Refactor: Rename networking-dpdk-cpu-pinning-exec-probe to performanc…

expected_results.yaml

@@ -70,7 +70,7 @@ testCases:
     - platform-alteration-isredhat-release
     - platform-alteration-tainted-node-kernel
   fail:
-    - affiliated-certification-container-is-certified-digest     # test container image is not certified
+    - affiliated-certification-container-is-certified-digest # test container image is not certified
   skip:
     - access-control-sys-ptrace-capability
     - access-control-sys-nice-realtime-capability
@@ -80,7 +80,6 @@ testCases:
     - lifecycle-cpu-isolation
     - lifecycle-statefulset-scaling
     - lifecycle-storage-provisioner
-    - networking-dpdk-cpu-pinning-exec-probe
     - networking-icmpv6-connectivity
     - networking-restart-on-reboot-sriov-pod
     - networking-network-attachment-definition-sriov-mtu
@@ -94,6 +93,7 @@ testCases:
     - operator-pods-no-hugepages
     - operator-multiple-same-operators
     - operator-catalogsource-bundle-count
+    - performance-cpu-pinning-no-exec-probes
     - performance-exclusive-cpu-pool-rt-scheduling-policy
     - performance-isolated-cpu-pool-rt-scheduling-policy
     - performance-shared-cpu-pool-non-rt-scheduling-policy

pkg/provider/filters.go

@@ -18,10 +18,6 @@ package provider
 
 import (
 	"fmt"
-	"strings"
-
-	"github.com/redhat-best-practices-for-k8s/certsuite/internal/clientsholder"
-	"github.com/redhat-best-practices-for-k8s/certsuite/internal/log"
 )
 
 // GetGuaranteedPodsWithExclusiveCPUs returns a slice of Pod objects that are guaranteed to have exclusive CPUs.
@@ -113,11 +109,6 @@ func (env *TestEnvironment) GetHugepagesPods() []*Pod {
 	return filteredPods
 }
 
-// GetCPUPinningPodsWithDpdk returns a slice of Pods that have CPU pinning enabled with DPDK.
-func (env *TestEnvironment) GetCPUPinningPodsWithDpdk() []*Pod {
-	return filterDPDKRunningPods(env.GetGuaranteedPodsWithExclusiveCPUs())
-}
-
 func filterPodsWithoutHostPID(pods []*Pod) []*Pod {
 	var withoutHostPIDPods []*Pod
 
@@ -130,31 +121,6 @@ func filterPodsWithoutHostPID(pods []*Pod) []*Pod {
 	return withoutHostPIDPods
 }
 
-func filterDPDKRunningPods(pods []*Pod) []*Pod {
-	var filteredPods []*Pod
-	const (
-		dpdkDriver           = "vfio-pci"
-		findDeviceSubCommand = "find /sys -name"
-	)
-	o := clientsholder.GetClientsHolder()
-	for _, pod := range pods {
-		if len(pod.MultusPCIs) == 0 {
-			continue
-		}
-		ctx := clientsholder.NewContext(pod.Namespace, pod.Name, pod.Spec.Containers[0].Name)
-		findCommand := fmt.Sprintf("%s '%s'", findDeviceSubCommand, pod.MultusPCIs[0])
-		outStr, errStr, err := o.ExecCommandContainer(ctx, findCommand)
-		if err != nil || errStr != "" {
-			log.Error("Failed to execute command %s in probe %s, errStr: %s, err: %v", findCommand, pod.String(), errStr, err)
-			continue
-		}
-		if strings.Contains(outStr, dpdkDriver) {
-			filteredPods = append(filteredPods, pod)
-		}
-	}
-	return filteredPods
-}
-
 // GetShareProcessNamespacePods returns a slice of Pod objects that have the ShareProcessNamespace flag set to true.
 // It iterates over the Pods in the TestEnvironment and filters out the ones that do not have the ShareProcessNamespace flag set.
 // The filtered Pods are then returned as a slice.

pkg/testhelper/testhelper.go

@@ -446,16 +446,6 @@ func GetDaemonSetFailedToSpawnSkipFn(env *provider.TestEnvironment) func() (bool
 	}
 }
 
