Add fields for testing

config/certsuite_config.yml

@@ -1,11 +1,13 @@
 targetNameSpaces:
   - name: tnf
+  - name: certsuite-operator
 podsUnderTestLabels:
   - "redhat-best-practices-for-k8s.com/generic: target"
 operatorsUnderTestLabels:
   - "redhat-best-practices-for-k8s.com/operator:target"
   - "redhat-best-practices-for-k8s.com/operator1:new"
   - "cnf/test:cr-scale-operator"
+  - "operators.coreos.com/rh-best-practices-for-k8s-certsuite-operator.certsuite-operator:"
 targetCrdFilters:
   - nameSuffix: "group1.test.com"
     scalable: false

expected_results.yaml

@@ -59,6 +59,7 @@ testCases:
     - operator-single-crd-owner
     - operator-pods-no-hugepages
     - operator-multiple-same-operators
+    - operator-valid-installation-tenant-namespace
     - performance-exclusive-cpu-pool
     - performance-max-resources-exec-probes
     - performance-shared-cpu-pool-non-rt-scheduling-policy       # hazelcast pod meets requirements

tests/identifiers/doclinks.go

@@ -107,6 +107,7 @@ const (
 	TestOperatorNoPrivilegesDocLink                     = DocOperatorRequirement
 	TestOperatorIsCertifiedIdentifierDocLink            = DocOperatorRequirement
 	TestOperatorIsInstalledViaOLMIdentifierDocLink      = DocOperatorRequirement
+	TestOperatorInstallationInTenantNamespaceDocLink    = DocOperatorRequirement
 	TestOperatorHasSemanticVersioningIdentifierDocLink  = DocOperatorRequirement
 	TestOperatorCrdSchemaIdentifierDocLink              = DocOperatorRequirement
 	TestOperatorCrdVersioningIdentifierDocLink          = DocOperatorRequirement

tests/identifiers/identifiers.go

@@ -76,109 +76,109 @@ func AddCatalogEntry(testID, suiteName, description, remediation, exception, ref
 }
 
