Red Hat OpenShift Control Planes / CNTRLPLANE-2631

Implement Kernel-Level Isolation E2E Test Utilities (test/e2e/util/isolation.go)


      Objective

      Create test utility functions in test/e2e/util/isolation.go to validate kernel-level isolation for HyperShift Hosted Control Planes on the KubeVirt platform.

      Parent Work Item

      This task is part of CNTRLPLANE-2630: E2E test for OCPSTRAT-2217 VM-level and Hosted Cluster Isolation levels

      Deliverables

      Create test/e2e/util/isolation.go with the following functions:

      Core Validation Functions:

      • EnsureKernelLevelIsolation() - Main validation function that:
        • Compares management cluster kernel vs guest cluster kernel
        • Validates separate kernel instances via NodeInfo
        • Proves VM-based isolation
        • Logs evidence for documentation
      • EnsureVMLauncherNetworkPolicies() - Validates NetworkPolicy enforcement:
        • Verifies VirtLauncher NetworkPolicy exists
        • Checks correct pod selectors (kubevirt.io=virt-launcher, infraID)
        • Validates Ingress and Egress rules
        • Confirms egress rules block management cluster networks

      Helper Functions:

      • GetKernelVersion() - Retrieves kernel version from node:
        • Uses node.Status.NodeInfo.KernelVersion
        • Works for both management and guest clusters
        • Returns clean kernel version string
      • GetProcVersion() - Retrieves detailed OS/kernel info:
        • Uses node.Status.NodeInfo.KernelVersion + OSImage
        • Provides comprehensive version comparison
        • Returns combined string for evidence

      Implementation Details

      // Function signatures
      func EnsureKernelLevelIsolation(t *testing.T, ctx context.Context, mgtClient crclient.Client, hc *hyperv1.HostedCluster)
      func EnsureVMLauncherNetworkPolicies(t *testing.T, ctx context.Context, client crclient.Client, hc *hyperv1.HostedCluster)
      func GetKernelVersion(t *testing.T, ctx context.Context, config *rest.Config, nodeName string) string
      func GetProcVersion(t *testing.T, ctx context.Context, config *rest.Config, nodeName string) string
      

      Acceptance Criteria

      • All functions follow Go coding principles:
        • Line of sight rule (early returns, no nesting)
        • No else blocks
        • Immediate error handling with context wrapping
        • No panic in application logic
      • Functions use existing test patterns from test/e2e/util/util.go
      • Proper Gomega assertions (NewWithT, Expect, NotTo, BeEmpty, etc.)
      • Functions skip gracefully on non-KubeVirt platforms
      • Code passes gofmt and golangci-lint
      • Clear logging for test evidence

      Technical Notes

      • Use WaitForGuestRestConfig() to get guest cluster access
      • Use WaitForGuestClient() to get guest cluster client
      • Use EventuallyObject() for async validation with predicates
      • Reference VirtLauncher NetworkPolicy: hypershift-operator/controllers/manifests/networkpolicy.VirtLauncherNetworkPolicy()
      • Control plane namespace format: clusters-[hostedClusterName]

      Example Test Flow

      # Get management cluster config and nodes
      # Get guest cluster config and nodes (via WaitForGuestClient)
      # Get kernel version from management node → "5.14.0-284.el9.x86_64"
      # Get kernel version from guest node → "5.14.0-162.el9.x86_64"
      # Compare and log differences → PROOF of separate kernels
      # Validate VirtLauncher NetworkPolicy exists
      # Verify policy selectors and rules
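
The kernel comparison step of the flow above, as an added example that is not the HyperShift project's code. It assumes a local `nodeInfo` struct standing in for the `node.Status.NodeInfo` fields, with constructed BootID and OS image values. It goes one step beyond the ticket by also comparing `BootID`, so two clusters running the same OS build still yield evidence of separate kernel instances.

```go
package main

import (
	"errors"
	"fmt"
)

// nodeInfo is a local stand-in for the NodeInfo fields used here (assumption).
type nodeInfo struct {
	Name, KernelVersion, OSImage, BootID string
}

// kernelIsolationEvidence compares every guest node with every management node.
// A shared BootID means both nodes report the same running kernel instance and
// fails; equal KernelVersion strings alone do not fail, since both clusters
// may run the same OS build.
func kernelIsolationEvidence(mgmt, guest []nodeInfo) ([]string, error) {
	if len(mgmt) == 0 || len(guest) == 0 {
		return nil, errors.New("need at least one management and one guest node")
	}
	mgmtBoot := map[string]string{} // BootID -> management node name
	for _, m := range mgmt {
		if m.BootID == "" {
			return nil, fmt.Errorf("management node %s reports no BootID", m.Name)
		}
		mgmtBoot[m.BootID] = m.Name
	}
	var evidence []string
	for _, g := range guest {
		if g.BootID == "" || g.KernelVersion == "" {
			return nil, fmt.Errorf("guest node %s has incomplete NodeInfo", g.Name)
		}
		if host, shared := mgmtBoot[g.BootID]; shared {
			return nil, fmt.Errorf("guest node %s shares BootID with management node %s", g.Name, host)
		}
		for _, m := range mgmt {
			evidence = append(evidence, fmt.Sprintf("guest %s kernel=%q os=%q | mgmt %s kernel=%q os=%q | same version=%t",
				g.Name, g.KernelVersion, g.OSImage, m.Name, m.KernelVersion, m.OSImage, g.KernelVersion == m.KernelVersion))
		}
	}
	return evidence, nil
}

func main() {
	// Constructed sample data; the kernel strings are those from the test flow.
	mgmt := []nodeInfo{{"mgmt-0", "5.14.0-284.el9.x86_64", "constructed-os-a", "boot-aaaa"}}
	guest := []nodeInfo{{"guest-0", "5.14.0-162.el9.x86_64", "constructed-os-b", "boot-bbbb"}}
	fmt.Println(kernelIsolationEvidence(mgmt, guest))
}
```

In the real utility the two slices would be filled from the management client and the client returned by WaitForGuestClient(), and the evidence lines written with t.Logf.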
      

      Files to Reference

      • test/e2e/util/util.go - Existing utility patterns
      • test/e2e/nodepool_kv_multinet_test.go - KubeVirt test examples
      • hypershift-operator/controllers/hostedcluster/network_policies.go - NetworkPolicy reconciliation
      • hypershift-operator/controllers/manifests/networkpolicy/ - NetworkPolicy manifests

      Estimated Time

      2-3 days

              wk2019 Ke Wang