Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #6813 from JAORMX/ocp4-multiple-versions
OCP4: Address flowschema version change by handling different OCP versions
- Loading branch information
Showing
18 changed files
with
215 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
File renamed without changes.
2 changes: 2 additions & 0 deletions
2
...ions/openshift/api-server/api_server_api_priority_flowschema_catch_all/tests/ocp4/4.6.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: NOT-APPLICABLE |
2 changes: 2 additions & 0 deletions
2
...ions/openshift/api-server/api_server_api_priority_flowschema_catch_all/tests/ocp4/4.7.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: NOT-APPLICABLE |
2 changes: 2 additions & 0 deletions
2
...ions/openshift/api-server/api_server_api_priority_flowschema_catch_all/tests/ocp4/4.8.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
2 changes: 2 additions & 0 deletions
2
...ions/openshift/api-server/api_server_api_priority_flowschema_catch_all/tests/ocp4/4.9.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
67 changes: 67 additions & 0 deletions
67
...tions/openshift/api-server/api_server_api_priority_v1alpha1_flowschema_catch_all/rule.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,67 @@ | ||
documentation_complete: true | ||
|
||
prodtype: ocp4 | ||
|
||
title: 'Ensure catch-all FlowSchema object for API Priority and Fairness Exists (v1alpha1)' | ||
|
||
description: |- | ||
Using <tt>APIPriorityAndFairness</tt> feature provides a fine-grained way | ||
to control the behaviour of the Kubernetes API server in an overload | ||
situation. The well-known FlowSchema <tt>catch-all</tt> should be available | ||
to make sure that every request gets some kind of classification. By default, | ||
the <tt>catch-all</tt> priority level only allows one concurrency share and | ||
does not queue requests. To inspect all the <tt>FlowSchema</tt> objects, run: | ||
<pre>oc get flowschema</pre> | ||
To inspect the well-known <tt>catch-all</tt> object, run the following: | ||
<pre>oc describe flowschema catch-all</pre> | ||
rationale: |- | ||
The <tt>FlowSchema</tt> API objects enforce a limit on the | ||
number of events that the API Server will accept in a given time slice | ||
In a large multi-tenant cluster, there might be a small percentage of | ||
misbehaving tenants which could have a significant impact on the | ||
performance of the cluster overall. It is recommended to limit the rate | ||
of events that the API Server will accept. | ||
identifiers: | ||
cce@ocp4: CCE-84002-5 | ||
|
||
|
||
platforms: | ||
- ocp4.6 | ||
- ocp4.7 | ||
|
||
severity: medium | ||
|
||
references: | ||
cis@ocp4: 1.2.10 | ||
|
||
ocil_clause: 'A FlowSchema object <tt>catch-all</tt> exists' | ||
|
||
ocil: |- | ||
Run the following commands: | ||
<pre>oc get flowschema</pre> | ||
and inspect the FlowSchema objects. Make sure that at least the <tt>catch-all</tt> | ||
object exists by calling: | ||
<pre>oc describe flowschema catch-all</pre> | ||
warnings: | ||
- general: |- | ||
{{{ openshift_cluster_setting("/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all") | indent(4) }}} | ||
- dependency: |- | ||
Note that this rule is only applicable in OpenShift Container Platform | ||
versions 4.7 and below. | ||
template: | ||
name: yamlfile_value | ||
vars: | ||
ocp_data: "true" | ||
filepath: "/apis/flowcontrol.apiserver.k8s.io/v1alpha1/flowschemas/catch-all" | ||
yamlpath: '.spec.rules[0].subjects[:].group["name"]' | ||
check_existence: "at_least_one_exists" | ||
entity_check: "at least one" | ||
values: | ||
- value: "system:authenticated" | ||
operation: "pattern match" | ||
check_existence: "at_least_one_exists" | ||
entity_check: "at least one" |
2 changes: 2 additions & 0 deletions
2
...ift/api-server/api_server_api_priority_v1alpha1_flowschema_catch_all/tests/ocp4/4.10.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: NOT-APPLICABLE |
2 changes: 2 additions & 0 deletions
2
...hift/api-server/api_server_api_priority_v1alpha1_flowschema_catch_all/tests/ocp4/4.6.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
2 changes: 2 additions & 0 deletions
2
...hift/api-server/api_server_api_priority_v1alpha1_flowschema_catch_all/tests/ocp4/4.7.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: PASS |
2 changes: 2 additions & 0 deletions
2
...hift/api-server/api_server_api_priority_v1alpha1_flowschema_catch_all/tests/ocp4/4.8.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: NOT-APPLICABLE |
2 changes: 2 additions & 0 deletions
2
...hift/api-server/api_server_api_priority_v1alpha1_flowschema_catch_all/tests/ocp4/4.9.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,2 @@ | ||
--- | ||
default_result: NOT-APPLICABLE |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -396,7 +396,6 @@ CCE-83998-5 | |
CCE-83999-3 | ||
CCE-84000-9 | ||
CCE-84001-7 | ||
CCE-84002-5 | ||
CCE-84003-3 | ||
CCE-84004-1 | ||
CCE-84005-8 | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters