Operator Installation outside of targetNamespace

redhat-best-practices-for-k8s · Nov 25, 2024 · 20aff2f · 20aff2f
1 parent e0006f2
commit 20aff2f
Show file tree

Hide file tree

Showing 4 changed files with 202 additions and 104 deletions.
diff --git a/pkg/autodiscover/autodiscover_operators.go b/pkg/autodiscover/autodiscover_operators.go
@@ -116,6 +116,7 @@ func getAllNamespaces(oc corev1client.CoreV1Interface) (allNs []string, err erro
 	}
 	return allNs, nil
 }
+
 func getAllOperators(olmClient clientOlm.Interface) ([]*olmv1Alpha.ClusterServiceVersion, error) {
 	csvs := []*olmv1Alpha.ClusterServiceVersion{}
 

diff --git a/tests/identifiers/identifiers.go b/tests/identifiers/identifiers.go
@@ -76,108 +76,109 @@ func AddCatalogEntry(testID, suiteName, description, remediation, exception, ref
 }
 
 var (
-	TestICMPv4ConnectivityIdentifier                  claim.Identifier
-	TestNetworkPolicyDenyAllIdentifier                claim.Identifier
-	Test1337UIDIdentifier                             claim.Identifier
-	TestContainerIsCertifiedDigestIdentifier          claim.Identifier
-	TestHelmVersionIdentifier                         claim.Identifier
-	TestPodHugePages2M                                claim.Identifier
-	TestPodHugePages1G                                claim.Identifier
-	TestHyperThreadEnable                             claim.Identifier
-	TestReservedExtendedPartnerPorts                  claim.Identifier
-	TestAffinityRequiredPods                          claim.Identifier
-	TestContainerPostStartIdentifier                  claim.Identifier
-	TestContainerPrestopIdentifier                    claim.Identifier
-	TestDpdkCPUPinningExecProbe                       claim.Identifier
-	TestSysAdminIdentifier                            claim.Identifier
-	TestNetAdminIdentifier                            claim.Identifier
-	TestNetRawIdentifier                              claim.Identifier
-	TestIpcLockIdentifier                             claim.Identifier
-	TestBpfIdentifier                                 claim.Identifier
-	TestStorageProvisioner                            claim.Identifier
-	TestExclusiveCPUPoolIdentifier                    claim.Identifier
-	TestSharedCPUPoolSchedulingPolicy                 claim.Identifier
-	TestExclusiveCPUPoolSchedulingPolicy              claim.Identifier
-	TestIsolatedCPUPoolSchedulingPolicy               claim.Identifier
-	TestRtAppNoExecProbes                             claim.Identifier
-	TestRestartOnRebootLabelOnPodsUsingSRIOV          claim.Identifier
-	TestSecConNonRootUserIDIdentifier                 claim.Identifier
-	TestSecConRunAsNonRootIdentifier                  claim.Identifier
-	TestNetworkAttachmentDefinitionSRIOVUsingMTU      claim.Identifier
-	TestSecContextIdentifier                          claim.Identifier
-	TestSecConPrivilegeEscalation                     claim.Identifier
-	TestContainerHostPort                             claim.Identifier
-	TestPodHostNetwork                                claim.Identifier
-	TestPodHostPath                                   claim.Identifier
-	TestPodHostIPC                                    claim.Identifier
-	TestPodHostPID                                    claim.Identifier
-	TestHugepagesNotManuallyManipulated               claim.Identifier
-	TestICMPv6ConnectivityIdentifier                  claim.Identifier
-	TestICMPv4ConnectivityMultusIdentifier            claim.Identifier
-	TestICMPv6ConnectivityMultusIdentifier            claim.Identifier
-	TestServiceDualStackIdentifier                    claim.Identifier
-	TestNamespaceBestPracticesIdentifier              claim.Identifier
-	TestNonTaintedNodeKernelsIdentifier               claim.Identifier
-	TestOperatorInstallStatusSucceededIdentifier      claim.Identifier
-	TestOperatorNoSCCAccess                           claim.Identifier
-	TestOperatorIsCertifiedIdentifier                 claim.Identifier
-	TestHelmIsCertifiedIdentifier                     claim.Identifier
-	TestOperatorIsInstalledViaOLMIdentifier           claim.Identifier
-	TestOperatorHasSemanticVersioningIdentifier       claim.Identifier
-	TestSecConReadOnlyFilesystem                      claim.Identifier
-	TestOperatorOlmSkipRange                          claim.Identifier
-	TestOperatorAutomountTokens                       claim.Identifier
-	TestOperatorRunAsNonRoot                          claim.Identifier
-	TestOperatorRunAsUserID                           claim.Identifier
-	TestOperatorCrdVersioningIdentifier               claim.Identifier
-	TestOperatorCrdSchemaIdentifier                   claim.Identifier
-	TestOperatorSingleCrdOwnerIdentifier              claim.Identifier
-	TestOperatorPodsNoHugepages                       claim.Identifier
-	TestMultipleSameOperatorsIdentifier               claim.Identifier
-	TestPodNodeSelectorAndAffinityBestPractices       claim.Identifier
-	TestPodHighAvailabilityBestPractices              claim.Identifier
-	TestPodClusterRoleBindingsBestPracticesIdentifier claim.Identifier
-	TestPodDeploymentBestPracticesIdentifier          claim.Identifier
-	TestDeploymentScalingIdentifier                   claim.Identifier
