fix id

atomize large file to better reuse in different branches

Author: aireilly

main.adoc

@@ -73,6 +73,84 @@ include::modules/cnf-best-practices-openshift-operations.adoc[leveloffset=+2]
 
 include::modules/cnf-best-practices-expectations-permissions.adoc[leveloffset=+2]
 
+include::modules/cnf-best-practices-cloud-native-design-best-practices.adoc[leveloffset=+3]
+
+include::modules/cnf-best-practices-high-level-cnf-expectations.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-pod-permissions.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-logging.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-monitoring.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-cpu-allocation.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-memory-allocation.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-pods.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-pod-interaction-configuration.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-pod-exit-status.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-graceful-termination.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-pod-resource-profiles.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-storage-emptydir.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-liveness-readiness-and-startup-probes.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-affinity-anti-affinity.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-upgrade-expectations.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-taints-and-tolerations.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-requests-limits.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-use-imagepullpolicy-if-not-present.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-automount-services-for-pods.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-disruption-budgets.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-no-naked-pods.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-image-tagging.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-one-process-per-container.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-init-containers.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-security-rbac.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-custom-role-to-access-application-crds.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-multus.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-multus-macvlan.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-sr-iov-interface-settings.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-attaching-the-vf-to-a-pod.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-discovering-sr-iov-devices-properties-from-the-application.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-numa-awareness.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-platform-upgrade.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-openshift-virtualization-kubevirt.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-vm-image-import-recommendations-cdi.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-working-with-large-vm-disk-images.adoc[leveloffset=+5]
+
+include::modules/cnf-best-practices-operator-best-practices.adoc[leveloffset=+4]
+
+include::modules/cnf-best-practices-cnf-operator-requirements.adoc[leveloffset=+5]
+
 include::modules/cnf-best-practices-requirements-cnf-reqs.adoc[leveloffset=+2]
 
 include::modules/cnf-best-practices-copyright.adoc[leveloffset=+1]

modules/cnf-best-practices-affinity-anti-affinity.adoc

@@ -0,0 +1,47 @@
+[id="cnf-best-practices-affinity-anti-affinity"]
+= Affinity and anti-affinity
+
+In OpenShift Container Platform pod affinity and pod anti-affinity allow you to constrain which nodes your pod are eligible to be scheduled based on the key/value labels on other pods. There are two types of affinity rules, required and preferred. Required rules must be met, whereas preferred rules are best effort.
+
+These pod affinity/anti-affinity rules are set in the pod specification as `matchExpressions` to a `labelSelector`. See link:https://docs.openshift.com/container-platform/latest/nodes/scheduling/nodes-scheduler-pod-affinity.html[Placing pods relative to other pods using affinity and anti-affinity rules] for more information. The following example `Pod` CR illustrates pod affinity:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: with-pod-affinity
+spec:
+  affinity:
+    podAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        - labelSelector:
+            matchExpressions:
+            - key: security
+              operator: In
+              values:
+                - S1
+        topologyKey: failure-domain.beta.kubernetes.io/zone
+  containers:
+    - name: with-pod-affinity
+      image: docker.io/ocpqe/hello-pod
+----
+
+.CNF requirement
+[IMPORTANT]
+====
+Pods that need to be co-located on the same node need affinity rules. Pods that should not be
+co-located for resiliency purposes require anti-affinity rules.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#lifecycle-affinity-required-pods[lifecycle-affinity-required-pods]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Pods that perform the same microservice and could be disrupted if multiple members of the service are
+unavailable must implement affinity/anti-affinity group rules or spread the pods across nodes to prevent disruption in the event of node failures, patches, or upgrades.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#lifecycle-pod-high-availability[lifecycle-pod-high-availability]
+====
+

modules/cnf-best-practices-attaching-the-vf-to-a-pod.adoc

@@ -0,0 +1,22 @@
+[id="cnf-best-practices-attaching-the-vf-to-a-pod"]
+= Attaching the VF to a pod
+
+Once the right network attachment definition is found, applying the `k8s.v1.cni.cncf.io/networks` annotation with the name of the network attachment definition to the pod will add the additional network interfaces in the pod namespace, as per the following example:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: sample-pod
+  annotations:
+    k8s.v1.cni.cncf.io/networks: |-
+      [
+        {
+          "name": "net1",
+          "mac": "20:04:0f:f1:88:01",
+          "ips": ["192.168.10.1/24", "2001::1/64"]
+         }
+      ]
+----
+

modules/cnf-best-practices-automount-services-for-pods.adoc

@@ -0,0 +1,18 @@
+[id="cnf-best-practices-automount-services-for-pods"]
+= Automount services for pods
+
+Pods which do not require API access should set the value of `automountServiceAccountToken` to false within the pod spec, for example:
+
+[source,yaml]
+----
+apiVersion: v1
+kind: Pod
+metadata:
+  name: my-pod
+spec:
+  serviceAccountName: examplesvcacct
+  automountServiceAccountToken: false
+----
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#access-control-pod-automount-service-account-token[access-control-pod-automount-service-account-token]
+

