Documentation ¶
Overview ¶
Package identifiers contains TNF test identifiers.
Index ¶
Constants ¶
// Documentation links reported with each test case, grouped by test suite.
// A value is either a URL (most are anchors inside the Red Hat best-practices
// guide) or one of the NoDocLink* placeholders defined first.
//
// NOTE(review): several anchors contain characters that are significant in
// markup or URLs ("&" in "...-ipv4-&-ipv6", "/" in "...-requests/limits" and
// "...-pod-interaction/configuration"). If these values are written into
// XML/HTML reports they have to be escaped by the writer - confirm that the
// report code does so.
const (
	// Default Strings
	// Placeholders used instead of a URL when a test has no guide section.
	NoDocLinkExtended = "No Doc Link - Extended"
	NoDocLinkFarEdge = "No Doc Link - Far Edge"
	NoDocLinkTelco = "No Doc Link - Telco"
	NoDocLink = "No Doc Link"

	// Networking Suite
	TestICMPv4ConnectivityIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-ipv4-&-ipv6"
	// NOTE(review): the anchor names VRFs/routing instances rather than network
	// policies - confirm this is the intended guide section for the deny-all check.
	TestNetworkPolicyDenyAllIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-vrfs-aka-routing-instances"
	TestReservedExtendedPartnerPortsDocLink = NoDocLinkExtended
	TestDpdkCPUPinningExecProbeDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cpu-manager-pinning"
	TestRestartOnRebootLabelOnPodsUsingSRIOVDocLink = NoDocLinkFarEdge
	TestNetworkAttachmentDefinitionSRIOVUsingMTUDocLink = NoDocLinkFarEdge
	TestLimitedUseOfExecProbesIdentifierDocLink = NoDocLinkFarEdge
	TestICMPv6ConnectivityIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-ipv4-&-ipv6"
	TestICMPv4ConnectivityMultusIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestICMPv6ConnectivityMultusIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestServiceDualStackIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-ipv4-&-ipv6"
	TestUndeclaredContainerPortsUsageDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-requirements-cnf-reqs"
	TestOCPReservedPortsUsageDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-ports-reserved-by-openshift"

	// Access Control Suite
	// Links for the capability, security-context, host-namespace, RBAC and
	// service-account checks. Several distinct checks point at the same
	// "cnf-security" anchor.
	Test1337UIDIdentifierDocLink = NoDocLinkExtended
	TestNetAdminIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-net_admin"
	TestSysAdminIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-avoid-sys_admin"
	TestIpcLockIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-ipc_lock"
	TestNetRawIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-user-plane-cnfs"
	TestBpfIdentifierDocLink = NoDocLinkTelco
	TestSecConNonRootUserIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestSecContextIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestSecConPrivilegeEscalationDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestContainerHostPortDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-avoid-accessing-resource-on-host"
	TestContainerHostNetworkDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-avoid-the-host-network-namespace"
	TestPodHostNetworkDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-avoid-the-host-network-namespace"
	TestPodHostPathDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestPodHostIPCDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestPodHostPIDDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestNamespaceBestPracticesIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-requirements-cnf-reqs"
	TestPodClusterRoleBindingsBestPracticesIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-security-rbac"
	TestPodRoleBindingsBestPracticesIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-security-rbac"
	TestPodServiceAccountBestPracticesIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-scc-permissions-for-an-application"
	TestPodAutomountServiceAccountIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-automount-services-for-pods"
	TestServicesDoNotUseNodeportsIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-avoid-the-host-network-namespace"
	TestUnalteredBaseImageIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-image-standards"
	TestOneProcessPerContainerIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-one-process-per-container"
	TestSYSNiceRealtimeCapabilityIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-sys_nice"
	TestSysPtraceCapabilityIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-sys_ptrace"
	TestPodRequestsAndLimitsIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-requests/limits"
	TestNamespaceResourceQuotaIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-memory-allocation"
	TestNoSSHDaemonsAllowedIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-pod-interaction/configuration"

	// Affiliated Certification Suite
	// The three *IsCertified* links share one URL on a different host
	// (redhat-connect.gitbook.io) than the rest of the block.
	TestHelmVersionIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-helm"
	TestContainerIsCertifiedDigestIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview"
	TestContainerIsCertifiedIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview"
	TestHelmIsCertifiedIdentifierDocLink = "https://redhat-connect.gitbook.io/partner-guide-for-red-hat-openshift-and-container/certify-your-application/overview"

