From 941a1cb4f6053c2354cedcc595899c279476c76a Mon Sep 17 00:00:00 2001
From: Brandon Palm
Date: Wed, 7 Aug 2024 12:27:14 -0500
Subject: [PATCH] Rename to 'certsuite-claim'
---
README.md | 16 +-
cmd/generate/generate.go | 4 +-
go.mod | 2 +-
internal/generate/doc.go | 2 +-
pkg/claim/schema.go | 14 +-
pkg/claim/schema_test.go | 4 +-
.../claim-invalid-additional-property.json | 2 +-
.../testdata/claim-invalid-bool-results.json | 2 +-
pkg/claim/testdata/claim-valid.json | 174 +++++++++---------
schemas/claim.example.json | 46 ++---
schemas/claim.schema.json | 16 +-
11 files changed, 141 insertions(+), 141 deletions(-)
diff --git a/README.md b/README.md
index 08f22c0..e6f7731 100644
--- a/README.md
+++ b/README.md
@@ -1,13 +1,13 @@ -# test-network-function-claim ![build](https://github.com/test-network-function/test-network-function-claim/actions/workflows/merge.yml/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/test-network-function/test-network-function-claim)](https://goreportcard.com/report/github.com/test-network-function/test-network-function-claim) +# certsuite-claim ![build](https://github.com/redhat-best-practices-for-k8s/certsuite-claim/actions/workflows/merge.yml/badge.svg) [![Go Report Card](https://goreportcard.com/badge/github.com/redhat-best-practices-for-k8s/certsuite-claim)](https://goreportcard.com/report/github.com/redhat-best-practices-for-k8s/certsuite-claim) -`test-network-function-claim` provides the definition for a -[test-network-function](https://github.com/test-network-function/test-network-function) claim. +`certsuite-claim` provides the definition for a +[redhat-best-practices-for-k8s](https://github.com/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s) claim. A claim contains: -* The `test-network-function` version used for testing. *Note*: The claim keeps track of only the -`test-network-function` version, and not individual test versions. For the current offering, the tests included in a -`test-network-function` release are immutable, and the source for all included tests is public. Any changes to provided -tests require a subsequent `test-network-function` release. +* The `redhat-best-practices-for-k8s` version used for testing. *Note*: The claim keeps track of only the +`redhat-best-practices-for-k8s` version, and not individual test versions. For the current offering, the tests included in a +`redhat-best-practices-for-k8s` release are immutable, and the source for all included tests is public. Any changes to provided +tests require a subsequent `redhat-best-practices-for-k8s` release. * A start time for the claim evaluation. 
* A description of the Hardware System(s) Under Test * All test configurations used by tests. @@ -16,7 +16,7 @@ tests require a subsequent `test-network-function` release. `schemas/claim.schema.json` defines the claim schema using [JSON Schema Draft-07](https://json-schema.org/draft-07/json-schema-release-notes.html). JSON Schema serves as the -only definition language for a `test-network-function` claim. In other words, even though other language bindings are +only definition language for a `redhat-best-practices-for-k8s` claim. In other words, even though other language bindings are possible (and some provided), the ultimate claim definition is `claim.schema.json`. In the unfortunate event of ambiguity between `claim.schema.json` and a particular language binding, the former rules. diff --git a/cmd/generate/generate.go b/cmd/generate/generate.go index 0035d32..db4ed05 100644 --- a/cmd/generate/generate.go +++ b/cmd/generate/generate.go @@ -20,7 +20,7 @@ import ( "time" "github.com/a-h/generate" - igenerate "github.com/test-network-function/test-network-function-claim/internal/generate" + igenerate "github.com/redhat-best-practices-for-k8s/certsuite-claim/internal/generate" ) const ( @@ -57,7 +57,7 @@ func prependCustomCodeGenerationMessage(w io.Writer) error { "", "", "//", - "// Code generated by `test-network-function-claim/cmd/generate/generate.go` on: " + currentTime.String(), + "// Code generated by `certsuite-claim/cmd/generate/generate.go` on: " + currentTime.String(), "//", "// `https://github.com/a-h/generate` provides a generic set of interfaces to convert JSON schema into", "// workable GoLang struct implementations. However, the code generator is limited and does not allow", diff --git a/go.mod b/go.mod index 9247258..52c5daa 100644 --- a/go.mod +++ b/go.mod @@ -1,4 +1,4 @@ -module github.com/test-network-function/test-network-function-claim +module github.com/redhat-best-practices-for-k8s/certsuite-claim go 1.22.5 
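Review bot: The header line in prependCustomCodeGenerationMessage (cmd/generate/generate.go, second hunk) still appends `currentTime.String()`, so every generator run emits a different pkg/claim/schema.go and CI cannot check that the committed file matches the generator output. The committed header shows this: it carries the monotonic-clock suffix `m=+0.001070334`, and its 2024-07-26 timestamp is unchanged by this commit, which suggests the file was edited by hand rather than regenerated. A deterministic header in the form Go tooling recognises would be `"// Code generated by certsuite-claim/cmd/generate/generate.go. DO NOT EDIT.",`. The function body starts and ends outside the hunk.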
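Review bot: The new `module github.com/redhat-best-practices-for-k8s/certsuite-claim` line in go.mod is a breaking change for importers, and nothing in the README hunks tells them so. Go rejects a module whose declared path differs from the path it was required as, so anything still importing `github.com/test-network-function/test-network-function-claim` stays on pre-rename versions and relies on the old organisation name continuing to resolve. Whether that name stays reserved is not visible here, so consumers should be told to move to the new path rather than lean on a redirect. A one-line README note would cover it, e.g. `Import path changed to github.com/redhat-best-practices-for-k8s/certsuite-claim; update go.mod and imports.`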
diff --git a/internal/generate/doc.go b/internal/generate/doc.go index dc8ad4d..d564508 100644 --- a/internal/generate/doc.go +++ b/internal/generate/doc.go @@ -11,7 +11,7 @@ // Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. /* -Package generate is responsible for generating GoLang representations of the test-network-function claim defined by +Package generate is responsible for generating GoLang representations of the redhat-best-practices-for-k8s claim defined by `claim-schema.json`. A modified version of `https://github.com/a-h/generate` is utilized to emit GoLang structs and their corresponding `MarshallJSON` and `UnmarshallJSON` interface implementations. A modified version was utilized since the original version (`https://github.com/a-h/generate`) blindly remaps JSON "object" types to GoLang diff --git a/pkg/claim/schema.go b/pkg/claim/schema.go index 8bdf809..29ae39f 100644 --- a/pkg/claim/schema.go +++ b/pkg/claim/schema.go @@ -11,7 +11,7 @@ // Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA. // -// Code generated by `test-network-function-claim/cmd/generate/generate.go` on: 2024-07-26 10:31:19.664412 -0500 CDT m=+0.001070334 +// Code generated by `certsuite-claim/cmd/generate/generate.go` on: 2024-07-26 10:31:19.664412 -0500 CDT m=+0.001070334 // // `https://github.com/a-h/generate` provides a generic set of interfaces to convert JSON schema into // workable GoLang struct implementations. However, the code generator is limited and does not allow 
@@ -69,7 +69,7 @@ type CategoryClassification struct { // Claim type Claim struct { - // Tests within test-network-function often require configuration. For example, the generic test suite requires listing all CNF containers. This information is used to derive per-container IP address information, which is then used as input to the connectivity test suite. Test suites within test-network-function may use multiple configurations, but each with a unique name. + // Tests within redhat-best-practices-for-k8s often require configuration. For example, the generic test suite requires listing all CNF containers. This information is used to derive per-container IP address information, which is then used as input to the connectivity test suite. Test suites within redhat-best-practices-for-k8s may use multiple configurations, but each with a unique name. Configurations map[string]interface{} `json:"configurations"` Metadata *Metadata `json:"metadata"` @@ -97,10 +97,10 @@ type Identifier struct { // Metadata type Metadata struct { - // The UTC end time of a claim evaluation. This is recorded when the test-network-function test suite completes. + // The UTC end time of a claim evaluation. This is recorded when the redhat-best-practices-for-k8s test suite completes. EndTime string `json:"endTime"` - // The UTC start time of a claim evaluation. This is recorded when the test-network-function test suite is invoked. + // The UTC start time of a claim evaluation. This is recorded when the redhat-best-practices-for-k8s test suite is invoked. StartTime string `json:"startTime"` } 
@@ -144,7 +144,7 @@ type Result struct { TestID *Identifier `json:"testID"` } -// Root A test-network-function claim is an attestation of the tests performed, the results and the various configurations. Since a claim must be reproducible, it also includes an overview of the systems under test and their physical configurations. +// Root A redhat-best-practices-for-k8s claim is an attestation of the tests performed, the results and the various configurations. Since a claim must be reproducible, it also includes an overview of the systems under test and their physical configurations. type Root struct { Claim *Claim `json:"claim"` } @@ -164,10 +164,10 @@ type Versions struct { // OCP cluster release version. Ocp string `json:"ocp,omitempty"` - // The test-network-function (tnf) release version. + // The redhat-best-practices-for-k8s (tnf) release version. Tnf string `json:"tnf"` - // The test-network-function (tnf) Git Commit. + // The redhat-best-practices-for-k8s (tnf) Git Commit. TnfGitCommit string `json:"tnfGitCommit,omitempty"` } diff --git a/pkg/claim/schema_test.go b/pkg/claim/schema_test.go index 0a71cd8..a76a267 100644 --- a/pkg/claim/schema_test.go +++ b/pkg/claim/schema_test.go 
@@ -151,7 +151,7 @@ func TestResult_UnmarshalJSON(t *testing.T) { //nolint:funlen //nolint:lll CapturedTestOutput: "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-d78fbf8d6-jxgl2\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-d78fbf8d6-n4jlv\",\"test\"]}],\"NonCompliantObjectsOut\":null}\n", CatalogInfo: &CatalogInfo{ - BestPracticeReference: "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-standards", + BestPracticeReference: "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices/#cnf-best-practices-image-standards", //nolint:lll Description: "Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64", ExceptionProcess: "No exceptions", 
@@ -182,7 +182,7 @@ func TestResult_UnmarshalJSON(t *testing.T) { //nolint:funlen { "capturedTestOutput": "{\"CompliantObjectsOut\":[{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-0\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-1\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-d78fbf8d6-jxgl2\",\"test\"]},{\"ObjectType\":\"Container\",\"ObjectFieldsKeys\":[\"Reason For Compliance\",\"Namespace\",\"Pod Name\",\"Container Name\"],\"ObjectFieldsValues\":[\"Container is not modified\",\"tnf\",\"test-d78fbf8d6-n4jlv\",\"test\"]}],\"NonCompliantObjectsOut\":null}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-image-standards", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices/#cnf-best-practices-image-standards", "description": "Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64", "exceptionProcess": "No exceptions", "remediation": "Ensure that Container applications do not modify the Container Base Image. 
In particular, ensure that the following directories are not modified: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Ensure that all required binaries are built directly into the container image, and are not installed post startup." diff --git a/pkg/claim/testdata/claim-invalid-additional-property.json b/pkg/claim/testdata/claim-invalid-additional-property.json index 13d2b1c..4dc4c25 100644 --- a/pkg/claim/testdata/claim-invalid-additional-property.json +++ b/pkg/claim/testdata/claim-invalid-additional-property.json @@ -11,7 +11,7 @@ }, "configurations": {}, "results": { - "{\"url\":\"https://test-network-function.com/tnf/test\",{\"version\":\"v1.0.0\"}": [ + "{\"url\":\"https://redhat-best-practices-for-k8s.com/tnf/test\",{\"version\":\"v1.0.0\"}": [ { "testText": "someText", "isMeasurement": false, diff --git a/pkg/claim/testdata/claim-invalid-bool-results.json b/pkg/claim/testdata/claim-invalid-bool-results.json index fc26652..fe8dfdd 100644 --- a/pkg/claim/testdata/claim-invalid-bool-results.json +++ b/pkg/claim/testdata/claim-invalid-bool-results.json @@ -159,7 +159,7 @@ }, "results": { "identifier": { - "url": "https://test-network-function.com/tnf/test", + "url": "https://redhat-best-practices-for-k8s.com/tnf/test", "version": "v1.0.0" }, "results": [ diff --git a/pkg/claim/testdata/claim-valid.json b/pkg/claim/testdata/claim-valid.json index e9f309e..07a20db 100644 --- a/pkg/claim/testdata/claim-valid.json +++ b/pkg/claim/testdata/claim-valid.json 
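Review bot: The fixture key in claim-invalid-additional-property.json now embeds `https://redhat-best-practices-for-k8s.com/tnf/test`, a `.com` hostname that looks like a product of search-and-replace, and nothing on this page shows the project controls that domain. The same hostname appears in the `url` field of claim-invalid-bool-results.json and as the label and `nameSuffix` prefixes in claim-valid.json. A reserved name keeps the fixtures from pointing at a domain a third party could register, e.g. `"url": "https://example.com/tnf/test"`. If the prefixes in claim-valid.json mirror labels the suite really applies, they should be changed only together with the suite, not in this fixture alone.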
@@ -99669,11 +99669,11 @@ } ], "operatorsUnderTestLabels": [ - "test-network-function.com/operator:target", - "test-network-function.com/operator1:new" + "redhat-best-practices-for-k8s.com/operator:target", + "redhat-best-practices-for-k8s.com/operator1:new" ], "podsUnderTestLabels": [ - "test-network-function.com/generic: target" + "redhat-best-practices-for-k8s.com/generic: target" ], "servicesignorelist": [ "hazelcast-platform-controller-manager-service", @@ -99698,7 +99698,7 @@ "scalable": false }, { - "nameSuffix": "test-network-function.com", + "nameSuffix": "redhat-best-practices-for-k8s.com", "scalable": false }, { @@ -99729,7 +99729,7 @@ "controller-revision-hash": "6ddd47458f", "name": "tnf-debug", "pod-template-generation": "1", - "test-network-function.com/app": "tnf-debug" + "redhat-best-practices-for-k8s.com/app": "tnf-debug" }, "managedFields": [ { @@ -99743,7 +99743,7 @@ "f:controller-revision-hash": {}, "f:name": {}, "f:pod-template-generation": {}, - "f:test-network-function.com/app": {} + "f:redhat-best-practices-for-k8s.com/app": {} }, "f:ownerReferences": { ".": {}, 
@@ -126058,7 +126058,7 @@ "access-control-cluster-role-bindings": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-cluster-role-bindings] Skipping check access-control-cluster-role-bindings, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-cluster-role-bindings] Recording result \"SKIPPED\", claimID: {Id:access-control-cluster-role-bindings Suite:access-control Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac", "description": "Tests that a Pod does not specify ClusterRoleBindings.", "exceptionProcess": "Exception possible only for workloads that's cluster wide in nature and absolutely needs cluster level roles \u0026 role bindings", "remediation": "In most cases, Pod's should not have ClusterRoleBindings. The suggested remediation is to remove the need for ClusterRoleBindings, if possible. Cluster roles and cluster role bindings discouraged unless absolutely needed by the workload (often reserved for cluster admin only)." 
@@ -126086,7 +126086,7 @@ "access-control-container-host-port": { "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-container-host-port] Skipping check access-control-container-host-port, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-container-host-port] Recording result \"SKIPPED\", claimID: {Id:access-control-container-host-port Suite:access-control Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-accessing-resource-on-host", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-accessing-resource-on-host", "description": "Verifies if containers define a hostPort.", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Remove hostPort configuration from the container. Workloads should avoid accessing host resources - containers should not configure HostPort." 
@@ -126114,7 +126114,7 @@ "access-control-crd-roles": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-crd-roles] Skipping check access-control-crd-roles, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-crd-roles] Recording result \"SKIPPED\", claimID: {Id:access-control-crd-roles Suite:access-control Tags:extended}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide-guide/#cnf-best-practices-custom-role-to-access-application-crds", "description": "If an application creates CRDs it must supply a role to access those CRDs and no other API resources/permission. This test checks that there is at least one role present in each namespaces under test that only refers to CRDs under test.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Roles providing access to CRDs should not refer to any other api or resources. Change the generation of the CRD role accordingly" 
@@ -126142,7 +126142,7 @@ "access-control-ipc-lock-capability-check": { "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-ipc-lock-capability-check] Skipping check access-control-ipc-lock-capability-check, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-ipc-lock-capability-check] Recording result \"SKIPPED\", claimID: {Id:access-control-ipc-lock-capability-check Suite:access-control Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipc_lock", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-ipc_lock", "description": "Ensures that containers do not use IPC_LOCK capability. Workloads should avoid accessing host resources - spec.HostIpc should be false.", "exceptionProcess": "Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why.", "remediation": "Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -126170,7 +126170,7 @@ "access-control-namespace": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-namespace] Skipping check access-control-namespace, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-namespace] Recording result \"SKIPPED\", claimID: {Id:access-control-namespace Suite:access-control Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs", "description": "Tests that all workload resources (PUTs and CRs) belong to valid namespaces. A valid namespace meets\nthe following conditions: (1) It was declared in the yaml config file under the targetNameSpaces\ntag. (2) It does not have any of the following prefixes: default, openshift-, istio- and aspenmesh-", "exceptionProcess": "No exceptions", "remediation": "Ensure that your workload utilizes namespaces declared in the yaml config file. Additionally, the namespaces should not start with \"default, openshift-, istio- or aspenmesh-\"." 
@@ -126198,7 +126198,7 @@ "access-control-namespace-resource-quota": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-namespace-resource-quota] Skipping check access-control-namespace-resource-quota, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-namespace-resource-quota] Recording result \"SKIPPED\", claimID: {Id:access-control-namespace-resource-quota Suite:access-control Tags:extended}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-memory-allocation", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-memory-allocation", "description": "Checks to see if workload pods are running in namespaces that have resource quotas applied.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Apply a ResourceQuota to the namespace your workload is running in. The workload's namespace should have resource quota defined." 
@@ -126226,7 +126226,7 @@ "access-control-net-admin-capability-check": { "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-net-admin-capability-check] Skipping check access-control-net-admin-capability-check, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-net-admin-capability-check] Recording result \"SKIPPED\", claimID: {Id:access-control-net-admin-capability-check Suite:access-control Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-net_admin", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-net_admin", "description": "Ensures that containers do not use NET_ADMIN capability. Note: this test also ensures iptables and nftables are not configured by workload pods:\n- NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods.\nnftables should be configured by an administrator outside the scope of the workload. nftables are usually configured\nby operators, for instance the Performance Addon Operator (PAO) or istio.\n- Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables\nshould be configured by an administrator outside the scope of the workload. iptables are usually configured by operators,\nfor instance the Performance Addon Operator (PAO) or istio.", "exceptionProcess": "Exception will be considered for user plane or networking functions (e.g. SR-IOV, Multicast). Must identify which container requires the capability and detail why.", "remediation": "Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -126254,7 +126254,7 @@ "access-control-net-raw-capability-check": { "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-net-raw-capability-check] Skipping check access-control-net-raw-capability-check, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-net-raw-capability-check] Recording result \"SKIPPED\", claimID: {Id:access-control-net-raw-capability-check Suite:access-control Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-user-plane-cnfs", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-user-plane-cnfs", "description": "Ensures that containers do not use NET_RAW capability. Note: this test also ensures iptables and nftables are not configured by workload pods:\n- NET_ADMIN and NET_RAW are required to modify nftables (namespaced) which is not desired inside pods.\nnftables should be configured by an administrator outside the scope of the workload. nftables are usually configured\nby operators, for instance the Performance Addon Operator (PAO) or istio.\n- Privileged container are required to modify host iptables, which is not safe to perform inside pods. nftables\nshould be configured by an administrator outside the scope of the workload. iptables are usually configured by operators,\nfor instance the Performance Addon Operator (PAO) or istio.", "exceptionProcess": "Exception will be considered for user plane or networking functions. Must identify which container requires the capability and detail why.", "remediation": "Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why." 
@@ -126310,7 +126310,7 @@ "access-control-one-process-per-container": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-one-process-per-container] Skipping check access-control-one-process-per-container, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-one-process-per-container] Recording result \"SKIPPED\", claimID: {Id:access-control-one-process-per-container Suite:access-control Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-one-process-per-container", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-one-process-per-container", "description": "Check that all containers under test have only one process running", "exceptionProcess": "No exception needed for optional/extended tests. Not applicable to SNO applications.", "remediation": "Launch only one process per container. Should adhere to 1 process per container best practice wherever possible." 
@@ -126338,7 +126338,7 @@ "access-control-pod-automount-service-account-token": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-automount-service-account-token] Skipping check access-control-pod-automount-service-account-token, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-automount-service-account-token] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-automount-service-account-token Suite:access-control Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-automount-services-for-pods", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-automount-services-for-pods", "description": "Check that all pods under test have automountServiceAccountToken set to false. Only pods that require access to the kubernetes API server should have automountServiceAccountToken set to true", "exceptionProcess": "Exception will be considered if container needs to access APIs which OCP does not offer natively. Must document which container requires which API(s) and detail why existing OCP APIs cannot be used.", "remediation": "Check that pod has automountServiceAccountToken set to false or pod is attached to service account which has automountServiceAccountToken set to false, unless the pod needs access to the kubernetes API server. Pods which do not need API access should set automountServiceAccountToken to false in pod spec." 
@@ -126366,7 +126366,7 @@ "access-control-pod-host-ipc": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-host-ipc] Skipping check access-control-pod-host-ipc, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-host-ipc] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-host-ipc Suite:access-control Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security", "description": "Verifies that the spec.HostIpc parameter is set to false", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostIpc parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostIpc should be false." 
@@ -126394,7 +126394,7 @@ "access-control-pod-host-network": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-host-network] Skipping check access-control-pod-host-network, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-host-network] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-host-network Suite:access-control Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace", "description": "Verifies that the spec.HostNetwork parameter is not set (not present)", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostNetwork parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostNetwork should be false." 
@@ -126422,7 +126422,7 @@ "access-control-pod-host-path": { "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-host-path] Skipping check access-control-pod-host-path, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-host-path] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-host-path Suite:access-control Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security", "description": "Verifies that the spec.HostPath parameter is not set (not present)", "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed", "remediation": "Set the spec.HostPath parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostPath should be false." 
@@ -126450,7 +126450,7 @@
 "access-control-pod-host-pid": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-host-pid] Skipping check access-control-pod-host-pid, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-host-pid] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-host-pid Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
 "description": "Verifies that the spec.HostPid parameter is set to false",
 "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed",
 "remediation": "Set the spec.HostPid parameter to false in the pod configuration. Workloads should avoid accessing host resources - spec.HostPid should be false."
@@ -126478,7 +126478,7 @@
 "access-control-pod-role-bindings": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-role-bindings] Skipping check access-control-pod-role-bindings, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-role-bindings] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-role-bindings Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-security-rbac",
 "description": "Ensures that a workload does not utilize RoleBinding(s) in a non-workload Namespace.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure the workload is not configured to use RoleBinding(s) in a non-workload Namespace. Scope of role must \u003c= scope of creator of role."
@@ -126506,7 +126506,7 @@
 "access-control-pod-service-account": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-pod-service-account] Skipping check access-control-pod-service-account, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-pod-service-account] Recording result \"SKIPPED\", claimID: {Id:access-control-pod-service-account Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-scc-permissions-for-an-application",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-scc-permissions-for-an-application",
 "description": "Tests that each workload Pod utilizes a valid Service Account. Default or empty service account is not valid.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure that the each workload Pod is configured to use a valid Service Account"
@@ -126534,7 +126534,7 @@
 "access-control-requests-and-limits": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-requests-and-limits] Skipping check access-control-requests-and-limits, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-requests-and-limits] Recording result \"SKIPPED\", claimID: {Id:access-control-requests-and-limits Suite:access-control Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requests/limits",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-requests/limits",
 "description": "Check that containers have resource requests and limits specified in their spec.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Add requests and limits to your container spec. See: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/#requests-and-limits"
@@ -126562,7 +126562,7 @@
 "access-control-security-context": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-security-context] Skipping check access-control-security-context, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-security-context] Recording result \"SKIPPED\", claimID: {Id:access-control-security-context Suite:access-control Tags:extended}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
 "description": "Checks the security context matches one of the 4 categories",
 "exceptionProcess": "no exception needed for optional/extended test",
 "remediation": "Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and document why. If the container had the right configuration of the allowed category from the 4 approved list then the test will pass. The 4 categories are defined in Requirement ID 94118 [here](#security-context-categories)"
@@ -126590,7 +126590,7 @@
 "access-control-security-context-non-root-user-check": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-security-context-non-root-user-check] Skipping check access-control-security-context-non-root-user-check, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-security-context-non-root-user-check] Recording result \"SKIPPED\", claimID: {Id:access-control-security-context-non-root-user-check Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
 "description": "Checks the security context runAsUser parameter in pods and containers to make sure it is not set to uid root(0). Pods and containers should not run as root (runAsUser is not set to uid0).",
 "exceptionProcess": "No exceptions - will only be considered under special circumstances. Must identify which container needs access and document why with details.",
 "remediation": "Change the pod and containers \"runAsUser\" uid to something other than root(0)"
@@ -126618,7 +126618,7 @@
 "access-control-security-context-privilege-escalation": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-security-context-privilege-escalation] Skipping check access-control-security-context-privilege-escalation, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-security-context-privilege-escalation] Recording result \"SKIPPED\", claimID: {Id:access-control-security-context-privilege-escalation Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
 "description": "Checks if privileged escalation is enabled (AllowPrivilegeEscalation=true).",
 "exceptionProcess": "No exceptions",
 "remediation": "Configure privilege escalation to false. Privileged escalation should not be allowed (AllowPrivilegeEscalation=false)."
@@ -126646,7 +126646,7 @@
 "access-control-service-type": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-service-type] Skipping check access-control-service-type, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-service-type] Recording result \"SKIPPED\", claimID: {Id:access-control-service-type Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-the-host-network-namespace",
 "description": "Tests that each workload Service does not utilize NodePort(s).",
 "exceptionProcess": "Exception for host resource access tests will only be considered in rare cases where it is absolutely needed",
 "remediation": "Ensure Services are not configured to use NodePort(s). Workloads should avoid accessing host resources - tests that each workload Service does not utilize NodePort(s)."
@@ -126674,7 +126674,7 @@
 "access-control-ssh-daemons": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-ssh-daemons] Skipping check access-control-ssh-daemons, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-ssh-daemons] Recording result \"SKIPPED\", claimID: {Id:access-control-ssh-daemons Suite:access-control Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-interaction/configuration",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-interaction/configuration",
 "description": "Check that pods do not run SSH daemons.",
 "exceptionProcess": "No exceptions - special consideration can be given to certain containers which run as utility tool daemon",
 "remediation": "Ensure that no SSH daemons are running inside a pod. Pods should not run as SSH Daemons (replicaset or statefulset only)."
@@ -126702,7 +126702,7 @@
 "access-control-sys-admin-capability-check": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [access-control-sys-admin-capability-check] Skipping check access-control-sys-admin-capability-check, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-sys-admin-capability-check] Recording result \"SKIPPED\", claimID: {Id:access-control-sys-admin-capability-check Suite:access-control Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-sys_admin",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-avoid-sys_admin",
 "description": "Ensures that containers do not use SYS_ADMIN capability",
 "exceptionProcess": "No exceptions",
 "remediation": "Exception possible if a workload uses mlock(), mlockall(), shmctl(), mmap(); exception will be considered for DPDK applications. Must identify which container requires the capability and detail why. Containers should not use the SYS_ADMIN Linux capability."
@@ -126730,7 +126730,7 @@
 "access-control-sys-nice-realtime-capability": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-sys-nice-realtime-capability] Skipping check access-control-sys-nice-realtime-capability, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-sys-nice-realtime-capability] Recording result \"SKIPPED\", claimID: {Id:access-control-sys-nice-realtime-capability Suite:access-control Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_nice",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_nice",
 "description": "Check that pods running on nodes with realtime kernel enabled have the SYS_NICE capability enabled in their spec. In the case that a workolad is running on a node using the real-time kernel, SYS_NICE will be used to allow DPDK application to switch to SCHED_FIFO.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "If pods are scheduled to realtime kernel nodes, they must add SYS_NICE capability to their spec."
@@ -126758,7 +126758,7 @@
 "access-control-sys-ptrace-capability": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [access-control-sys-ptrace-capability] Skipping check access-control-sys-ptrace-capability, reason: no matching labels\n[INFO] [May 21 12:24:18.895] [checksdb.go: 114] [access-control-sys-ptrace-capability] Recording result \"SKIPPED\", claimID: {Id:access-control-sys-ptrace-capability Suite:access-control Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_ptrace",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-sys_ptrace",
 "description": "Check that if process namespace sharing is enabled for a Pod then the SYS_PTRACE capability is allowed. This capability is required when using Process Namespace Sharing. This is used when processes from one Container need to be exposed to another Container. For example, to send signals like SIGHUP from a process in a Container to another process in another Container. For more information on these capabilities refer to https://cloud.redhat.com/blog/linux-capabilities-in-openshift and https://kubernetes.io/docs/tasks/configure-pod-container/share-process-namespace/",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Allow the SYS_PTRACE capability when enabling process namespace sharing for a Pod"
@@ -126814,7 +126814,7 @@
 "affiliated-certification-helm-version": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.892] [checksgroup.go: 83] [affiliated-certification-helm-version] Skipping check affiliated-certification-helm-version, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [affiliated-certification-helm-version] Recording result \"SKIPPED\", claimID: {Id:affiliated-certification-helm-version Suite:affiliated-certification Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-helm",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-helm",
 "description": "Test to check if the helm chart is v3",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Check Helm Chart is v3 and not v2 which is not supported due to security risks associated with Tiller."
@@ -126870,7 +126870,7 @@
 "affiliated-certification-operator-is-certified": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.892] [checksgroup.go: 83] [affiliated-certification-operator-is-certified] Skipping check affiliated-certification-operator-is-certified, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [affiliated-certification-operator-is-certified] Recording result \"SKIPPED\", claimID: {Id:affiliated-certification-operator-is-certified Suite:affiliated-certification Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
 "description": "Tests whether the workload Operators listed in the configuration file have passed the Red Hat Operator Certification Program (OCP).",
 "exceptionProcess": "There is no documented exception process for this. A partner can run the Red Hat Best Practices Test Suite before passing other certifications (Container/Operator/HelmChart) but the affiliated certification test cases in the Red Hat Best Practices Test Suite must be re-run once the other certifications have been granted.",
 "remediation": "Ensure that your Operator has passed Red Hat's Operator Certification Program (OCP)."
@@ -126898,7 +126898,7 @@
 "lifecycle-affinity-required-pods": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-affinity-required-pods] Skipping check lifecycle-affinity-required-pods, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-affinity-required-pods] Recording result \"SKIPPED\", claimID: {Id:lifecycle-affinity-required-pods Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
 "description": "Checks that affinity rules are in place if AffinityRequired: 'true' labels are set on Pods.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Pods which need to be co-located on the same node need Affinity rules. If a pod/statefulset/deployment is required to use affinity rules, please add AffinityRequired: 'true' as a label."
@@ -126926,7 +126926,7 @@
 "lifecycle-container-poststart": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [lifecycle-container-poststart] Skipping check lifecycle-container-poststart, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-container-poststart] Recording result \"SKIPPED\", claimID: {Id:lifecycle-container-poststart Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices",
 "description": "Ensure that the containers lifecycle postStart management feature is configured. A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shutdown as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down.",
 "exceptionProcess": "Identify which pod is not conforming to the process and submit information as to why it cannot use a postStart startup specification.",
 "remediation": "PostStart is normally used to configure the container, set up dependencies, and record the new creation. You could use this event to check that a required API is available before the container’s main work begins. Kubernetes will not change the container’s state to Running until the PostStart script has executed successfully. For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. PostStart is used to configure container, set up dependencies, record new creation. 
It can also be used to check that a required API is available before the container’s work begins." 
@@ -126954,7 +126954,7 @@
 "lifecycle-container-prestop": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [lifecycle-container-prestop] Skipping check lifecycle-container-prestop, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-container-prestop] Recording result \"SKIPPED\", claimID: {Id:lifecycle-container-prestop Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cloud-native-design-best-practices",
 "description": "Ensure that the containers lifecycle preStop management feature is configured. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. When pods are shut down by the platform they are sent a SIGTERM signal which means that the process in the container should start shutting down, closing connections and stopping all activity. If the pod doesn’t shut down within the default 30 seconds then the platform may send a SIGKILL signal which will stop the pod immediately. This method isn’t as clean and the default time between the SIGTERM and SIGKILL messages can be modified based on the requirements of the application. Containers should respond to SIGTERM/SIGKILL with graceful shutdown.",
 "exceptionProcess": "Identify which pod is not conforming to the process and submit information as to why it cannot use a preStop shutdown specification.",
 "remediation": "The preStop can be used to gracefully stop the container and clean resources (e.g., DB connection). 
For details, see https://www.containiq.com/post/kubernetes-container-lifecycle-events-and-hooks and https://kubernetes.io/docs/concepts/containers/container-lifecycle-hooks. All pods must respond to SIGTERM signal and shutdown gracefully with a zero exit code."
@@ -126982,7 +126982,7 @@
 "lifecycle-cpu-isolation": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-cpu-isolation] Skipping check lifecycle-cpu-isolation, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-cpu-isolation] Recording result \"SKIPPED\", claimID: {Id:lifecycle-cpu-isolation Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-isolation",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-isolation",
 "description": "CPU isolation requires: For each container within the pod, resource requests and limits must be identical. If cpu requests and limits are not identical and in whole units (Guaranteed pods with exclusive cpus), your pods will not be tested for compliance. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements."
@@ -127010,7 +127010,7 @@
 "lifecycle-crd-scaling": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.895] [checksgroup.go: 83] [lifecycle-crd-scaling] Skipping check lifecycle-crd-scaling, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-crd-scaling] Recording result \"SKIPPED\", claimID: {Id:lifecycle-crd-scaling Suite:lifecycle Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
 "description": "Tests that a workload's CRD support scale in/out operations. First, the test starts getting the current replicaCount (N) of the crd/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the crd/s. In case of crd that are managed by HPA the test is changing the min and max value to crd Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the crd/s",
 "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.",
 "remediation": "Ensure the workload's CRDs can scale in/out successfully."
@@ -127038,7 +127038,7 @@
 "lifecycle-deployment-scaling": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-deployment-scaling] Skipping check lifecycle-deployment-scaling, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-deployment-scaling] Recording result \"SKIPPED\", claimID: {Id:lifecycle-deployment-scaling Suite:lifecycle Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
 "description": "Tests that workload deployments support scale in/out operations. First, the test starts getting the current replicaCount (N) of the deployment/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the deployment/s. In case of deployments that are managed by HPA the test is changing the min and max value to deployment Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the deployment/s",
 "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.",
 "remediation": "Ensure the workload's deployments/replica sets can scale in/out successfully."
@@ -127066,7 +127066,7 @@
 "lifecycle-image-pull-policy": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-image-pull-policy] Skipping check lifecycle-image-pull-policy, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-image-pull-policy] Recording result \"SKIPPED\", claimID: {Id:lifecycle-image-pull-policy Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-use-imagepullpolicy-if-not-present",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-use-imagepullpolicy-if-not-present",
 "description": "Ensure that the containers under test are using IfNotPresent as Image Pull Policy. If there is a situation where the container dies and needs to be restarted, the image pull policy becomes important. PullIfNotPresent is recommended so that a loss of image registry access does not prevent the pod from restarting.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Ensure that the containers under test are using IfNotPresent as Image Pull Policy."
@@ -127094,7 +127094,7 @@
 "lifecycle-liveness-probe": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-liveness-probe] Skipping check lifecycle-liveness-probe, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-liveness-probe] Recording result \"SKIPPED\", claimID: {Id:lifecycle-liveness-probe Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
 "description": "Check that all containers under test have liveness probe defined. The most basic requirement for the lifecycle management of Pods in OpenShift are the ability to start and stop correctly. When starting up, health probes like liveness and readiness checks can be put into place to ensure the application is functioning properly.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Add a liveness probe to deployed containers. workloads shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum."
@@ -127122,7 +127122,7 @@
 "lifecycle-persistent-volume-reclaim-policy": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-persistent-volume-reclaim-policy] Skipping check lifecycle-persistent-volume-reclaim-policy, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-persistent-volume-reclaim-policy] Recording result \"SKIPPED\", claimID: {Id:lifecycle-persistent-volume-reclaim-policy Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-csi",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-csi",
 "description": "Check that the persistent volumes the workloads pods are using have a reclaim policy of delete. Network Functions should clear persistent storage by deleting their PVs when removing their application from a cluster.",
 "exceptionProcess": "There is no documented exception process for this.",
 "remediation": "Ensure that all persistent volumes are using the reclaim policy: delete"
@@ -127150,7 +127150,7 @@
 "lifecycle-pod-high-availability": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-pod-high-availability] Skipping check lifecycle-pod-high-availability, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-pod-high-availability] Recording result \"SKIPPED\", claimID: {Id:lifecycle-pod-high-availability Suite:lifecycle Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
 "description": "Ensures that workloads Pods specify podAntiAffinity rules and replica value is set to more than 1.",
 "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.",
 "remediation": "In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 ."
@@ -127178,7 +127178,7 @@
 "lifecycle-pod-owner-type": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-pod-owner-type] Skipping check lifecycle-pod-owner-type, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-pod-owner-type] Recording result \"SKIPPED\", claimID: {Id:lifecycle-pod-owner-type Suite:lifecycle Tags:telco}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-no-naked-pods",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-no-naked-pods",
 "description": "Tests that the workload Pods are deployed as part of a ReplicaSet(s)/StatefulSet(s).",
 "exceptionProcess": "There is no documented exception process for this. Pods should not be deployed as DaemonSet or naked pods.",
 "remediation": "Deploy the workload using ReplicaSet/StatefulSet."
@@ -127206,7 +127206,7 @@ "lifecycle-pod-recreation": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-pod-recreation] Skipping check lifecycle-pod-recreation, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-pod-recreation] Recording result \"SKIPPED\", claimID: {Id:lifecycle-pod-recreation Suite:lifecycle Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations", "description": "Tests that a workload is configured to support High Availability. First, this test cordons and drains a Node that hosts the workload Pod. Next, the test ensures that OpenShift can re-instantiate the Pod on another Node, and that the actual replica count matches the desired replica count.", "exceptionProcess": "No exceptions - workloads should be able to be restarted/recreated.", "remediation": "Ensure that the workloads Pods utilize a configuration that supports High Availability. Additionally, ensure that there are available Nodes in the OpenShift cluster that can be utilized in the event that a host Node fails." 
@@ -127234,7 +127234,7 @@ "lifecycle-pod-scheduling": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-pod-scheduling] Skipping check lifecycle-pod-scheduling, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-pod-scheduling] Recording result \"SKIPPED\", claimID: {Id:lifecycle-pod-scheduling Suite:lifecycle Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", "description": "Ensures that workload Pods do not specify nodeSelector or nodeAffinity. In most cases, Pods should allow for instantiation on any underlying Node. Workloads shall not use node selectors nor taints/tolerations to assign pod location.", "exceptionProcess": "Exception will only be considered if application requires specialized hardware. Must specify which container requires special hardware and why.", "remediation": "In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which workloads require specialized hardware specific to a particular class of Node." 
@@ -127262,7 +127262,7 @@ "lifecycle-pod-toleration-bypass": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-pod-toleration-bypass] Skipping check lifecycle-pod-toleration-bypass, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-pod-toleration-bypass] Recording result \"SKIPPED\", claimID: {Id:lifecycle-pod-toleration-bypass Suite:lifecycle Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-taints-and-tolerations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-taints-and-tolerations", "description": "Check that pods do not have NoExecute, PreferNoSchedule, or NoSchedule tolerations that have been modified from the default.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Do not allow pods to bypass the NoExecute, PreferNoSchedule, or NoSchedule tolerations that are default applied by Kubernetes." 
@@ -127290,7 +127290,7 @@ "lifecycle-readiness-probe": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-readiness-probe] Skipping check lifecycle-readiness-probe, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-readiness-probe] Recording result \"SKIPPED\", claimID: {Id:lifecycle-readiness-probe Suite:lifecycle Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", "description": "Check that all containers under test have readiness probe defined. There are different ways a pod can stop on on OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a readiness probe to deployed containers" 
@@ -127318,7 +127318,7 @@ "lifecycle-startup-probe": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-startup-probe] Skipping check lifecycle-startup-probe, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-startup-probe] Recording result \"SKIPPED\", claimID: {Id:lifecycle-startup-probe Suite:lifecycle Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status", "description": "Check that all containers under test have startup probe defined. Workloads shall self-recover from common failures like pod failure, host failure, and network failure. Kubernetes native mechanisms such as health-checks (Liveness, Readiness and Startup Probes) shall be employed at a minimum.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Add a startup probe to deployed containers" 
@@ -127346,7 +127346,7 @@ "lifecycle-statefulset-scaling": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-statefulset-scaling] Skipping check lifecycle-statefulset-scaling, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-statefulset-scaling] Recording result \"SKIPPED\", claimID: {Id:lifecycle-statefulset-scaling Suite:lifecycle Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", "description": "Tests that workload statefulsets support scale in/out operations. First, the test starts getting the current replicaCount (N) of the statefulset/s with the Pod Under Test. Then, it executes the scale-in oc command for (N-1) replicas. Lastly, it executes the scale-out oc command, restoring the original replicaCount of the statefulset/s. In case of statefulsets that are managed by HPA the test is changing the min and max value to statefulset Replica - 1 during scale-in and the original replicaCount again for both min/max during the scale-out stage. Lastly its restoring the original min/max replica of the statefulset/s", "exceptionProcess": "There is no documented exception process for this. Not applicable to SNO applications.", "remediation": "Ensure the workload's statefulsets/replica sets can scale in/out successfully." 
@@ -127374,7 +127374,7 @@ "lifecycle-storage-provisioner": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [lifecycle-storage-provisioner] Skipping check lifecycle-storage-provisioner, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [lifecycle-storage-provisioner] Recording result \"SKIPPED\", claimID: {Id:lifecycle-storage-provisioner Suite:lifecycle Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-local-storage", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-local-storage", "description": "Checks that pods do not place persistent volumes on local storage in multinode clusters. Local storage is recommended for single node clusters, but only one type of local storage should be installed (lvms or noprovisioner).", "exceptionProcess": "No exceptions", "remediation": "Use a non-local storage (e.g. no kubernetes.io/no-provisioner and no topolvm.io provisioners) in multinode clusters. Local storage are recommended for single node clusters only, but a single local provisioner should be installed." 
@@ -127402,7 +127402,7 @@ "manageability-container-port-name-format": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [manageability-container-port-name-format] Skipping check manageability-container-port-name-format, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [manageability-container-port-name-format] Recording result \"SKIPPED\", claimID: {Id:manageability-container-port-name-format Suite:manageability Tags:extended}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs", "description": "Check that the container's ports name follow the naming conventions. Name field in ContainerPort section must be of form `\u003cprotocol\u003e[-\u003csuffix\u003e]`. More naming convention requirements may be released in future", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that the container's ports name follow our partner naming conventions" 
@@ -127430,7 +127430,7 @@ "manageability-containers-image-tag": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [manageability-containers-image-tag] Skipping check manageability-containers-image-tag, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [manageability-containers-image-tag] Recording result \"SKIPPED\", claimID: {Id:manageability-containers-image-tag Suite:manageability Tags:extended}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-tagging", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-image-tagging", "description": "Check that image tag exists on containers.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that all the container images are tagged. Checks containers have image tags (e.g. latest, stable, dev)." 
@@ -127458,7 +127458,7 @@ "networking-dpdk-cpu-pinning-exec-probe": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-dpdk-cpu-pinning-exec-probe] Skipping check networking-dpdk-cpu-pinning-exec-probe, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-dpdk-cpu-pinning-exec-probe] Recording result \"SKIPPED\", claimID: {Id:networking-dpdk-cpu-pinning-exec-probe Suite:networking Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-manager-pinning", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cpu-manager-pinning", "description": "If a workload is doing CPU pinning, exec probes may not be used.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "If the workload is doing CPU pinning and running a DPDK process do not use exec probes (executing a command within the container) as it may pile up and block the node eventually." 
@@ -127486,7 +127486,7 @@ "networking-dual-stack-service": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-dual-stack-service] Skipping check networking-dual-stack-service, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-dual-stack-service] Recording result \"SKIPPED\", claimID: {Id:networking-dual-stack-service Suite:networking Tags:extended}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-\u0026-ipv6", "description": "Checks that all services in namespaces under test are either ipv6 single stack or dual stack. This test case requires the deployment of the debug daemonset.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Configure every workload service with either a single stack ipv6 or dual stack (ipv4/ipv6) load balancer." 
@@ -127514,10 +127514,10 @@ "networking-icmpv4-connectivity": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-icmpv4-connectivity] Skipping check networking-icmpv4-connectivity, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-icmpv4-connectivity] Recording result \"SKIPPED\", claimID: {Id:networking-icmpv4-connectivity Suite:networking Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-\u0026-ipv6", "description": "Checks that each workload Container is able to communicate via ICMPv4 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.", "exceptionProcess": "No exceptions - must be able to communicate on default network using IPv4", - "remediation": "Ensure that the workload is able to communicate via the Default OpenShift network. In some rare cases, workloads may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence." + "remediation": "Ensure that the workload is able to communicate via the Default OpenShift network. In some rare cases, workloads may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv4 connectivity tests, add the redhat-best-practices-for-k8s.com/skip_connectivity_tests label to it. The label value is trivial, only its presence." 
}, "categoryClassification": { "Extended": "Mandatory", 
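Review bot: The `remediation` string in this hunk, and in the three connectivity hunks that follow (icmpv4-multus, icmpv6, icmpv6-multus), now tells operators to apply the label `redhat-best-practices-for-k8s.com/skip_connectivity_tests`, which is a functional label key rather than branding text. The code that matches this label is not part of the lines shown here, so please confirm that the suite actually selects on the new key. If it still honours `test-network-function.com/skip_connectivity_tests`, a pod labelled according to this text would stay in the connectivity tests without any error. Since this looks like captured claim output used as a fixture, it should be regenerated from the renamed suite rather than edited by search-and-replace, so the fixture reflects the label the tool really emits. The `.com` prefix in the new key also looks like a side effect of the mechanical rename and deserves an explicit decision on which label domain the project intends to use.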
@@ -127542,10 +127542,10 @@ "networking-icmpv4-connectivity-multus": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-icmpv4-connectivity-multus] Skipping check networking-icmpv4-connectivity-multus, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-icmpv4-connectivity-multus] Recording result \"SKIPPED\", claimID: {Id:networking-icmpv4-connectivity-multus Suite:networking Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", "description": "Checks that each workload Container is able to communicate via ICMPv4 on the Multus network(s). This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.", "exceptionProcess": "There is no documented exception process for this.", - "remediation": "Ensure that the workload is able to communicate via the Multus network(s). In some rare cases, workloads may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv4 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if MULTUS is not supported." + "remediation": "Ensure that the workload is able to communicate via the Multus network(s). In some rare cases, workloads may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv4 connectivity tests, add the redhat-best-practices-for-k8s.com/skip_connectivity_tests label to it. 
The label value is trivial, only its presence. Not applicable if MULTUS is not supported." }, "categoryClassification": { "Extended": "Mandatory", 
@@ -127570,10 +127570,10 @@ "networking-icmpv6-connectivity": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-icmpv6-connectivity] Skipping check networking-icmpv6-connectivity, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-icmpv6-connectivity] Recording result \"SKIPPED\", claimID: {Id:networking-icmpv6-connectivity Suite:networking Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-\u0026-ipv6", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-ipv4-\u0026-ipv6", "description": "Checks that each workload Container is able to communicate via ICMPv6 on the Default OpenShift network. This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.", "exceptionProcess": "There is no documented exception process for this.", - "remediation": "Ensure that the workload is able to communicate via the Default OpenShift network. In some rare cases, workloads may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. Not applicable if IPv6 is not supported." + "remediation": "Ensure that the workload is able to communicate via the Default OpenShift network. In some rare cases, workloads may require routing table changes in order to communicate over the Default network. To exclude a particular pod from ICMPv6 connectivity tests, add the redhat-best-practices-for-k8s.com/skip_connectivity_tests label to it. The label value is trivial, only its presence. 
Not applicable if IPv6 is not supported." }, "categoryClassification": { "Extended": "Mandatory", 
@@ -127598,10 +127598,10 @@ "networking-icmpv6-connectivity-multus": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-icmpv6-connectivity-multus] Skipping check networking-icmpv6-connectivity-multus, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-icmpv6-connectivity-multus] Recording result \"SKIPPED\", claimID: {Id:networking-icmpv6-connectivity-multus Suite:networking Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations", "description": "Checks that each workload Container is able to communicate via ICMPv6 on the Multus network(s). This test case requires the Deployment of the debug daemonset and at least 2 pods connected to each network under test(one source and one destination). If no network with more than 2 pods exists this test will be skipped.", "exceptionProcess": "There is no documented exception process for this.", - "remediation": "Ensure that the workload is able to communicate via the Multus network(s). In some rare cases, workloads may require routing table changes in order to communicate over the Multus network(s). To exclude a particular pod from ICMPv6 connectivity tests, add the test-network-function.com/skip_connectivity_tests label to it.The label value is trivial, only its presence. Not applicable if IPv6/MULTUS is not supported." + "remediation": "Ensure that the workload is able to communicate via the Multus network(s). In some rare cases, workloads may require routing table changes in order to communicate over the Multus network(s). 
To exclude a particular pod from ICMPv6 connectivity tests, add the redhat-best-practices-for-k8s.com/skip_connectivity_tests label to it.The label value is trivial, only its presence. Not applicable if IPv6/MULTUS is not supported." }, "categoryClassification": { "Extended": "Mandatory", @@ -127626,7 +127626,7 @@ "networking-network-policy-deny-all": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-network-policy-deny-all] Skipping check networking-network-policy-deny-all, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-network-policy-deny-all] Recording result \"SKIPPED\", claimID: {Id:networking-network-policy-deny-all Suite:networking Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-vrfs-aka-routing-instances", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-vrfs-aka-routing-instances", "description": "Check that network policies attached to namespaces running workload pods contain a default deny-all rule for both ingress and egress traffic", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure that a NetworkPolicy with a default deny-all is applied. After the default is applied, apply a network policy to allow the traffic your application requires." 
@@ -127654,7 +127654,7 @@ "networking-ocp-reserved-ports-usage": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-ocp-reserved-ports-usage] Skipping check networking-ocp-reserved-ports-usage, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-ocp-reserved-ports-usage] Recording result \"SKIPPED\", claimID: {Id:networking-ocp-reserved-ports-usage Suite:networking Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-ports-reserved-by-openshift", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-ports-reserved-by-openshift", "description": "Check that containers do not listen on ports that are reserved by OpenShift", "exceptionProcess": "No exceptions", "remediation": "Ensure that workload's apps do not listen on ports that are reserved by OpenShift. The following ports are reserved by OpenShift and must NOT be used by any application: 22623, 22624." 
@@ -127738,7 +127738,7 @@ "networking-undeclared-container-ports-usage": { "capturedTestOutput": "[INFO] [May 21 12:24:18.893] [checksgroup.go: 83] [networking-undeclared-container-ports-usage] Skipping check networking-undeclared-container-ports-usage, reason: no matching labels\n[INFO] [May 21 12:24:18.893] [checksdb.go: 114] [networking-undeclared-container-ports-usage] Recording result \"SKIPPED\", claimID: {Id:networking-undeclared-container-ports-usage Suite:networking Tags:extended}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-requirements-cnf-reqs", "description": "Check that containers do not listen on ports that weren't declared in their specification. Platforms may be configured to block undeclared ports.", "exceptionProcess": "No exception needed for optional/extended tests.", "remediation": "Ensure the workload's apps do not listen on undeclared containers' ports." 
@@ -127766,7 +127766,7 @@ "observability-container-logging": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [observability-container-logging] Skipping check observability-container-logging, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [observability-container-logging] Recording result \"SKIPPED\", claimID: {Id:observability-container-logging Suite:observability Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-logging", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-logging", "description": "Check that all containers under test use standard input output and standard error when logging. A container must provide APIs for the platform to observe the container health and act accordingly. These APIs include health checks (liveness and readiness), logging to stderr and stdout for log aggregation (by tools such as Logstash or Filebeat), and integrate with tracing and metrics-gathering libraries (such as Prometheus or Metricbeat).", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure containers are not redirecting stdout/stderr" 
@@ -127794,7 +127794,7 @@ "observability-crd-status": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [observability-crd-status] Skipping check observability-crd-status, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [observability-crd-status] Recording result \"SKIPPED\", claimID: {Id:observability-crd-status Suite:observability Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements", "description": "Checks that all CRDs have a status sub-resource specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”]).", "exceptionProcess": "No exceptions", "remediation": "Ensure that all the CRDs have a meaningful status specification (Spec.versions[].Schema.OpenAPIV3Schema.Properties[“status”])." 
@@ -127822,7 +127822,7 @@ "observability-pod-disruption-budget": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [observability-pod-disruption-budget] Skipping check observability-pod-disruption-budget, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [observability-pod-disruption-budget] Recording result \"SKIPPED\", claimID: {Id:observability-pod-disruption-budget Suite:observability Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-upgrade-expectations", "description": "Checks to see if pod disruption budgets have allowed values for minAvailable and maxUnavailable", "exceptionProcess": "No exceptions", "remediation": "Ensure minAvailable is not zero and maxUnavailable does not equal the number of pods in the replica" 
@@ -127850,7 +127850,7 @@ "observability-termination-policy": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [observability-termination-policy] Skipping check observability-termination-policy, reason: no matching labels\n[INFO] [May 21 12:24:18.896] [checksdb.go: 114] [observability-termination-policy] Recording result \"SKIPPED\", claimID: {Id:observability-termination-policy Suite:observability Tags:telco}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-exit-status", "description": "Check that all containers are using terminationMessagePolicy: FallbackToLogsOnError. There are different ways a pod can stop on an OpenShift cluster. One way is that the pod can remain alive but non-functional. Another way is that the pod can crash and become non-functional. In the first case, if the administrator has implemented liveness and readiness checks, OpenShift can stop the pod and either restart it on the same node or a different node in the cluster. For the second case, when the application in the pod stops, it should exit with a code and write suitable log entries to help the administrator diagnose what the issue was that caused the problem.", "exceptionProcess": "There is no documented exception process for this.", "remediation": "Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy" 
@@ -127878,7 +127878,7 @@ "operator-crd-openapi-schema": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-crd-openapi-schema] Skipping check operator-crd-openapi-schema, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-crd-openapi-schema] Recording result \"SKIPPED\", claimID: {Id:operator-crd-openapi-schema Suite:operator Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements", "description": "Tests whether an application Operator CRD is defined with OpenAPI spec.", "exceptionProcess": "No exceptions", "remediation": "Ensure that the Operator CRD is defined with OpenAPI spec." @@ -127906,7 +127906,7 @@ "operator-crd-versioning": { "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-crd-versioning] Skipping check operator-crd-versioning, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-crd-versioning] Recording result \"SKIPPED\", claimID: {Id:operator-crd-versioning Suite:operator Tags:common}\n", "catalogInfo": { - "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements", + "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements", "description": "Tests whether the Operator CRD has a valid versioning.", "exceptionProcess": "No exceptions", "remediation": "Ensure that the Operator CRD has a valid version." 
@@ -127934,7 +127934,7 @@
 "operator-install-source": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-install-source] Skipping check operator-install-source, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-install-source] Recording result \"SKIPPED\", claimID: {Id:operator-install-source Suite:operator Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
 "description": "Tests whether a workload Operator is installed via OLM.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure that your Operator is installed via OLM."
@@ -127962,7 +127962,7 @@
 "operator-install-status-no-privileges": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-install-status-no-privileges] Skipping check operator-install-status-no-privileges, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-install-status-no-privileges] Recording result \"SKIPPED\", claimID: {Id:operator-install-status-no-privileges Suite:operator Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
 "description": "Checks whether the operator needs access to Security Context Constraints. Test passes if clusterPermissions is not present in the CSV manifest or is present with no RBAC rules related to SCCs.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure all the workload's operators have no privileges on cluster resources."
@@ -127990,7 +127990,7 @@
 "operator-install-status-succeeded": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-install-status-succeeded] Skipping check operator-install-status-succeeded, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-install-status-succeeded] Recording result \"SKIPPED\", claimID: {Id:operator-install-status-succeeded Suite:operator Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
 "description": "Ensures that the target workload operators report \"Succeeded\" as their installation status.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure all the workload's operators have been successfully installed by OLM."
@@ -128018,7 +128018,7 @@
 "operator-semantic-versioning": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-semantic-versioning] Skipping check operator-semantic-versioning, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-semantic-versioning] Recording result \"SKIPPED\", claimID: {Id:operator-semantic-versioning Suite:operator Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
 "description": "Tests whether an application Operator has a valid semantic versioning.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure that the Operator has a valid semantic versioning."
@@ -128046,7 +128046,7 @@
 "operator-single-crd-owner": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.896] [checksgroup.go: 83] [operator-single-crd-owner] Skipping check operator-single-crd-owner, reason: no matching labels\n[INFO] [May 21 12:24:18.897] [checksdb.go: 114] [operator-single-crd-owner] Recording result \"SKIPPED\", claimID: {Id:operator-single-crd-owner Suite:operator Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-operator-requirements",
 "description": "Tests whether a CRD is owned by a single Operator.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure that a CRD is owned by only one Operator"
@@ -128242,7 +128242,7 @@
 "platform-alteration-base-image": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-base-image] Skipping check platform-alteration-base-image, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-base-image] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-base-image Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-image-standards",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-image-standards",
 "description": "Ensures that the Container Base Image is not altered post-startup. This test is a heuristic, and ensures that there are no changes to the following directories: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure that Container applications do not modify the Container Base Image. In particular, ensure that the following directories are not modified: 1) /var/lib/rpm 2) /var/lib/dpkg 3) /bin 4) /sbin 5) /lib 6) /lib64 7) /usr/bin 8) /usr/sbin 9) /usr/lib 10) /usr/lib64 Ensure that all required binaries are built directly into the container image, and are not installed post startup."
@@ -128270,7 +128270,7 @@
 "platform-alteration-boot-params": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-boot-params] Skipping check platform-alteration-boot-params, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-boot-params] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-boot-params Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os",
 "description": "Tests that boot parameters are set through the MachineConfigOperator, and not set manually on the Node.",
 "exceptionProcess": "No exceptions",
 "remediation": "Ensure that boot parameters are set directly through the MachineConfigOperator, or indirectly through the PerformanceAddonOperator. Boot parameters should not be changed directly through the Node, as OpenShift should manage the changes for you."
@@ -128326,7 +128326,7 @@
 "platform-alteration-hugepages-2m-only": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-hugepages-2m-only] Skipping check platform-alteration-hugepages-2m-only, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-hugepages-2m-only] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-hugepages-2m-only Suite:platform-alteration Tags:extended}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages",
 "description": "Check that pods using hugepages only use 2Mi size",
 "exceptionProcess": "No exception needed for optional/extended tests.",
 "remediation": "Modify pod to consume 2Mi hugepages only"
@@ -128354,7 +128354,7 @@
 "platform-alteration-hugepages-config": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-hugepages-config] Skipping check platform-alteration-hugepages-config, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-hugepages-config] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-hugepages-config Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-huge-pages",
 "description": "Checks to see that HugePage settings have been configured through MachineConfig, and not manually on the underlying Node. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet. First, the \"worker\" MachineConfig is polled, and the Hugepage settings are extracted. Next, the underlying Nodes are polled for configured HugePages through inspection of /proc/meminfo. The results are compared, and the test passes only if they are the same.",
 "exceptionProcess": "No exceptions",
 "remediation": "HugePage settings should be configured either directly through the MachineConfigOperator or indirectly using the PerformanceAddonOperator. This ensures that OpenShift is aware of the special MachineConfig requirements, and can provision your workload on a Node that is part of the corresponding MachineConfigSet. Avoid making changes directly to an underlying Node, and let OpenShift handle the heavy lifting of configuring advanced settings. This test case applies only to Nodes that are configured with the \"worker\" MachineConfigSet."
@@ -128410,7 +128410,7 @@
 "platform-alteration-is-selinux-enforcing": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-is-selinux-enforcing] Skipping check platform-alteration-is-selinux-enforcing, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-is-selinux-enforcing] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-is-selinux-enforcing Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-security",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-pod-security",
 "description": "verifies that all openshift platform/cluster nodes have selinux in \"Enforcing\" mode.",
 "exceptionProcess": "No exceptions",
 "remediation": "Configure selinux and enable enforcing mode."
@@ -128438,7 +128438,7 @@
 "platform-alteration-isredhat-release": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-isredhat-release] Skipping check platform-alteration-isredhat-release, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-isredhat-release] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-isredhat-release Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-base-images",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-base-images",
 "description": "verifies if the container base image is redhat.",
 "exceptionProcess": "No exceptions",
 "remediation": "Build a new container image that is based on UBI (Red Hat Universal Base Image)."
@@ -128466,7 +128466,7 @@
 "platform-alteration-ocp-lifecycle": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-ocp-lifecycle] Skipping check platform-alteration-ocp-lifecycle, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-ocp-lifecycle] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-ocp-lifecycle Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-k8s",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-k8s",
 "description": "Tests that the running OCP version is not end of life.",
 "exceptionProcess": "No exceptions",
 "remediation": "Please update your cluster to a version that is generally available."
@@ -128494,7 +128494,7 @@
 "platform-alteration-ocp-node-os-lifecycle": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-ocp-node-os-lifecycle] Skipping check platform-alteration-ocp-node-os-lifecycle, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-ocp-node-os-lifecycle] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-ocp-node-os-lifecycle Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-host-os",
 "description": "Tests that the nodes running in the cluster have operating systems that are compatible with the deployed version of OpenShift.",
 "exceptionProcess": "No exceptions",
 "remediation": "Please update your workers to a version that is supported by your version of OpenShift"
@@ -128550,7 +128550,7 @@
 "platform-alteration-sysctl-config": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-sysctl-config] Skipping check platform-alteration-sysctl-config, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-sysctl-config] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-sysctl-config Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-cnf-security",
 "description": "Tests that no one has changed the node's sysctl configs after the node was created, the tests works by checking if the sysctl configs are consistent with the MachineConfig CR which defines how the node should be configured",
 "exceptionProcess": "No exceptions",
 "remediation": "You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes"
@@ -128578,7 +128578,7 @@
 "platform-alteration-tainted-node-kernel": {
 "capturedTestOutput": "[INFO] [May 21 12:24:18.894] [checksgroup.go: 83] [platform-alteration-tainted-node-kernel] Skipping check platform-alteration-tainted-node-kernel, reason: no matching labels\n[INFO] [May 21 12:24:18.894] [checksdb.go: 114] [platform-alteration-tainted-node-kernel] Recording result \"SKIPPED\", claimID: {Id:platform-alteration-tainted-node-kernel Suite:platform-alteration Tags:common}\n",
 "catalogInfo": {
- "bestPracticeReference": "https://test-network-function.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
+ "bestPracticeReference": "https://redhat-best-practices-for-k8s.github.io/cnf-best-practices-guide/#cnf-best-practices-high-level-cnf-expectations",
 "description": "Ensures that the Node(s) hosting workloads do not utilize tainted kernels. This test case is especially\nimportant to support Highly Available workloads, since when a workload is re-instantiated on a backup Node,\nthat Node's kernel may not have the same hacks.'",
 "exceptionProcess": "If taint is necessary, document details of the taint and why it's needed by workload or environment.",
 "remediation": "Test failure indicates that the underlying Node's kernel is tainted. Ensure that you have not altered underlying Node(s) kernels in order to run the workload."
diff --git a/schemas/claim.example.json b/schemas/claim.example.json
index f97ea25..0169a4d 100644
--- a/schemas/claim.example.json
+++ b/schemas/claim.example.json
@@ -461,11 +461,11 @@
 }
 },
 "results": {
- "{\"Url\":\"http://test-network-function.com/testcases/generic/icmpv4-connectivity\",\"Version\":\"v1.0.0\"}": [
+ "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/icmpv4-connectivity\",\"Version\":\"v1.0.0\"}": [
 {
 "duration": 4097243052,
 "failureReason": "",
- "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go",
+ "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go",
 "isMeasurement": false,
 "lineNumber": 311,
 "passed": true,
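Review bot: The `filename` values in this hunk are output captured from an earlier run, and the search-and-replace rewrote the recorded local path into a directory that run never used. The following hunk (`@@ -474,106 +474,106 @@`) does the same, including in `failureReason`. Since these lines are being edited anyway, a neutral path would serve the example better than one that publishes a developer's home directory, for instance (constructed) `"filename": "/workspace/generic/suite.go",` with the same prefix in `failureReason`. The result keys also move to `http://redhat-best-practices-for-k8s.com/testcases/...`; if any consumer matches these identifiers against a test catalog, confirm the catalog was renamed in step.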
@@ -474,106 +474,106 @@ { "duration": 4094205613, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 311, "passed": true, "testText": "generic Both Pods are on the Default network when a Ping is issued from partner(partner) to test(test) 172.17.0.3 test(test) should reply" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/namespace-best-practices\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/namespace-best-practices\",\"Version\":\"v1.0.0\"}": [ { "duration": 2796, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 355, "passed": true, "testText": "generic when Reading namespace of test/test Should not be 'default' and should not begin with 'openshift-'" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/non-default-grace-period\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/non-default-grace-period\",\"Version\":\"v1.0.0\"}": [ { "duration": 159628157, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 373, "passed": true, "testText": "generic Testing pod terminationGracePeriod tnf/test" } ], - 
"{\"Url\":\"http://test-network-function.com/testcases/generic/pod-cluster-role-bindings-best-practices\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/pod-cluster-role-bindings-best-practices\",\"Version\":\"v1.0.0\"}": [ { "duration": 204725410, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 554, "passed": true, "testText": "generic when Testing roles and privileges of tnf/test Should not have ClusterRoleBindings" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/pod-deployment-best-practices\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/pod-deployment-best-practices\",\"Version\":\"v1.0.0\"}": [ { "duration": 10003938067, - "failureReason": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go:801\nExpected\n \u003cint\u003e: 0\nto equal\n \u003cint\u003e: 1\n/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go:808", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "failureReason": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go:801\nExpected\n \u003cint\u003e: 0\nto equal\n \u003cint\u003e: 1\n/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go:808", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 801, "passed": false, "testText": "generic when Testing owners of CNF pod Should contain at least one of kind 
DaemonSet/ReplicaSet" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/pod-node-selector-node-affinity-best-practices\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/pod-node-selector-node-affinity-best-practices\",\"Version\":\"v1.0.0\"}": [ { "duration": 199758755, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 389, "passed": true, "testText": "generic Testing pod nodeSelector tnf/test" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/pod-role-bindings-best-practices\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/pod-role-bindings-best-practices\",\"Version\":\"v1.0.0\"}": [ { "duration": 195087641, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 535, "passed": true, "testText": "generic when Testing roles and privileges of tnf/test Should not have RoleBinding in other namespaces" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/pod-service-account-best-practices\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/pod-service-account-best-practices\",\"Version\":\"v1.0.0\"}": [ { "duration": 168269817, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", 
"isMeasurement": false, "lineNumber": 520, "passed": true, "testText": "generic when Testing roles and privileges of tnf/test Should have a valid ServiceAccount name" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/services-do-not-use-nodeports\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/services-do-not-use-nodeports\",\"Version\":\"v1.0.0\"}": [ { "duration": 157320657, "failureReason": "", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", "isMeasurement": false, "lineNumber": 574, "passed": true, "testText": "generic when Testing services in namespace tnf Should not have services of type NodePort" } ], - "{\"Url\":\"http://test-network-function.com/testcases/generic/unaltered-startup-boot-params\",\"Version\":\"v1.0.0\"}": [ + "{\"Url\":\"http://redhat-best-practices-for-k8s.com/testcases/generic/unaltered-startup-boot-params\",\"Version\":\"v1.0.0\"}": [ { "duration": 10170095299, - "failureReason": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go:500\nExpected\n \u003cint\u003e: 0\nto equal\n \u003cint\u003e: 1\n/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go:423", - "filename": "/Users/ryangoulding/workspace/t/test-network-function/test-network-function/generic/suite.go", + "failureReason": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go:500\nExpected\n \u003cint\u003e: 0\nto equal\n \u003cint\u003e: 1\n/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go:423", + "filename": "/Users/ryangoulding/workspace/t/redhat-best-practices-for-k8s/redhat-best-practices-for-k8s/generic/suite.go", 
"isMeasurement": false, "lineNumber": 500, "passed": false, diff --git a/schemas/claim.schema.json b/schemas/claim.schema.json index c49eb46..62051f1 100644 --- a/schemas/claim.schema.json +++ b/schemas/claim.schema.json @@ -1,8 +1,8 @@ { - "$id": "http://test-network-function.com/schemas/claim.schema.json", + "$id": "http://redhat-best-practices-for-k8s.com/schemas/claim.schema.json", "$schema": "http://json-schema.org/draft-07/schema#", "version": "v1.0.0", - "description": "A test-network-function claim is an attestation of the tests performed, the results and the various configurations. Since a claim must be reproducible, it also includes an overview of the systems under test and their physical configurations.", + "description": "A redhat-best-practices-for-k8s claim is an attestation of the tests performed, the results and the various configurations. Since a claim must be reproducible, it also includes an overview of the systems under test and their physical configurations.", "definitions": { "identifier": { "$id": "#identifier", @@ -166,12 +166,12 @@ "startTime": { "type": "string", "format": "date-time", - "description": "The UTC start time of a claim evaluation. This is recorded when the test-network-function test suite is invoked." + "description": "The UTC start time of a claim evaluation. This is recorded when the redhat-best-practices-for-k8s test suite is invoked." }, "endTime": { "type": "string", "format": "date-time", - "description": "The UTC end time of a claim evaluation. This is recorded when the test-network-function test suite completes." + "description": "The UTC end time of a claim evaluation. This is recorded when the redhat-best-practices-for-k8s test suite completes." } }, "additionalProperties": false, 
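Review bot: In `schemas/claim.schema.json` the `$id` becomes `http://redhat-best-practices-for-k8s.com/schemas/claim.schema.json`, a host name produced by substituting the organisation name; nothing in the diff shows that the project controls that domain. `$id` is the schema's base URI, so validators that cache or resolve references by it will treat this as a different schema. Any tool that dereferences it would fetch over plain HTTP from whoever holds the domain. An identifier under a location the project owns would be safer, for example (constructed from the repository URL in the README change) `"$id": "https://github.com/redhat-best-practices-for-k8s/certsuite-claim/schemas/claim.schema.json",`. Note also that `"version"` stays at `v1.0.0` although the identifier changed.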
@@ -185,11 +185,11 @@
 "properties": {
 "tnf": {
 "type": "string",
- "description": "The test-network-function (tnf) release version."
+ "description": "The redhat-best-practices-for-k8s (tnf) release version."
 },
 "tnfGitCommit": {
 "type": "string",
- "description": "The test-network-function (tnf) Git Commit."
+ "description": "The redhat-best-practices-for-k8s (tnf) Git Commit."
 },
 "ocp": {
 "type": "string",
@@ -216,9 +216,9 @@
 },
 "configurations": {
 "type": "object",
- "description": "Tests within test-network-function often require configuration. For example, the generic test suite requires listing all CNF containers. This information is used to derive per-container IP address information, which is then used as input to the connectivity test suite. Test suites within test-network-function may use multiple configurations, but each with a unique name.",
+ "description": "Tests within redhat-best-practices-for-k8s often require configuration. For example, the generic test suite requires listing all CNF containers. This information is used to derive per-container IP address information, which is then used as input to the connectivity test suite. Test suites within redhat-best-practices-for-k8s may use multiple configurations, but each with a unique name.",
 "additionalProperties": {
- "description": "Tests within test-network-function often require configuration. For example, the generic test suite requires listing all CNF containers. This information is used to derive per-container IP address information, which is then used as input to the connectivity test suite. Test suites within test-network-function may use multiple configurations, each of which is arbitrary in structure and use case specific."
+ "description": "Tests within redhat-best-practices-for-k8s often require configuration. For example, the generic test suite requires listing all CNF containers. This information is used to derive per-container IP address information, which is then used as input to the connectivity test suite. Test suites within redhat-best-practices-for-k8s may use multiple configurations, each of which is arbitrary in structure and use case specific."
 }
 },
 "nodes": {