-func GetNoCPUPinningPodsSkipFn(env *provider.TestEnvironment) func() (bool, string) {
-	return func() (bool, string) {
-		if len(env.GetCPUPinningPodsWithDpdk()) == 0 {
-			return true, "no CPU pinning pods to check found"
-		}
-
-		return false, ""
-	}
-}
-
 func GetNoSRIOVPodsSkipFn(env *provider.TestEnvironment) func() (bool, string) {
 	return func() (bool, string) {
 		pods, err := env.GetPodsUsingSRIOV()

tests/identifiers/doclinks.go

@@ -11,7 +11,6 @@ const (
 	TestICMPv4ConnectivityIdentifierDocLink             = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-ipv4-&-ipv6"
 	TestNetworkPolicyDenyAllIdentifierDocLink           = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-vrfs-aka-routing-instances"
 	TestReservedExtendedPartnerPortsDocLink             = NoDocLinkExtended
-	TestDpdkCPUPinningExecProbeDocLink                  = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-cpu-manager-pinning"
 	TestRestartOnRebootLabelOnPodsUsingSRIOVDocLink     = NoDocLinkFarEdge
 	TestNetworkAttachmentDefinitionSRIOVUsingMTUDocLink = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-multus-sr-iov---macvlan"
 	TestLimitedUseOfExecProbesIdentifierDocLink         = NoDocLinkFarEdge
@@ -101,6 +100,7 @@ const (
 	TestExclusiveCPUPoolSchedulingPolicyDocLink = NoDocLinkFarEdge
 	TestIsolatedCPUPoolSchedulingPolicyDocLink  = NoDocLinkFarEdge
 	TestRtAppNoExecProbesDocLink                = NoDocLinkFarEdge
+	TestCPUPinningNoExecProbesDocLink           = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-cpu-manager-pinning"
 
 	// Operator Test Suite
 	DocOperatorRequirement                                                  = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-cnf-operator-requirements"

tests/identifiers/identifiers.go

@@ -89,7 +89,6 @@ var (
 	TestAffinityRequiredPods                                         claim.Identifier
 	TestContainerPostStartIdentifier                                 claim.Identifier
 	TestContainerPrestopIdentifier                                   claim.Identifier
-	TestDpdkCPUPinningExecProbe                                      claim.Identifier
 	TestSysAdminIdentifier                                           claim.Identifier
 	TestNetAdminIdentifier                                           claim.Identifier
 	TestNetRawIdentifier                                             claim.Identifier
@@ -101,6 +100,7 @@ var (
 	TestExclusiveCPUPoolSchedulingPolicy                             claim.Identifier
 	TestIsolatedCPUPoolSchedulingPolicy                              claim.Identifier
 	TestRtAppNoExecProbes                                            claim.Identifier
+	TestCPUPinningNoExecProbes                                       claim.Identifier
 	TestRestartOnRebootLabelOnPodsUsingSRIOV                         claim.Identifier
 	TestSecConNonRootUserIDIdentifier                                claim.Identifier
 	TestNetworkAttachmentDefinitionSRIOVUsingMTU                     claim.Identifier
@@ -393,22 +393,6 @@ func InitCatalog() map[claim.Identifier]claim.TestCaseDescription {
 		},
 		TagTelco)
 
-	TestDpdkCPUPinningExecProbe = AddCatalogEntry(
-		"dpdk-cpu-pinning-exec-probe",
-		common.NetworkingTestKey,
-		`If a workload is doing CPU pinning, exec probes may not be used.`,
-		DpdkCPUPinningExecProbeRemediation,
-		NoDocumentedProcess,
-		TestDpdkCPUPinningExecProbeDocLink,
-		true,
-		map[string]string{
-			FarEdge:  Mandatory,
-			Telco:    Mandatory,
-			NonTelco: Optional,
-			Extended: Mandatory,
-		},
-		TagTelco)
-
 	TestNetAdminIdentifier = AddCatalogEntry(
 		"net-admin-capability-check",
 		common.AccessControlTestKey,
@@ -569,6 +553,22 @@ func InitCatalog() map[claim.Identifier]claim.TestCaseDescription {
 		},
 		TagFarEdge)
 