-	TestStatefulSetScalingIdentifier                  claim.Identifier
-	TestImagePullPolicyIdentifier                     claim.Identifier
-	TestPodRecreationIdentifier                       claim.Identifier
-	TestPodRoleBindingsBestPracticesIdentifier        claim.Identifier
-	TestPodServiceAccountBestPracticesIdentifier      claim.Identifier
-	TestPodAutomountServiceAccountIdentifier          claim.Identifier
-	TestServicesDoNotUseNodeportsIdentifier           claim.Identifier
-	TestUnalteredBaseImageIdentifier                  claim.Identifier
-	TestUnalteredStartupBootParamsIdentifier          claim.Identifier
-	TestLoggingIdentifier                             claim.Identifier
-	TestTerminationMessagePolicyIdentifier            claim.Identifier
-	TestCrdsStatusSubresourceIdentifier               claim.Identifier
-	TestSysctlConfigsIdentifier                       claim.Identifier
-	TestServiceMeshIdentifier                         claim.Identifier
-	TestOCPLifecycleIdentifier                        claim.Identifier
-	TestNodeOperatingSystemIdentifier                 claim.Identifier
-	TestIsRedHatReleaseIdentifier                     claim.Identifier
-	TestIsSELinuxEnforcingIdentifier                  claim.Identifier
-	TestUndeclaredContainerPortsUsage                 claim.Identifier
-	TestOCPReservedPortsUsage                         claim.Identifier
-	TestLivenessProbeIdentifier                       claim.Identifier
-	TestReadinessProbeIdentifier                      claim.Identifier
-	TestStartupProbeIdentifier                        claim.Identifier
-	TestOneProcessPerContainerIdentifier              claim.Identifier
-	TestSYSNiceRealtimeCapabilityIdentifier           claim.Identifier
-	TestSysPtraceCapabilityIdentifier                 claim.Identifier
-	TestPodRequestsAndLimitsIdentifier                claim.Identifier
-	TestNamespaceResourceQuotaIdentifier              claim.Identifier
-	TestPodDisruptionBudgetIdentifier                 claim.Identifier
-	TestAPICompatibilityWithNextOCPReleaseIdentifier  claim.Identifier
-	TestPodTolerationBypassIdentifier                 claim.Identifier
-	TestPersistentVolumeReclaimPolicyIdentifier       claim.Identifier
-	TestContainersImageTag                            claim.Identifier
-	TestNoSSHDaemonsAllowedIdentifier                 claim.Identifier
-	TestCPUIsolationIdentifier                        claim.Identifier
-	TestContainerPortNameFormat                       claim.Identifier
-	TestCrdScalingIdentifier                          claim.Identifier
-	TestCrdRoleIdentifier                             claim.Identifier
-	TestLimitedUseOfExecProbesIdentifier              claim.Identifier
+	TestICMPv4ConnectivityIdentifier                      claim.Identifier
+	TestNetworkPolicyDenyAllIdentifier                    claim.Identifier
+	Test1337UIDIdentifier                                 claim.Identifier
+	TestContainerIsCertifiedDigestIdentifier              claim.Identifier
+	TestHelmVersionIdentifier                             claim.Identifier
+	TestPodHugePages2M                                    claim.Identifier
+	TestPodHugePages1G                                    claim.Identifier
+	TestHyperThreadEnable                                 claim.Identifier
+	TestReservedExtendedPartnerPorts                      claim.Identifier
+	TestAffinityRequiredPods                              claim.Identifier
+	TestContainerPostStartIdentifier                      claim.Identifier
+	TestContainerPrestopIdentifier                        claim.Identifier
+	TestDpdkCPUPinningExecProbe                           claim.Identifier
+	TestSysAdminIdentifier                                claim.Identifier
+	TestNetAdminIdentifier                                claim.Identifier
+	TestNetRawIdentifier                                  claim.Identifier
+	TestIpcLockIdentifier                                 claim.Identifier
+	TestBpfIdentifier                                     claim.Identifier
+	TestStorageProvisioner                                claim.Identifier
+	TestExclusiveCPUPoolIdentifier                        claim.Identifier
+	TestSharedCPUPoolSchedulingPolicy                     claim.Identifier
+	TestExclusiveCPUPoolSchedulingPolicy                  claim.Identifier
+	TestIsolatedCPUPoolSchedulingPolicy                   claim.Identifier
+	TestRtAppNoExecProbes                                 claim.Identifier
+	TestRestartOnRebootLabelOnPodsUsingSRIOV              claim.Identifier
+	TestSecConNonRootUserIDIdentifier                     claim.Identifier
+	TestSecConRunAsNonRootIdentifier                      claim.Identifier
+	TestNetworkAttachmentDefinitionSRIOVUsingMTU          claim.Identifier
+	TestSecContextIdentifier                              claim.Identifier
+	TestSecConPrivilegeEscalation                         claim.Identifier
+	TestContainerHostPort                                 claim.Identifier
+	TestPodHostNetwork                                    claim.Identifier
+	TestPodHostPath                                       claim.Identifier
