• Type: Task
    • Resolution: Done
    • Priority: Major
    • opct-v0.2.0

The provider certification tool needs to use dedicated mode by default to prevent random certification failures.

      It needs to use dedicated mode by default because some of the Kubernetes e2e tests apply taints to nodes (that is one of the things they test), and if a taint happens to land on the node where the sonobuoy/plugin Pods are running it will kill the certification process.

      If we use dedicated mode, the taints won't be applied to the dedicated node; the way the e2e tests choose a node works in our favor.

      There are 2 requirements for this task:

1. Update the tool code so dedicated mode is used by default. Invert the command line option. In other words, default `--dedicated` to true.
      2. Update documentation that suggests dedicated mode is optional.
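The taint argument above, as an added illustration that is not OPCT code: a small Go model of Kubernetes taint/toleration matching that asks whether an e2e taint test can evict the plugin pod. It assumes that e2e taint tests pick only nodes that carry no taints yet, and that dedicated mode taints the labelled node with key node-role.kubernetes.io/tests (the page shows only the node label); the e2e taint key is constructed.

```go
package main

import "fmt"

// Constructed model (not OPCT code) of Kubernetes taint matching, to show why a
// dedicated, tainted node keeps the plugin pods clear of e2e taint tests.
type Taint struct{ Key, Value, Effect string }
type Node struct { Name string; Taints []Taint }
type Pod struct { Name, NodeName string; Tolerations []Taint }

// tolerated follows the Kubernetes rule: key and effect must match, and the
// toleration value must be empty (wildcard) or equal to the taint value.
func tolerated(p Pod, t Taint) bool {
	for _, tol := range p.Tolerations {
		if tol.Key == t.Key && tol.Effect == t.Effect && (tol.Value == "" || tol.Value == t.Value) {
			return true
		}
	}
	return false
}

// Evicted: a NoExecute taint on the pod's own node evicts it unless tolerated.
func Evicted(p Pod, n Node, t Taint) bool {
	return p.NodeName == n.Name && t.Effect == "NoExecute" && !tolerated(p, t)
}

// PluginAtRisk asks the issue's question: could an e2e taint test evict the
// plugin pod? Assumption: e2e tests only pick nodes that carry no taints yet,
// so the tainted dedicated node is never a candidate.
func PluginAtRisk(plugin Pod, nodes []Node, e2eTaint Taint) bool {
	for _, n := range nodes {
		if len(n.Taints) == 0 && Evicted(plugin, n, e2eTaint) {
			return true
		}
	}
	return false
}

// Assumed dedicated-mode taint; the page only shows the matching node label
// node-role.kubernetes.io/tests=''.
var TestsTaint = Taint{Key: "node-role.kubernetes.io/tests", Effect: "NoSchedule"}

func main() {
	e2e := Taint{Key: "example.com/e2e-taint", Value: "x", Effect: "NoExecute"} // constructed
	workers := []Node{{Name: "worker-a"}, {Name: "worker-b"}}
	shared := Pod{Name: "sonobuoy", NodeName: "worker-a"} // non-dedicated placement
	fmt.Println("shared worker at risk:", PluginAtRisk(shared, workers, e2e)) // true
	tests := Node{Name: "ip-10-0-49-138", Taints: []Taint{TestsTaint}}
	dedicated := Pod{Name: "sonobuoy", NodeName: tests.Name, Tolerations: []Taint{TestsTaint}}
	fmt.Println("dedicated node at risk:", PluginAtRisk(dedicated, append(workers, tests), e2e)) // false
}
```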

            [OPCT-109] [opct][cli] Dedicated mode must be default

            Marco Braga added a comment -

Both documentation PRs and the CLI have been merged. Testing the latest CLI, including the remaining PR for v0.2, and it gets dedicated as the default (without using the flag):

            $ oc get nodes -l node-role.kubernetes.io/tests=''
            NAME             STATUS   ROLES          AGE    VERSION
            ip-10-0-49-138   Ready    tests,worker   117m   v1.24.6+5157800
            
            $ oc get pods -n openshift-provider-certification -o wide
            NAME                                                               READY   STATUS      RESTARTS   AGE   IP            NODE             NOMINATED NODE   READINESS GATES
            sonobuoy                                                           1/1     Running     0          34m   10.131.0.12   ip-10-0-49-138   <none>           <none>
            sonobuoy-10-openshift-kube-conformance-job-bb1d2497f5814bad        0/3     Completed   0          34m   10.131.0.15   ip-10-0-49-138   <none>           <none>
            sonobuoy-20-openshift-conformance-validated-job-bdf0a74232f04dbd   3/3     Running     0          34m   10.131.0.13   ip-10-0-49-138   <none>           <none>
            sonobuoy-99-openshift-artifacts-collector-job-4094f26a0a2c434b     3/3     Running     0          34m   10.131.0.14   ip-10-0-49-138   <none>           <none>
            
            $ ./openshift-provider-cert-linux-amd64 run -w
            INFO[2022-12-06T17:41:23-03:00] Ensuring proper node label for dedicated mode 
            INFO[2022-12-06T17:41:24-03:00] Ensuring the tool will run in the privileged environment... 
            INFO[2022-12-06T17:41:24-03:00] Created opct-anyuid ClusterRoleBinding       
            INFO[2022-12-06T17:41:24-03:00] Created opct-privileged ClusterRoleBinding   
            INFO[2022-12-06T17:41:24-03:00] Running OpenShift Provider Certification Tool... 
            INFO[2022-12-06T17:41:25-03:00] object already exists                         name=openshift-provider-certification namespace= resource=namespaces
            INFO[2022-12-06T17:41:25-03:00] create request issued                         name=sonobuoy-serviceaccount namespace=openshift-provider-certification resource=serviceaccounts
            INFO[2022-12-06T17:41:25-03:00] object already exists                         name=sonobuoy-serviceaccount-openshift-provider-certification namespace= resource=clusterrolebindings
            INFO[2022-12-06T17:41:25-03:00] object already exists                         name=sonobuoy-serviceaccount-openshift-provider-certification namespace= resource=clusterroles
            INFO[2022-12-06T17:41:26-03:00] create request issued                         name=sonobuoy-config-cm namespace=openshift-provider-certification resource=configmaps
            INFO[2022-12-06T17:41:26-03:00] create request issued                         name=sonobuoy-plugins-cm namespace=openshift-provider-certification resource=configmaps
            W1206 17:41:26.423350  950697 warnings.go:70] would violate PodSecurity "restricted:latest": allowPrivilegeEscalation != false (container "kube-sonobuoy" must set securityContext.allowPrivilegeEscalation=false), unrestricted capabilities (container "kube-sonobuoy" must set securityContext.capabilities.drop=["ALL"]), seccompProfile (pod or container "kube-sonobuoy" must set securityContext.seccompProfile.type to "RuntimeDefault" or "Localhost")
            INFO[2022-12-06T17:41:26-03:00] create request issued                         name=sonobuoy namespace=openshift-provider-certification resource=pods
            INFO[2022-12-06T17:41:26-03:00] create request issued                         name=sonobuoy-aggregator namespace=openshift-provider-certification resource=services
            INFO[2022-12-06T17:41:26-03:00] Jobs scheduled! Waiting for resources be created... 
            Tue, 06 Dec 2022 17:41:41 -03> Global Status: running
            JOB_NAME                           | STATUS     | RESULTS    | PROGRESS                  | MESSAGE                                           
            10-openshift-kube-conformance      | running    |            |                           |                                                   
            20-openshift-conformance-validated | running    |            |                           |                                                   
            99-openshift-artifacts-collector   | running    |            |                           |                                                   
            Tue, 06 Dec 2022 17:41:51 -03> Global Status: running
            JOB_NAME                           | STATUS     | RESULTS    | PROGRESS                  | MESSAGE                                           
            10-openshift-kube-conformance      | running    |            |                           |                                                   
            20-openshift-conformance-validated | running    |            |                           |                                                   
            99-openshift-artifacts-collector   | running    |            |                           |                                                   
            Tue, 06 Dec 2022 17:42:01 -03> Global Status: running
            JOB_NAME                           | STATUS     | RESULTS    | PROGRESS                  | MESSAGE                                           
            10-openshift-kube-conformance      | running    |            | 33/270 (0 failures)       | status=running                                    
            20-openshift-conformance-validated | running    |            | 0/3487 (0 failures)       | status=waiting-for=10-openshift-kube-conformance=(0/0/0)=[0/100]
            99-openshift-artifacts-collector   | running    |            | 0/0 (0 failures)          | status=waiting-for=20-openshift-conformance-validated=(0/0/0)=[0/100]

Robert Bost added a comment -

            Documentation update is ready here: https://github.com/mtulio/provider-certification-tool/pull/1

Robert Bost added a comment -

            https://github.com/redhat-openshift-ecosystem/provider-certification-tool/pull/29

Assignee: rhn-support-rbost Robert Bost
              Reporter: rhn-support-rbost Robert Bost