process running", "exceptionProcess": "No exception needed for optional/extended tests. Not applicable to SNO applications.", "remediation": "Launch only one process per container. Should adhere to 1 process per container best practice wherever possible." @@ -9565,7 +9565,7 @@ "access-control-pod-automount-service-account-token": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-automount-services-for-pods", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-automount-services-for-pods", "description": "Check that all pods under test have automountServiceAccountToken set to false. Only pods that require access to the kubernetes API server should have automountServiceAccountToken set to true", "exceptionProcess": "Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used.", "remediation": "Check that pod has automountServiceAccountToken set to false or pod is attached to service account which has automountServiceAccountToken set to false, unless the pod needs access to the kubernetes API server. Pods which do not need API access should set automountServiceAccountToken to false in pod spec." 
@@ -9592,7 +9592,7 @@ "access-control-pod-host-ipc": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Verifies that the spec.HostIpc parameter is set to false", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostIpc parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostIpc should be false." @@ -9619,7 +9619,7 @@ "access-control-pod-host-network": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace", "description": "Verifies that the spec.HostNetwork parameter is not set (not present)", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostNetwork parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostNetwork should be false." 
@@ -9646,7 +9646,7 @@ "access-control-pod-host-path": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Verifies that the spec.HostPath parameter is not set (not present)", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostPath parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostPath should be false." @@ -9673,7 +9673,7 @@ "access-control-pod-host-pid": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Verifies that the spec.HostPid parameter is set to false", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostPid parameter to false in the pod configuration. CNF should avoid accessing host resources - spec.HostPid should be false." 
@@ -9700,7 +9700,7 @@ "access-control-pod-role-bindings": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Ensures that a CNF does not utilize RoleBinding(s) in a non-CNF Namespace.", "exceptionProcess": "No exceptions", "remediation": "Ensure the CNF is not configured to use RoleBinding(s) in a non-CNF Namespace. Scope of role must \u003c= scope of creator of role." @@ -9727,7 +9727,7 @@ "access-control-pod-service-account": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-scc-permissions-for-an-application", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-scc-permissions-for-an-application", "description": "Tests that each CNF Pod utilizes a valid Service Account. Default or empty service account is not valid.", "exceptionProcess": "No exceptions", "remediation": "Ensure that the each CNF Pod is configured to use a valid Service Account" 
@@ -9754,7 +9754,7 @@ "access-control-projected-volume-service-account-token": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-automount-services-for-pods", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-automount-services-for-pods", "description": "Checks that pods do not use projected volumes and service account tokens", "exceptionProcess": "Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used.", "remediation": "Ensure that pods do not use projected volumes and service account tokens" @@ -9781,7 +9781,7 @@ "access-control-requests-and-limits": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requests/limits", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requests/limits", "description": "Check that containers have resource requests and limits specified in their spec.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add requests and limits to your container spec. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits" 
@@ -9808,7 +9808,7 @@ "access-control-security-context": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Checks the security context matches one of the 4 categories", "exceptionProcess": "no exception needed for optional/extended test", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and document why. If the container had the right configuration of the allowed category from the 4 approved list then the test will pass. The 4 categories are defined in Requirement ID 94118 of the Extended Best Practices guide (private repo)" @@ -9835,7 +9835,7 @@ "access-control-security-context-non-root-user-check": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Checks the security context runAsUser parameter in pods and containers to make sure it is not set to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0).", "exceptionProcess": "No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details.", "remediation": "Change the pod and containers \"runAsUser\" uid to something other than root(0)" 
@@ -9862,7 +9862,7 @@ "access-control-security-context-privilege-escalation": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Checks if privileged escalation is enabled (AllowPrivilegeEscalation=true).", "exceptionProcess": "No exceptions", "remediation": "Configure privilege escalation to false. Privileged escalation should not be allowed (AllowPrivilegeEscalation=false)." @@ -9889,7 +9889,7 @@ "access-control-service-type": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-the-host-network-namespace", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace", "description": "Tests that each CNF Service does not utilize NodePort(s).", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Ensure Services are not configured to use NodePort(s).CNF should avoid accessing host resources - tests that each CNF Service does not utilize NodePort(s)." 
@@ -9916,7 +9916,7 @@ "access-control-ssh-daemons": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-interaction/configuration", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-interaction/configuration", "description": "Check that pods do not run SSH daemons.", "exceptionProcess": "No exceptions - special consideration can be given to certain containers which run as utility tool daemon", "remediation": "Ensure that no SSH daemons are running inside a pod. Pods should not run as SSH Daemons (replicaset or statefulset only)." @@ -9943,7 +9943,7 @@ "access-control-sys-admin-capability-check": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-avoid-sys_admin", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-sys_admin", "description": "Ensures that containers do not use SYS_ADMIN capability", "exceptionProcess": "No exceptions", "remediation": "Exception possible if CNF uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. Containers should not use the SYS_ADMIN Linux capability." 
@@ -9970,7 +9970,7 @@ "access-control-sys-nice-realtime-capability": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_nice", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_nice", "description": "Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a CNF is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "If pods are scheduled to realtime kernel nodes, they must add SYS_NICE capability to their spec." @@ -9997,7 +9997,7 @@ "access-control-sys-ptrace-capability": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-sys_ptrace", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_ptrace", "description": "Check that if process namespace sharing is enabled for a Pod then the SYS_PTRACE capability is allowed. This capability is required when using Process Namespace Sharing. This is used when processes from one Container need to be exposed to another Container. For example, to send signals like SIGHUP from a process in a Container to another process in another Container. For more information on these capabilities refer to https://cloud.redhat.com/blog/linux-capabilities-in-openshift and https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Allow the SYS_PTRACE capability when enabling process namespace sharing for a Pod" 
@@ -10078,7 +10078,7 @@ "affiliated-certification-helm-version": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-helm", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-helm", "description": "Test to check if the helm chart is v3", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Check Helm Chart is v3 and not v2 which is not supported due to security risks associated with Tiller." @@ -10132,7 +10132,7 @@ "affiliated-certification-operator-is-certified": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Tests whether CNF Operators listed in the configuration file have passed the Red Hat Operator Certification Program (OCP).", "exceptionProcess": "There is no documented exception process for this.Partner can run CNF Certification test suite before passing other certifications (Container/Operator/HelmChart) but the affiliated certification test cases in CNF Certification test suite must be re-run once the other certifications have been granted.", "remediation": "Ensure that your Operator has passed Red Hat's Operator Certification Program (OCP)." 
@@ -10159,7 +10159,7 @@ "lifecycle-affinity-required-pods": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Checks that affinity rules are in place if AffinityRequired: 'true' labels are set on Pods.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Pods which need to be co-located on the same node need Affinity rules. If a pod/statefulset/deployment is required to use affinity rules, please add AffinityRequired: 'true' as a label." 
@@ -10186,7 +10186,7 @@ "lifecycle-container-shutdown": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices", "description": "Ensure that the containers lifecycle preStop management feature is configured. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. When pods are shut down by the platform they are sent a SIGTERM signal which means that the process in the container should start shutting down, closing connections and stopping all activity. If the pod doesn’t shut down within the default 30 seconds then the platform may send a SIGKILL signal which will stop the pod immediately. This method isn’t as clean and the default time between the SIGTERM and SIGKILL messages can be modified based on the requirements of the application. Containers should respond to SIGTERM/SIGKILL with graceful shutdown.", "exceptionProcess": "Identify which pod is not conforming to the process and submit information as to why it cannot use a preStop shutdown specification.", "remediation": "The preStop can be used to gracefully stop the container and clean resources (e.g., DB connection). For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. All pods must respond to SIGTERM signal and shutdown gracefully with a zero exit code." 
@@ -10213,7 +10213,7 @@ "lifecycle-container-startup": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cloud-native-design-best-practices", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices", "description": "Ensure that the containers lifecycle postStart management feature is configured. A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shutdown as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down.", "exceptionProcess": "Identify which pod is not conforming to the process and submit information as to why it cannot use a postStart startup specification.", "remediation": "PostStart is normally used to configure the container, set up dependencies, and record the new creation. You could use this event to check that a required API is available before the container’s main work begins. Kubernetes will not change the container’s state to Running until the PostStart script has executed successfully. For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. PostStart is used to configure container, set up dependencies, record new creation. It can also be used to check that a required API is available before the container’s work begins." 
@@ -10240,7 +10240,7 @@ "lifecycle-cpu-isolation": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-isolation", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-isolation", "description": "CPU isolation requires: For each container within the pod, resource requests and limits must be identical. Request and Limits are in the form of whole CPUs. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements." @@ -10267,7 +10267,7 @@ "lifecycle-crd-scaling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Tests that CNF crd support scale in/out operations. First, the test starts getting the current replicaCount (N) of the crd/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the crd/s. In case of crd that are managed by HPA the test is changing the min and max value to crd Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the crd/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure CNF crd/replica sets can scale in/out successfully." 
@@ -10294,7 +10294,7 @@ "lifecycle-deployment-scaling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Tests that CNF deployments support scale in/out operations. First, the test starts getting the current replicaCount (N) of the deployment/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the deployment/s. In case of deployments that are managed by HPA the test is changing the min and max value to deployment Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the deployment/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure CNF deployments/replica sets can scale in/out successfully." 
@@ -10321,7 +10321,7 @@ "lifecycle-image-pull-policy": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-use-imagepullpolicy-if-not-present", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-use-imagepullpolicy-if-not-present", "description": "Ensure that the containers under test are using IfNotPresent as Image Pull Policy. If there is a situation where the container dies and needs to be restarted, the image pull policy becomes important. PullIfNotPresent is recommended so that a loss of image registry access does not prevent the pod from restarting.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the containers under test are using IfNotPresent as Image Pull Policy." @@ -10348,7 +10348,7 @@ "lifecycle-liveness-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Check that all containers under test have liveness probe defined. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. When starting up, health probes like liveness and readiness checks can be put into place to ensure the application is functioning properly.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a liveness probe to deployed containers. CNFs shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum." 
@@ -10375,7 +10375,7 @@ "lifecycle-persistent-volume-reclaim-policy": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-csi", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-csi", "description": "Check that the persistent volumes the CNF pods are using have a reclaim policy of delete. Network Functions should clear persistent storage by deleting their PVs when removing their application from a cluster.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that all persistent volumes are using the reclaim policy: delete" @@ -10402,7 +10402,7 @@ "lifecycle-pod-high-availability": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Ensures that CNF Pods specify podAntiAffinity rules and replica value is set to more than 1.", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 ." 
@@ -10429,7 +10429,7 @@ "lifecycle-pod-owner-type": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-no-naked-pods", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-no-naked-pods", "description": "Tests that CNF Pod(s) are deployed as part of a ReplicaSet(s)/StatefulSet(s).", "exceptionProcess": "There is no documented exception process for this. Pods should not be deployed as DaemonSet or naked pods.", "remediation": "Deploy the CNF using ReplicaSet/StatefulSet." @@ -10456,7 +10456,7 @@ "lifecycle-pod-recreation": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations", "description": "Tests that a CNF is configured to support High Availability. First, this test cordons and drains a Node that hosts the CNF Pod. Next, the test ensures that OpenShift can re-instantiate the Pod on another Node, and that the actual replica count matches the desired replica count.", "exceptionProcess": "No exceptions - workloads should be able to be restarted/recreated.", "remediation": "Ensure that CNF Pod(s) utilize a configuration that supports High Availability. Additionally, ensure that there are available Nodes in the OpenShift cluster that can be utilized in the event that a host Node fails." 
@@ -10483,7 +10483,7 @@ "lifecycle-pod-scheduling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Ensures that CNF Pods do not specify nodeSelector or nodeAffinity. In most cases, Pods should allow for instantiation on any underlying Node. CNFs shall not use node selectors nor taints/tolerations to assign pod location.", "exceptionProcess": "Exception will only be considered if application requires specialized hardware. Must specify which container requires special hardware and why.", "remediation": "In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which CNFs require specialized hardware specific to a particular class of Node." @@ -10510,7 +10510,7 @@ "lifecycle-pod-toleration-bypass": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-taints-and-tolerations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-taints-and-tolerations", "description": "Check that pods do not have NoExecute, PreferNoSchedule, or NoSchedule tolerations that have been modified from the default.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Do not allow pods to bypass the NoExecute, PreferNoSchedule, or NoSchedule tolerations that are default applied by Kubernetes." 
@@ -10537,7 +10537,7 @@ "lifecycle-readiness-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Check that all containers under test have readiness probe defined. There are different ways a pod can stop on on OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a readiness probe to deployed containers" @@ -10564,7 +10564,7 @@ "lifecycle-startup-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status", "description": "Check that all containers under test have startup probe defined. CNFs shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a startup probe to deployed containers" 
@@ -10591,7 +10591,7 @@ "lifecycle-statefulset-scaling": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Tests that CNF statefulsets support scale in/out operations. First, the test starts getting the current replicaCount (N) of the statefulset/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the statefulset/s. In case of statefulsets that are managed by HPA the test is changing the min and max value to statefulset Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the statefulset/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure CNF statefulsets/replica sets can scale in/out successfully." @@ -10618,7 +10618,7 @@ "lifecycle-storage-required-pods": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-local-storage", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-local-storage", "description": "Checks that pods do not place persistent volumes on local storage.", "exceptionProcess": "No exceptions", "remediation": "If pod is StatefulSet, make sure servicename is not local-storage (persistent volumes should not be on local storage)." 
@@ -10645,7 +10645,7 @@ "manageability-container-port-name-format": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs", "description": "Check that the container's ports name follow the naming conventions. Name field in ContainerPort section must be of form `\u003cprotocol\u003e[-\u003csuffix\u003e]`. More naming convention requirements may be released in future", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that the container's ports name follow our partner naming conventions" @@ -10672,7 +10672,7 @@ "manageability-containers-image-tag": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-tagging", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-tagging", "description": "Check that image tag exists on containers.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that all the container images are tagged. Checks containers have image tags (e.g. latest, stable, dev)." 
@@ -10699,7 +10699,7 @@ "networking-dpdk-cpu-pinning-exec-probe": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-manager-pinning", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-manager-pinning", "description": "If a CNF is doing CPU pinning, exec probes may not be used.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "If the CNF is doing CPU pinning and running a DPDK process do not use exec probes (executing a command within the container) as it may pile up and block the node eventually." @@ -10726,7 +10726,7 @@ "networking-dual-stack-service": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-\u0026-ipv6", "description": "Checks that all services in namespaces under test are either ipv6 single stack or dual stack. This test case requires the deployment of the debug daemonset.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Configure every CNF services with either a single stack ipv6 or dual stack (ipv4/ipv6) load balancer." 
@@ -10753,7 +10753,7 @@ "networking-icmpv4-connectivity": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-\u0026-ipv6", "description": "Checks that each CNF Container is able to communicate via ICMPv4 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "No exceptions - must be able to communicate on default network using IPv4", "remediation": "Ensure that the CNF is able to communicate via the Default OpenShift network. In some rare cases, CNFs may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence." 
@@ -10780,7 +10780,7 @@ "networking-icmpv4-connectivity-multus": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Checks that each CNF Container is able to communicate via ICMPv4 on the Multus network(s). This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the CNF is able to communicate via the Multus network(s). In some rare cases, CNFs may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if MULTUS is not supported." 
@@ -10807,7 +10807,7 @@ "networking-icmpv6-connectivity": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-\u0026-ipv6", "description": "Checks that each CNF Container is able to communicate via ICMPv6 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the CNF is able to communicate via the Default OpenShift network. In some rare cases, CNFs may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if IPv6 is not supported." 
@@ -10834,7 +10834,7 @@ "networking-icmpv6-connectivity-multus": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Checks that each CNF Container is able to communicate via ICMPv6 on the Multus network(s). This test case requires the Deployment of the debug daemonset.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure that the CNF is able to communicate via the Multus network(s). In some rare cases, CNFs may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it.The label value is trivial, only its presence. Not applicable if IPv6/MULTUS is not supported." @@ -10861,7 +10861,7 @@ "networking-network-policy-deny-all": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-vrfs-aka-routing-instances", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-vrfs-aka-routing-instances", "description": "Check that network policies attached to namespaces running CNF pods contain a default deny-all rule for both ingress and egress traffic", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that a NetworkPolicy with a default deny-all is applied. After the default is applied, apply a network policy to allow the traffic your application requires." 
@@ -10888,7 +10888,7 @@ "networking-ocp-reserved-ports-usage": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-ports-reserved-by-openshift", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ports-reserved-by-openshift", "description": "Check that containers do not listen on ports that are reserved by OpenShift", "exceptionProcess": "No exceptions", "remediation": "Ensure that CNF apps do not listen on ports that are reserved by OpenShift. The following ports are reserved by OpenShift and must NOT be used by any application: 22623, 22624." @@ -10969,7 +10969,7 @@ "networking-undeclared-container-ports-usage": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs", "description": "Check that containers do not listen on ports that weren't declared in their specification. Platforms may be configured to block undeclared ports.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure the CNF apps do not listen on undeclared containers' ports." 
@@ -10997,7 +10997,7 @@ { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Found log line to stderr/stdout\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Found log line to stderr/stdout\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Found log line to stderr/stdout\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Found log line to stderr/stdout\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Found log line to stderr/stdout\",\"tnf\",\"xdp\",\"xdp-c\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-logging", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-logging", "description": "Check that all containers under test use standard input output and standard error when logging. A container must provide APIs for the platform to observe the container health and act accordingly. 
These APIs include health checks (liveness and readiness), logging to stderr and stdout for log aggregation (by tools such as Logstash or Filebeat), and integrate with tracing and metrics-gathering libraries (such as Prometheus or Metricbeat).", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure containers are not redirecting stdout/stderr" @@ -11024,7 +11024,7 @@ "observability-crd-status": { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Custom Resource Definition\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Custom Resource Definition Name\",\"Custom Resource Definition Version\"],\"ObjectFieldsValues\":[\"Crd has a status sub resource set\",\"crdexamples.test-network-function.com\",\"v1\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Checks that all CRDs have a status sub-resource specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]).", "exceptionProcess": "No exceptions", "remediation": "Ensure that all the CRDs have a meaningful status specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”])." 
@@ -11052,7 +11052,7 @@ { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"StatefulSet\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"StatefulSet\",\"Pod Disruption Budget Reference\"],\"ObjectFieldsValues\":[\"StatefulSet: references PodDisruptionBudget\",\"test\",\"test-pdb-max\"]}],\"NonCompliantObjectsOut\":null}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-upgrade-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations", "description": "Checks to see if pod disruption budgets have allowed values for minAvailable and maxUnavailable", "exceptionProcess": "No exceptions", "remediation": "Ensure minAvailable is not zero and maxUnavailable does not equal the number of pods in the replica" 
@@ -11080,7 +11080,7 @@ { "capturedTestOutput": "FAILURE: [container: xdp-c pod: xdp ns: tnf] does not have a TerminationMessagePolicy: FallbackToLogsOnError\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is not FallbackToLogsOnError\",\"tnf\",\"xdp\",\"xdp-c\"]}]}\n%!(EXTRA []interface {}=[])", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status", "description": "Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. 
Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy" @@ -11107,7 +11107,7 @@ "operator-install-source": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Tests whether a CNF Operator is installed via OLM.", "exceptionProcess": "No exceptions", "remediation": "Ensure that your Operator is installed via OLM." @@ -11134,7 +11134,7 @@ "operator-install-status-no-privileges": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "The operator is not installed with privileged rights. Test passes if clusterPermissions is not present in the CSV manifest or is present with no resourceNames under its rules.", "exceptionProcess": "No exceptions", "remediation": "Ensure all the CNF operators have no privileges on cluster resources." 
@@ -11161,7 +11161,7 @@ "operator-install-status-succeeded": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements", "description": "Ensures that the target CNF operators report \"Succeeded\" as their installation status.", "exceptionProcess": "No exceptions", "remediation": "Ensure all the CNF operators have been successfully installed by OLM." @@ -11350,7 +11350,7 @@ "platform-alteration-base-image": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-standards", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-standards", "description": "Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64", "exceptionProcess": "No exceptions", "remediation": "Ensure that Container applications do not modify the Container Base Image. In particular, ensure that the following directories are not modified: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Ensure that all required binaries are built directly into the container image, and are not installed post startup." 
@@ -11377,7 +11377,7 @@ "platform-alteration-boot-params": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os", "description": "Tests that boot parameters are set through the MachineConfigOperator, and not set manually on the Node.", "exceptionProcess": "No exceptions", "remediation": "Ensure that boot parameters are set directly through the MachineConfigOperator, or indirectly through the PerformanceAddonOperator. Boot parameters should not be changed directly through the Node, as OpenShift should manage the changes for you." @@ -11431,7 +11431,7 @@ "platform-alteration-hugepages-2m-only": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages", "description": "Check that pods using hugepages only use 2Mi size", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Modify pod to consume 2Mi hugepages only" 
@@ -11458,7 +11458,7 @@ "platform-alteration-hugepages-config": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages", "description": "Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet. First, the \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.", "exceptionProcess": "No exceptions", "remediation": "HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your CNF on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet." 
@@ -11512,7 +11512,7 @@ "platform-alteration-is-selinux-enforcing": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-security", "description": "verifies that all openshift platform/cluster nodes have selinux in \"Enforcing\" mode.", "exceptionProcess": "No exceptions", "remediation": "Configure selinux and enable enforcing mode." @@ -11539,7 +11539,7 @@ "platform-alteration-isredhat-release": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-base-images", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-base-images", "description": "verifies if the container base image is redhat.", "exceptionProcess": "No exceptions", "remediation": "Build a new container image that is based on UBI (Red Hat Universal Base Image)." @@ -11566,7 +11566,7 @@ "platform-alteration-ocp-lifecycle": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-k8s", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-k8s", "description": "Tests that the running OCP version is not end of life.", "exceptionProcess": "No exceptions", "remediation": "Please update your cluster to a version that is generally available." 
@@ -11593,7 +11593,7 @@ "platform-alteration-ocp-node-os-lifecycle": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-host-os", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os", "description": "Tests that the nodes running in the cluster have operating systems that are compatible with the deployed version of OpenShift.", "exceptionProcess": "No exceptions", "remediation": "Please update your workers to a version that is supported by your version of OpenShift" @@ -11647,7 +11647,7 @@ "platform-alteration-sysctl-config": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security", "description": "Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured", "exceptionProcess": "No exceptions", "remediation": "You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes" 
@@ -11674,7 +11674,7 @@ "platform-alteration-tainted-node-kernel": { "capturedTestOutput": "", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations", "description": "Ensures that the Node(s) hosting CNFs do not utilize tainted kernels. This test case is especially important to support Highly Available CNFs, since when a CNF is re-instantiated on a backup Node, that Node's kernel may not have the same hacks.'", "exceptionProcess": "If taint is necessary, document details of the taint and why it's needed by workload or environment.", "remediation": "Test failure indicates that the underlying Node's kernel is tainted. Ensure that you have not altered underlying Node(s) kernels in order to run the CNF." diff --git a/cmd/certsuite/claim/show/failures/testdata/claim1.json b/cmd/certsuite/claim/show/failures/testdata/claim1.json index 7312662c2..ad28d4d91 100644 --- a/cmd/certsuite/claim/show/failures/testdata/claim1.json +++ b/cmd/certsuite/claim/show/failures/testdata/claim1.json 
@@ -16,7 +16,7 @@ "tags": "common" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Ensures that containers do not use SYS_ADMIN capability", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." @@ -43,7 +43,7 @@ "tags": "telco" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a CNF is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." 
@@ -70,7 +70,7 @@ "tags": "common" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." @@ -97,7 +97,7 @@ "tags": "common" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Ensures that the Node(s) hosting CNFs do not utilize tainted kernels. This test case is especially important to support Highly Available CNFs, since when a CNF is re-instantiated on a backup Node, that Node's kernel may not have the same hacks.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." 
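Review bot: the four claim1.json hunks are consistent with the rest of the patch, but this fixture's catalogInfo blocks are visibly copy-pasted: a `description` about SYS_ADMIN, sysctl drift or tainted kernels sits next to a `security-rbac` reference and a ClusterRoleBindings `remediation`. That mismatch predates this change, so it is not a blocker, but since every `catalogInfo` block in the file is being touched anyway, it is a cheap moment to regenerate the fixture from the real catalog rather than hand-edit it again. Also worth confirming that whatever `claim show failures` renders from these fixtures (if its tests compare against recorded output that includes `bestPracticeReference`) received the same URL update, otherwise those tests will fail for a reason unrelated to the link change.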
diff --git a/cmd/certsuite/claim/show/failures/testdata/claim2.json b/cmd/certsuite/claim/show/failures/testdata/claim2.json index 5090e0708..9902229c9 100644 --- a/cmd/certsuite/claim/show/failures/testdata/claim2.json +++ b/cmd/certsuite/claim/show/failures/testdata/claim2.json @@ -16,7 +16,7 @@ "tags": "common" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Ensures that containers do not use SYS_ADMIN capability", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." 
@@ -43,7 +43,7 @@ "tags": "telco" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a CNF is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." 
@@ -70,7 +70,7 @@ "tags": "common" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." @@ -97,7 +97,7 @@ "tags": "common" }, "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac", "description": "Ensures that the Node(s) hosting CNFs do not utilize tainted kernels. This test case is especially important to support Highly Available CNFs, since when a CNF is re-instantiated on a backup Node, that Node's kernel may not have the same hacks.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by CNF (often reserved for cluster admin only)." 
diff --git a/docs/assets/images/claim-compare-cni.svg b/docs/assets/images/claim-compare-cni.svg index a47bed88d..7aff2df46 100644 --- a/docs/assets/images/claim-compare-cni.svg +++ b/docs/assets/images/claim-compare-cni.svg 
@@ -250,5 +250,5 @@ - $ $ c $ cl $ cle $ clea $ clear $ clear $ $ v $ vi $ vim $ vim $ vim c $ vim cl $ vim cla $ vim clai $ vim claim $ vim claim2 $ vim claim2. $ vim claim2.j $ vim claim2.json $ vim claim2.json "claim2.json""claim2.json" 11888L, 553715B 11195 "Telco": "Mandatory"11196 }, 11197 "duration": 111202, 11198 "endTime": "2023-09-04 09:18:08.856076584 -0500 CDT m=+20.598088352",11199 "failureLineContent": "",11200 "failureLocation": ":0",11201 "failureReason": "",11202 "startTime": "2023-09-04 09:18:08.855965389 -0500 CDT m=+20.597977150",11203 "state": "failed",11204 "testID": {11205 "id": "observability-pod-disruption-budget",11206 "suite": "observability",11207 "tags": "common"11208 }11209 }11210 ],11211 "observability-termination-policy": ["claim2.json" 11888L, 553715B11203,11 94%11203 "state": "failed",/ /c 11203 "state": "failed",11207 "tags": "common"11212 {/c /cn 11213 "capturedTestOutput": "FAILURE: [container: xdp-c pod: xdp ns: tnf] does not have a TerminationMessagePolicy: FallbackToLogsOnError\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namesp ace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\ ace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"C ontainer Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"Obj ectFieldsValues\":[\" ectFieldsValues\":[\"TerminationMessagePolicy is 
FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFiel dsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\" dsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Cont ainer Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is not FallbackToLogsOnError\",\"tnf\",\"xdp\",\"xdp-c\"]}]}\n%!(EXTRA []interface {}=[])",11214 "catalogInfo": {11215 "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-pod-exit-status",11216 "description": "Check that all containers are using terminationMes11216 "description": "Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is t hat the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. 
For the second ca se, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.",11217 "exceptionProcess": "There is no documented exception process for this.",11218 "remediation": "Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy"/cn /cni 86 ] 87 } 88 }, 89 "metadata": { 90 "endTime": "2023-09-04T14:18:08+00:00", 91 "startTime": "2023-09-04T14:17:48+00:00" 92 }, 93 "nodes": { 94 "cniPlugins": { 95 "clus0-0": [ 96 { 97 "cniVersion": "1.0.0", 98 "name": "crio", 99 "plugins": [ 100 application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", 100 { 101 "bridge": "cni0", 102 "hairpinMode": true, /cni /cniP 94 "cniPlugins": { /cniP /cniPl 94 "cniPlugins": { /cniPl /cniPlu 94 "cniPlugins": { /cniPlu /cniPlug 94 "cniPlugins": { /cniPlug /cniPlug 94 "cniPlugins": { search hit BOTTOM, continuing at TOP 94,8 0% 94 "cniPlugins": { 95 "clus0-0": [ search hit BOTTOM, continuing at TOP 95,8 0% 96 { search hit BOTTOM, continuing at TOP 96,8 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,8 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,13 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,14 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,24 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,27 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,28 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,29 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,30 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,31 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,32 0% 97 "cniVersion": "1.0.1", 97 "cniVersion": "1.0.1", : :w :wq :wq "claim2.json" 
11888L, 553715B written $ $ . $ ./ $ ./t $ ./tn $ ./tnf $ ./tnf $ ./tnf c $ ./tnf cl $ ./tnf cla $ ./tnf clai $ ./tnf claim $ ./tnf claim $ ./tnf claim c $ ./tnf claim co $ ./tnf claim com $ ./tnf claim comp $ ./tnf claim compa $ ./tnf claim compar $ ./tnf claim compare $ ./tnf claim compare $ ./tnf claim compare - $ ./tnf claim compare -1 $ ./tnf claim compare -1 $ ./tnf claim compare -1 c $ ./tnf claim compare -1 cl $ ./tnf claim compare -1 cla $ ./tnf claim compare -1 clai $ ./tnf claim compare -1 claim $ ./tnf claim compare -1 claim. $ ./tnf claim compare -1 claim.1 $ ./tnf claim compare -1 claim.1j $ ./tnf claim compare -1 claim.1js $ ./tnf claim compare -1 claim.1jso $ ./tnf claim compare -1 claim.1json $ ./tnf claim compare -1 claim1 $ ./tnf claim compare -1 claim1. $ ./tnf claim compare -1 claim1.j $ ./tnf claim compare -1 claim1.json $ ./tnf claim compare -1 claim1.json - $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 c $ ./tnf claim compare -1 claim1.json -2 cl $ ./tnf claim compare -1 claim1.json -2 cla $ ./tnf claim compare -1 claim1.json -2 clai $ ./tnf claim compare -1 claim1.json -2 claim $ ./tnf claim compare -1 claim1.json -2 claim2 $ ./tnf claim compare -1 claim1.json -2 claim2.json $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | l $ ./tnf claim compare -1 claim1.json -2 claim2.json | le $ ./tnf claim compare -1 claim1.json -2 claim2.json | les $ ./tnf claim compare -1 claim1.json -2 claim2.json | less $ ./tnf claim compare -1 claim1.json -2 claim2.json | less VERSIONS: Differences FIELD CLAIM 1 CLAIM 2 <none> VERSIONS: Only in CLAIM 1 VERSIONS: Only in CLAIM 2 <none> RESULTS SUMMARY --------------- STATUS # in CLAIM-1 # in CLAIM-2 passed 3 2 skipped 86 86 failed 1 2RESULTS DIFFERENCES ------------------- TEST CASE NAME CLAIM-1 CLAIM-2 
observability-pod-disruption-budget passed failed CONFIGURATIONS -------------- CNF Cert Suite Configuration: Differences CNF Cert Suite Configuration: Only in CLAIM 1 CNF Cert Suite Configuration: Only in CLAIM 2 Cluster abnormal events count CLAIM 1 CLAIM 2 1 1 CLUSTER NODES DIFFERENCES ------------------------- Nodes: Differences Nodes: Only in CLAIM 1 Nodes: Only in CLAIM 2 CNIs: Differences FIELD CLAIM 1 CLAIM 2 /clus0-0/0/cniVersion 1.0.0 1.0.1 CNIs: Only in CLAIM 1 CNIs: Only in CLAIM 2 $ e $ ex $ exi $ exit $ exit exit + $ $ c $ cl $ cle $ clea $ clear $ clear $ $ v $ vi $ vim $ vim $ vim c $ vim cl $ vim cla $ vim clai $ vim claim $ vim claim2 $ vim claim2. $ vim claim2.j $ vim claim2.json $ vim claim2.json "claim2.json""claim2.json" 11888L, 553715B 11195 "Telco": "Mandatory"11196 }, 11197 "duration": 111202, 11198 "endTime": "2023-09-04 09:18:08.856076584 -0500 CDT m=+20.598088352",11199 "failureLineContent": "",11200 "failureLocation": ":0",11201 "failureReason": "",11202 "startTime": "2023-09-04 09:18:08.855965389 -0500 CDT m=+20.597977150",11203 "state": "failed",11204 "testID": {11205 "id": "observability-pod-disruption-budget",11206 "suite": "observability",11207 "tags": "common"11208 }11209 }11210 ],11211 "observability-termination-policy": ["claim2.json" 11888L, 553715B11203,11 94%11203 "state": "failed",/ /c 11203 "state": "failed",11207 "tags": "common"11212 {/c /cn 11213 "capturedTestOutput": "FAILURE: [container: xdp-c pod: xdp ns: tnf] does not have a TerminationMessagePolicy: FallbackToLogsOnError\n{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namesp ace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\ ace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is 
FallbackToLogsOnError\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"C ontainer Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"Obj ectFieldsValues\":[\" ectFieldsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-gbvsd\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFiel dsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\" dsValues\":[\"TerminationMessagePolicy is FallbackToLogsOnError\",\"tnf\",\"test-765d6b8dcf-s768n\",\"test\"]}],\"NonCompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Non Compliance\",\"Namespace\",\"Pod Name\",\"Cont ainer Name\"],\"ObjectFieldsValues\":[\"TerminationMessagePolicy is not FallbackToLogsOnError\",\"tnf\",\"xdp\",\"xdp-c\"]}]}\n%!(EXTRA []interface {}=[])",11214 "catalogInfo": {11215 "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#k8s-best-practices-pod-exit-status",11216 "description": "Check that all containers are using terminationMes11216 "description": "Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is t hat the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. 
For the second ca se, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.",11217 "exceptionProcess": "There is no documented exception process for this.",11218 "remediation": "Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy"/cn /cni 86 ] 87 } 88 }, 89 "metadata": { 90 "endTime": "2023-09-04T14:18:08+00:00", 91 "startTime": "2023-09-04T14:17:48+00:00" 92 }, 93 "nodes": { 94 "cniPlugins": { 95 "clus0-0": [ 96 { 97 "cniVersion": "1.0.0", 98 "name": "crio", 99 "plugins": [ 100 application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", 100 { 101 "bridge": "cni0", 102 "hairpinMode": true, /cni /cniP 94 "cniPlugins": { /cniP /cniPl 94 "cniPlugins": { /cniPl /cniPlu 94 "cniPlugins": { /cniPlu /cniPlug 94 "cniPlugins": { /cniPlug /cniPlug 94 "cniPlugins": { search hit BOTTOM, continuing at TOP 94,8 0% 94 "cniPlugins": { 95 "clus0-0": [ search hit BOTTOM, continuing at TOP 95,8 0% 96 { search hit BOTTOM, continuing at TOP 96,8 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,8 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,13 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,14 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,24 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,27 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,28 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,29 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,30 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,31 0% 97 "cniVersion": "1.0.0", search hit BOTTOM, continuing at TOP 97,32 0% 97 "cniVersion": "1.0.1", 97 "cniVersion": "1.0.1", : :w :wq :wq "claim2.json" 
11888L, 553715B written $ $ . $ ./ $ ./t $ ./tn $ ./tnf $ ./tnf $ ./tnf c $ ./tnf cl $ ./tnf cla $ ./tnf clai $ ./tnf claim $ ./tnf claim $ ./tnf claim c $ ./tnf claim co $ ./tnf claim com $ ./tnf claim comp $ ./tnf claim compa $ ./tnf claim compar $ ./tnf claim compare $ ./tnf claim compare $ ./tnf claim compare - $ ./tnf claim compare -1 $ ./tnf claim compare -1 $ ./tnf claim compare -1 c $ ./tnf claim compare -1 cl $ ./tnf claim compare -1 cla $ ./tnf claim compare -1 clai $ ./tnf claim compare -1 claim $ ./tnf claim compare -1 claim. $ ./tnf claim compare -1 claim.1 $ ./tnf claim compare -1 claim.1j $ ./tnf claim compare -1 claim.1js $ ./tnf claim compare -1 claim.1jso $ ./tnf claim compare -1 claim.1json $ ./tnf claim compare -1 claim1 $ ./tnf claim compare -1 claim1. $ ./tnf claim compare -1 claim1.j $ ./tnf claim compare -1 claim1.json $ ./tnf claim compare -1 claim1.json - $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 c $ ./tnf claim compare -1 claim1.json -2 cl $ ./tnf claim compare -1 claim1.json -2 cla $ ./tnf claim compare -1 claim1.json -2 clai $ ./tnf claim compare -1 claim1.json -2 claim $ ./tnf claim compare -1 claim1.json -2 claim2 $ ./tnf claim compare -1 claim1.json -2 claim2.json $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | l $ ./tnf claim compare -1 claim1.json -2 claim2.json | le $ ./tnf claim compare -1 claim1.json -2 claim2.json | les $ ./tnf claim compare -1 claim1.json -2 claim2.json | less $ ./tnf claim compare -1 claim1.json -2 claim2.json | less VERSIONS: Differences FIELD CLAIM 1 CLAIM 2 <none> VERSIONS: Only in CLAIM 1 VERSIONS: Only in CLAIM 2 <none> RESULTS SUMMARY --------------- STATUS # in CLAIM-1 # in CLAIM-2 passed 3 2 skipped 86 86 failed 1 2RESULTS DIFFERENCES ------------------- TEST CASE NAME CLAIM-1 CLAIM-2 
observability-pod-disruption-budget passed failed CONFIGURATIONS -------------- CNF Cert Suite Configuration: Differences CNF Cert Suite Configuration: Only in CLAIM 1 CNF Cert Suite Configuration: Only in CLAIM 2 Cluster abnormal events count CLAIM 1 CLAIM 2 1 1 CLUSTER NODES DIFFERENCES ------------------------- Nodes: Differences Nodes: Only in CLAIM 1 Nodes: Only in CLAIM 2 CNIs: Differences FIELD CLAIM 1 CLAIM 2 /clus0-0/0/cniVersion 1.0.0 1.0.1 CNIs: Only in CLAIM 1 CNIs: Only in CLAIM 2 $ e $ ex $ exi $ exit $ exit exit \ No newline at end of file diff --git a/docs/assets/images/claim-compare-results.svg b/docs/assets/images/claim-compare-results.svg index 9eac3d3ff..3f24e3e11 100644 --- a/docs/assets/images/claim-compare-results.svg +++ b/docs/assets/images/claim-compare-results.svg 
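Review bot: the replacement text in this claim-compare-cni.svg hunk leaves the bestPracticeReference for observability-termination-policy at `https://test-network-function.github.io/cnf-best-practices/#k8s-best-practices-pod-exit-status`, so only the anchor was renamed while the path still says `cnf-best-practices/`; the claim-compare-results.svg hunk in the same patch moves the path to `k8s-best-practices-guide/` as well (`.../k8s-best-practices-guide/#k8s-best-practices-huge-pages`), and the commit subject says the intent is to point at the k8s guide. Suggest updating this one to `https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status` so the two recorded images agree, and confirming that the renamed anchor actually exists in the new guide before committing, since a rendered recording cannot be re-checked by the doc-link tests.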
@@ -250,5 +250,5 @@ - $ $ c $ cl $ cle $ clea $ clear $ clear $ $ c $ cp $ cp $ cp c $ cp cl $ cp cla $ cp clai $ cp claim $ cp claim. $ cp claim.j $ cp claim.js $ cp claim.jso $ cp claim.json $ cp claim.json $ cp claim.json c $ cp claim.json cl $ cp claim.json cla $ cp claim.json clai $ cp claim.json claim $ cp claim.json claim1 $ cp claim.json claim1. $ cp claim.json claim1.j $ cp claim.json claim1.js $ cp claim.json claim1.jso $ cp claim.json claim1.json $ cp claim.json claim1.json$ cp $ cp $ cp claim.json claim2 $ cp claim.json claim2. $ cp claim.json claim2.j $ cp claim.json claim2.js $ cp claim.json claim2.jso $ cp claim.json claim2.json $ cp claim.json claim2.json$ v $ vi $ vim $ vim $ vim c $ vim cl $ vim cla $ vim clai $ vim claim $ vim claim2 $ vim claim2. $ vim claim2.j $ vim claim2.js $ vim claim2.jso $ vim claim2.json $ vim claim2.json "claim2.json""claim2.json" [noeol] 11888L, 553714B11872 "id": "platform-alteration-tainted-node-kernel",11873 "suite": "platform-alteration", 11874 "tags": "common" 11875 }11876 }11877 ]11878 },11879 "versions": {11880 "claimFormat": "v0.1.0",11881 "k8s": "v1.26.4+c343423",11882 "ocClient": "n/a, (not using oc or kubectl client)",11883 "ocp": "4.13.1",11884 "tnf": "Unreleased build post v4.3.2",11885 "tnfGitCommit": "1b968e53b79fd8e81e48b761c3efd7a808d4567e"11886 }11887 }11888 }"claim2.json" [noeol] 11888L, 553714B11883,7Bot11883 "ocp": "4.13.1",? ?p 11868 "failureReason": "",11869 "startTime": "2023-09-04 09:18:08.857303112 -0500 CDT m=+20.599314872",11870 "state": "skipped",11871 "testID": {11873 "suite": "platform-alteration", 11875 }11883 "ocp": "4.13.1",?p ?pa 11788 } 11789 } 11790 ], 11791 "platform-alteration-service-mesh-usage": [11792 { 11793 "capturedTestOutput": "", 11794 "catalogInfo": { 11795 "bestPracticeReference": "No Doc Link - Extended",11796 "description": "Checks if the istio namespace (\"istio-system\") is present. 
If it is present, checks that the istio sidecar is present in all pods under test.",11797 "exceptionProcess": "No exception needed for optional/extended tests.",11798 "remediation": "Ensure all the CNF pods are using service mesh 11798 "remediation": "Ensure all the CNF pods are using service mesh if the cluster provides it."11799 }, 11800 "categoryClassification": {11801 "Extended": "Optional",11802 "FarEdge": "Optional", 11803 "NonTelco": "Optional",11804 "Telco": "Optional" ?pa ?pas 11615 } 11616 ], 11617 "platform-alteration-hugepages-config": [ 11618 { 11619 "capturedTestOutput": "", 11620 "catalogInfo": { 11621 "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-huge-pages", 11622 "description": "Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet. First, the \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes , checks that the istio sidecar is present in all pods under test.", \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",11623 "exceptionProcess": "No exceptions", 11624 "remediation": "HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your CNF on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. 
This test case applies only to Nodes that ar e configured with the \"worker\" MachineConfigSet."11625 }, 11626 "categoryClassification": 11626 "categoryClassification": { 11627 "Extended": "Mandatory",11628 "FarEdge": "Mandatory", ?pas ?pass \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",?pass ?passe \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",?passe ?passed 11195 "Telco": "Mandatory" 11196 }, 11197 "duration": 111202, 11198 "endTime": "2023-09-04 09:18:08.856076584 -0500 CDT m=+20.598088352", 11199 "failureLineContent": "", 11200 "failureLocation": ":0", 11201 "failureReason": "", 11202 "startTime": "2023-09-04 09:18:08.855965389 -0500 CDT m=+20.597977150", 11203 "state": "passed", 11204 "testID": { 11205 "id": "observability-pod-disruption-budget", 11206 "suite": "observability", 11207 "tags the \"worker\" MachineConfigSet."11207 "tags": "common" 11208 } 11209 } 11210 ], 11211 "observability-termination-policy": [ ?passed 11203 "state": "passed", ?passed 11203,21 94% 11203 "state": "", -- INSERT -- 11203,21 94% 11203 "state": "f", -- INSERT -- 11203,22 94% 11203 "state": "fa", -- INSERT -- 11203,23 94% 11203 "state": "fai", -- INSERT -- 11203,24 94% 11203 "state": "fail", -- INSERT -- 11203,25 94% 11203 "state": "faile", -- INSERT -- 11203,26 94% 11203 "state": "failed", -- INSERT -- 11203,27 94% 11203 "state": "failed", 11203 "state": "failed", : :w :wq :wq "claim2.json" 11888L, 553715B written $ $ . 
$ ./ $ ./t $ ./tn $ ./tnf $ ./tnf $ ./tnf c $ ./tnf cl $ ./tnf cla $ ./tnf clai $ ./tnf claim $ ./tnf claim $ ./tnf claim c $ ./tnf claim co $ ./tnf claim com $ ./tnf claim comp $ ./tnf claim compa $ ./tnf claim compar $ ./tnf claim compare $ ./tnf claim compare $ ./tnf claim compare - $ ./tnf claim compare -1 $ ./tnf claim compare -1 $ ./tnf claim compare -1 c $ ./tnf claim compare -1 cl $ ./tnf claim compare -1 cla $ ./tnf claim compare -1 clai $ ./tnf claim compare -1 claim $ ./tnf claim compare -1 claim1 $ ./tnf claim compare -1 claim1. $ ./tnf claim compare -1 claim1.j $ ./tnf claim compare -1 claim1.js $ ./tnf claim compare -1 claim1.json $ ./tnf claim compare -1 claim1.json - $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 c $ ./tnf claim compare -1 claim1.json -2 cl $ ./tnf claim compare -1 claim1.json -2 cla $ ./tnf claim compare -1 claim1.json -2 clai $ ./tnf claim compare -1 claim1.json -2 claim $ ./tnf claim compare -1 claim1.json -2 claim2 $ ./tnf claim compare -1 claim1.json -2 claim2. 
$ ./tnf claim compare -1 claim1.json -2 claim2.j $ ./tnf claim compare -1 claim1.json -2 claim2.json $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | l $ ./tnf claim compare -1 claim1.json -2 claim2.json | le $ ./tnf claim compare -1 claim1.json -2 claim2.json | les $ ./tnf claim compare -1 claim1.json -2 claim2.json | less $ ./tnf claim compare -1 claim1.json -2 claim2.json | less VERSIONS: Differences FIELD CLAIM 1 CLAIM 2 <none> VERSIONS: Only in CLAIM 1 VERSIONS: Only in CLAIM 2 RESULTS SUMMARY --------------- STATUS # in CLAIM-1 # in CLAIM-2 passed 3 2 skipped 86 86 failed 1 2RESULTS DIFFERENCES ------------------- TEST CASE NAME CLAIM-1 CLAIM-2 observability-pod-disruption-budget passed failed CONFIGURATIONS -------------- CNF Cert Suite Configuration: Differences $ $ e $ ex $ exi $ exit $ exit exit + $ $ c $ cl $ cle $ clea $ clear $ clear $ $ c $ cp $ cp $ cp c $ cp cl $ cp cla $ cp clai $ cp claim $ cp claim. $ cp claim.j $ cp claim.js $ cp claim.jso $ cp claim.json $ cp claim.json $ cp claim.json c $ cp claim.json cl $ cp claim.json cla $ cp claim.json clai $ cp claim.json claim $ cp claim.json claim1 $ cp claim.json claim1. $ cp claim.json claim1.j $ cp claim.json claim1.js $ cp claim.json claim1.jso $ cp claim.json claim1.json $ cp claim.json claim1.json$ cp $ cp $ cp claim.json claim2 $ cp claim.json claim2. $ cp claim.json claim2.j $ cp claim.json claim2.js $ cp claim.json claim2.jso $ cp claim.json claim2.json $ cp claim.json claim2.json$ v $ vi $ vim $ vim $ vim c $ vim cl $ vim cla $ vim clai $ vim claim $ vim claim2 $ vim claim2. 
$ vim claim2.j $ vim claim2.js $ vim claim2.jso $ vim claim2.json $ vim claim2.json "claim2.json""claim2.json" [noeol] 11888L, 553714B11872 "id": "platform-alteration-tainted-node-kernel",11873 "suite": "platform-alteration", 11874 "tags": "common" 11875 }11876 }11877 ]11878 },11879 "versions": {11880 "claimFormat": "v0.1.0",11881 "k8s": "v1.26.4+c343423",11882 "ocClient": "n/a, (not using oc or kubectl client)",11883 "ocp": "4.13.1",11884 "tnf": "Unreleased build post v4.3.2",11885 "tnfGitCommit": "1b968e53b79fd8e81e48b761c3efd7a808d4567e"11886 }11887 }11888 }"claim2.json" [noeol] 11888L, 553714B11883,7Bot11883 "ocp": "4.13.1",? ?p 11868 "failureReason": "",11869 "startTime": "2023-09-04 09:18:08.857303112 -0500 CDT m=+20.599314872",11870 "state": "skipped",11871 "testID": {11873 "suite": "platform-alteration", 11875 }11883 "ocp": "4.13.1",?p ?pa 11788 } 11789 } 11790 ], 11791 "platform-alteration-service-mesh-usage": [11792 { 11793 "capturedTestOutput": "", 11794 "catalogInfo": { 11795 "bestPracticeReference": "No Doc Link - Extended",11796 "description": "Checks if the istio namespace (\"istio-system\") is present. 
If it is present, checks that the istio sidecar is present in all pods under test.",11797 "exceptionProcess": "No exception needed for optional/extended tests.",11798 "remediation": "Ensure all the CNF pods are using service mesh 11798 "remediation": "Ensure all the CNF pods are using service mesh if the cluster provides it."11799 }, 11800 "categoryClassification": {11801 "Extended": "Optional",11802 "FarEdge": "Optional", 11803 "NonTelco": "Optional",11804 "Telco": "Optional" ?pa ?pas 11615 } 11616 ], 11617 "platform-alteration-hugepages-config": [ 11618 { 11619 "capturedTestOutput": "", 11620 "catalogInfo": { 11621 "bestPracticeReference": "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages", 11622 "description": "Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet. First, the \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes , checks that the istio sidecar is present in all pods under test.", \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",11623 "exceptionProcess": "No exceptions", 11624 "remediation": "HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your CNF on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. 
This test case applies only to Nodes that ar e configured with the \"worker\" MachineConfigSet."11625 }, 11626 "categoryClassification": 11626 "categoryClassification": { 11627 "Extended": "Mandatory",11628 "FarEdge": "Mandatory", ?pas ?pass \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",?pass ?passe \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",?passe ?passed 11195 "Telco": "Mandatory" 11196 }, 11197 "duration": 111202, 11198 "endTime": "2023-09-04 09:18:08.856076584 -0500 CDT m=+20.598088352", 11199 "failureLineContent": "", 11200 "failureLocation": ":0", 11201 "failureReason": "", 11202 "startTime": "2023-09-04 09:18:08.855965389 -0500 CDT m=+20.597977150", 11203 "state": "passed", 11204 "testID": { 11205 "id": "observability-pod-disruption-budget", 11206 "suite": "observability", 11207 "tags the \"worker\" MachineConfigSet."11207 "tags": "common" 11208 } 11209 } 11210 ], 11211 "observability-termination-policy": [ ?passed 11203 "state": "passed", ?passed 11203,21 94% 11203 "state": "", -- INSERT -- 11203,21 94% 11203 "state": "f", -- INSERT -- 11203,22 94% 11203 "state": "fa", -- INSERT -- 11203,23 94% 11203 "state": "fai", -- INSERT -- 11203,24 94% 11203 "state": "fail", -- INSERT -- 11203,25 94% 11203 "state": "faile", -- INSERT -- 11203,26 94% 11203 "state": "failed", -- INSERT -- 11203,27 94% 11203 "state": "failed", 11203 "state": "failed", : :w :wq :wq "claim2.json" 11888L, 553715B written $ $ . 
$ ./ $ ./t $ ./tn $ ./tnf $ ./tnf $ ./tnf c $ ./tnf cl $ ./tnf cla $ ./tnf clai $ ./tnf claim $ ./tnf claim $ ./tnf claim c $ ./tnf claim co $ ./tnf claim com $ ./tnf claim comp $ ./tnf claim compa $ ./tnf claim compar $ ./tnf claim compare $ ./tnf claim compare $ ./tnf claim compare - $ ./tnf claim compare -1 $ ./tnf claim compare -1 $ ./tnf claim compare -1 c $ ./tnf claim compare -1 cl $ ./tnf claim compare -1 cla $ ./tnf claim compare -1 clai $ ./tnf claim compare -1 claim $ ./tnf claim compare -1 claim1 $ ./tnf claim compare -1 claim1. $ ./tnf claim compare -1 claim1.j $ ./tnf claim compare -1 claim1.js $ ./tnf claim compare -1 claim1.json $ ./tnf claim compare -1 claim1.json - $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 $ ./tnf claim compare -1 claim1.json -2 c $ ./tnf claim compare -1 claim1.json -2 cl $ ./tnf claim compare -1 claim1.json -2 cla $ ./tnf claim compare -1 claim1.json -2 clai $ ./tnf claim compare -1 claim1.json -2 claim $ ./tnf claim compare -1 claim1.json -2 claim2 $ ./tnf claim compare -1 claim1.json -2 claim2. 
$ ./tnf claim compare -1 claim1.json -2 claim2.j $ ./tnf claim compare -1 claim1.json -2 claim2.json $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | $ ./tnf claim compare -1 claim1.json -2 claim2.json | l $ ./tnf claim compare -1 claim1.json -2 claim2.json | le $ ./tnf claim compare -1 claim1.json -2 claim2.json | les $ ./tnf claim compare -1 claim1.json -2 claim2.json | less $ ./tnf claim compare -1 claim1.json -2 claim2.json | less VERSIONS: Differences FIELD CLAIM 1 CLAIM 2 <none> VERSIONS: Only in CLAIM 1 VERSIONS: Only in CLAIM 2 RESULTS SUMMARY --------------- STATUS # in CLAIM-1 # in CLAIM-2 passed 3 2 skipped 86 86 failed 1 2RESULTS DIFFERENCES ------------------- TEST CASE NAME CLAIM-1 CLAIM-2 observability-pod-disruption-budget passed failed CONFIGURATIONS -------------- CNF Cert Suite Configuration: Differences $ $ e $ ex $ exi $ exit $ exit exit \ No newline at end of file diff --git a/tests/identifiers/doclinks.go b/tests/identifiers/doclinks.go index 4fc070a47..e6343e0f0 100644 --- a/tests/identifiers/doclinks.go +++ b/tests/identifiers/doclinks.go 
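Review bot: both versions of claim-compare-results.svg still end with `\ No newline at end of file` (and the embedded editor status shows the same file saved as `[noeol]`); since this single-line SVG is being rewritten anyway, add the trailing newline so future diffs of the file do not carry the marker. The URL change itself in this hunk (`cnf-best-practices/#cnf-best-practices-huge-pages` to `k8s-best-practices-guide/#k8s-best-practices-huge-pages`) is the full path-plus-anchor rename that the commit describes and is the form the claim-compare-cni.svg hunk should also use.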
@@ -8,90 +8,90 @@ const ( NoDocLink = "No Doc Link" // Networking Suite - TestICMPv4ConnectivityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6" - TestNetworkPolicyDenyAllIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-vrfs-aka-routing-instances" + TestICMPv4ConnectivityIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-&-ipv6" + TestNetworkPolicyDenyAllIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-vrfs-aka-routing-instances" TestReservedExtendedPartnerPortsDocLink = NoDocLinkExtended - TestDpdkCPUPinningExecProbeDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-manager-pinning" + TestDpdkCPUPinningExecProbeDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-manager-pinning" TestRestartOnRebootLabelOnPodsUsingSRIOVDocLink = NoDocLinkFarEdge TestLimitedUseOfExecProbesIdentifierDocLink = NoDocLinkFarEdge - TestICMPv6ConnectivityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6" - TestICMPv4ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestICMPv6ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestServiceDualStackIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-&-ipv6" - TestUndeclaredContainerPortsUsageDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs" - TestOCPReservedPortsUsageDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ports-reserved-by-openshift" + TestICMPv6ConnectivityIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-&-ipv6" + TestICMPv4ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestICMPv6ConnectivityMultusIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestServiceDualStackIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipv4-&-ipv6" + TestUndeclaredContainerPortsUsageDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs" + TestOCPReservedPortsUsageDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ports-reserved-by-openshift" // Access Control Suite Test1337UIDIdentifierDocLink = NoDocLinkExtended - TestNetAdminIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-net_admin" - TestSysAdminIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-sys_admin" - TestIpcLockIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipc_lock" - TestNetRawIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-user-plane-cnfs" + TestNetAdminIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-net_admin" + TestSysAdminIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-sys_admin" + TestIpcLockIdentifierDocLink = 
"https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-ipc_lock" + TestNetRawIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-user-plane-cnfs" TestBpfIdentifierDocLink = NoDocLinkTelco - TestSecConNonRootUserIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" - TestSecContextIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" - TestSecConPrivilegeEscalationDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" - TestContainerHostPortDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-accessing-resource-on-host" - TestContainerHostNetworkDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace" - TestPodHostNetworkDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace" - TestPodHostPathDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" - TestPodHostIPCDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" - TestPodHostPIDDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" - TestNamespaceBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs" - TestPodClusterRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac" - TestPodRoleBindingsBestPracticesIdentifierDocLink = 
"https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac" - TestPodServiceAccountBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-scc-permissions-for-an-application" - TestPodAutomountServiceAccountIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-automount-services-for-pods" - TestServicesDoNotUseNodeportsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace" - TestUnalteredBaseImageIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-standards" - TestOneProcessPerContainerIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-one-process-per-container" - TestSYSNiceRealtimeCapabilityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_nice" - TestSysPtraceCapabilityIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_ptrace" - TestPodRequestsAndLimitsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requests/limits" - TestNamespaceResourceQuotaIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-memory-allocation" - TestNoSSHDaemonsAllowedIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-interaction/configuration" + TestSecConNonRootUserIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" + TestSecContextIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" + TestSecConPrivilegeEscalationDocLink = 
"https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" + TestContainerHostPortDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-accessing-resource-on-host" + TestContainerHostNetworkDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace" + TestPodHostNetworkDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace" + TestPodHostPathDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" + TestPodHostIPCDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" + TestPodHostPIDDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" + TestNamespaceBestPracticesIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs" + TestPodClusterRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac" + TestPodRoleBindingsBestPracticesIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-security-rbac" + TestPodServiceAccountBestPracticesIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-scc-permissions-for-an-application" + TestPodAutomountServiceAccountIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-automount-services-for-pods" + TestServicesDoNotUseNodeportsIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-avoid-the-host-network-namespace" + TestUnalteredBaseImageIdentifierDocLink = 
"https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-standards" + TestOneProcessPerContainerIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-one-process-per-container" + TestSYSNiceRealtimeCapabilityIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_nice" + TestSysPtraceCapabilityIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-sys_ptrace" + TestPodRequestsAndLimitsIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requests/limits" + TestNamespaceResourceQuotaIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-memory-allocation" + TestNoSSHDaemonsAllowedIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-interaction/configuration" // Affiliated Certification Suite - TestHelmVersionIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-helm" + TestHelmVersionIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-helm" TestContainerIsCertifiedDigestIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview" TestContainerIsCertifiedIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview" TestHelmIsCertifiedIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview" // Platform Alteration Suite - TestPodHugePages2MDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages" + TestPodHugePages2MDocLink = 
"https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages" TestPodHugePages1GDocLink = NoDocLinkFarEdge - TestHugepagesNotManuallyManipulatedDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages" - TestNonTaintedNodeKernelsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestUnalteredStartupBootParamsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os" - TestSysctlConfigsIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security" + TestHugepagesNotManuallyManipulatedDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-huge-pages" + TestNonTaintedNodeKernelsIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestUnalteredStartupBootParamsIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os" + TestSysctlConfigsIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-security" TestServiceMeshIdentifierDocLink = NoDocLinkExtended TestHyperThreadEnableDocLink = NoDocLinkExtended - TestOCPLifecycleIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-k8s" - TestNodeOperatingSystemIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os" - TestIsRedHatReleaseIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-base-images" - TestIsSELinuxEnforcingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-security" + 
TestOCPLifecycleIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-k8s" + TestNodeOperatingSystemIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-host-os" + TestIsRedHatReleaseIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-base-images" + TestIsSELinuxEnforcingIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-security" // Lifecycle Suite - TestAffinityRequiredPodsDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestStorageProvisionerDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-local-storage" - TestContainerPostStartIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices" - TestContainerPrestopIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices" - TestPodNodeSelectorAndAffinityBestPracticesDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestPodHighAvailabilityBestPracticesDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestPodDeploymentBestPracticesIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-no-naked-pods" - TestDeploymentScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestStateFulSetScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - 
TestImagePullPolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-use-imagepullpolicy-if-not-present" - TestPodRecreationIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations" - TestLivenessProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestReadinessProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" - TestStartupProbeIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status" + TestAffinityRequiredPodsDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestStorageProvisionerDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-local-storage" + TestContainerPostStartIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices" + TestContainerPrestopIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cloud-native-design-best-practices" + TestPodNodeSelectorAndAffinityBestPracticesDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestPodHighAvailabilityBestPracticesDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestPodDeploymentBestPracticesIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-no-naked-pods" + TestDeploymentScalingIdentifierDocLink = 
"https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestStateFulSetScalingIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestImagePullPolicyIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-use-imagepullpolicy-if-not-present" + TestPodRecreationIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations" + TestLivenessProbeIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestReadinessProbeIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" + TestStartupProbeIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status" //nolint:gosec - TestPodTolerationBypassIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-taints-and-tolerations" - TestPersistentVolumeReclaimPolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-csi" - TestCPUIsolationIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-isolation" - TestCrdScalingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations" + TestPodTolerationBypassIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-taints-and-tolerations" + TestPersistentVolumeReclaimPolicyIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-csi" + TestCPUIsolationIdentifierDocLink = 
"https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cpu-isolation" + TestCrdScalingIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-high-level-cnf-expectations" // Performance Test Suite TestExclusiveCPUPoolIdentifierDocLink = NoDocLinkFarEdge @@ -101,7 +101,7 @@ const ( TestRtAppNoExecProbesDocLink = NoDocLinkFarEdge // Operator Test Suite - DocOperatorRequirement = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" + DocOperatorRequirement = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements" TestOperatorInstallStatusSucceededIdentifierDocLink = DocOperatorRequirement TestOperatorNoPrivilegesDocLink = DocOperatorRequirement TestOperatorIsCertifiedIdentifierDocLink = DocOperatorRequirement 
@@ -116,12 +116,12 @@ const ( TestOperatorReadOnlyFilesystemDocLink = DocOperatorRequirement // Observability Test Suite - TestLoggingIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-logging" - TestTerminationMessagePolicyIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status" - TestCrdsStatusSubresourceIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements" - TestPodDisruptionBudgetIdentifierDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations" + TestLoggingIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-logging" + TestTerminationMessagePolicyIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-pod-exit-status" + TestCrdsStatusSubresourceIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-cnf-operator-requirements" + TestPodDisruptionBudgetIdentifierDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-upgrade-expectations" // Manageability Test Suite - TestContainersImageTagDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-tagging" - TestContainerPortNameFormatDocLink = "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs" + TestContainersImageTagDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-image-tagging" + TestContainerPortNameFormatDocLink = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-requirements-cnf-reqs" ) 
diff --git a/tests/identifiers/identifiers.go b/tests/identifiers/identifiers.go index 8a0b17ba6..314eb85de 100644 --- a/tests/identifiers/identifiers.go +++ b/tests/identifiers/identifiers.go @@ -1709,7 +1709,7 @@ that Node's kernel may not have the same hacks.'`, "If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test.", "Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly", NoExceptionProcessForExtendedTests, - "https://test-network-function.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds", + "https://test-network-function.github.io/k8s-best-practices-guide-guide/#k8s-best-practices-custom-role-to-access-application-crds", true, map[string]string{ FarEdge: Optional,
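Review bot: in the first doclinks.go hunk (the `// Access Control Suite` through `// Lifecycle Suite` constants), the fragment of every link is rewritten from `#cnf-best-practices-*` to `#k8s-best-practices-*` together with the path, but nothing in the patch shows that the heading ids on the renamed guide changed the same way, and a fragment that no longer matches a heading id fails silently (the page loads, the browser just does not scroll). Each rewritten anchor should be checked against the rendered `k8s-best-practices-guide` page before merge; a short script that fetches the page once and looks for `id="k8s-best-practices-<slug>"` for every constant in this block would cover all of them. Fragments such as `#k8s-best-practices-ipv4-&-ipv6`, `#k8s-best-practices-requests/limits` and `#k8s-best-practices-pod-interaction/configuration` deserve a second look in that check, since a raw `&` or `/` inside a generated heading id is unusual and these were carried over unchanged from the old links.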
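Review bot: the `@@ -101,7` hunk in doclinks.go already shows the cleaner pattern, with `DocOperatorRequirement` defined once and reused by `TestOperatorInstallStatusSucceededIdentifierDocLink`, `TestOperatorNoPrivilegesDocLink` and `TestOperatorIsCertifiedIdentifierDocLink`; the rest of the file instead repeats `https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-` in roughly seventy string literals, which is exactly why this rename touches so many lines. Suggest introducing a single prefix constant, e.g. `docLinkPrefix = "https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-"`, and writing the others as `docLinkPrefix + "net_admin"`, so the next site move is a one-line change and a typo in the host or path cannot creep into one entry only.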
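Review bot: in the `@@ -116,12` hunk, `TestCrdsStatusSubresourceIdentifierDocLink` is set to the same URL that the previous hunk defines as `DocOperatorRequirement` (`.../#k8s-best-practices-cnf-operator-requirements`); assigning `DocOperatorRequirement` here, as the operator tests do, keeps the two from drifting apart on the next rename.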
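Review bot: the replacement URL in the identifiers.go hunk (`@@ -1709,7`) keeps the doubled path segment `k8s-best-practices-guide-guide/` that the old `cnf-best-practices-guide-guide/` line had, while every other link in this patch uses a single `k8s-best-practices-guide/`. Unless a `-guide-guide` site really exists, this should read `https://test-network-function.github.io/k8s-best-practices-guide/#k8s-best-practices-custom-role-to-access-application-crds`, and the same doubled segment should be corrected wherever else it appears in the files this patch touches; a bulk rename is the natural moment to fix it rather than carry it forward.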