modules/cnf-best-practices-cloud-native-design-best-practices.adoc

@@ -0,0 +1,36 @@
+[id="cnf-best-practices-cloud-native-design-best-practices"]
+= Cloud-native design best practices
+
+The following best practices highlight some key principles of cloud-native application design.
+
+Single purpose w/messaging interface::
+A container should address a single purpose with a well-defined (typically RESTful API) messaging interface. The motivation here is that such a container image is more reusable and more replaceable/upgradeable.
+
+High observability::
+A container must provide APIs for the platform to observe the container health and act accordingly. These APIs include health checks (liveness and readiness), logging to stderr and stdout for log aggregation (by tools such as `Logstash` or `Filebeat`), and integrate with tracing and metrics-gathering libraries (such as `Prometheus` or `Metricbeat`).
+
+Lifecycle conformance::
+A container must receive important events from the platform and conform/react to these events properly. For example, a container should catch SIGTERM or SIGKILL from the platform and shut down as quickly as possible. Other typically important events from the platform are PostStart to initialize before servicing requests and PreStop to release resources cleanly before shutting down.
+
+See test cases link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#lifecycle-container-shutdown[lifecycle-container-shutdown], link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#lifecycle-container-startup[lifecycle-container-startup]
+
+Image immutability::
+Container images are meant to be immutable; i.e. customized images for different environments should typically not be built. Instead, an external means for storing and retrieving configurations that vary across environments for the container should be used. Additionally, the container image should NOT dynamically install additional packages at runtime.
+
+Process disposability::
+Containers should be as ephemeral as possible and ready to be replaced by another container instance at any point in time. There are many reasons to replace a container, such as failing a health check, scaling down the application, migrating the containers to a different host, platform resource starvation, or another issue.
++
+This means that containerized applications must keep their state externalized or distributed and redundant. To store files or block level data, persistent volume claims should be used. For information such as user sessions, use of an external, low-latency, key-value store such as redis should be used. Process disposability also requires that the application should be quick in starting up and shutting down, and even be ready for a sudden, complete hardware failure.
++
+Another helpful practice in implementing this principle is to create small containers. Containers in cloud-native environments may be automatically scheduled and started on different hosts. Having smaller containers leads to quicker start-up times because before being restarted, containers need to be physically copied to the host system.
++
+A corollary of this practice is to "retry instead of crashing", for example, When one service in your application depends on another service, it should not crash when the other service is unreachable. For example, your API service is starting up and detects the database is unreachable. Instead of failing and refusing to start, you design it to retry the connection. While the database connection is down the API can respond with a 503 status code, telling the clients that the service is currently unavailable. This practice should already be followed by applications, but if you are working in a containerized environment where instances are disposable, then the need for it becomes more obvious.
++
+Also related to this, by default containers are launched with shared images using COW filesystems which only exist as long as the container exists. Mounting Persistent Volume Claims enables a container to have persistent physical storage. Clearly defining the abstraction for what storage is persisted promotes the idea that instances are disposable.
+
+.CNF requirement
+[IMPORTANT]
+====
+Application design should conform to cloud-native design principles to the maximum extent possible.
+====
+

modules/cnf-best-practices-cnf-operator-requirements.adoc

@@ -0,0 +1,116 @@
+[id="cnf-best-practices-cnf-operator-requirements"]
+= CNF Operator requirements
+
+.CNF requirement
+[IMPORTANT]
+====
+Operators should be certified against the openshift version of the cluster they will be deployed on.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#affiliated-certification-operator-is-certified[affiliated-certification-operator-is-certified]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Operators must be compatible with our version of openshift
+
+* See link:https://redhat-connect.gitbook.io/openshift-badges/badges/cloud-native-network-functions-cnf[Redhat Partner Guide for CNF Certification]
+
+* See link:https://sdk.operatorframework.io/docs/best-practices/[Redhat Operator SDK & Best Practices], link:https://olm.operatorframework.io/docs/best-practices/[OLM Best Practices]
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#platform-alteration-ocp-lifecycle[platform-alteration-ocp-lifecycle]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Operators must be in OLM bundle format (Operator Framework).
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#operator-install-source[operator-install-source]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Must be able to function without the use of openshift routes or ingress objects.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+All custom resources for operators require podspecs for both pod image override as well pod quotas.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Operators must not use daemonsets
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#lifecycle-pod-owner-type[lifecycle-pod-owner-type]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+The OLM operator CSV must support the "all namespaces" install method if the operator is upstream software. If the operator is a proprietary cnf operator it must support single namespaced installation. It is recommended for an operator to support all OLM install modes to ensure flexibility in our environment.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+The operator must default to watch all namespaces if the target namespace is left NULL or empty string as this is how the OLM global-operators operator group functions.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+All operator and operand images must be referenced using digest image tags "@sha256". Openshift "imagecontentsourcepolicy" objects (ICSP) only support mirror-by-digest at this time.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+For general third party upstream operators (example: mongodb), the OLM package is recommended to be located within the Red Hat registries below to support our image mirror policy:
+
+* `quay.io`
+
+* `registry.redhat.io`
+
+* `registry.connect.redhat.com`
+
+* `registry.access.redhat.com`
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Operators that are proprietary to a cnf application must ensure that their CRD's are unique, and will not conflict with other operators in the cluster.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#observability-crd-status[observability-crd-status]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+If a cnf application requires a specific version of a third party non-proprietary operator for their app to function they will need to re-package the upstream third party operator and modify the api's so that it will not conflict with the globally installed operator version.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+Successful operator installation and runtime must be validated in pre-deployment lab environments before being allowed to be deployed to production.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#operator-install-status-succeeded[operator-install-status-succeeded]
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+All required RBAC must be included in the OLM operator bundle so that it's managed by OLM.
+====
+
+.CNF requirement
+[IMPORTANT]
+====
+It is not recommended for a cnf application to share a proprietary operator with another cnf application if that application does not share the same version lifecycle. If a cnf application does share an operator the CRDs must be backwards compatible.
+====