+	TestPodHostIPC                                        claim.Identifier
+	TestPodHostPID                                        claim.Identifier
+	TestHugepagesNotManuallyManipulated                   claim.Identifier
+	TestICMPv6ConnectivityIdentifier                      claim.Identifier
+	TestICMPv4ConnectivityMultusIdentifier                claim.Identifier
+	TestICMPv6ConnectivityMultusIdentifier                claim.Identifier
+	TestServiceDualStackIdentifier                        claim.Identifier
+	TestNamespaceBestPracticesIdentifier                  claim.Identifier
+	TestNonTaintedNodeKernelsIdentifier                   claim.Identifier
+	TestOperatorInstallStatusSucceededIdentifier          claim.Identifier
+	TestOperatorNoSCCAccess                               claim.Identifier
+	TestOperatorIsCertifiedIdentifier                     claim.Identifier
+	TestHelmIsCertifiedIdentifier                         claim.Identifier
+	TestOperatorIsInstalledViaOLMIdentifier               claim.Identifier
+	TestOperatorHasSemanticVersioningIdentifier           claim.Identifier
+	TestSecConReadOnlyFilesystem                          claim.Identifier
+	TestOperatorOlmSkipRange                              claim.Identifier
+	TestOperatorAutomountTokens                           claim.Identifier
+	TestOperatorRunAsNonRoot                              claim.Identifier
+	TestOperatorRunAsUserID                               claim.Identifier
+	TestOperatorCrdVersioningIdentifier                   claim.Identifier
+	TestOperatorCrdSchemaIdentifier                       claim.Identifier
+	TestOperatorSingleCrdOwnerIdentifier                  claim.Identifier
+	TestOperatorPodsNoHugepages                           claim.Identifier
+	TestMultipleSameOperatorsIdentifier                   claim.Identifier
+	TestInstalledSingleNamespaceOperatorInTenantNamespace claim.Identifier
+	TestPodNodeSelectorAndAffinityBestPractices           claim.Identifier
+	TestPodHighAvailabilityBestPractices                  claim.Identifier
+	TestPodClusterRoleBindingsBestPracticesIdentifier     claim.Identifier
+	TestPodDeploymentBestPracticesIdentifier              claim.Identifier
+	TestDeploymentScalingIdentifier                       claim.Identifier
+	TestStatefulSetScalingIdentifier                      claim.Identifier
+	TestImagePullPolicyIdentifier                         claim.Identifier
+	TestPodRecreationIdentifier                           claim.Identifier
+	TestPodRoleBindingsBestPracticesIdentifier            claim.Identifier
+	TestPodServiceAccountBestPracticesIdentifier          claim.Identifier
+	TestPodAutomountServiceAccountIdentifier              claim.Identifier
+	TestServicesDoNotUseNodeportsIdentifier               claim.Identifier
+	TestUnalteredBaseImageIdentifier                      claim.Identifier
+	TestUnalteredStartupBootParamsIdentifier              claim.Identifier
+	TestLoggingIdentifier                                 claim.Identifier
+	TestTerminationMessagePolicyIdentifier                claim.Identifier
+	TestCrdsStatusSubresourceIdentifier                   claim.Identifier
+	TestSysctlConfigsIdentifier                           claim.Identifier
+	TestServiceMeshIdentifier                             claim.Identifier
+	TestOCPLifecycleIdentifier                            claim.Identifier
+	TestNodeOperatingSystemIdentifier                     claim.Identifier
+	TestIsRedHatReleaseIdentifier                         claim.Identifier
+	TestIsSELinuxEnforcingIdentifier                      claim.Identifier
+	TestUndeclaredContainerPortsUsage                     claim.Identifier
+	TestOCPReservedPortsUsage                             claim.Identifier
+	TestLivenessProbeIdentifier                           claim.Identifier
+	TestReadinessProbeIdentifier                          claim.Identifier
+	TestStartupProbeIdentifier                            claim.Identifier
+	TestOneProcessPerContainerIdentifier                  claim.Identifier
+	TestSYSNiceRealtimeCapabilityIdentifier               claim.Identifier
+	TestSysPtraceCapabilityIdentifier                     claim.Identifier
+	TestPodRequestsAndLimitsIdentifier                    claim.Identifier
+	TestNamespaceResourceQuotaIdentifier                  claim.Identifier
+	TestPodDisruptionBudgetIdentifier                     claim.Identifier
+	TestAPICompatibilityWithNextOCPReleaseIdentifier      claim.Identifier
+	TestPodTolerationBypassIdentifier                     claim.Identifier
+	TestPersistentVolumeReclaimPolicyIdentifier           claim.Identifier
+	TestContainersImageTag                                claim.Identifier
+	TestNoSSHDaemonsAllowedIdentifier                     claim.Identifier
+	TestCPUIsolationIdentifier                            claim.Identifier
+	TestContainerPortNameFormat                           claim.Identifier
+	TestCrdScalingIdentifier                              claim.Identifier
+	TestCrdRoleIdentifier                                 claim.Identifier
+	TestLimitedUseOfExecProbesIdentifier                  claim.Identifier
 	// Chaos Testing
 	// TestPodDeleteIdentifier claim.Identifier
 )