 var (
-	TestICMPv4ConnectivityIdentifier                      claim.Identifier
-	TestNetworkPolicyDenyAllIdentifier                    claim.Identifier
-	Test1337UIDIdentifier                                 claim.Identifier
-	TestContainerIsCertifiedDigestIdentifier              claim.Identifier
-	TestHelmVersionIdentifier                             claim.Identifier
-	TestPodHugePages2M                                    claim.Identifier
-	TestPodHugePages1G                                    claim.Identifier
-	TestHyperThreadEnable                                 claim.Identifier
-	TestReservedExtendedPartnerPorts                      claim.Identifier
-	TestAffinityRequiredPods                              claim.Identifier
-	TestContainerPostStartIdentifier                      claim.Identifier
-	TestContainerPrestopIdentifier                        claim.Identifier
-	TestDpdkCPUPinningExecProbe                           claim.Identifier
-	TestSysAdminIdentifier                                claim.Identifier
-	TestNetAdminIdentifier                                claim.Identifier
-	TestNetRawIdentifier                                  claim.Identifier
-	TestIpcLockIdentifier                                 claim.Identifier
-	TestBpfIdentifier                                     claim.Identifier
-	TestStorageProvisioner                                claim.Identifier
-	TestExclusiveCPUPoolIdentifier                        claim.Identifier
-	TestSharedCPUPoolSchedulingPolicy                     claim.Identifier
-	TestExclusiveCPUPoolSchedulingPolicy                  claim.Identifier
-	TestIsolatedCPUPoolSchedulingPolicy                   claim.Identifier
-	TestRtAppNoExecProbes                                 claim.Identifier
-	TestRestartOnRebootLabelOnPodsUsingSRIOV              claim.Identifier
-	TestSecConNonRootUserIDIdentifier                     claim.Identifier
-	TestSecConRunAsNonRootIdentifier                      claim.Identifier
-	TestNetworkAttachmentDefinitionSRIOVUsingMTU          claim.Identifier
-	TestSecContextIdentifier                              claim.Identifier
-	TestSecConPrivilegeEscalation                         claim.Identifier
-	TestContainerHostPort                                 claim.Identifier
-	TestPodHostNetwork                                    claim.Identifier
-	TestPodHostPath                                       claim.Identifier
-	TestPodHostIPC                                        claim.Identifier
-	TestPodHostPID                                        claim.Identifier
-	TestHugepagesNotManuallyManipulated                   claim.Identifier
-	TestICMPv6ConnectivityIdentifier                      claim.Identifier
-	TestICMPv4ConnectivityMultusIdentifier                claim.Identifier
-	TestICMPv6ConnectivityMultusIdentifier                claim.Identifier
-	TestServiceDualStackIdentifier                        claim.Identifier
-	TestNamespaceBestPracticesIdentifier                  claim.Identifier
-	TestNonTaintedNodeKernelsIdentifier                   claim.Identifier
-	TestOperatorInstallStatusSucceededIdentifier          claim.Identifier
-	TestOperatorNoSCCAccess                               claim.Identifier
-	TestOperatorIsCertifiedIdentifier                     claim.Identifier
-	TestHelmIsCertifiedIdentifier                         claim.Identifier
-	TestOperatorIsInstalledViaOLMIdentifier               claim.Identifier
-	TestOperatorHasSemanticVersioningIdentifier           claim.Identifier
-	TestSecConReadOnlyFilesystem                          claim.Identifier
-	TestOperatorOlmSkipRange                              claim.Identifier
-	TestOperatorAutomountTokens                           claim.Identifier
-	TestOperatorRunAsNonRoot                              claim.Identifier
-	TestOperatorRunAsUserID                               claim.Identifier
-	TestOperatorCrdVersioningIdentifier                   claim.Identifier
-	TestOperatorCrdSchemaIdentifier                       claim.Identifier
-	TestOperatorSingleCrdOwnerIdentifier                  claim.Identifier
-	TestOperatorPodsNoHugepages                           claim.Identifier
-	TestMultipleSameOperatorsIdentifier                   claim.Identifier
-	TestInstalledSingleNamespaceOperatorInTenantNamespace claim.Identifier
-	TestPodNodeSelectorAndAffinityBestPractices           claim.Identifier
-	TestPodHighAvailabilityBestPractices                  claim.Identifier
-	TestPodClusterRoleBindingsBestPracticesIdentifier     claim.Identifier
-	TestPodDeploymentBestPracticesIdentifier              claim.Identifier
-	TestDeploymentScalingIdentifier                       claim.Identifier
-	TestStatefulSetScalingIdentifier                      claim.Identifier
-	TestImagePullPolicyIdentifier                         claim.Identifier
-	TestPodRecreationIdentifier                           claim.Identifier