	// Platform Alteration Suite
	TestPodHugePages2MDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-huge-pages"
	TestPodHugePages1GDocLink = NoDocLinkFarEdge
	TestHugepagesNotManuallyManipulatedDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-huge-pages"
	TestNonTaintedNodeKernelsIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestUnalteredStartupBootParamsIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-host-os"
	TestSysctlConfigsIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-security"
	TestServiceMeshIdentifierDocLink = NoDocLinkExtended
	TestHyperThreadEnableDocLink = NoDocLinkExtended
	TestOCPLifecycleIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-k8s"
	TestNodeOperatingSystemIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-host-os"
	TestIsRedHatReleaseIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-base-images"
	TestIsSELinuxEnforcingIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-pod-security"

	// Lifecycle Suite
	TestAffinityRequiredPodsDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestStorageProvisionerDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-local-storage"
	TestContainerPostStartIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cloud-native-design-best-practices"
	TestContainerPrestopIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cloud-native-design-best-practices"
	TestPodNodeSelectorAndAffinityBestPracticesDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestPodHighAvailabilityBestPracticesDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestPodDeploymentBestPracticesIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-no-naked-pods"
	TestDeploymentScalingIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestStatefulSetScalingIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestImagePullPolicyIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-use-imagepullpolicy-if-not-present"
	TestPodRecreationIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-upgrade-expectations"
	TestLivenessProbeIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestReadinessProbeIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"
	TestStartupProbeIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-pod-exit-status"
	// The suppression below presumably silences gosec's hard-coded-credential
	// heuristic, which matches on identifier names (here likely the "pass" in
	// "Bypass"); the value is a public documentation URL, not a secret.
	//nolint:gosec
	TestPodTolerationBypassIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-taints-and-tolerations"
	TestPersistentVolumeReclaimPolicyIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-csi"
	TestCPUIsolationIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cpu-isolation"
	TestCrdScalingIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-high-level-cnf-expectations"

	// Performance Test Suite
	TestExclusiveCPUPoolIdentifierDocLink = NoDocLinkFarEdge
	TestExclusiveCPUPoolSchedulingPolicyDocLink = NoDocLinkFarEdge
	TestIsolatedCPUPoolSchedulingPolicyDocLink = NoDocLinkFarEdge
	TestRtAppNoExecProbesDocLink = NoDocLinkFarEdge

	// Operator Test Suite
	// Every operator check reuses the single DocOperatorRequirement URL.
	DocOperatorRequirement = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-operator-requirements"
	TestOperatorInstallStatusSucceededIdentifierDocLink = DocOperatorRequirement
	TestOperatorNoPrivilegesDocLink = DocOperatorRequirement
	TestOperatorIsCertifiedIdentifierDocLink = DocOperatorRequirement
	TestOperatorIsInstalledViaOLMIdentifierDocLink = DocOperatorRequirement
	TestOperatorHasSemanticVersioningIdentifierDocLink = DocOperatorRequirement
	TestOperatorCrdSchemaIdentifierDocLink = DocOperatorRequirement
	TestOperatorCrdVersioningIdentifierDocLink = DocOperatorRequirement
	TestOperatorSingleCrdOwnerIdentifierDocLink = DocOperatorRequirement
	TestOperatorRunAsNonRootDocLink = DocOperatorRequirement
	TestOperatorAutomountTokensDocLink = DocOperatorRequirement
	TestOperatorReadOnlyFilesystemDocLink = DocOperatorRequirement
	TestOperatorPodsNoHugepagesDocLink = DocOperatorRequirement
	TestOperatorCatalogSourceBundleCountIdentifierDocLink = DocOperatorRequirement
	TestOperatorOlmSkipRangeDocLink = DocOperatorRequirement
	TestMultipleSameOperatorsIdentifierDocLink = DocOperatorRequirement

	// Observability Test Suite
	TestLoggingIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-logging"
	TestTerminationMessagePolicyIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-pod-exit-status"
	TestCrdsStatusSubresourceIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-cnf-operator-requirements"
	TestPodDisruptionBudgetIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-upgrade-expectations"
	TestAPICompatibilityWithNextOCPReleaseIdentifierDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-to-be-removed-apis"