+	TestCPUPinningNoExecProbes = AddCatalogEntry(
+		"cpu-pinning-no-exec-probes",
+		common.PerformanceTestKey,
+		`Workloads utilizing CPU pinning (Guaranteed QoS with exclusive CPUs) should not use exec probes. Exec probes run a command within the container, which could interfere with latency-sensitive workloads and cause performance degradation.`,
+		CPUPinningNoExecProbesRemediation,
+		NoDocumentedProcess,
+		TestCPUPinningNoExecProbesDocLink,
+		true,
+		map[string]string{
+			FarEdge:  Mandatory,
+			Telco:    Mandatory,
+			NonTelco: Optional,
+			Extended: Mandatory,
+		},
+		TagTelco)
+
 	TestRestartOnRebootLabelOnPodsUsingSRIOV = AddCatalogEntry(
 		"restart-on-reboot-sriov-pod",
 		common.NetworkingTestKey,

tests/identifiers/impact.go

@@ -27,7 +27,7 @@ const (
 	TestICMPv4ConnectivityIdentifierImpact             = `Failure indicates potential network isolation issues that could prevent workload components from communicating, leading to service degradation or complete application failure.`
 	TestNetworkPolicyDenyAllIdentifierImpact           = `Without default deny-all network policies, workloads are exposed to lateral movement attacks and unauthorized network access, compromising security posture and potentially enabling data breaches.`
 	TestReservedExtendedPartnerPortsImpact             = `Using reserved ports can cause port conflicts with essential platform services, leading to service startup failures and unpredictable application behavior.`
-	TestDpdkCPUPinningExecProbeImpact                  = `Exec probes on CPU-pinned DPDK workloads can cause performance degradation, interrupt real-time operations, and potentially crash applications due to resource contention.`
+	TestCPUPinningNoExecProbesImpact                   = `Exec probes on workloads with CPU pinning (exclusive CPUs) can cause performance degradation, interrupt latency-sensitive operations, and potentially crash applications due to resource contention. Any workload requiring exclusive CPUs inherently needs non-interruptible task execution.`
 	TestRestartOnRebootLabelOnPodsUsingSRIOVImpact     = `Without restart-on-reboot labels, SRIOV-enabled pods may fail to recover from a race condition between kubernetes services startup and SR-IOV device plugin configuration on StarlingX AIO systems, causing SR-IOV devices to disappear from running pods when FPGA devices are reset.`
 	TestNetworkAttachmentDefinitionSRIOVUsingMTUImpact = `Incorrect MTU settings can cause packet fragmentation, network performance issues, and connectivity failures in high-performance networking scenarios.`
 	TestLimitedUseOfExecProbesIdentifierImpact         = `Excessive exec probes can overwhelm system resources, degrade performance, and interfere with critical application operations in resource-constrained environments.`
@@ -169,7 +169,7 @@ var ImpactMap = map[string]string{
 	"networking-icmpv4-connectivity":                     TestICMPv4ConnectivityIdentifierImpact,
 	"networking-network-policy-deny-all":                 TestNetworkPolicyDenyAllIdentifierImpact,
 	"networking-reserved-partner-ports":                  TestReservedExtendedPartnerPortsImpact,
-	"networking-dpdk-cpu-pinning-exec-probe":             TestDpdkCPUPinningExecProbeImpact,
+	"performance-cpu-pinning-no-exec-probes":             TestCPUPinningNoExecProbesImpact,
 	"networking-restart-on-reboot-sriov-pod":             TestRestartOnRebootLabelOnPodsUsingSRIOVImpact,
 	"networking-network-attachment-definition-sriov-mtu": TestNetworkAttachmentDefinitionSRIOVUsingMTUImpact,
 	"performance-max-resources-exec-probes":              TestLimitedUseOfExecProbesIdentifierImpact,

tests/identifiers/remediation.go

@@ -188,8 +188,6 @@ const (
 
 	ContainerPortNameFormatRemediation = `Ensure that the container's ports name follow our partner naming conventions`
 
-	DpdkCPUPinningExecProbeRemediation = "If the workload is doing CPU pinning and running a DPDK process do not use exec probes (executing a command within the container) as it may pile up and block the node eventually."
-
 	CheckStorageProvisionerRemediation = `Use a non-local storage (e.g. no kubernetes.io/no-provisioner and no topolvm.io provisioners) in multinode clusters. Local storage are recommended for single node clusters only, but a single local provisioner should be installed.`
 
 	ExclusiveCPUPoolRemediation = `Ensure that if one container in a Pod selects an exclusive CPU pool the rest also select this type of CPU pool`
@@ -202,6 +200,8 @@ const (
 
 	RtAppNoExecProbesRemediation = `Ensure that if one container runs a real time application exec probes are not used`
 
