Pre and Post Deployment Validation for Airship 2.0

Anuket Project

Intern

Accepted: Parth Inamdar

Type: Part-Time.



Weekly Meeting:

Every Thursday, 8:30-9:30 UTC

https://zoom.us/j/95106311750

Tasks

Each task below records: Sl. No, Task, Week (*2 for part-time), Support from the Team, and Progress (update by @Parth Inamdar).

1. Understanding existing tool
  1. Pre-Deployment Validation Tools
  2. Post-Deployment Validation Tools
  Week: 1
  Support from the Team: Knowledge sharing session. Introduction to Kubernetes and OpenStack, PDF & Manifests, process workflow of the existing validation tools & the PDF Creation Tool, Airship introduction and importance.

2. Understanding PDF
  1. Exercise 1: Update the PDF Creation Tool to a newer version
  2. Exercise 2: Create a PDF for the existing testbed
  Week: 1
  Notes (support and progress):

  Pod details, tentative list [Test: Observability Pods]:

  1. Check whether any of the containers are running in privileged mode.
  2. Check whether any host directories are mounted as volumes.
  3. Check whether the host network namespace is used.
  4. Check for the NET_ADMIN and NET_RAW capabilities (use the capable tool?).
  5. Telemetry system: logs and monitoring.
  6. CPU manager: policy configuration.
  7. Topology manager: policy.
  8. Traffic over the main CNI?
  9. Use of a service mesh?
  10. Approach used for ingress/egress traffic.
  11. Helm V3 support.
  12. No access to the Kubernetes API/management plane from the CNF.
  13. Liveness, readiness and startup probes: recovery from failures.
  14. KubeVirt support.
  15. List of CNIs/device plugins.

  CMKVsDefault.pptx

  Understand Kuberef in Pod18 and do the exercise below:
  1. Connect to the cluster.
  2. Check whether a monitoring namespace exists. If yes, get only the pods within the monitoring namespace and run check (4) on them.
  3. If not, get all pods.
  4. Check for pods with the following names: { prometheus, node-exporter }.

  Result of the above exercise: a separate program was written; the next step is to reuse the existing framework.

  Current Post-Deployment Validation (OpenStack):
  1. Add a differentiator (flag/variable/api-value) to the framework for Kubernetes.
    1. This differentiator decides the list*.
  2. Move the above piece of code into this framework.
  3. Both Inamdar and Adarsh can work on this separate 'segment' of the code.
  4. 3 levels:
    1. 3rd-party repo (manifests, charts, definitions, etc.). This may not be required.
    2. API level (kubectl commands).
    3. Node level (log in to the node to check).
    4. Pod level (get into the pod to check it).
  5. List of missing policies in PDF 2.0:
    1. Ex1: NET_ADMIN / NET_RAW true/false.
    2. Ex2: Service mesh true/false.
    3. Ex3: TOPOLOGY_MANAGER policy is single_numa_*
3. Update the mapping of PDF keys to Airship 2.0 CRD keys
  1. Airship 2.0 overview
  Week: 2
  Support from the Team: KT session on Airship.

4. Implement the validation of manifests against the PDF
  Week: 2.5

5. List post-validation checks not covered by the CNCF Conformance and K8S E2E test tools
  1. Include security too.
  2. At least 10.
  Week: 1
  Support from the Team: Walkthrough of K8S E2E, CNCF Conformance, etc. CNTT RC2/RA2.

6. Implement post-validation.
  Week: 2.5

7. Integrate the implementations into the main branch and submit the patch.
  Week: 1

8. Knowledge sharing, handoff (buffer)
  Week: 1

01-July-2021 - 30-Aug-2021

Each item below records: Sl. No, Task, Responsible, Status.

1. Add a differentiator (flag/variable/api-value) to the framework for Kubernetes. This differentiator decides the list*.
  Responsible: Parth Yadav
  Status: Completed. Submitted the patch.

1a. The user should be able to select the "Suite of Checks" and customize each of these suites.
  Responsible: @Parth Yadav
  Status: In Progress.

2. Observability pods: status (item 5).
  Responsible: Parth Inamdar
  Status: Completed. Tested on pod18.

3. Security:
  1. Check whether any of the containers are running in privileged mode.
  2. Check whether any host directories are mounted as volumes.
  3. Check whether the host network namespace is used.
  4. Check for the NET_ADMIN and NET_RAW capabilities (use the capable tool?).
  12. No access to the Kubernetes API/management plane from the CNF.
  Responsible: Parth Inamdar
  Status / notes:
    Option 1: use the capable tool – http://www.brendangregg.com/blog/2016-10-01/linux-bcc-security-capabilities.html
    Option 2: create a Test-Pod. Ex: the Test-Pod tries to do all five of the above.
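The observability-pod exercise (connect, restrict to the monitoring namespace, look for prometheus/node-exporter) and security checks 1-4 and 12 in this row can all be evaluated from one pod listing. The following is an added Python example, not code from the Anuket SDV framework; it parses a constructed sample in the shape of `kubectl get pods -A -o json` and evaluates the checks on the declared pod spec. The check-12 proxy (`automountServiceAccountToken`) is an assumption of this example, and capabilities are read from the spec only; seeing which capabilities a process actually exercises needs a runtime tool such as capable.

```python
import json

# Constructed sample in the shape of `kubectl get pods -A -o json`; not a real cluster dump.
SAMPLE = json.dumps({"items": [
    {"metadata": {"name": "prometheus-0", "namespace": "monitoring"},
     "spec": {"hostNetwork": False, "automountServiceAccountToken": False,
              "volumes": [{"name": "data", "emptyDir": {}}],
              "containers": [{"name": "prometheus", "securityContext": {"privileged": False}}]}},
    {"metadata": {"name": "node-exporter-x1", "namespace": "monitoring"},
     "spec": {"hostNetwork": True,
              "volumes": [{"name": "proc", "hostPath": {"path": "/proc"}}],
              "containers": [{"name": "node-exporter",
                              "securityContext": {"capabilities": {"add": ["NET_ADMIN", "SYS_TIME"]}}}]}},
    {"metadata": {"name": "coredns-abc", "namespace": "kube-system"},
     "spec": {"containers": [{"name": "coredns"}]}},
]})

OBSERVABILITY_NAMES = ("prometheus", "node-exporter")  # step 4 of the exercise
WATCHED_CAPS = {"NET_ADMIN", "NET_RAW"}                 # check 4 of the tentative list

def select_pods(pod_list):
    """Steps 2-3: only the monitoring namespace if it exists, otherwise every pod."""
    items = pod_list["items"]
    monitoring = [p for p in items if p["metadata"]["namespace"] == "monitoring"]
    return monitoring or items

def observability_pods(pods):
    """Step 4: names of pods that match one of the expected observability components."""
    return [p["metadata"]["name"] for p in pods
            if any(n in p["metadata"]["name"] for n in OBSERVABILITY_NAMES)]

def audit_pod(pod):
    """Checks 1-4 and a static proxy for check 12, from the declared pod spec only."""
    spec = pod["spec"]
    containers = spec.get("containers", []) + spec.get("initContainers", [])
    caps = set()
    for c in containers:
        caps |= set(c.get("securityContext", {}).get("capabilities", {}).get("add", []))
    return {
        "privileged": any(c.get("securityContext", {}).get("privileged", False) for c in containers),
        "host_path_volumes": [v["hostPath"]["path"] for v in spec.get("volumes", []) if "hostPath" in v],
        "host_network": spec.get("hostNetwork", False),
        "net_caps": sorted(caps & WATCHED_CAPS),
        # Assumed proxy for check 12: a mounted SA token gives the CNF a path to the API server.
        "sa_token_automounted": spec.get("automountServiceAccountToken", True),
    }

def run(raw_json):
    pods = select_pods(json.loads(raw_json))
    return {"observability": observability_pods(pods),
            "findings": {p["metadata"]["name"]: audit_pod(p) for p in pods}}

if __name__ == "__main__":
    print(json.dumps(run(SAMPLE), indent=2))
```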

4. Policy:
  6. CPU manager: policy configuration.
  7. Topology manager: policy.
  15. List of CNIs/device plugins.
  Status / notes:
    1. Use the kubelet command on any worker to read the current configuration, and validate against that.
    2. Test pod definition: play with these two keys, requests and limits.

5. Networking:
  8. Traffic over the main CNI?
  9. Use of a service mesh?
  10. Approach used for ingress/egress traffic.

6. Virtualization (VMs in K8S):
  14. KubeVirt support.

7. VNF/CNF packaging:
  11. Helm V3 support.
  Status / notes: Download and test any sample Helm V3 CNF package.

8. Stability:
  13. Liveness, readiness and startup probes: recovery from failures.
  Responsible: Adarsh Yadav
  Status: In Progress



01-August-2021 - 30-August-2021: Improving the SDV architecture (buffer for Post-Deployment Validation)