-	TestPodRoleBindingsBestPracticesIdentifier            claim.Identifier
-	TestPodServiceAccountBestPracticesIdentifier          claim.Identifier
-	TestPodAutomountServiceAccountIdentifier              claim.Identifier
-	TestServicesDoNotUseNodeportsIdentifier               claim.Identifier
-	TestUnalteredBaseImageIdentifier                      claim.Identifier
-	TestUnalteredStartupBootParamsIdentifier              claim.Identifier
-	TestLoggingIdentifier                                 claim.Identifier
-	TestTerminationMessagePolicyIdentifier                claim.Identifier
-	TestCrdsStatusSubresourceIdentifier                   claim.Identifier
-	TestSysctlConfigsIdentifier                           claim.Identifier
-	TestServiceMeshIdentifier                             claim.Identifier
-	TestOCPLifecycleIdentifier                            claim.Identifier
-	TestNodeOperatingSystemIdentifier                     claim.Identifier
-	TestIsRedHatReleaseIdentifier                         claim.Identifier
-	TestIsSELinuxEnforcingIdentifier                      claim.Identifier
-	TestUndeclaredContainerPortsUsage                     claim.Identifier
-	TestOCPReservedPortsUsage                             claim.Identifier
-	TestLivenessProbeIdentifier                           claim.Identifier
-	TestReadinessProbeIdentifier                          claim.Identifier
-	TestStartupProbeIdentifier                            claim.Identifier
-	TestOneProcessPerContainerIdentifier                  claim.Identifier
-	TestSYSNiceRealtimeCapabilityIdentifier               claim.Identifier
-	TestSysPtraceCapabilityIdentifier                     claim.Identifier
-	TestPodRequestsAndLimitsIdentifier                    claim.Identifier
-	TestNamespaceResourceQuotaIdentifier                  claim.Identifier
-	TestPodDisruptionBudgetIdentifier                     claim.Identifier
-	TestAPICompatibilityWithNextOCPReleaseIdentifier      claim.Identifier
-	TestPodTolerationBypassIdentifier                     claim.Identifier
-	TestPersistentVolumeReclaimPolicyIdentifier           claim.Identifier
-	TestContainersImageTag                                claim.Identifier
-	TestNoSSHDaemonsAllowedIdentifier                     claim.Identifier
-	TestCPUIsolationIdentifier                            claim.Identifier
-	TestContainerPortNameFormat                           claim.Identifier
-	TestCrdScalingIdentifier                              claim.Identifier
-	TestCrdRoleIdentifier                                 claim.Identifier
-	TestLimitedUseOfExecProbesIdentifier                  claim.Identifier
+	TestICMPv4ConnectivityIdentifier                  claim.Identifier
+	TestNetworkPolicyDenyAllIdentifier                claim.Identifier
+	Test1337UIDIdentifier                             claim.Identifier
+	TestContainerIsCertifiedDigestIdentifier          claim.Identifier
+	TestHelmVersionIdentifier                         claim.Identifier
+	TestPodHugePages2M                                claim.Identifier
+	TestPodHugePages1G                                claim.Identifier
+	TestHyperThreadEnable                             claim.Identifier
+	TestReservedExtendedPartnerPorts                  claim.Identifier
+	TestAffinityRequiredPods                          claim.Identifier
+	TestContainerPostStartIdentifier                  claim.Identifier
+	TestContainerPrestopIdentifier                    claim.Identifier
+	TestDpdkCPUPinningExecProbe                       claim.Identifier
+	TestSysAdminIdentifier                            claim.Identifier
+	TestNetAdminIdentifier                            claim.Identifier
+	TestNetRawIdentifier                              claim.Identifier
+	TestIpcLockIdentifier                             claim.Identifier
+	TestBpfIdentifier                                 claim.Identifier
+	TestStorageProvisioner                            claim.Identifier
+	TestExclusiveCPUPoolIdentifier                    claim.Identifier
+	TestSharedCPUPoolSchedulingPolicy                 claim.Identifier
+	TestExclusiveCPUPoolSchedulingPolicy              claim.Identifier
+	TestIsolatedCPUPoolSchedulingPolicy               claim.Identifier
+	TestRtAppNoExecProbes                             claim.Identifier
+	TestRestartOnRebootLabelOnPodsUsingSRIOV          claim.Identifier
+	TestSecConNonRootUserIDIdentifier                 claim.Identifier
+	TestSecConRunAsNonRootIdentifier                  claim.Identifier
+	TestNetworkAttachmentDefinitionSRIOVUsingMTU      claim.Identifier
+	TestSecContextIdentifier                          claim.Identifier
+	TestSecConPrivilegeEscalation                     claim.Identifier
+	TestContainerHostPort                             claim.Identifier
+	TestPodHostNetwork                                claim.Identifier
+	TestPodHostPath                                   claim.Identifier
+	TestPodHostIPC                                    claim.Identifier