	// Manageability Test Suite
	TestContainersImageTagDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-image-tagging"
	TestContainerPortNameFormatDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-requirements-cnf-reqs"
)
// Exception-process texts: what a partner is told about obtaining an exception
// for a test case. Entries shown as `` followed by an "N-byte string literal
// not displayed" comment are literals the documentation view elides; their
// wording is not visible in this listing.
const (
	// Tests with exception processes
	// TODO: Add more exception processes if/when we encounter more opportunities with partners
	IsRedHatReleaseExceptionProcess = `` /* 126-byte string literal not displayed */
	SecConNonRootUserExceptionProcess = `` /* 142-byte string literal not displayed */
	// For capability checks the exception is documentation-based: the message
	// asks for the pod to be identified and the need to be justified.
	SecConCapabilitiesExceptionProcess = `Identify the pod that is needing special capabilities and document why`

	// Tests that do not have an exception process but have additional insight
	UnalteredBaseImageExceptionProcess = `Images should not be changed during runtime. There is no exception process for this.`

	// Generic Exception Process Message
	NoDocumentedProcess = `There is no documented exception process for this.`

	// Generic provide info message
	ElaborateOnWhyItIsNeeded = `Please elaborate why it's needed and explain how it's used.`

	// No exception process for extended tests
	NoExceptionProcessForExtendedTests = `No exception needed for optional/extended tests.`

	// No exception process
	NoExceptions = `No exceptions`

	// Affiliated certification exception process: the generic
	// NoDocumentedProcess sentence followed by a note that the affiliated
	// certification test cases must be re-run after the other certifications
	// have been granted.
	AffiliatedCert = NoDocumentedProcess + " " + `A partner can run the Red Hat Best Practices Test Suite before passing other certifications (Container/Operator/HelmChart) but the affiliated certification test cases in the Red Hat Best Practices Test Suite must be re-run once the other certifications have been granted.` //nolint:lll

	OperatorSkipRangeExceptionProcess = `If there is not a version of the operator that needs to be skipped, then an exception will be granted.`
)
// Lower-case label strings. Presumably these are the tags attached to test
// cases and returned by GetTestIDAndLabels - confirm against the catalog code.
const (
	TagCommon    = `common`
	TagExtended  = `extended`
	TagTelco     = `telco`
	TagFarEdge   = `faredge`
	TagPreflight = `preflight`
)

// Capitalised scenario names. Presumably the inner keys used in Classification
// - confirm against the code that fills that map.
const (
	FarEdge  = `FarEdge`
	Telco    = `Telco`
	NonTelco = `NonTelco`
	Extended = `Extended`
)