modules/cnf-best-practices-cpu-allocation.adoc

@@ -0,0 +1,7 @@
+[id="cnf-best-practices-cpu-allocation"]
+= CPU allocation
+
+It is important to note that when the OpenShift scheduler is placing pods, it first reviews the Pod CPU request and schedules it if there is a node that meets the requirements. It will then impose the CPU "Limits" to ensure the Pod doesn't consume more than the intended allocation. The limit can never be lower than the request.
+
+NUMA Configuration:: OpenShift provides a topology manager which leverages the CPU manager and Device manager to help associate processes to CPUs. Topology manager handles NUMA affinity. This feature is available as of OpenShift 4.6. For some examples on how to leverage the topology manager and creating workloads that work in real time, see link:https://docs.openshift.com/container-platform/4.12/scalability_and_performance/cnf-numa-aware-scheduling.html[Scheduling NUMA-aware workloads] and link:https://docs.openshift.com/container-platform/4.12/scalability_and_performance/cnf-low-latency-tuning.html[Low latency tuning].
+

modules/cnf-best-practices-custom-role-to-access-application-crds.adoc

@@ -0,0 +1,12 @@
+[id="cnf-best-practices-custom-role-to-access-application-crds"]
+= Custom role to access application CRDs
+
+If an application requires installing/deploying CRDs (Custom Resource Definitions), the application must provide a role that allows necessary permissions to create CRs within the CRDs. The custom role to access CRDs must not create any permissions to access any other API resources than the CRDs.
+
+.CNF requirement
+[IMPORTANT]
+====
+If an application creates CRDs; it must supply a role to access those CRDs and no other API resources/
+permissions.
+====
+

modules/cnf-best-practices-discovering-sr-iov-devices-properties-from-the-application.adoc

@@ -0,0 +1,29 @@
+[id="cnf-best-practices-discovering-sr-iov-devices-properties-from-the-application"]
+= Discovering SR-IOV devices properties from the application
+
+All the properties of the interfaces are added to the pod's `k8s.v1.cni.cncf.io/network-status` annotation. The annotation is json-formatted and for each network object contains information such as IPs (where available), MAC address, PCI address. For example:
+
+[source,yaml]
+----
+k8s.v1.cni.cncf.io/network-status: |-
+  [{
+      "name": "",
+      "interface": "eth0",
+      "ips": [
+        "10.132.3.148"
+        ],
+      "mac": "0a:58:0a:84:03:94",
+      "default": true,
+      "dns": {}
+   }]
+----
+
+[NOTE]
+====
+the IP information is not available if the driver specified is `vf-io`.
+====
+
+The same annotation is available as a file content inside the pod, at the `/etc/podnetinfo/annotations` path. A convenience library is available to easily consume those informations from the application (bindings in C and Go).
+
+For more information, see link:https://docs.openshift.com/container-platform/latest/networking/hardware_networks/about-sriov.html[About Single Root I/O Virtualization (SR-IOV) hardware networks].
+

modules/cnf-best-practices-disruption-budgets.adoc

@@ -0,0 +1,9 @@
+[id="cnf-best-practices-disruption-budgets"]
+==== Disruption budgets
+
+When managing the platform there are at least two types of disruptions that can occur. They are voluntary and involuntary. When dealing with voluntary disruptions a pod disruption budget can be set that determines how many replicas of the application must remain running at any given time. For example, consider the case where an administrator is shutting down a node for
+
+maintenance and the node has to be drained. If there is a pod disruption budget set then OpenShift will respect that and ensure that the required number of pods are available by bringing up pods on different nodes before draining the current node.
+
+See test case link:https://github.com/test-network-function/cnf-certification-test/blob/main/CATALOG.md#observability-pod-disruption-budget[observability-pod-disruption-budget]
+