+	TestPodHostPID                                    claim.Identifier
+	TestHugepagesNotManuallyManipulated               claim.Identifier
+	TestICMPv6ConnectivityIdentifier                  claim.Identifier
+	TestICMPv4ConnectivityMultusIdentifier            claim.Identifier
+	TestICMPv6ConnectivityMultusIdentifier            claim.Identifier
+	TestServiceDualStackIdentifier                    claim.Identifier
+	TestNamespaceBestPracticesIdentifier              claim.Identifier
+	TestNonTaintedNodeKernelsIdentifier               claim.Identifier
+	TestOperatorInstallStatusSucceededIdentifier      claim.Identifier
+	TestOperatorNoSCCAccess                           claim.Identifier
+	TestOperatorIsCertifiedIdentifier                 claim.Identifier
+	TestHelmIsCertifiedIdentifier                     claim.Identifier
+	TestOperatorIsInstalledViaOLMIdentifier           claim.Identifier
+	TestOperatorHasSemanticVersioningIdentifier       claim.Identifier
+	TestSecConReadOnlyFilesystem                      claim.Identifier
+	TestOperatorOlmSkipRange                          claim.Identifier
+	TestOperatorAutomountTokens                       claim.Identifier
+	TestOperatorRunAsNonRoot                          claim.Identifier
+	TestOperatorRunAsUserID                           claim.Identifier
+	TestOperatorCrdVersioningIdentifier               claim.Identifier
+	TestOperatorCrdSchemaIdentifier                   claim.Identifier
+	TestOperatorSingleCrdOwnerIdentifier              claim.Identifier
+	TestOperatorPodsNoHugepages                       claim.Identifier
+	TestMultipleSameOperatorsIdentifier               claim.Identifier
+	TestOperatorInstallationInTenantNamespace         claim.Identifier
+	TestPodNodeSelectorAndAffinityBestPractices       claim.Identifier
+	TestPodHighAvailabilityBestPractices              claim.Identifier
+	TestPodClusterRoleBindingsBestPracticesIdentifier claim.Identifier
+	TestPodDeploymentBestPracticesIdentifier          claim.Identifier
+	TestDeploymentScalingIdentifier                   claim.Identifier
+	TestStatefulSetScalingIdentifier                  claim.Identifier
+	TestImagePullPolicyIdentifier                     claim.Identifier
+	TestPodRecreationIdentifier                       claim.Identifier
+	TestPodRoleBindingsBestPracticesIdentifier        claim.Identifier
+	TestPodServiceAccountBestPracticesIdentifier      claim.Identifier
+	TestPodAutomountServiceAccountIdentifier          claim.Identifier
+	TestServicesDoNotUseNodeportsIdentifier           claim.Identifier
+	TestUnalteredBaseImageIdentifier                  claim.Identifier
+	TestUnalteredStartupBootParamsIdentifier          claim.Identifier
+	TestLoggingIdentifier                             claim.Identifier
+	TestTerminationMessagePolicyIdentifier            claim.Identifier
+	TestCrdsStatusSubresourceIdentifier               claim.Identifier
+	TestSysctlConfigsIdentifier                       claim.Identifier
+	TestServiceMeshIdentifier                         claim.Identifier
+	TestOCPLifecycleIdentifier                        claim.Identifier
+	TestNodeOperatingSystemIdentifier                 claim.Identifier
+	TestIsRedHatReleaseIdentifier                     claim.Identifier
+	TestIsSELinuxEnforcingIdentifier                  claim.Identifier
+	TestUndeclaredContainerPortsUsage                 claim.Identifier
+	TestOCPReservedPortsUsage                         claim.Identifier
+	TestLivenessProbeIdentifier                       claim.Identifier
+	TestReadinessProbeIdentifier                      claim.Identifier
+	TestStartupProbeIdentifier                        claim.Identifier
+	TestOneProcessPerContainerIdentifier              claim.Identifier
+	TestSYSNiceRealtimeCapabilityIdentifier           claim.Identifier
+	TestSysPtraceCapabilityIdentifier                 claim.Identifier
+	TestPodRequestsAndLimitsIdentifier                claim.Identifier
+	TestNamespaceResourceQuotaIdentifier              claim.Identifier
+	TestPodDisruptionBudgetIdentifier                 claim.Identifier
+	TestAPICompatibilityWithNextOCPReleaseIdentifier  claim.Identifier
+	TestPodTolerationBypassIdentifier                 claim.Identifier
+	TestPersistentVolumeReclaimPolicyIdentifier       claim.Identifier
+	TestContainersImageTag                            claim.Identifier
+	TestNoSSHDaemonsAllowedIdentifier                 claim.Identifier
+	TestCPUIsolationIdentifier                        claim.Identifier
+	TestContainerPortNameFormat                       claim.Identifier
+	TestCrdScalingIdentifier                          claim.Identifier
+	TestCrdRoleIdentifier                             claim.Identifier
+	TestLimitedUseOfExecProbesIdentifier              claim.Identifier
 	// Chaos Testing
 	// TestPodDeleteIdentifier claim.Identifier
 )
@@ -973,6 +973,22 @@ that Node's kernel may not have the same hacks.'`,
 		},
 		TagCommon)
 