// Requirement levels a test case can have.
const (
	Optional  = `Optional`
	Mandatory = `Mandatory`
)
// Remediation texts, one per test case (presumably surfaced to the user when
// the corresponding check fails - confirm against the catalog code).
// Entries shown as `` or "" followed by an "N-byte string literal not
// displayed" comment are literals the documentation view elides; their wording
// is not visible in this listing.
const (
	// The suppression below presumably silences gosec's hard-coded-credential
	// heuristic, which matches on identifier names (here likely "Token"); the
	// value is a remediation message, not a secret.
	//nolint:gosec
	AutomountServiceTokenRemediation = `` /* 305-byte string literal not displayed */
	IsRedHatReleaseRemediation = `Build a new container image that is based on UBI (Red Hat Universal Base Image).`
	NodeOperatingSystemRemediation = `Please update your workers to a version that is supported by your version of OpenShift`
	// Two separate non-root messages: one for the numeric "runAsUser" uid, one
	// for the "runAsNonRoot" flag.
	SecConNonRootUserRemediation = `Change the pod and containers "runAsUser" uid to something other than root(0)`
	// NOTE(review): the message text contains a duplicated "the".
	SecConRunAsNonRootUserRemediation = `Set the the pod and containers "runAsNonRoot" to true.`
	SecConRemediation = `` /* 198-byte string literal not displayed */
	UnalteredBaseImageRemediation = `` /* 380-byte string literal not displayed */
	OCPLifecycleRemediation = `Please update your cluster to a version that is generally available.`
	DeploymentScalingRemediation = `Ensure the workload's deployments/replica sets can scale in/out successfully.`
	CrdScalingRemediation = `Ensure the workload's CRDs can scale in/out successfully.`
	StatefulSetScalingRemediation = `Ensure the workload's statefulsets/replica sets can scale in/out successfully.`
	// Capability removals: NET_ADMIN, SYS_ADMIN, NET_RAW and IPC_LOCK share one
	// message; BPF has its own message below.
	SecConCapabilitiesRemediation = `Remove the following capabilities from the container/pod definitions: NET_ADMIN SCC, SYS_ADMIN SCC, NET_RAW SCC, IPC_LOCK SCC`
	BpfCapabilityRemediation = `Remove the following capability from the container/pod definitions: BPF`
	SecConPrivilegeRemediation = `Configure privilege escalation to false. Privileged escalation should not be allowed (AllowPrivilegeEscalation=false).`
	SecConReadOnlyFilesystem = `Ensure that the pods have the read-only root filesystem setting enabled.`
	// Host-resource checks (host port, network, path, IPC, PID); texts elided.
	ContainerHostPortRemediation = `` /* 141-byte string literal not displayed */
	PodHostNetworkRemediation = `` /* 153-byte string literal not displayed */
	PodHostPathRemediation = `` /* 147-byte string literal not displayed */
	PodHostIPCRemediation = `` /* 145-byte string literal not displayed */
	PodHostPIDRemediation = `` /* 145-byte string literal not displayed */
	HugepagesNotManuallyManipulatedRemediation = `` /* 535-byte string literal not displayed */
	ICMPv4ConnectivityRemediation = `` /* 382-byte string literal not displayed */
	ICMPv6ConnectivityRemediation = `` /* 423-byte string literal not displayed */
	ICMPv4ConnectivityMultusRemediation = `` /* 419-byte string literal not displayed */
	ICMPv6ConnectivityMultusRemediation = `` /* 375-byte string literal not displayed */
	TestServiceDualStackRemediation = `Configure every workload service with either a single stack ipv6 or dual stack (ipv4/ipv6) load balancer.`
	NamespaceBestPracticesRemediation = `` /* 175-byte string literal not displayed */
	NonTaintedNodeKernelsRemediation = `` /* 158-byte string literal not displayed */
	OperatorInstallStatusSucceededRemediation = `Ensure all the workload's operators have been successfully installed by OLM.`
	OperatorNoPrivilegesRemediation = `Ensure all the workload's operators have no privileges on cluster resources.`
	// NOTE(review): "OCP" here abbreviates the Operator Certification Program,
	// while OCPLifecycleRemediation and OCPReservedPortsUsageRemediation use OCP
	// in names about the cluster/OpenShift - the message may confuse readers.
	OperatorIsCertifiedRemediation = `Ensure that your Operator has passed Red Hat's Operator Certification Program (OCP).`
	HelmIsCertifiedRemediation = `` /* 143-byte string literal not displayed */
	OperatorIsInstalledViaOLMRemediation = `Ensure that your Operator is installed via OLM.`
	OperatorHasSemanticVersioningRemediation = `Ensure that the Operator has a valid semantic versioning.`
	OperatorCrdSchemaIdentifierRemediation = `Ensure that the Operator CRD is defined with OpenAPI spec.`
	OperatorRunAsNonRoot = `Ensure that the pods are running as non root.`
	OperatorAutomountTokens = `Ensure that the pods have the automount service account token disabled.`
	OperatorCrdVersioningRemediation = `Ensure that the Operator CRD has a valid version.`
	OperatorOlmSkipRangeRemediation = `` /* 146-byte string literal not displayed */
	OperatorSingleCrdOwnerRemediation = `Ensure that a CRD is owned by only one Operator`
	OperatorPodsNoHugepagesRemediation = `Ensure that the pods are not using hugepages`
	OperatorCatalogSourceBundleCountRemediation = `Ensure that the Operator's catalog source has a valid bundle count less than 1000.`
	MultipleSameOperatorsRemediation = `Ensure that only one Operator of the same type is installed in the cluster.`
	PodNodeSelectorAndAffinityBestPracticesRemediation = `` /* 207-byte string literal not displayed */
	PodHighAvailabilityBestPracticesRemediation = `` /* 137-byte string literal not displayed */
	PodClusterRoleBindingsBestPracticesRemediation = `` /* 277-byte string literal not displayed */
	PodDeploymentBestPracticesRemediation = `Deploy the workload using ReplicaSet/StatefulSet.`
	// NOTE(review): with IfNotPresent a node that already holds an image under
	// that name does not pull again, so a mutable tag can keep resolving to
	// older content; the advice is safest combined with immutable tags or
	// digest references.
	ImagePullPolicyRemediation = `Ensure that the containers under test are using IfNotPresent as Image Pull Policy.`
	PodRoleBindingsBestPracticesRemediation = `` /* 136-byte string literal not displayed */
	PodServiceAccountBestPracticesRemediation = `Ensure that the each workload Pod is configured to use a valid Service Account`
	ServicesDoNotUseNodeportsRemediation = `` /* 167-byte string literal not displayed */
