Add clarification for cpu-isolation test in catalog #1401

Merged
48 changes: 40 additions & 8 deletions CATALOG.md
Expand Up @@ -7,27 +7,27 @@ Depending on the CNF type, not all tests are required to pass to satisfy best pr

## Test cases summary

### Total test cases: 88
### Total test cases: 90

### Total suites: 9

|Suite|Tests per suite|
|---|---|
|access-control|27|
|access-control|28|
|affiliated-certification|5|
|lifecycle|18|
|manageability|2|
|networking|11|
|observability|4|
|operator|3|
|performance|6|
|platform-alteration|12|
|platform-alteration|13|

### Extended specific tests only: 11
### Extended specific tests only: 12

|Mandatory|Optional|
|---|---|
|9|2|
|9|3|

### Far-Edge specific tests only: 8
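
Review bot: The summary counts in this hunk change for reasons the PR title does not cover: total test cases goes from 88 to 90, access-control from 27 to 28, platform-alteration from 12 to 13, and the Extended and Telco totals each gain one, while the stated change is a wording clarification for cpu-isolation. The arithmetic matches the two catalog entries added further down (access-control-bpf-capability-check and platform-alteration-hyperthread-enable), so this looks like a regenerated catalog picking up entries whose catalog text had not been committed yet. Worth saying so in the PR description, or regenerating the catalog in its own commit, so the wording change can be reviewed in isolation.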

Expand All @@ -41,18 +41,34 @@ Depending on the CNF type, not all tests are required to pass to satisfy best pr
|---|---|
|39|3|

### Telco specific tests only: 27
### Telco specific tests only: 28

|Mandatory|Optional|
|---|---|
|27|0|
|28|0|

## Test Case list

Test Cases are the specifications used to perform a meaningful test. Test cases may run once, or several times against several targets. CNF Certification includes a number of normative and informative tests to ensure CNFs follow best practices. Here is the list of available Test Cases:

### access-control

#### access-control-bpf-capability-check

Property|Description
---|---
Unique ID|access-control-bpf-capability-check
Description|Ensures that containers do not use BFP capability. CNF should avoid loading eBPF filters
Suggested Remediation|Remove the following capability from the container/pod definitions: BPF
Best Practice Reference|No Doc Link - Telco
Exception Process|Exception can be considered. Must identify which container requires the capability and detail why.
Tags|telco,access-control
|**Scenario**|**Optional/Mandatory**|
|Extended|Mandatory|
|Far-Edge|Mandatory|
|Non-Telco|Optional|
|Telco|Mandatory|

#### access-control-cluster-role-bindings

Property|Description
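
Review bot: The Description row of access-control-bpf-capability-check has a typo, "BFP capability" should read "BPF capability"; the Unique ID and the Suggested Remediation row both spell it BPF. The cpu-isolation text in this PR appears identically in CATALOG.md and identifiers.go, so if the catalog is generated from the identifier strings the fix belongs in the source string. Separately, the test is Mandatory for Extended, Far-Edge and Telco, and the exception process asks teams to justify the capability, yet Best Practice Reference is "No Doc Link - Telco"; a link or a one-line rationale would give them something to justify against.
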
Expand Down Expand Up @@ -622,7 +638,7 @@ Tags|telco,lifecycle
Property|Description
---|---
Unique ID|lifecycle-cpu-isolation
Description|CPU isolation requires: For each container within the pod, resource requests and limits must be identical. Request and Limits are in the form of whole CPUs. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.
Description|CPU isolation requires: For each container within the pod, resource requests and limits must be identical. If cpu requests and limits are not identical and in whole units (Guaranteed pods with exclusive cpus), your pods will not be tested for compliance. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.
Suggested Remediation|CPU isolation testing is enabled. Please ensure that all pods adhere to the CPU isolation requirements.
Best Practice Reference|https://test-network-function.github.io/cnf-best-practices/#cnf-best-practices-cpu-isolation
Exception Process|There is no documented exception process for this.
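
Review bot: The new second sentence of the Description is ambiguous about which pods are skipped: in "If cpu requests and limits are not identical and in whole units (Guaranteed pods with exclusive cpus), your pods will not be tested for compliance", the "not" can be read as covering only "identical" or both conditions, and the parenthetical describes the pods that do qualify rather than the ones being excluded. It also directly follows "resource requests and limits must be identical", so the same property reads first as a requirement and then as a precondition for being tested at all. Suggest stating the scope positively, for example "Only Guaranteed pods with exclusive CPUs (identical CPU requests and limits, in whole units) are tested; other pods are skipped", and writing "CPU" consistently.
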
Expand Down Expand Up @@ -1365,6 +1381,22 @@ Tags|common,platform-alteration
|Non-Telco|Mandatory|
|Telco|Mandatory|

#### platform-alteration-hyperthread-enable

Property|Description
---|---
Unique ID|platform-alteration-hyperthread-enable
Description|Check that baremetal workers have hyperthreading enabled
Suggested Remediation|Check that baremetal workers have hyperthreading enabled
Best Practice Reference|No Doc Link - Extended
Exception Process|There is no documented exception process for this.
Tags|extended,platform-alteration
|**Scenario**|**Optional/Mandatory**|
|Extended|Optional|
|Far-Edge|Optional|
|Non-Telco|Optional|
|Telco|Optional|

#### platform-alteration-is-selinux-enforcing

Property|Description
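
Review bot: The Suggested Remediation row for platform-alteration-hyperthread-enable repeats the Description verbatim ("Check that baremetal workers have hyperthreading enabled"), so a failing result gives the operator no action to take. Suggest wording the remediation as the step to perform and naming what the test inspects to reach its verdict. Since the test is Optional in all four scenarios and the reference is "No Doc Link - Extended", one sentence on why hyperthreading is expected would help readers decide whether the test applies to them.
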
2 changes: 1 addition & 1 deletion cnf-certification-test/identifiers/identifiers.go
Expand Up @@ -1548,7 +1548,7 @@ tag. (2) It does not have any of the following prefixes: default, openshift-, is
TestCPUIsolationIdentifier = AddCatalogEntry(
"cpu-isolation",
common.LifecycleTestKey,
`CPU isolation requires: For each container within the pod, resource requests and limits must be identical. Request and Limits are in the form of whole CPUs. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.`, //nolint:lll
`CPU isolation requires: For each container within the pod, resource requests and limits must be identical. If cpu requests and limits are not identical and in whole units (Guaranteed pods with exclusive cpus), your pods will not be tested for compliance. The runTimeClassName must be specified. Annotations required disabling CPU and IRQ load-balancing.`, //nolint:lll
CPUIsolationRemediation,
NoDocumentedProcess,
TestCPUIsolationIdentifierDocLink,
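
Review bot: CPUIsolationRemediation is passed unchanged on the line after the new description, but the description now says that pods which are not Guaranteed with exclusive CPUs "will not be tested for compliance". The remediation text shown for this entry in CATALOG.md still reads "Please ensure that all pods adhere to the CPU isolation requirements", which gives a user no way to tell a skipped pod from a compliant one. Suggest updating the remediation string in the same change so it says that pods outside the tested scope are skipped and what makes a pod eligible.
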