+	TestOperatorInstallationInTenantNamespace = AddCatalogEntry(
+		"valid-installation-tenant-namespace",
+		common.OperatorTestKey,
+		`Tests whether operator installation is valid in tenant namespace.`,
+		OperatorInstallationInTenantNamespaceRemediation,
+		NoExceptions,
+		TestOperatorInstallationInTenantNamespaceDocLink,
+		false,
+		map[string]string{
+			FarEdge:  Mandatory,
+			Telco:    Mandatory,
+			NonTelco: Mandatory,
+			Extended: Mandatory,
+		},
+		TagCommon)
+
 	TestOperatorHasSemanticVersioningIdentifier = AddCatalogEntry(
 		"semantic-versioning",
 		common.OperatorTestKey,

tests/identifiers/remediation.go

@@ -103,6 +103,8 @@ const (
 
 	MultipleSameOperatorsRemediation = `Ensure that only one Operator of the same type is installed in the cluster.`
 
+	OperatorInstallationInTenantNamespaceRemediation = `Ensure that operator with install mode SingleNamespace only is installed in the tenant namespace.`
+
 	PodNodeSelectorAndAffinityBestPracticesRemediation = `In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which workloads require specialized hardware specific to a particular class of Node.`
 
 	PodHighAvailabilityBestPracticesRemediation = `In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 .`

tests/operator/suite.go

@@ -118,24 +118,24 @@ func LoadChecks() {
 			return nil
 		}))
 
-	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestInstalledSingleNamespaceOperatorInTenantNamespace)).
+	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestOperatorInstallationInTenantNamespace)).
 		WithSkipCheckFn(testhelper.GetNoOperatorsSkipFn(&env)).
 		WithCheckFn(func(c *checksdb.Check) error {
-			testInstalledSingleNamespaceOperatorInTenanttNamespace(c, &env)
+			testOperatorInstallationInTenantNamespace(c, &env)
 			return nil
 		}))
-
 }
 
 /*
 Checks :
 
- 1. Operators whose InstallTypeMode is not SingleNamespace must not be installed in the namespaces specified by targetNamespace
-    in the OperatorGroup of the operators
+ 1. Operators whose InstallTypeMode is not SingleNamespace must not be installed in the namespaces
+    specified by targetNamespace in the OperatorGroup of the operators
 
  2. Operators that are SingleNamespace must have CRs in only tenant namespace
 */
-func testInstalledSingleNamespaceOperatorInTenanttNamespace(check *checksdb.Check, env *provider.TestEnvironment) {
+func testOperatorInstallationInTenantNamespace(check *checksdb.Check,
+	env *provider.TestEnvironment) {
 	check.LogInfo("Starting testInstalledSingleNamespaceOperatorInTenanttNamespace")
 	var compliantObjects []*testhelper.ReportObject
 	var nonCompliantObjects []*testhelper.ReportObject