diff --git a/tests/operator/helper.go b/tests/operator/helper.go
@@ -20,7 +20,11 @@ Package operator provides CNFCERT tests used to validate operator CNF facets.
 
 package operator
 
-import "strings"
+import (
+	"strings"
+
+	"github.com/operator-framework/api/pkg/operators/v1alpha1"
+)
 
 // CsvResult holds the results of the splitCsv function.
 type CsvResult struct {
@@ -45,3 +49,12 @@ func SplitCsv(csv string) CsvResult {
 	}
 	return result
 }
+
+func IsInstallModeSingleNamespace(installModes []v1alpha1.InstallMode) bool {
+	for i := 0; i < len(installModes); i++ {
+		if installModes[i].Type == v1alpha1.InstallModeTypeSingleNamespace {
+			return true
+		}
+	}
+	return false
+}
diff --git a/tests/operator/suite.go b/tests/operator/suite.go
@@ -28,6 +28,8 @@ import (
 	"github.com/redhat-best-practices-for-k8s/certsuite/pkg/provider"
 	"github.com/redhat-best-practices-for-k8s/certsuite/pkg/testhelper"
 	"github.com/redhat-best-practices-for-k8s/certsuite/pkg/versions"
+
+	v1 "github.com/operator-framework/api/pkg/operators/v1"
 )
 
