Task hardcoded_ip_adresses_in_k8s_runtime_configuration doesnt flag network adress as hardcoded adress

LuciaSirova · martin-mat · commit 1fdd2b8fcae5 · 2025-08-12T08:17:29.000+02:00
Signed-off-by: Lucia Sirova &lt;lucia.sirova@tietoevry.com&gt;

Add methods for checking whether ip adress and mask is valid

Signed-off-by: Lucia Sirova &lt;lucia.sirova@tietoevry.com&gt;

Add adding allowed ip adresses via config

Signed-off-by: Lucia Sirova &lt;lucia.sirova@tietoevry.com&gt;
diff --git a/CNF_TESTSUITE_YML_USAGE.md b/CNF_TESTSUITE_YML_USAGE.md
@@ -89,6 +89,22 @@ Example setting:
 
 `white_list_container_names: [coredns]`
 
+##### hardcoded_ip_exceptions 
+
+The values of this optional key are the IP addresses that are allowed to appear as hardcoded values in the configuration of the CNF.
+This value is used to allow particular hardcoded IPs to be exempted from the `hardcoded_ip_adresses_in_k8s_runtime_configuration` test when the CNF is being validated.
+The reason this is needed is because the CNF Testsuite checks all configuration files and manifests used by the CNF for the presence of hardcoded IP addresses.
+While hardcoding IPs is generally discouraged in cloud-native environments, there may be cases where certain addresses are justified and cannot be avoided.
+This exception list can be used to explicitly allow such IPs and prevent them from being reported as violations.
+
+````yaml
+config_version: v2
+common:
+  hardcoded_ip_exceptions:
+    - ip: 8.8.8.8
+    - ip: 4.4.4.4
+````
+
 ##### `docker_insecure_registries`
 
 The docker client expects the image registries to be using an HTTPS API endpoint. This option is used to configure insecure registries that the docker client should be allowed to access.
diff --git a/docs/TEST_DOCUMENTATION.md b/docs/TEST_DOCUMENTATION.md
@@ -1481,8 +1481,8 @@ Review all Helm Charts & Kubernetes Manifest files for the CNF and remove all oc
 
 #### Overview
 
-The hardcoded ip address test will scan all of the CNF's workload resources and check for any static, hardcoded ip addresses being used in the configuration. CIDR notation is allowed and will not cause the test to fail.
-Expectation: That no hardcoded IP addresses (without CIDR masks) are found in the Kubernetes workload resources for the CNF.
+The hardcoded ip address test will scan all of the CNF's workload resources and check for any static, hardcoded ip addresses being used in the configuration. CIDR notation is allowed and will not cause the test to fail. IP addresses that are justified by application logic are possible to be included in `hardcoded_ip_exceptions` in the [CNF configuration](https://github.com/lfn-cnti/testsuite/blob/main/CNF_TESTSUITE_YML_USAGE.md) and will be excluded from violation reports.
+Expectation: That no hardcoded IP addresses are found in the Kubernetes workload resources for the CNF unless they are in CIDR format or explicitly listed in `hardcoded_ip_exceptions`.
 
 #### Rationale
 
diff --git a/sample-cnfs/sample_coredns/chart/values.yaml b/sample-cnfs/sample_coredns/chart/values.yaml
@@ -32,6 +32,7 @@ service:
   annotations:
     prometheus.io/scrape: "true"
     prometheus.io/port: "9153"
+    hardcodedIpTest: "8.8.8.8 4.4.4.4"
 
 serviceAccount:
   create: false
diff --git a/sample-cnfs/sample_coredns/cnf-testsuite.yml b/sample-cnfs/sample_coredns/cnf-testsuite.yml
@@ -5,3 +5,7 @@ deployments:
   - name: coredns
     helm_directory: chart
     namespace: cnfspace
+common:
+  hardcoded_ip_exceptions:
+    - ip: 8.8.8.8
+    - ip: 4.4.4.4
diff --git a/src/tasks/utils/cnf_installation/config_versions/config_v2.cr b/src/tasks/utils/cnf_installation/config_versions/config_v2.cr
@@ -17,7 +17,8 @@ module CNFInstall
              white_list_container_names = [] of String,
              docker_insecure_registries = [] of String,
              image_registry_fqdns = {} of String => String,
-             five_g_parameters = FiveGParameters.new()
+             five_g_parameters = FiveGParameters.new(),
+             hardcoded_ip_exceptions = [] of HardcodedIPsAllowed
       def initialize()
       end
     end
@@ -125,5 +126,9 @@ module CNFInstall
         end
       end
     end
+
+    class HardcodedIPsAllowed < CNFInstall::Config::ConfigBase
+      getter ip : String
+    end
   end
 end
diff --git a/src/tasks/workload/configuration.cr b/src/tasks/workload/configuration.cr
@@ -213,26 +213,24 @@ desc "Does the CNF have hardcoded IPs in the K8s resource configuration"
 task "hardcoded_ip_addresses_in_k8s_runtime_configuration" do |t, args|
   task_response = CNFManager::Task.task_runner(args, task: t) do |args, config|
     current_dir = FileUtils.pwd
-    allowed_ip_adresses = [
+    allowed_ip_addresses = [
       "127.0.0.1",
       "0.0.0.0"
     ]
+    hardcoded_ip_exceptions = config.common.hardcoded_ip_exceptions
 
     found_violations = [] of NamedTuple(line_number: Int32, line: String)
     line_number = 1
     File.open(COMMON_MANIFEST_FILE_PATH) do |file|
       file.each_line do |line|
         ip_adress_regex = /((?:\d{1,3}\.){3}\d{1,3})(?:\/(\d{1,2}))?/
-
         if line.matches?(/NOTES:/)
           break
         elsif matches = line.scan(ip_adress_regex)
           matches.each do |match|
             ip = match[1]
             cidr_suffix = match[2]?
-
-            next if allowed_ip_adresses.includes?(ip) || cidr_suffix
-          
+            next if allowed_ip_addresses.includes?(ip) || hardcoded_ip_exceptions.any? { |e| e.ip == ip } || cidr_suffix
             found_violations << {line_number: line_number, line: line.strip}
           end
         end
