Skip to content

Commit 8bd31c0

Browse files
committed
Add documentation for operator features and security hardening
Document configurable OpenStack config, network attachments, nodeSelector/tolerations, security hardening, privileged mode capabilities, image creation timeout, and tempest cleanup in crds.rst. Add ServiceConfigReady condition diagnostics to guide.rst.
1 parent 1f2407a commit 8bd31c0

7 files changed

Lines changed: 105 additions & 3 deletions

File tree

config/samples/test_v1beta1_ansibletest.yaml

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -16,7 +16,10 @@ spec:
1616
storageClass: local-storage
1717
workloadSSHKeySecretName: open-ssh-keys
1818
ansiblePlaybookPath: playbooks/my_playbook.yaml
19+
# git repository URL to clone into the test pod
1920
ansibleGitRepo: https://github.com/myansible/project
21+
# branch, tag, or commit SHA to check out (default: repo's default branch)
22+
# ansibleGitBranch: ""
2023
# containerImage:
2124
ansibleInventory: |
2225
localhost ansible_connection=local ansible_python_interpreter=python3

config/samples/test_v1beta1_tempest.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -9,6 +9,8 @@ spec:
99
# storageClass: local-storage
1010
# parallel: false
1111
# debug: false
12+
# networkAttachments: [] # list of NADs to attach extra networks to the test pod
13+
# # if omitted, the pod uses only the default cluster network
1214

1315
# configOverwrite
1416
# ---------------
@@ -91,6 +93,8 @@ spec:
9193
# RAM: 512
9294
# disk: 20
9395
# vcpus: 1
96+
# Set to true to remove all resources created by Tempest during teardown
97+
# cleanup: false
9498

9599
# extraRPMs:
96100
# ----------

config/samples/test_v1beta1_tobiko.yaml

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -35,6 +35,8 @@ spec:
3535
# storageClass: local-storage
3636
# parallel: false
3737
# debug: false
38+
# networkAttachments: [] # list of NADs to attach extra networks to the test pod
39+
# # if omitted, the pod uses only the default cluster network
3840
# privateKey: |
3941
# <private-key-value>
4042
# publicKey: |

docs/source/crds.rst

Lines changed: 28 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -144,6 +144,33 @@ CRs that can use the workflow section:
144144

145145
* :ref:`ansibletest-custom-resource`
146146

147+
.. _nodeselector-and-tolerations:
148+
149+
NodeSelector and Tolerations
150+
============================
151+
Use :code:`nodeSelector` and :code:`tolerations` to control which nodes the
152+
test pods are scheduled on. The :code:`nodeSelector` ensures the pod only runs
153+
on nodes with a matching label. The :code:`tolerations` grant permission to run
154+
on tainted nodes.
155+
156+
Basic Usage
157+
-----------
158+
159+
.. code-block:: yaml
160+
161+
spec:
162+
# Targets nodes labeled testoperator=true
163+
# (oc get node <node-name> --show-labels)
164+
nodeSelector:
165+
testoperator: "true"
166+
# Tolerates nodes tainted with test=true:NoSchedule
167+
# (oc describe node <node-name> | grep Taints)
168+
tolerations:
169+
- key: "test"
170+
operator: "Equal"
171+
value: "true"
172+
effect: "NoSchedule"
173+
147174
ExtraMounts parameter
148175
=====================
149176
To correctly use the :code:`ExtraMounts` parameter, follow these steps:
@@ -159,7 +186,7 @@ to be mounted. The name assigned here is later referenced in the
159186
mounted in the Pod. Each entry should include the name of a volume
160187
from the :code:`volumes` field and the target mount path.
161188

162-
Example of using the :code:`ExtraMounts` parameter:
189+
Example test of using the :code:`ExtraMounts` parameter:
163190

164191
.. code-block:: yaml
165192

docs/source/guide.rst

Lines changed: 21 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -201,7 +201,6 @@ Please make sure that you follow the order of the steps:
201201
:code:`crd`. In such a case, try to delete the :code:`finalizers:`
202202
section in the output of the :code:`oc edit tempest/tempest-tests`.
203203

204-
205204
.. _executing-tests:
206205

207206
Executing Tests
@@ -248,11 +247,31 @@ You should see a pod with a name like :code:`tempest-tests-xxxxx`.
248247

249248
.. code-block:: bash
250249
251-
oc logs <name of the pod>
250+
oc logs <pod-name>
252251
253252
Read :ref:`getting-logs` section if you want to see logs and artifacts
254253
produced during the testing.
255254

255+
.. _checking-conditions:
256+
257+
Checking Conditions
258+
-------------------
259+
Every test CR exposes standard conditions that track its progress:
260+
261+
.. code-block:: bash
262+
263+
oc get tempest <cr-name> -n openstack -o jsonpath='{.status.conditions}' | jq
264+
265+
Example output of a condition:
266+
267+
.. code-block:: bash
268+
269+
{
270+
"type": "DeploymentReady",
271+
"status": "False",
272+
"reason": "Requested",
273+
"message": "Deployment is running"
274+
}
256275
257276
.. _getting-logs:
258277

docs/source/index.rst

Lines changed: 1 addition & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -24,6 +24,7 @@ Running Test Operator
2424
prerequisites.rst
2525
guide.rst
2626
crds.rst
27+
security.rst
2728
FAQ.rst
2829

2930
Alternative Ways of Running Tempest Container

docs/source/security.rst

Lines changed: 46 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,46 @@
1+
.. _test-pod-privileges:
2+
3+
===================
4+
Test Pod Privileges
5+
===================
6+
The test-operator follows security best practices by applying a restricted
7+
security profile to all test pods by default. This section describes the
8+
defaults and when you might need to change them.
9+
10+
Default Security Profile
11+
========================
12+
13+
Every test pod runs with the following restrictions:
14+
15+
* **Seccomp**: A :code:`RuntimeDefault` profile filters system calls at the
16+
kernel level.
17+
18+
* **Privilege escalation**: Disabled processes cannot gain more privileges
19+
than their parent.
20+
21+
* **Root filesystem**: Read-only containers cannot modify their own binaries
22+
or write to unexpected locations.
23+
24+
* **Capabilities**: All capabilities are dropped.
25+
26+
* **SELinux level**: Not set by default. Only needed for privileged
27+
workflows that write to shared PVCs.
28+
29+
When to Use Privileged Mode
30+
===========================
31+
32+
.. important::
33+
Leave :code:`privileged: false` unless your tests specifically require it.
34+
35+
Set :code:`privileged: true` on the CR spec when your tests need capabilities
36+
that the default profile blocks. The two capabilities added in privileged mode
37+
are:
38+
39+
* :code:`NET_ADMIN` allows modifying network configuration such as routing
40+
tables, interfaces, and firewall rules.
41+
42+
* :code:`NET_RAW` allows raw socket access for tools like :code:`ping` and
43+
:code:`tcpdump`.
44+
45+
Privileged mode is also required when Tempest installs additional RPMs at
46+
runtime via :code:`extraRPMs`, since that needs a writable root filesystem.

0 commit comments

Comments
 (0)