Anuket Project

Pre and Post Deployment Validation for Airship 2.0


Intern

Accepted: Parth Inamdar

Type: Part-Time.


Weekly Meeting:

Every Thursday, 8:30-9:30 UTC

https://zoom.us/j/95106311750

Tasks

(Each task below lists: Sl. No, Task, Week (*2 for part-time), Support from the Team, Progress: update by Parth Inamdar.)
1. Understanding the existing tools
  • Pre-Deployment Validation Tools
  • Post-Deployment Validation Tools
Week: 1
Support from the Team: Knowledge sharing session. Introduction to Kubernetes and OpenStack, the PDF (Pod Descriptor File) & manifests, the process workflow of the existing validation tools & the PDF Creation Tool, Airship introduction and its importance.

2. Understanding the PDF
  • Exercise 1: Update the PDF Creation Tool to the newer version
  • Exercise 2: Create a PDF for the existing testbed
Week: 1
Progress: Pod details.

Tentative list of checks.

[Test: Observability Pods]

1. Check whether any of the containers are running in privileged mode.
2. Check whether any host directories are mounted as volumes (hostPath).
3. Check whether the host network namespace is used.
4. Check for NET_ADMIN and NET_RAW capabilities. Use the capable tool?
5. Telemetry system - logs and monitoring.
6. CPU manager - policy configuration.
7. Topology manager - policy.
8. Traffic over the main CNI?
9. Use of a service mesh?
10. Approach used for ingress/egress traffic.
11. Helm v3 support.
12. No access to the Kubernetes API/management plane from the CNF.
13. Liveness, readiness and startup probes -- recovery from failures.
14. KubeVirt support.
15. List of CNIs/device plugins.

CMKVsDefault.pptx

  • Understand Kuberef in Pod18.
  • Do the exercise below:
  1. Connect to the cluster.
  2. Check whether there is a monitoring namespace. If yes, get only the pods within the monitoring namespace and apply check (4) to them.
  3. If not, get all pods.
  4. Check for pods with the following names: { prometheus, node-exporter }.

Above exercise: a separate program was written → reuse the existing framework instead.
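The exercise above, as an added example written for this page rather than code taken from the SDV framework: it runs offline against a constructed pod listing shaped like the output of `kubectl get pods --all-namespaces -o json`, so step 1 (connecting to the cluster) is replaced by that sample; on a real cluster the same JSON comes from that command or from the kubernetes Python client's list_pod_for_all_namespaces(). The function names and the rule that a namespace with no pods counts as absent are assumptions of this example.

```python
"""Observability-pods exercise: added example, not the project's own code.

SAMPLE_POD_LIST is constructed and shaped like the output of
`kubectl get pods --all-namespaces -o json`; on a real cluster, feed that
command's output (or CoreV1Api().list_pod_for_all_namespaces()) instead.
"""
import json

# Constructed sample listing (not captured from a real cluster).
SAMPLE_POD_LIST = json.dumps({"items": [
    {"metadata": {"name": "prometheus-k8s-0", "namespace": "monitoring"},
     "status": {"phase": "Running"}},
    {"metadata": {"name": "node-exporter-7xk2p", "namespace": "monitoring"},
     "status": {"phase": "Running"}},
    {"metadata": {"name": "node-exporter-q9z1m", "namespace": "monitoring"},
     "status": {"phase": "Pending"}},
    {"metadata": {"name": "coredns-558bd4d5db-abcde", "namespace": "kube-system"},
     "status": {"phase": "Running"}},
]})

# Pod name prefixes the check looks for (step 4 of the exercise).
EXPECTED_PODS = ("prometheus", "node-exporter")


def select_pods(pod_list, namespace="monitoring"):
    """Steps 2 and 3: restrict to the monitoring namespace when it has pods,
    otherwise fall back to every pod in the cluster.  Simplification (an
    assumption of this example): a namespace that exists but holds no pods
    is treated as absent."""
    scoped = [p for p in pod_list["items"] if p["metadata"]["namespace"] == namespace]
    return scoped if scoped else list(pod_list["items"])


def check_observability_pods(pod_list_json, expected=EXPECTED_PODS, namespace="monitoring"):
    """Step 4: for each expected name, report the matching pods and whether
    every one of them is in phase Running.  Pod names carry a generated
    suffix, so the match is on the prefix rather than the exact name."""
    pods = select_pods(json.loads(pod_list_json), namespace)
    report = {}
    for prefix in expected:
        matches = [p for p in pods if p["metadata"]["name"].startswith(prefix)]
        not_running = [p["metadata"]["name"] for p in matches
                       if p["status"].get("phase") != "Running"]
        report[prefix] = {
            "found": bool(matches),
            "pods": [p["metadata"]["name"] for p in matches],
            "not_running": not_running,
            "pass": bool(matches) and not not_running,
        }
    return report


def overall_result(report):
    """PASS only when every expected component is present and fully Running."""
    return "PASS" if all(r["pass"] for r in report.values()) else "FAIL"


if __name__ == "__main__":
    rep = check_observability_pods(SAMPLE_POD_LIST)
    for name, r in rep.items():
        state = "ok" if r["pass"] else "FAIL"
        print(f"{name}: found={r['found']} not_running={r['not_running']} -> {state}")
    print("result:", overall_result(rep))
```

With the constructed listing the check fails because one node-exporter pod is still Pending; a "found but not Running" result is the case the framework should report separately from "not deployed at all".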

Current Post-Deployment Validation - OpenStack

  1. Add a differentiator (flag/variable/API value) to the framework for Kubernetes.
    1. This differentiator decides the list of checks*.
  2. Move the above piece of code into this framework.
  3. Both Inamdar and Adarsh can work on this separate 'segment' of the code.
  4. 3 levels:
    1. -- 3rd-party repo (manifests, charts, definitions, etc.). This may not be required.
    2. API level (kubectl commands).
    3. Node level (log in to the node to check).
    4. Pod level (get into the pod to check).
  5. List of policies missing from PDF 2.0:
    1. Ex1: NET_ADMIN / NET_RAW true/false.
    2. Ex2: Service mesh true/false.
    3. Ex3: TOPOLOGY_MANAGER policy is single-numa-node.





3. Update the mapping of PDF keys to Airship 2.0 CRD keys
  • Airship 2.0 overview
Week: 2
Support from the Team: KT session on Airship.
4. Implement the validation of manifests against the PDF
Week: 2.5

5. Enlist post-validation checks (not covered by the CNCF conformance and K8s e2e test tools)
  • Include security too.
  • At least 10.
Week: 1
Support from the Team: Walkthrough of K8s e2e, CNCF conformance, etc.; CNTT RC2/RA2.


6. Implement post-validation
Week: 2.5

7. Integrate the implementations into the main branch and submit the patch
Week: 1

8. Knowledge sharing, handoff (buffer)
Week: 1

01-July-2021 - 30-Aug-2021

(Each item below lists: Sl. No., Task, Responsible, Status.)
1. Add a differentiator (flag/variable/API value) to the framework for Kubernetes. This differentiator decides the list of checks*.
   Responsible: Parth Yadav
   Status: Completed. Submitted the patch.

1a. The user should be able to select the "Suite of Checks" and customize each of these suites.
   Status: In progress.

2. (5.) Observability pods - status.
   Responsible: Parth Inamdar
   Status: Completed; tested on pod18.
3. Security:
   1. Check whether any of the containers are running in privileged mode.
   2. Check whether any host directories are mounted as volumes.
   3. Check whether the host network namespace is used.
   4. Check for NET_ADMIN and NET_RAW capabilities. Use the capable tool?
   12. No access to the Kubernetes API/management plane from the CNF.
   Responsible: Parth Inamdar
   Option 1: use the capable tool (BCC) on the node to trace which capabilities the containers actually exercise at runtime – http://www.brendangregg.com/blog/2016-10-01/linux-bcc-security-capabilities.html
   Option 2: create a test pod. Ex: a test pod that tries to do all 5; whether the cluster admits and runs it shows whether the policy is actually enforced.
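An API-level implementation of the five Security items above, which also covers the NET_ADMIN/NET_RAW and API-access policies listed as missing from PDF 2.0 in the task table. This is an added example for this page, not the project's framework code: the small check registry (the `check` decorator, suite and level tags, `run_suite`) is one way the "differentiator" could select the list of checks and is an assumption, not the framework's API. It goes slightly beyond the page in two places: the host-namespace check also covers hostPID and hostIPC, and the capability check treats NET_RAW as present unless dropped, because the default capability set of Docker and containerd includes it (an assumption about the runtime in use). The capable tool remains the node-level complement: it shows which capabilities are exercised, while this check only reads what the pod spec asks for. Both pod specs are constructed.

```python
"""Pod-spec security checks (API level): added example, not the project's code.

Checks are registered with a suite and a level so a framework differentiator
can pick the list per platform; the registry shape is an assumption.
"""
import json

CHECKS = []  # (name, suite, level, function) in registration order


def check(name, suite="security", level="api"):
    """Register a check function that takes a pod spec and returns (ok, details)."""
    def register(fn):
        CHECKS.append((name, suite, level, fn))
        return fn
    return register


def all_containers(spec):
    """Init containers run with the same privileges, so they are checked too."""
    return spec.get("initContainers", []) + spec.get("containers", [])


@check("privileged")
def no_privileged(spec):
    bad = [c["name"] for c in all_containers(spec)
           if (c.get("securityContext") or {}).get("privileged")]
    return not bad, bad


@check("hostpath-volumes")
def no_hostpath(spec):
    bad = [v["name"] for v in spec.get("volumes", []) if "hostPath" in v]
    return not bad, bad


@check("host-network")
def no_host_namespaces(spec):
    # hostPID/hostIPC are included: they expose the host as fully as hostNetwork.
    bad = [k for k in ("hostNetwork", "hostPID", "hostIPC") if spec.get(k)]
    return not bad, bad


@check("net-caps")
def no_net_caps(spec):
    """NET_ADMIN is present only if added.  NET_RAW is in the default set of
    Docker and containerd (assumed runtime), so it stays unless the container
    drops it or drops ALL; an explicit add re-grants it after a drop."""
    bad = []
    for c in all_containers(spec):
        caps = (c.get("securityContext") or {}).get("capabilities") or {}
        added = {x.upper() for x in caps.get("add") or []}
        dropped = {x.upper() for x in caps.get("drop") or []}
        if "NET_ADMIN" in added:
            bad.append((c["name"], "NET_ADMIN"))
        if "NET_RAW" in added or not ({"ALL", "NET_RAW"} & dropped):
            bad.append((c["name"], "NET_RAW"))
    return not bad, bad


@check("api-access")
def no_api_token(spec):
    """A CNF with an automounted service-account token can reach the API
    server.  Unset at pod level means the ServiceAccount's setting applies;
    this static check treats unset as mounted (conservative).  A NetworkPolicy
    denying egress to the API endpoint is the complementary runtime control."""
    mounted = spec.get("automountServiceAccountToken", True)
    return not mounted, (["automountServiceAccountToken"] if mounted else [])


def run_suite(pod_json, suite="security", level="api"):
    """Run every registered check for the selected suite/level on one pod."""
    spec = json.loads(pod_json)["spec"]
    return {name: fn(spec) for name, s, lvl, fn in CHECKS if s == suite and lvl == level}


# Constructed pod specs: a data-plane pod that asks for everything, and a hardened one.
CNF_POD = json.dumps({"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "cnf-dataplane"},
    "spec": {"hostNetwork": True,
             "volumes": [{"name": "hugepages", "hostPath": {"path": "/dev/hugepages"}}],
             "containers": [{"name": "dp", "image": "example/dp:1",
                 "securityContext": {"privileged": True,
                                     "capabilities": {"add": ["NET_ADMIN"]}}}]}})

HARDENED_POD = json.dumps({"apiVersion": "v1", "kind": "Pod",
    "metadata": {"name": "cnf-app"},
    "spec": {"automountServiceAccountToken": False,
             "containers": [{"name": "app", "image": "example/app:1",
                 "securityContext": {"privileged": False,
                                     "allowPrivilegeEscalation": False,
                                     "capabilities": {"drop": ["ALL"]}}}]}})

if __name__ == "__main__":
    for label, pod in (("cnf-dataplane", CNF_POD), ("cnf-app", HARDENED_POD)):
        for name, (ok, detail) in run_suite(pod).items():
            print(f"{label:13} {name:17} {'PASS' if ok else 'FAIL'} {detail}")
```

On a live cluster the pod JSON comes from `kubectl get pod <name> -n <ns> -o json`; for the "test pod" variant from Option 2 the same checks can be run on the manifest before applying it, and the admission result tells you whether the cluster policy blocks what the spec asks for.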

4. Policy:
   6. CPU manager - policy configuration.
   7. Topology manager - policy.
   15. List of CNIs/device plugins.
   1. Read the kubelet configuration on any worker (its config file or the kubelet's configz endpoint) to learn the current policies, and validate against that.
   2. Test pod definition: play with the two keys requests and limits (they determine the pod's QoS class, which decides whether the static CPU manager pins CPUs).
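The two policy steps above, as an added example that is not the project's own code: the first function compares the kubelet's CPU manager and topology manager policy with the values expected from the PDF, and the second works out from a test pod's requests and limits which QoS class it lands in and whether the static CPU manager will give its containers exclusive CPUs. KUBELET_CONFIGZ is constructed in the shape returned by `kubectl get --raw /api/v1/nodes/<node>/proxy/configz`; the PDF key names in PDF_EXPECTED are assumptions, since the page does not fix them.

```python
"""Kubelet policy validation and QoS/exclusive-CPU reasoning: added example,
not the project's own code.

KUBELET_CONFIGZ is constructed in the shape of
`kubectl get --raw /api/v1/nodes/<node>/proxy/configz`.
"""
import json

KUBELET_CONFIGZ = json.dumps({"kubeletconfig": {
    "cpuManagerPolicy": "static",
    "topologyManagerPolicy": "single-numa-node",
    "topologyManagerScope": "container",
    "reservedSystemCPUs": "0-1",
}})

# Expected values as they would come from the PDF (key names are assumptions).
PDF_EXPECTED = {"cpuManagerPolicy": "static", "topologyManagerPolicy": "single-numa-node"}


def validate_kubelet_policy(configz_json, expected=PDF_EXPECTED):
    """Return (key, expected, actual) for every mismatch; an empty list is PASS."""
    cfg = json.loads(configz_json)["kubeletconfig"]
    return [(k, v, cfg.get(k)) for k, v in expected.items() if cfg.get(k) != v]


_BIN = {"Ki": 1024, "Mi": 1024 ** 2, "Gi": 1024 ** 3, "Ti": 1024 ** 4}
_DEC = {"k": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9, "T": 10 ** 12}


def parse_quantity(q):
    """Parse a Kubernetes quantity ("500m", "2", "1Gi", "512M") to a number,
    so that "1Gi" and "1024Mi" compare equal the way the API server sees them."""
    q = str(q)
    if q.endswith("m"):
        return float(q[:-1]) / 1000
    for suffix, mult in list(_BIN.items()) + list(_DEC.items()):
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * mult
    return float(q)


def qos_class(spec):
    """Kubernetes QoS rules: Guaranteed when every container has CPU and memory
    limits with requests equal to them (an unset request defaults to the limit);
    BestEffort when nothing is set anywhere; otherwise Burstable."""
    any_set, guaranteed = False, True
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        res = c.get("resources", {})
        req, lim = res.get("requests", {}), res.get("limits", {})
        any_set |= bool(req or lim)
        for r in ("cpu", "memory"):
            if r not in lim:
                guaranteed = False
            elif r in req and parse_quantity(req[r]) != parse_quantity(lim[r]):
                guaranteed = False
    if not any_set:
        return "BestEffort"
    return "Guaranteed" if guaranteed else "Burstable"


def exclusive_cpu_containers(spec):
    """With cpuManagerPolicy=static a container gets pinned, exclusive CPUs only
    when the pod is Guaranteed and its CPU request is a whole number of cores;
    single-numa-node then also requires those cores to fit on one NUMA node."""
    if qos_class(spec) != "Guaranteed":
        return []
    out = []
    for c in spec.get("containers", []):
        lim = c["resources"]["limits"]
        cpu = parse_quantity(c["resources"].get("requests", {}).get("cpu", lim["cpu"]))
        if cpu >= 1 and float(cpu).is_integer():
            out.append((c["name"], int(cpu)))
    return out


# Constructed test pod specs: one that gets pinned CPUs and one that does not.
PINNED_POD = {"containers": [{"name": "dp", "resources": {
    "requests": {"cpu": "2", "memory": "1Gi"},
    "limits": {"cpu": "2", "memory": "1024Mi"}}}]}
BURSTABLE_POD = {"containers": [{"name": "dp", "resources": {
    "requests": {"cpu": "500m", "memory": "256Mi"},
    "limits": {"cpu": "2", "memory": "1Gi"}}}]}

if __name__ == "__main__":
    print("kubelet mismatches:", validate_kubelet_policy(KUBELET_CONFIGZ))
    for label, pod in (("pinned", PINNED_POD), ("burstable", BURSTABLE_POD)):
        print(label, qos_class(pod), exclusive_cpu_containers(pod))
```

The point of the second half is the pod-level test the table asks for: with the static policy, a test pod whose requests differ from its limits, or that asks for a fractional CPU, stays on the shared pool even though the kubelet policy itself is correct, so the node-level and pod-level checks have to be read together.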

5. Networking:
   8. Traffic over the main CNI?
   9. Use of a service mesh?
   10. Approach used for ingress/egress traffic.




6. Virtualization (VMs in K8s):
   14. KubeVirt support.




7. VNF/CNF packaging:
   11. Helm v3 support.
   Any sample Helm v3 CNF package - download and test.
8. Stability:
   13. Liveness, readiness and startup probes -- recovery from failures.
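The stability item above, as an added example that is not the project's own code. The static part checks that each container declares liveness and readiness probes, computes the worst-case time before the kubelet restarts a hung container (initialDelaySeconds plus periodSeconds times failureThreshold, with the Kubernetes defaults of 0, 10 and 3), and flags a liveness probe that uses a long initialDelaySeconds instead of a startupProbe to cover slow starts (a heuristic, with the 30 s threshold and the recovery budget being assumptions rather than PDF values). The runtime part reads recovery from the pod status: a container with restartCount greater than zero that is ready again has recovered on its own. The pod document is constructed.

```python
"""Probe and recovery checks: added example, not the project's own code.

SAMPLE_POD is constructed in the shape of `kubectl get pod <name> -o json`.
"""

# Kubernetes defaults for the probe timing fields.
DEFAULTS = {"initialDelaySeconds": 0, "periodSeconds": 10, "failureThreshold": 3}


def probe_worst_case_seconds(probe):
    """Time from container start until the kubelet acts on a probe that never succeeds."""
    p = {**DEFAULTS, **{k: v for k, v in probe.items() if k in DEFAULTS}}
    return p["initialDelaySeconds"] + p["periodSeconds"] * p["failureThreshold"]


def check_probes(pod, recovery_budget_s=60, slow_start_s=30):
    """Static checks on the pod spec; returns (container, finding) pairs.
    recovery_budget_s and slow_start_s are assumed thresholds, not PDF values."""
    findings = []
    for c in pod["spec"].get("containers", []):
        for kind in ("livenessProbe", "readinessProbe"):
            if kind not in c:
                findings.append((c["name"], f"missing {kind}"))
        live = c.get("livenessProbe")
        if not live:
            continue
        worst = probe_worst_case_seconds(live)
        if worst > recovery_budget_s:
            findings.append((c["name"], f"liveness detection {worst}s exceeds budget"))
        # Heuristic: a long initial delay on the liveness probe is the old way of
        # tolerating slow starts; a startupProbe does that without delaying
        # failure detection for the rest of the container's life.
        if live.get("initialDelaySeconds", 0) >= slow_start_s and "startupProbe" not in c:
            findings.append((c["name"], "long initialDelay but no startupProbe"))
    return findings


def recovered_containers(pod):
    """Runtime evidence of recovery: containers restarted at least once and ready again."""
    out = []
    for cs in pod.get("status", {}).get("containerStatuses", []):
        if cs.get("restartCount", 0) > 0 and cs.get("ready"):
            out.append((cs["name"], cs["restartCount"]))
    return out


# Constructed pod document (not captured from a real cluster).
SAMPLE_POD = {
    "metadata": {"name": "cnf-app-0"},
    "spec": {"containers": [
        {"name": "app",
         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080},
                           "initialDelaySeconds": 60, "periodSeconds": 10,
                           "failureThreshold": 3},
         "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080},
                            "periodSeconds": 5}},
        {"name": "sidecar",
         "readinessProbe": {"tcpSocket": {"port": 9000}}},
    ]},
    "status": {"containerStatuses": [
        {"name": "app", "ready": True, "restartCount": 2},
        {"name": "sidecar", "ready": True, "restartCount": 0},
    ]},
}

if __name__ == "__main__":
    for container, finding in check_probes(SAMPLE_POD):
        print(f"{container}: {finding}")
    print("recovered:", recovered_containers(SAMPLE_POD))
```

Running it on the constructed pod reports the sidecar's missing liveness probe and the app's 90 s worst-case detection time, and shows that the app has already restarted twice and come back ready, which is the "recovery from failures" evidence the check is after.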

   Responsible: Adarsh Yadav
   Status: In progress.

01-August-2021 - 30-August-2021: Improving the SDV architecture (buffer for post-deployment validation).