...

  • The SRIOV network device plugin is a Kubernetes device plugin for discovering and advertising SRIOV network virtual functions (VFs) on a Kubernetes host.
  • We first determine which hosts are SRIOV capable, install the drivers on them, run the DaemonSet, and register the Network attachment definition.
  • On an SRIOV-capable host, we can get the resources for the node before we run the pod. When we run the test case, there is a request for a VF from the pod, therefore the number of resources for the node is increased.
QAT 

    ...

    • KUD identifies the QAT devices in the hosts and assigns 1 QAT VF to the Kernel workloads.
    CMK
    • CPU Manager for Kubernetes provides CPU pinning for K8s workloads. In KUD, there are two test cases, covering the exclusive and the shared CPU pools.
    CMK
    Le Yao
    Optane PM
    • The Optane PM plugin is a Kubernetes CSI plugin and driver that provides storage volume provisioning for Kubernetes applications.
    • Check whether the Optane PM hardware (NVDIMM) exists; if not, skip the validation.
    • Configure the Optane PM plugin in KUD, then create the StorageClass and PersistentVolumeClaim used by the Kubernetes application. Check whether the PVC is bound: if it is, the Optane PM volume was created, bound to the PVC and used by the application, and the validation passes.

    ...

    Status as of May 13th 2020:

    | Layer | Result | Comment |
    |---|---|---|
    | os/lynis | PASS if disabling ICN plugins | If libvirt or weave are installed, lynis will no longer pass. This is a problem because the virtlet ICN plugin requires libvirt. |
    | os/vuls | FAIL: 153 vulnerabilities found | Total: 153 (High:33 Medium:93 Low:27 ?:0), 1/153 Fixed, 801 installed, 0 exploits, en: 2, ja: 0 alerts |
    | k8s/conformance | PASS if disabling ICN plugins | Need to enable ICN plugins and understand reason for failures. Just the basic KUD deployment is enough to make conformance pass. |
    | k8s/kubehunter | FAIL: Inside-a-Pod Scanning: 5 vulnerabilities | Patched system:public-info-viewer to hide /version, otherwise Cluster Remote Scanning would fail too. Need to update KUD scripts to automatically patch system:public-info-viewer. |
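
One way to script the system:public-info-viewer patch mentioned for k8s/kubehunter, as an added example that is not KUD's own code. It assumes the patch is made by removing the system:unauthenticated group from the ClusterRoleBinding (the page does not say how it was done); the function names and the sample binding are constructed for illustration.

```python
import copy
import json
import subprocess

BINDING = "system:public-info-viewer"
AUTOUPDATE = "rbac.authorization.kubernetes.io/autoupdate"
ANON_GROUP = "system:unauthenticated"


def anonymous_can_read(binding: dict) -> bool:
    """True if the binding still grants the role to unauthenticated clients."""
    return any(s.get("kind") == "Group" and s.get("name") == ANON_GROUP
               for s in binding.get("subjects") or [])


def harden(binding: dict) -> dict:
    """Return a copy of the binding with the anonymous group removed."""
    out = copy.deepcopy(binding)
    out["subjects"] = [s for s in out.get("subjects") or []
                       if not (s.get("kind") == "Group" and s.get("name") == ANON_GROUP)]
    # Default RBAC objects are reconciled when the API server starts; opting out
    # of auto-update keeps the removed subject from being restored.
    out.setdefault("metadata", {}).setdefault("annotations", {})[AUTOUPDATE] = "false"
    return out


def apply_to_cluster() -> None:
    """Fetch, harden and replace the live binding (needs kubectl and cluster-admin)."""
    live = json.loads(subprocess.run(
        ["kubectl", "get", "clusterrolebinding", BINDING, "-o", "json"],
        check=True, capture_output=True, text=True).stdout)
    if anonymous_can_read(live):
        subprocess.run(["kubectl", "replace", "-f", "-"],
                       input=json.dumps(harden(live)), check=True, text=True)


# Constructed sample shaped like the default binding shipped with Kubernetes.
SAMPLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRoleBinding",
    "metadata": {"name": BINDING, "annotations": {AUTOUPDATE: "true"}},
    "roleRef": {"apiGroup": "rbac.authorization.k8s.io",
                "kind": "ClusterRole", "name": BINDING},
    "subjects": [
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group",
         "name": "system:authenticated"},
        {"apiGroup": "rbac.authorization.k8s.io", "kind": "Group", "name": ANON_GROUP},
    ],
}

if __name__ == "__main__":
    print(json.dumps(harden(SAMPLE), indent=2))
```

The same role also covers /healthz, /livez and /readyz, so unauthenticated health probes against the API server stop working once the group is removed.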

    Important links:

    Steps To Implement Security Scan Requirements

    ...