+	CPUPinningNoExecProbesRemediation = `Workloads that use CPU pinning (Guaranteed QoS with exclusive CPUs) should not use exec probes. Use httpGet or tcpSocket probes instead, as exec probes can interfere with latency-sensitive workloads requiring non-interruptible task execution.`
+
 	SRIOVPodsRestartOnRebootLabelRemediation = `Ensure that the label restart-on-reboot exists on pods that use SRIOV network interfaces.`
 
 	SRIOVNetworkAttachmentDefinitionMTURemediation = `Ensure that the MTU of the SR-IOV network attachment definition is set explicitly.`

tests/networking/suite.go

@@ -133,15 +133,6 @@ func LoadChecks() {
 			return nil
 		}))
 
-	// DPDK CPU pinning exec probe test case
-	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestDpdkCPUPinningExecProbe)).
-		WithSkipCheckFn(testhelper.GetNoCPUPinningPodsSkipFn(&env)).
-		WithCheckFn(func(c *checksdb.Check) error {
-			dpdkPods := env.GetCPUPinningPodsWithDpdk()
-			testExecProbDenyAtCPUPinning(c, dpdkPods)
-			return nil
-		}))
-
 	// Restart on reboot label test case
 	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestRestartOnRebootLabelOnPodsUsingSRIOV)).
 		WithSkipCheckFn(testhelper.GetNoSRIOVPodsSkipFn(&env)).
@@ -168,29 +159,6 @@ func LoadChecks() {
 		}))
 }
 
-func testExecProbDenyAtCPUPinning(check *checksdb.Check, dpdkPods []*provider.Pod) {
-	var compliantObjects []*testhelper.ReportObject
-	var nonCompliantObjects []*testhelper.ReportObject
-
-	for _, cpuPinnedPod := range dpdkPods {
-		execProbeFound := false
-		for _, cut := range cpuPinnedPod.Containers {
-			check.LogInfo("Testing Container %q", cut)
-			if cut.HasExecProbes() {
-				check.LogError("Container %q defines an exec probe", cut)
-				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(cpuPinnedPod.Namespace, cpuPinnedPod.Name, "Exec prob is not allowed", false))
-				execProbeFound = true
-			}
-		}
-
-		if !execProbeFound {
-			check.LogInfo("Pod %q does not define any exec probe", cpuPinnedPod)
-			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(cpuPinnedPod.Namespace, cpuPinnedPod.Name, "Exec prob is allowed", true))
-		}
-	}
-	check.SetResult(compliantObjects, nonCompliantObjects)
-}
-
 //nolint:funlen
 func testUndeclaredContainerPortsUsage(check *checksdb.Check, env *provider.TestEnvironment) {
 	var compliantObjects []*testhelper.ReportObject

tests/performance/suite.go

@@ -126,6 +126,14 @@ func LoadChecks() {
 			testLimitedUseOfExecProbes(c, &env)
 			return nil
 		}))
+
+	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestCPUPinningNoExecProbes)).
+		WithSkipCheckFn(skipIfNoGuaranteedPodContainersWithExclusiveCPUs).
+		WithCheckFn(func(c *checksdb.Check) error {
+			cpuPinnedPods := env.GetGuaranteedPodsWithExclusiveCPUs()
+			testCPUPinningNoExecProbes(c, cpuPinnedPods)
+			return nil
+		}))
 }
 
 //nolint:funlen
@@ -383,3 +391,26 @@ func filterProbeProcesses(allProcesses []*crclient.Process, cut *provider.Contai
 	}
 	return notExecProbeProcesses, compliantObjects
 }
+
+func testCPUPinningNoExecProbes(check *checksdb.Check, cpuPinnedPods []*provider.Pod) {
+	var compliantObjects []*testhelper.ReportObject
+	var nonCompliantObjects []*testhelper.ReportObject
+
+	for _, cpuPinnedPod := range cpuPinnedPods {
+		execProbeFound := false
+		for _, cut := range cpuPinnedPod.Containers {
+			check.LogInfo("Testing Container %q", cut)
+			if cut.HasExecProbes() {
+				check.LogError("Container %q defines an exec probe", cut)
+				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(cpuPinnedPod.Namespace, cpuPinnedPod.Name, "Exec probe is not allowed on CPU-pinned pods", false))
+				execProbeFound = true
+			}
+		}
+
+		if !execProbeFound {
+			check.LogInfo("Pod %q does not define any exec probe", cpuPinnedPod)
+			compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(cpuPinnedPod.Namespace, cpuPinnedPod.Name, "No exec probes found", true))
+		}
+	}
+	check.SetResult(compliantObjects, nonCompliantObjects)
+}