 var (
@@ -115,9 +117,90 @@ func LoadChecks() {
 			testMultipleSameOperators(c, &env)
 			return nil
 		}))
+
+	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestInstalledSingleNamespaceOperatorInTenantNamespace)).
+		WithSkipCheckFn(testhelper.GetNoOperatorsSkipFn(&env)).
+		WithCheckFn(func(c *checksdb.Check) error {
+			testInstalledSingleNamespaceOperatorInTenanttNamespace(c, &env)
+			return nil
+		}))
+
+}
+
+/*
+Checks :
+
+ 1. Operators whose InstallTypeMode is not SingleNamespace must not be installed in the namespaces specified by targetNamespace
+    in the OperatorGroup of the operators
+
+ 2. Operators that are SingleNamespace must have CRs in only tenant namespace
+*/
+func testInstalledSingleNamespaceOperatorInTenanttNamespace(check *checksdb.Check, env *provider.TestEnvironment) {
+	check.LogInfo("Starting testInstalledSingleNamespaceOperatorInTenanttNamespace")
+	var compliantObjects []*testhelper.ReportObject
+	var nonCompliantObjects []*testhelper.ReportObject
+
+	for _, operator := range env.Operators {
+		check.LogInfo("Checking crd %s in namespace %s ", operator.Name, operator.Namespace)
+
+		csv := operator.Csv
+
+		operatorNamespace := csv.Annotations["olm.operatorNamespace"]
+		operatorGroupName := csv.Annotations["olm.operatorGroup"]
+
+		targetNamespacesStr := csv.Annotations["olm.targetNamespaces"]
+		operatorTargetNamespaces := strings.Split(targetNamespacesStr, ",")
+		check.LogInfo("operatorNamespace %s, targetNamespaces %v", operatorNamespace, operatorTargetNamespaces)
+
+		var operatorGroup *v1.OperatorGroup
+		for _, opGroup := range env.OperatorGroups {
+			if opGroup.Name == operatorGroupName && opGroup.Namespace == operator.Namespace {
+				operatorGroup = opGroup
+				break
+			}
+		}
+
+		opGroupTargetNamespaces := operatorGroup.Spec.TargetNamespaces // array of strings
+
+		if IsInstallModeSingleNamespace(csv.Spec.InstallModes) {
+			// checks opgroup targetnamespace matches with csv targetnamespace
+			if len(opGroupTargetNamespaces) == 1 && len(operatorTargetNamespaces) == 1 {
+				if opGroupTargetNamespaces[0] == operatorTargetNamespaces[0] {
+					check.LogInfo("Operator %s with SingleInstallMode is installed in tenant namespace ", operator.Name)
+					compliantObjects = append(compliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+						"Operator with SingleInstallMode is not installed in tenant namespace ", true).AddField(testhelper.OperatorName, operator.Name))
+				} else {
+					check.LogInfo("Operator %s with SingleInstallMode is not installed in tenant namespace ", operator.Name)
+					nonCompliantObjects = append(nonCompliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+						"Operator with SingleInstallMode is not installed in tenant namespace ", false).AddField(testhelper.OperatorName, operator.Name))
+				}
+			}
+		} else {
+			// The operator must not be installed inside the targetNamespaces
+			var isOperatorInstalledInTargetNamespaces bool
+			for _, opGroupTargetNamespace := range opGroupTargetNamespaces {
+				if opGroupTargetNamespace == operatorNamespace {
+					isOperatorInstalledInTargetNamespaces = true
+					break
+				}
+			}
+
+			if !isOperatorInstalledInTargetNamespaces {
+				check.LogInfo("Operator %s with non-SingleInstallMode is not installed in the tenant namespace ", operator.Name)
+				compliantObjects = append(compliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+					"Operator with non-SingleInstallMode is not installed in tenant namespace ", true).AddField(testhelper.OperatorName, operator.Name))
+			} else {
+				check.LogInfo("Operator %s with non-SingleInstallMode is installed in the tenant namespace ", operator.Name)
+				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+					"Operator with non-SingleInstallMode is installed in tenant namespace ", false).AddField(testhelper.OperatorName, operator.Name))
+			}
+		}
+	}
+
+	check.SetResult(compliantObjects, nonCompliantObjects)
 }
 
-// This function check if the Operator CRD version follows K8s versioning
+// This function checks if the Operator CRD version follows K8s versioning
 func testOperatorCrdVersioning(check *checksdb.Check, env *provider.TestEnvironment) {
 	check.LogInfo("Starting testOperatorCrdVersioning")
 	var compliantObjects []*testhelper.ReportObject
-Original file line number
+Diff line change
@@ Expand Up @@
     	}
     	return allNs, nil
     }
     func getAllOperators(olmClient clientOlm.Interface) ([]*olmv1Alpha.ClusterServiceVersion, error) {
     	csvs := []*olmv1Alpha.ClusterServiceVersion{}
@@ Expand Down @@