	UnalteredStartupBootParamsRemediation = `` /* 244-byte string literal not displayed */
	PodRecreationRemediation = `` /* 222-byte string literal not displayed */
	SysctlConfigsRemediation = `You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes`
	ServiceMeshRemediation = `Ensure all the workload pods are using service mesh if the cluster provides it.`
	// Same text as DeploymentScalingRemediation.
	ScalingRemediation = `Ensure the workload's deployments/replica sets can scale in/out successfully.`
	IsSELinuxEnforcingRemediation = `Configure selinux and enable enforcing mode.`
	UndeclaredContainerPortsRemediation = `Ensure the workload's apps do not listen on undeclared containers' ports.`
	CrdsStatusSubresourceRemediation = `` /* 130-byte string literal not displayed */
	LoggingRemediation = `Ensure containers are not redirecting stdout/stderr`
	TerminationMessagePolicyRemediation = `Ensure containers are all using FallbackToLogsOnError in terminationMessagePolicy`
	LivenessProbeRemediation = `Add a liveness probe to deployed containers.`
	ReadinessProbeRemediation = `Add a readiness probe to deployed containers`
	StartupProbeRemediation = `Add a startup probe to deployed containers`
	OneProcessPerContainerRemediation = `Launch only one process per container. Should adhere to 1 process per container best practice wherever possible.`
	// Unlike the capability messages above, the next two ask for a capability to
	// be added. SYS_PTRACE lets a process trace other processes it can see, so
	// it should stay limited to pods that actually share a process namespace.
	SysPtraceCapabilityRemediation = `Allow the SYS_PTRACE capability when enabling process namespace sharing for a Pod`
	SYSNiceRealtimeCapabilityRemediation = `If pods are scheduled to realtime kernel nodes, they must add SYS_NICE capability to their spec.`
	OCPReservedPortsUsageRemediation = `` /* 183-byte string literal not displayed */
	RequestsAndLimitsRemediation = `` /* 151-byte string literal not displayed */
	NamespaceResourceQuotaRemediation = `` /* 128-byte string literal not displayed */
	PodDisruptionBudgetRemediation = `Ensure minAvailable is not zero and maxUnavailable does not equal the number of pods in the replica`
	APICompatibilityWithNextOCPReleaseRemediation = `Ensure the APIs the workload uses are compatible with the next OCP version`
	// As above: presumably a name-based gosec false positive ("pass" in
	// "Bypass"); the value is a remediation message.
	//nolint:gosec
	PodTolerationBypassRemediation = `` /* 126-byte string literal not displayed */
	PersistentVolumeReclaimPolicyRemediation = `Ensure that all persistent volumes are using the reclaim policy: delete`
	// NOTE(review): the examples given (latest, stable, dev) are mutable tags; a
	// tag alone does not pin image content the way a digest reference does.
	ContainersImageTagRemediation = `Ensure that all the container images are tagged. Checks containers have image tags (e.g. latest, stable, dev).`
	NoSSHDaemonsAllowedRemediation = `Ensure that no SSH daemons are running inside a pod. Pods should not run as SSH Daemons (replicaset or statefulset only).`
	NetworkPolicyDenyAllRemediation = `` /* 164-byte string literal not displayed */
	CPUIsolationRemediation = `CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements.`
	UID1337Remediation = `Use another process UID that is not 1337.`
	LimitedUseOfExecProbesRemediation = `` /* 166-byte string literal not displayed */
	ReservedPartnerPortsRemediation = `Ensure ports are not being used that are reserved by our partner`
	AffinityRequiredRemediation = `` /* 185-byte string literal not displayed */
	ContainerPortNameFormatRemediation = `Ensure that the container's ports name follow our partner naming conventions`
	DpdkCPUPinningExecProbeRemediation = "" /* 178-byte string literal not displayed */
	CheckStorageProvisionerRemediation = `` /* 229-byte string literal not displayed */
	ExclusiveCPUPoolRemediation = `Ensure that if one container in a Pod selects an exclusive CPU pool the rest also select this type of CPU pool`
	ExclusiveCPUPoolSchedulingPolicyRemediation = `` /* 140-byte string literal not displayed */
	IsolatedCPUPoolSchedulingPolicyRemediation = `` /* 163-byte string literal not displayed */
	RtAppNoExecProbesRemediation = `Ensure that if one container runs a real time application exec probes are not used`
	SRIOVPodsRestartOnRebootLabelRemediation = `Ensure that the label restart-on-reboot exists on pods that use SRIOV network interfaces.`
	SRIOVNetworkAttachmentDefinitionMTURemediation = `Ensure that the MTU of the SR-IOV network attachment definition is set explicitly.`
	// The message itself gives the reason: Helm v2 is rejected because of the
	// security risks associated with Tiller.
	HelmVersionV3Remediation = `Check Helm Chart is v3 and not v2 which is not supported due to security risks associated with Tiller.`
	ContainerIsCertifiedDigestRemediation = "Ensure that your container has passed the Red Hat Container Certification Program (CCP)."
	PodHugePages2MRemediation = "Modify pod to consume 2Mi hugepages only"
	PodHugePages1GRemediation = "Modify pod to consume 1Gi hugepages only"
	// Named without the Remediation suffix used by the other entries.
	HyperThreadEnable = "Check that baremetal workers have hyperthreading enabled"
	ContainerPostStartIdentifierRemediation = `` /* 133-byte string literal not displayed */
	ContainerPrestopIdentifierRemediation = `` /* 132-byte string literal not displayed */
)
// NotApplicableSNO is a sentence fragment stating that a test does not apply to
// SNO applications. The value starts with a space, so it is presumably meant to
// be appended to another message - confirm at the call sites.
const NotApplicableSNO = " Not applicable to SNO applications."
Variables ¶
// Claim identifiers, one per test case. They are declared here without an
// initial value; presumably InitCatalog/AddCatalogEntry assign them - confirm.
// Being exported package variables, they can be reassigned by any importer, so
// callers should treat them as read-only.
var (
	TestICMPv4ConnectivityIdentifier,
	TestNetworkPolicyDenyAllIdentifier,
	Test1337UIDIdentifier,
	TestContainerIsCertifiedDigestIdentifier,
	TestHelmVersionIdentifier,
	TestPodHugePages2M,
	TestPodHugePages1G,
	TestHyperThreadEnable,
	TestReservedExtendedPartnerPorts,
	TestAffinityRequiredPods,
	TestContainerPostStartIdentifier,
	TestContainerPrestopIdentifier,
	TestDpdkCPUPinningExecProbe claim.Identifier

