Task
Resolution: Unresolved
Normal
Quality / Stability / Reliability
Objective
Create an E2E test, test/e2e/isolation_kubevirt_test.go, that validates kernel-level isolation for the KubeVirt platform using the utilities from test/e2e/util/isolation.go.
Parent Work Item
This task is part of CNTRLPLANE-2630: E2E test for OCPSTRAT-2217 VM-level and Hosted Cluster Isolation levels
Deliverables
Create test/e2e/isolation_kubevirt_test.go with:
Main Test Function:
- TestKubevirtKernelLevelIsolation - E2E test that:
  - Skips if platform is not KubeVirt
  - Uses e2eutil.NewHypershiftTest framework
  - Calls EnsureKernelLevelIsolation() to validate kernel isolation
  - Calls EnsureVMLauncherNetworkPolicies() to validate NetworkPolicy
  - Logs comprehensive evidence for documentation
  - Runs in parallel with other tests
Test Structure
//go:build e2e

package e2e

import (
	"context"
	"testing"

	. "github.com/onsi/gomega"
	hyperv1 "github.com/openshift/hypershift/api/hypershift/v1beta1"
	e2eutil "github.com/openshift/hypershift/test/e2e/util"
	crclient "sigs.k8s.io/controller-runtime/pkg/client"
)

func TestKubevirtKernelLevelIsolation(t *testing.T) {
	// Kernel-level isolation only applies where guest nodes are KubeVirt VMs.
	if globalOpts.Platform != hyperv1.KubevirtPlatform {
		t.Skip("Kernel-level isolation test requires KubeVirt platform")
	}
	t.Parallel()

	ctx, cancel := context.WithCancel(testContext)
	defer cancel()

	clusterOpts := globalOpts.DefaultClusterOptions(t)

	e2eutil.NewHypershiftTest(t, ctx, func(t *testing.T, g Gomega, mgtClient crclient.Client, hostedCluster *hyperv1.HostedCluster) {
		// Validate kernel-level isolation
		e2eutil.EnsureKernelLevelIsolation(t, ctx, mgtClient, hostedCluster)

		// Validate NetworkPolicy enforcement
		e2eutil.EnsureVMLauncherNetworkPolicies(t, ctx, mgtClient, hostedCluster)

		t.Logf("✓ KERNEL-LEVEL ISOLATION VALIDATED")
	}).Execute(&clusterOpts, globalOpts.Platform, globalOpts.ArtifactDir, "kernel-isolation", globalOpts.ServiceAccountSigningKey)
}
Acceptance Criteria
- Test passes on KubeVirt platform with real hosted cluster
- Test demonstrates kernel isolation evidence:
  - Different kernel versions between management and guest
  - VirtLauncher NetworkPolicy applied correctly
  - Clear log output showing proof of isolation
- Test skips gracefully on non-KubeVirt platforms
- Test runs in parallel with other E2E tests (t.Parallel())
- Test follows existing HyperShift test patterns
- Build tag //go:build e2e at top of file
- Code passes gofmt and golangci-lint
Expected Test Output
=== RUN TestKubevirtKernelLevelIsolation
isolation_kubevirt_test.go:25: Starting kernel-level isolation validation for cluster clusters/test-cluster
isolation_kubevirt_test.go:28: Validating kernel-level isolation for cluster test-cluster
isolation_kubevirt_test.go:75: Management cluster kernel: 5.14.0-284.el9.x86_64
isolation_kubevirt_test.go:78: Guest cluster kernel: 5.14.0-162.el9.x86_64
isolation_kubevirt_test.go:95: ✓ Kernel-level isolation VALIDATED: Separate kernel instances confirmed
isolation_kubevirt_test.go:160: ✓ VirtLauncher NetworkPolicy VALIDATED
isolation_kubevirt_test.go:35: ✓ KERNEL-LEVEL ISOLATION VALIDATED for cluster test-cluster
--- PASS: TestKubevirtKernelLevelIsolation (180.23s)
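The evidence in the output above is a difference in kernel version strings, which stops being conclusive once the management and guest nodes run the same kernel build. The following added example (not HyperShift code and not the implementation of EnsureKernelLevelIsolation) goes one step further and also compares the boot ID each node reports in status.nodeInfo. The NodeKernel type, the verdict names and the boot ID values are assumptions made for this sketch.

```go
package main

import "fmt"

// NodeKernel mirrors two status.nodeInfo fields of a Kubernetes Node.
// Hypothetical type for this example; an E2E test would read corev1.Node.
type NodeKernel struct{ Name, KernelVersion, BootID string }

// Verdicts returned by CompareKernels (names are this example's own).
const (
	Isolated     = "isolated"
	SharedKernel = "shared-kernel"
	Inconclusive = "inconclusive"
)

// CompareKernels reports whether any guest node runs on a management node's
// kernel. The kernel generates a boot ID once per boot, so equal boot IDs mean
// one kernel instance; equal version strings alone do not.
func CompareKernels(mgmt, guest []NodeKernel) (verdict, detail string) {
	if len(mgmt) == 0 || len(guest) == 0 {
		return Inconclusive, "no nodes to compare"
	}
	hostByBoot, versions := map[string]string{}, map[string]bool{}
	for _, n := range mgmt {
		if n.BootID == "" {
			return Inconclusive, n.Name + " reports no boot ID"
		}
		hostByBoot[n.BootID], versions[n.KernelVersion] = n.Name, true
	}
	sameVersion := 0
	for _, n := range guest {
		if n.BootID == "" {
			return Inconclusive, n.Name + " reports no boot ID"
		}
		if host, ok := hostByBoot[n.BootID]; ok {
			return SharedKernel, n.Name + " shares a boot ID with " + host
		}
		if versions[n.KernelVersion] {
			sameVersion++
		}
	}
	return Isolated, fmt.Sprintf("no shared boot ID; %d guest node(s) match a management kernel version", sameVersion)
}

func main() {
	// Constructed sample: kernel versions from the expected output above, boot IDs made up.
	mgmt := []NodeKernel{{"mgmt-0", "5.14.0-284.el9.x86_64", "constructed-boot-id-a"}}
	guest := []NodeKernel{{"guest-0", "5.14.0-162.el9.x86_64", "constructed-boot-id-b"}}
	fmt.Println(CompareKernels(mgmt, guest))
}
```

A guest node whose kernel version matches a management node still yields the isolated verdict as long as its boot ID is distinct, so the check keeps working after both sides are upgraded to the same build.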
Test Execution
# Build test binary
make e2e

# Run kernel isolation test
./bin/test-e2e \
  -test.run TestKubevirtKernelLevelIsolation \
  -test.v \
  -test.timeout=2h \
  -e2e.platform=kubevirt \
  -e2e.artifact-dir=./artifacts
Files to Reference
- test/e2e/create_cluster_test.go - Test pattern examples (TestCreateClusterRequestServingIsolation)
- test/e2e/nodepool_kv_multinet_test.go - KubeVirt test patterns
- test/e2e/util/hypershift_framework.go - NewHypershiftTest framework
Dependencies
- Requires test/e2e/util/isolation.go to be implemented first
- Requires KubeVirt test environment
- Requires HyperShift operator installed
Estimated Time
2-3 days (including local testing and debugging)