From 20aff2f69f5c699dd48a79c0262c220acef13b18 Mon Sep 17 00:00:00 2001
From: bnshr
Date: Mon, 25 Nov 2024 15:05:02 +0100
Subject: [PATCH] Operator Installation outside of targetNamespace

---
 pkg/autodiscover/autodiscover_operators.go | 1 +
 tests/identifiers/identifiers.go | 205 +++++++++++----------
 tests/operator/helper.go | 15 +-
 tests/operator/suite.go | 85 ++++++++-
 4 files changed, 202 insertions(+), 104 deletions(-)

diff --git a/pkg/autodiscover/autodiscover_operators.go b/pkg/autodiscover/autodiscover_operators.go
index 07f330fe7..e2ededd60 100644
--- a/pkg/autodiscover/autodiscover_operators.go
+++ b/pkg/autodiscover/autodiscover_operators.go
@@ -116,6 +116,7 @@ func getAllNamespaces(oc corev1client.CoreV1Interface) (allNs []string, err erro
 }
 return allNs, nil
 }
+
 func getAllOperators(olmClient clientOlm.Interface) ([]*olmv1Alpha.ClusterServiceVersion, error) {
 csvs := []*olmv1Alpha.ClusterServiceVersion{}
diff --git a/tests/identifiers/identifiers.go b/tests/identifiers/identifiers.go
index ec505d4e2..48f514404 100644
--- a/tests/identifiers/identifiers.go
+++ b/tests/identifiers/identifiers.go
@@ -76,108 +76,109 @@ func AddCatalogEntry(testID, suiteName, description, remediation, exception, ref
 }
 var (
- TestICMPv4ConnectivityIdentifier claim.Identifier
- TestNetworkPolicyDenyAllIdentifier claim.Identifier
- Test1337UIDIdentifier claim.Identifier
- TestContainerIsCertifiedDigestIdentifier claim.Identifier
- TestHelmVersionIdentifier claim.Identifier
- TestPodHugePages2M claim.Identifier
- TestPodHugePages1G claim.Identifier
- TestHyperThreadEnable claim.Identifier
- TestReservedExtendedPartnerPorts claim.Identifier
- TestAffinityRequiredPods claim.Identifier
- TestContainerPostStartIdentifier claim.Identifier
- TestContainerPrestopIdentifier claim.Identifier
- TestDpdkCPUPinningExecProbe claim.Identifier
- TestSysAdminIdentifier claim.Identifier
- TestNetAdminIdentifier claim.Identifier
- TestNetRawIdentifier claim.Identifier
- TestIpcLockIdentifier claim.Identifier
- TestBpfIdentifier claim.Identifier
- TestStorageProvisioner claim.Identifier
- TestExclusiveCPUPoolIdentifier claim.Identifier
- TestSharedCPUPoolSchedulingPolicy claim.Identifier
- TestExclusiveCPUPoolSchedulingPolicy claim.Identifier
- TestIsolatedCPUPoolSchedulingPolicy claim.Identifier
- TestRtAppNoExecProbes claim.Identifier
- TestRestartOnRebootLabelOnPodsUsingSRIOV claim.Identifier
- TestSecConNonRootUserIDIdentifier claim.Identifier
- TestSecConRunAsNonRootIdentifier claim.Identifier
- TestNetworkAttachmentDefinitionSRIOVUsingMTU claim.Identifier
- TestSecContextIdentifier claim.Identifier
- TestSecConPrivilegeEscalation claim.Identifier
- TestContainerHostPort claim.Identifier
- TestPodHostNetwork claim.Identifier
- TestPodHostPath claim.Identifier
- TestPodHostIPC claim.Identifier
- TestPodHostPID claim.Identifier
- TestHugepagesNotManuallyManipulated claim.Identifier
- TestICMPv6ConnectivityIdentifier claim.Identifier
- TestICMPv4ConnectivityMultusIdentifier claim.Identifier
- TestICMPv6ConnectivityMultusIdentifier claim.Identifier
- TestServiceDualStackIdentifier claim.Identifier
- TestNamespaceBestPracticesIdentifier claim.Identifier
- TestNonTaintedNodeKernelsIdentifier claim.Identifier
- TestOperatorInstallStatusSucceededIdentifier claim.Identifier
- TestOperatorNoSCCAccess claim.Identifier
- TestOperatorIsCertifiedIdentifier claim.Identifier
- TestHelmIsCertifiedIdentifier claim.Identifier
- TestOperatorIsInstalledViaOLMIdentifier claim.Identifier
- TestOperatorHasSemanticVersioningIdentifier claim.Identifier
- TestSecConReadOnlyFilesystem claim.Identifier
- TestOperatorOlmSkipRange claim.Identifier
- TestOperatorAutomountTokens claim.Identifier
- TestOperatorRunAsNonRoot claim.Identifier
- TestOperatorRunAsUserID claim.Identifier
- TestOperatorCrdVersioningIdentifier claim.Identifier
- TestOperatorCrdSchemaIdentifier claim.Identifier
- TestOperatorSingleCrdOwnerIdentifier claim.Identifier
- TestOperatorPodsNoHugepages claim.Identifier
- TestMultipleSameOperatorsIdentifier claim.Identifier
- TestPodNodeSelectorAndAffinityBestPractices claim.Identifier
- TestPodHighAvailabilityBestPractices claim.Identifier
- TestPodClusterRoleBindingsBestPracticesIdentifier claim.Identifier
- TestPodDeploymentBestPracticesIdentifier claim.Identifier
- TestDeploymentScalingIdentifier claim.Identifier
- TestStatefulSetScalingIdentifier claim.Identifier
- TestImagePullPolicyIdentifier claim.Identifier
- TestPodRecreationIdentifier claim.Identifier
- TestPodRoleBindingsBestPracticesIdentifier claim.Identifier
- TestPodServiceAccountBestPracticesIdentifier claim.Identifier
- TestPodAutomountServiceAccountIdentifier claim.Identifier
- TestServicesDoNotUseNodeportsIdentifier claim.Identifier
- TestUnalteredBaseImageIdentifier claim.Identifier
- TestUnalteredStartupBootParamsIdentifier claim.Identifier
- TestLoggingIdentifier claim.Identifier
- TestTerminationMessagePolicyIdentifier claim.Identifier
- TestCrdsStatusSubresourceIdentifier claim.Identifier
- TestSysctlConfigsIdentifier claim.Identifier
- TestServiceMeshIdentifier claim.Identifier
- TestOCPLifecycleIdentifier claim.Identifier
- TestNodeOperatingSystemIdentifier claim.Identifier
- TestIsRedHatReleaseIdentifier claim.Identifier
- TestIsSELinuxEnforcingIdentifier claim.Identifier
- TestUndeclaredContainerPortsUsage claim.Identifier
- TestOCPReservedPortsUsage claim.Identifier
- TestLivenessProbeIdentifier claim.Identifier
- TestReadinessProbeIdentifier claim.Identifier
- TestStartupProbeIdentifier claim.Identifier
- TestOneProcessPerContainerIdentifier claim.Identifier
- TestSYSNiceRealtimeCapabilityIdentifier claim.Identifier
- TestSysPtraceCapabilityIdentifier claim.Identifier
- TestPodRequestsAndLimitsIdentifier claim.Identifier
- TestNamespaceResourceQuotaIdentifier claim.Identifier
- TestPodDisruptionBudgetIdentifier claim.Identifier
- TestAPICompatibilityWithNextOCPReleaseIdentifier claim.Identifier
- TestPodTolerationBypassIdentifier claim.Identifier
- TestPersistentVolumeReclaimPolicyIdentifier claim.Identifier
- TestContainersImageTag claim.Identifier
- TestNoSSHDaemonsAllowedIdentifier claim.Identifier
- TestCPUIsolationIdentifier claim.Identifier
- TestContainerPortNameFormat claim.Identifier
- TestCrdScalingIdentifier claim.Identifier
- TestCrdRoleIdentifier claim.Identifier
- TestLimitedUseOfExecProbesIdentifier claim.Identifier
+ TestICMPv4ConnectivityIdentifier claim.Identifier
+ TestNetworkPolicyDenyAllIdentifier claim.Identifier
+ Test1337UIDIdentifier claim.Identifier
+ TestContainerIsCertifiedDigestIdentifier claim.Identifier
+ TestHelmVersionIdentifier claim.Identifier
+ TestPodHugePages2M claim.Identifier
+ TestPodHugePages1G claim.Identifier
+ TestHyperThreadEnable claim.Identifier
+ TestReservedExtendedPartnerPorts claim.Identifier
+ TestAffinityRequiredPods claim.Identifier
+ TestContainerPostStartIdentifier claim.Identifier
+ TestContainerPrestopIdentifier claim.Identifier
+ TestDpdkCPUPinningExecProbe claim.Identifier
+ TestSysAdminIdentifier claim.Identifier
+ TestNetAdminIdentifier claim.Identifier
+ TestNetRawIdentifier claim.Identifier
+ TestIpcLockIdentifier claim.Identifier
+ TestBpfIdentifier claim.Identifier
+ TestStorageProvisioner claim.Identifier
+ TestExclusiveCPUPoolIdentifier claim.Identifier
+ TestSharedCPUPoolSchedulingPolicy claim.Identifier
+ TestExclusiveCPUPoolSchedulingPolicy claim.Identifier
+ TestIsolatedCPUPoolSchedulingPolicy claim.Identifier
+ TestRtAppNoExecProbes claim.Identifier
+ TestRestartOnRebootLabelOnPodsUsingSRIOV claim.Identifier
+ TestSecConNonRootUserIDIdentifier claim.Identifier
+ TestSecConRunAsNonRootIdentifier claim.Identifier
+ TestNetworkAttachmentDefinitionSRIOVUsingMTU claim.Identifier
+ TestSecContextIdentifier claim.Identifier
+ TestSecConPrivilegeEscalation claim.Identifier
+ TestContainerHostPort claim.Identifier
+ TestPodHostNetwork claim.Identifier
+ TestPodHostPath claim.Identifier
+ TestPodHostIPC claim.Identifier
+ TestPodHostPID claim.Identifier
+ TestHugepagesNotManuallyManipulated claim.Identifier
+ TestICMPv6ConnectivityIdentifier claim.Identifier
+ TestICMPv4ConnectivityMultusIdentifier claim.Identifier
+ TestICMPv6ConnectivityMultusIdentifier claim.Identifier
+ TestServiceDualStackIdentifier claim.Identifier
+ TestNamespaceBestPracticesIdentifier claim.Identifier
+ TestNonTaintedNodeKernelsIdentifier claim.Identifier
+ TestOperatorInstallStatusSucceededIdentifier claim.Identifier
+ TestOperatorNoSCCAccess claim.Identifier
+ TestOperatorIsCertifiedIdentifier claim.Identifier
+ TestHelmIsCertifiedIdentifier claim.Identifier
+ TestOperatorIsInstalledViaOLMIdentifier claim.Identifier
+ TestOperatorHasSemanticVersioningIdentifier claim.Identifier
+ TestSecConReadOnlyFilesystem claim.Identifier
+ TestOperatorOlmSkipRange claim.Identifier
+ TestOperatorAutomountTokens claim.Identifier
+ TestOperatorRunAsNonRoot claim.Identifier
+ TestOperatorRunAsUserID claim.Identifier
+ TestOperatorCrdVersioningIdentifier claim.Identifier
+ TestOperatorCrdSchemaIdentifier claim.Identifier
+ TestOperatorSingleCrdOwnerIdentifier claim.Identifier
+ TestOperatorPodsNoHugepages claim.Identifier
+ TestMultipleSameOperatorsIdentifier claim.Identifier
+ TestInstalledSingleNamespaceOperatorInTenantNamespace claim.Identifier
+ TestPodNodeSelectorAndAffinityBestPractices claim.Identifier
+ TestPodHighAvailabilityBestPractices claim.Identifier
+ TestPodClusterRoleBindingsBestPracticesIdentifier claim.Identifier
+ TestPodDeploymentBestPracticesIdentifier claim.Identifier
+ TestDeploymentScalingIdentifier claim.Identifier
+ TestStatefulSetScalingIdentifier claim.Identifier
+ TestImagePullPolicyIdentifier claim.Identifier
+ TestPodRecreationIdentifier claim.Identifier
+ TestPodRoleBindingsBestPracticesIdentifier claim.Identifier
+ TestPodServiceAccountBestPracticesIdentifier claim.Identifier
+ TestPodAutomountServiceAccountIdentifier claim.Identifier
+ TestServicesDoNotUseNodeportsIdentifier claim.Identifier
+ TestUnalteredBaseImageIdentifier claim.Identifier
+ TestUnalteredStartupBootParamsIdentifier claim.Identifier
+ TestLoggingIdentifier claim.Identifier
+ TestTerminationMessagePolicyIdentifier claim.Identifier
+ TestCrdsStatusSubresourceIdentifier claim.Identifier
+ TestSysctlConfigsIdentifier claim.Identifier
+ TestServiceMeshIdentifier claim.Identifier
+ TestOCPLifecycleIdentifier claim.Identifier
+ TestNodeOperatingSystemIdentifier claim.Identifier
+ TestIsRedHatReleaseIdentifier claim.Identifier
+ TestIsSELinuxEnforcingIdentifier claim.Identifier
+ TestUndeclaredContainerPortsUsage claim.Identifier
+ TestOCPReservedPortsUsage claim.Identifier
+ TestLivenessProbeIdentifier claim.Identifier
+ TestReadinessProbeIdentifier claim.Identifier
+ TestStartupProbeIdentifier claim.Identifier
+ TestOneProcessPerContainerIdentifier claim.Identifier
+ TestSYSNiceRealtimeCapabilityIdentifier claim.Identifier
+ TestSysPtraceCapabilityIdentifier claim.Identifier
+ TestPodRequestsAndLimitsIdentifier claim.Identifier
+ TestNamespaceResourceQuotaIdentifier claim.Identifier
+ TestPodDisruptionBudgetIdentifier claim.Identifier
+ TestAPICompatibilityWithNextOCPReleaseIdentifier claim.Identifier
+ TestPodTolerationBypassIdentifier claim.Identifier
+ TestPersistentVolumeReclaimPolicyIdentifier claim.Identifier
+ TestContainersImageTag claim.Identifier
+ TestNoSSHDaemonsAllowedIdentifier claim.Identifier
+ TestCPUIsolationIdentifier claim.Identifier
+ TestContainerPortNameFormat claim.Identifier
+ TestCrdScalingIdentifier claim.Identifier
+ TestCrdRoleIdentifier claim.Identifier
+ TestLimitedUseOfExecProbesIdentifier claim.Identifier
 // Chaos Testing
 // TestPodDeleteIdentifier claim.Identifier
 )
diff --git a/tests/operator/helper.go b/tests/operator/helper.go
index 793d81511..a0a5ba39d 100644
--- a/tests/operator/helper.go
+++ b/tests/operator/helper.go
@@ -20,7 +20,11 @@ Package operator provides CNFCERT tests used to validate operator CNF facets.
 package operator
-import "strings"
+import (
+ "strings"
+
+ "github.com/operator-framework/api/pkg/operators/v1alpha1"
+)
 // CsvResult holds the results of the splitCsv function.
 type CsvResult struct {
@@ -45,3 +49,12 @@ func SplitCsv(csv string) CsvResult {
 }
 return result
 }
+
+func IsInstallModeSingleNamespace(installModes []v1alpha1.InstallMode) bool {
+ for i := 0; i < len(installModes); i++ {
+ if installModes[i].Type == v1alpha1.InstallModeTypeSingleNamespace {
+ return true
+ }
+ }
+ return false
+}
diff --git a/tests/operator/suite.go b/tests/operator/suite.go
index ed44397ce..03459847e 100644
--- a/tests/operator/suite.go
+++ b/tests/operator/suite.go
@@ -28,6 +28,8 @@ import (
 "github.com/redhat-best-practices-for-k8s/certsuite/pkg/provider"
 "github.com/redhat-best-practices-for-k8s/certsuite/pkg/testhelper"
 "github.com/redhat-best-practices-for-k8s/certsuite/pkg/versions"
+
+ v1 "github.com/operator-framework/api/pkg/operators/v1"
 )
 var (
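Review bot: `TestInstalledSingleNamespaceOperatorInTenantNamespace` is declared in this var block but nothing in the patch assigns it — the file's `AddCatalogEntry` (visible in the hunk header) is not called for it, and the identifiers.go diffstat of 205 lines is fully accounted for by the realigned var block — so unless it is initialized somewhere this patch does not touch, the check registered in suite.go through `identifiers.GetTestIDAndLabels(identifiers.TestInstalledSingleNamespaceOperatorInTenantNamespace)` receives the zero value of `claim.Identifier`. Presumably the intent is a catalog entry next to the other Test*Identifier assignments, with a description and remediation matching the two rules listed in the new check's block comment. The rest of this hunk is gofmt realignment only.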
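Review bot: `IsInstallModeSingleNamespace` matches on `installModes[i].Type` alone and ignores the `Supported` field of `v1alpha1.InstallMode`, so a CSV that lists SingleNamespace with `supported: false` is still classified as single-namespace; the comparison should read `if installModes[i].Type == v1alpha1.InstallModeTypeSingleNamespace && installModes[i].Supported {`. Even with that fix the function answers whether the CSV declares SingleNamespace as a supported mode, not whether the operator was installed in that mode — the effective scope comes from the OperatorGroup's target namespaces, and CSVs commonly declare several supported modes — so the caller in suite.go should expect most operators to take the SingleNamespace branch. The exported function also lacks a doc comment; something like `// IsInstallModeSingleNamespace reports whether SingleNamespace is among the CSV's supported install modes; it does not reflect how the operator was actually installed.` would keep callers from over-reading it. A `for _, mode := range installModes` loop would read more idiomatically than the indexed form.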
@@ -115,9 +117,90 @@ func LoadChecks() {
 testMultipleSameOperators(c, &env)
 return nil
 }))
+
+ checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestInstalledSingleNamespaceOperatorInTenantNamespace)).
+ WithSkipCheckFn(testhelper.GetNoOperatorsSkipFn(&env)).
+ WithCheckFn(func(c *checksdb.Check) error {
+ testInstalledSingleNamespaceOperatorInTenanttNamespace(c, &env)
+ return nil
+ }))
+
+}
+
+/*
+Checks :
+
+ 1. Operators whose InstallTypeMode is not SingleNamespace must not be installed in the namespaces specified by targetNamespace
+ in the OperatorGroup of the operators
+
+ 2. Operators that are SingleNamespace must have CRs in only tenant namespace
+*/
+func testInstalledSingleNamespaceOperatorInTenanttNamespace(check *checksdb.Check, env *provider.TestEnvironment) {
+ check.LogInfo("Starting testInstalledSingleNamespaceOperatorInTenanttNamespace")
+ var compliantObjects []*testhelper.ReportObject
+ var nonCompliantObjects []*testhelper.ReportObject
+
+ for _, operator := range env.Operators {
+ check.LogInfo("Checking crd %s in namespace %s ", operator.Name, operator.Namespace)
+
+ csv := operator.Csv
+
+ operatorNamespace := csv.Annotations["olm.operatorNamespace"]
+ operatorGroupName := csv.Annotations["olm.operatorGroup"]
+
+ targetNamespacesStr := csv.Annotations["olm.targetNamespaces"]
+ operatorTargetNamespaces := strings.Split(targetNamespacesStr, ",")
+ check.LogInfo("operatorNamespace %s, targetNamespaces %v", operatorNamespace, operatorTargetNamespaces)
+
+ var operatorGroup *v1.OperatorGroup
+ for _, opGroup := range env.OperatorGroups {
+ if opGroup.Name == operatorGroupName && opGroup.Namespace == operator.Namespace {
+ operatorGroup = opGroup
+ break
+ }
+ }
+
+ opGroupTargetNamespaces := operatorGroup.Spec.TargetNamespaces // array of strings
+
+ if IsInstallModeSingleNamespace(csv.Spec.InstallModes) {
+ // checks opgroup targetnamespace matches with csv targetnamespace
+ if len(opGroupTargetNamespaces) == 1 && len(operatorTargetNamespaces) == 1 {
+ if opGroupTargetNamespaces[0] == operatorTargetNamespaces[0] {
+ check.LogInfo("Operator %s with SingleInstallMode is installed in tenant namespace ", operator.Name)
+ compliantObjects = append(compliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+ "Operator with SingleInstallMode is not installed in tenant namespace ", true).AddField(testhelper.OperatorName, operator.Name))
+ } else {
+ check.LogInfo("Operator %s with SingleInstallMode is not installed in tenant namespace ", operator.Name)
+ nonCompliantObjects = append(nonCompliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+ "Operator with SingleInstallMode is not installed in tenant namespace ", false).AddField(testhelper.OperatorName, operator.Name))
+ }
+ }
+ } else {
+ // The operator must not be installed inside the targetNamespaces
+ var isOperatorInstalledInTargetNamespaces bool
+ for _, opGroupTargetNamespace := range opGroupTargetNamespaces {
+ if opGroupTargetNamespace == operatorNamespace {
+ isOperatorInstalledInTargetNamespaces = true
+ break
+ }
+ }
+
+ if !isOperatorInstalledInTargetNamespaces {
+ check.LogInfo("Operator %s with non-SingleInstallMode is not installed in the tenant namespace ", operator.Name)
+ compliantObjects = append(compliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+ "Operator with non-SingleInstallMode is not installed in tenant namespace ", true).AddField(testhelper.OperatorName, operator.Name))
+ } else {
+ check.LogInfo("Operator %s with non-SingleInstallMode is installed in the tenant namespace ", operator.Name)
+ nonCompliantObjects = append(nonCompliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
+ "Operator with non-SingleInstallMode is installed in tenant namespace ", false).AddField(testhelper.OperatorName, operator.Name))
+ }
+ }
+ }
+
+ check.SetResult(compliantObjects, nonCompliantObjects)
 }
-// This function check if the Operator CRD version follows K8s versioning
+// This function checks if the Operator CRD version follows K8s versioning
 func testOperatorCrdVersioning(check *checksdb.Check, env *provider.TestEnvironment) {
 check.LogInfo("Starting testOperatorCrdVersioning")
 var compliantObjects []*testhelper.ReportObject
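Review bot: `operatorGroup.Spec.TargetNamespaces` dereferences `operatorGroup` unconditionally, but the lookup loop just above leaves it nil whenever no entry of `env.OperatorGroups` matches the `olm.operatorGroup` annotation in the operator's namespace, so one such operator panics the whole check instead of producing a report object. In the SingleNamespace branch an operator whose OperatorGroup or CSV lists anything other than exactly one target namespace falls through both `if`s and is reported neither compliant nor non-compliant, and the compliant report object carries the non-compliant text `"Operator with SingleInstallMode is not installed in tenant namespace "`. Note also that `strings.Split` of an absent `olm.targetNamespaces` annotation yields `[""]`, which satisfies the length-1 test, and that the registration, the function name and its log string all spell `Tenantt`. The rewrite below reports a missing OperatorGroup as non-compliant rather than skipping it, and folds the length and equality tests into a single condition with an else branch so every operator lands in one of the two lists.
```go
		var operatorGroup *v1.OperatorGroup
		// … unchanged: lookup loop over env.OperatorGroups …
		if operatorGroup == nil {
			check.LogInfo("Operator %s: OperatorGroup %s not found in namespace %s", operator.Name, operatorGroupName, operator.Namespace)
			nonCompliantObjects = append(nonCompliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
				"OperatorGroup referenced by the CSV was not found", false).AddField(testhelper.OperatorName, operator.Name))
			continue
		}

		opGroupTargetNamespaces := operatorGroup.Spec.TargetNamespaces

		if IsInstallModeSingleNamespace(csv.Spec.InstallModes) {
			// Compliant only when both the OperatorGroup and the CSV name exactly one, identical, target namespace.
			if len(opGroupTargetNamespaces) == 1 && len(operatorTargetNamespaces) == 1 && opGroupTargetNamespaces[0] == operatorTargetNamespaces[0] {
				check.LogInfo("Operator %s with SingleInstallMode is installed in tenant namespace ", operator.Name)
				compliantObjects = append(compliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
					"Operator with SingleInstallMode is installed in tenant namespace ", true).AddField(testhelper.OperatorName, operator.Name))
			} else {
				check.LogInfo("Operator %s with SingleInstallMode is not installed in tenant namespace ", operator.Name)
				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewOperatorReportObject(operator.Namespace, operator.Name,
					"Operator with SingleInstallMode is not installed in tenant namespace ", false).AddField(testhelper.OperatorName, operator.Name))
			}
		} else {
			// … unchanged: non-SingleNamespace branch …
		}
```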