	// Linux capability checks.
	TestSysAdminIdentifier,
	TestNetAdminIdentifier,
	TestNetRawIdentifier,
	TestIpcLockIdentifier,
	TestBpfIdentifier claim.Identifier

	TestStorageProvisioner,
	TestExclusiveCPUPoolIdentifier,
	TestExclusiveCPUPoolSchedulingPolicy,
	TestIsolatedCPUPoolSchedulingPolicy,
	TestRtAppNoExecProbes,
	TestRestartOnRebootLabelOnPodsUsingSRIOV claim.Identifier

	// Security-context and host-resource checks.
	TestSecConNonRootUserIDIdentifier,
	TestSecConRunAsNonRootIdentifier,
	TestNetworkAttachmentDefinitionSRIOVUsingMTU,
	TestSecContextIdentifier,
	TestSecConPrivilegeEscalation,
	TestContainerHostPort,
	TestPodHostNetwork,
	TestPodHostPath,
	TestPodHostIPC,
	TestPodHostPID claim.Identifier

	TestHugepagesNotManuallyManipulated,
	TestICMPv6ConnectivityIdentifier,
	TestICMPv4ConnectivityMultusIdentifier,
	TestICMPv6ConnectivityMultusIdentifier,
	TestServiceDualStackIdentifier,
	TestNamespaceBestPracticesIdentifier,
	TestNonTaintedNodeKernelsIdentifier claim.Identifier

	// Operator and Helm checks.
	TestOperatorInstallStatusSucceededIdentifier,
	TestOperatorNoSCCAccess,
	TestOperatorIsCertifiedIdentifier,
	TestHelmIsCertifiedIdentifier,
	TestOperatorIsInstalledViaOLMIdentifier,
	TestOperatorHasSemanticVersioningIdentifier,
	TestSecConReadOnlyFilesystem,
	TestOperatorOlmSkipRange,
	TestOperatorAutomountTokens,
	TestOperatorRunAsNonRoot,
	TestOperatorCrdVersioningIdentifier,
	TestOperatorCrdSchemaIdentifier,
	TestOperatorSingleCrdOwnerIdentifier,
	TestOperatorPodsNoHugepages,
	TestMultipleSameOperatorsIdentifier,
	TestOperatorCatalogSourceBundleCountIdentifier claim.Identifier

	TestPodNodeSelectorAndAffinityBestPractices,
	TestPodHighAvailabilityBestPractices,
	TestPodClusterRoleBindingsBestPracticesIdentifier,
	TestPodDeploymentBestPracticesIdentifier,
	TestDeploymentScalingIdentifier,
	TestStatefulSetScalingIdentifier,
	TestImagePullPolicyIdentifier,
	TestPodRecreationIdentifier,
	TestPodRoleBindingsBestPracticesIdentifier,
	TestPodServiceAccountBestPracticesIdentifier,
	TestPodAutomountServiceAccountIdentifier,
	TestServicesDoNotUseNodeportsIdentifier claim.Identifier

	TestUnalteredBaseImageIdentifier,
	TestUnalteredStartupBootParamsIdentifier,
	TestLoggingIdentifier,
	TestTerminationMessagePolicyIdentifier,
	TestCrdsStatusSubresourceIdentifier,
	TestSysctlConfigsIdentifier,
	TestServiceMeshIdentifier,
	TestOCPLifecycleIdentifier,
	TestNodeOperatingSystemIdentifier,
	TestIsRedHatReleaseIdentifier,
	TestIsSELinuxEnforcingIdentifier,
	TestUndeclaredContainerPortsUsage,
	TestOCPReservedPortsUsage claim.Identifier

	TestLivenessProbeIdentifier,
	TestReadinessProbeIdentifier,
	TestStartupProbeIdentifier,
	TestOneProcessPerContainerIdentifier,
	TestSYSNiceRealtimeCapabilityIdentifier,
	TestSysPtraceCapabilityIdentifier,
	TestPodRequestsAndLimitsIdentifier,
	TestNamespaceResourceQuotaIdentifier,
	TestPodDisruptionBudgetIdentifier,
	TestAPICompatibilityWithNextOCPReleaseIdentifier,
	TestPodTolerationBypassIdentifier,
	TestPersistentVolumeReclaimPolicyIdentifier claim.Identifier

	TestContainersImageTag,
	TestNoSSHDaemonsAllowedIdentifier,
	TestCPUIsolationIdentifier,
	TestContainerPortNameFormat,
	TestCrdScalingIdentifier,
	TestCrdRoleIdentifier,
	TestLimitedUseOfExecProbesIdentifier claim.Identifier
)
// Catalog holds the test case descriptions, keyed by claim identifier. It is
// created empty here. It is an exported, unsynchronized map: if it is ever
// filled or read from more than one goroutine, access has to be serialized by
// the caller.
var Catalog = make(map[claim.Identifier]claim.TestCaseDescription)
Catalog is the JUnit testcase catalog of tests.
// Classification is a two-level string map, created empty here. Presumably the
// outer key is a test ID and the inner map goes from a scenario name
// (FarEdge/Telco/NonTelco/Extended) to Optional or Mandatory - confirm against
// the code that fills it.
var Classification = make(map[string]map[string]string)
// TestIDToClaimID maps a test case's short ID to its claim identifier. It is
// created empty here.
var TestIDToClaimID = make(map[string]claim.Identifier)
Functions ¶
func AddCatalogEntry ¶
func GetTestIDAndLabels ¶
func GetTestIDAndLabels(identifier claim.Identifier) (testID string, tags []string)
GetTestIDAndLabels transforms the claim.Identifier into a test ID that can be used to skip specific tests.
func InitCatalog ¶
func InitCatalog() map[claim.Identifier]claim.TestCaseDescription
Types ¶
This section is empty.