operator: Add no hugepages test

_typos.toml

@@ -3,4 +3,4 @@ iif = "iif"
 ono = "ono"
 
 [files]
-extend-exclude = ["depends-on.json", "go.mod", "results.html", "cmd/certsuite/claim/compare/testdata", "docs/assets/images/*.svg"]
+extend-exclude = ["depends-on.json", "go.mod", "results.html", "cmd/certsuite/claim/compare/testdata", "docs/assets/images/*.svg", "*.js"]

tests/accesscontrol/securitycontextcontainer/securitycontextcontainer.go

@@ -186,7 +186,7 @@ func (category CategoryID) String() string {
 
 // GetContainerSCC is update the containerSCC according capability of container(cut)
 // Returns:
-//   - ContainerSCC: struct that updated according continer(cut)
+//   - ContainerSCC: struct that updated according container(cut)
 //
 //nolint:gocritic
 func GetContainerSCC(cut *provider.Container, containerSCC ContainerSCC) ContainerSCC {

tests/identifiers/doclinks.go

@@ -114,6 +114,7 @@ const (
 	TestOperatorRunAsNonRootDocLink                     = DocOperatorRequirement
 	TestOperatorAutomountTokensDocLink                  = DocOperatorRequirement
 	TestOperatorReadOnlyFilesystemDocLink               = DocOperatorRequirement
+	TestOperatorPodsNoHugepagesDocLink                  = DocOperatorRequirement
 
 	// Observability Test Suite
 	TestLoggingIdentifierDocLink                            = "https://redhat-best-practices-for-k8s.github.io/guide/#redhat-best-practices-for-k8s-logging"

tests/identifiers/identifiers.go

@@ -129,6 +129,7 @@ var (
 	TestOperatorCrdVersioningIdentifier               claim.Identifier
 	TestOperatorCrdSchemaIdentifier                   claim.Identifier
 	TestOperatorSingleCrdOwnerIdentifier              claim.Identifier
+	TestOperatorPodsNoHugepages                       claim.Identifier
 	TestPodNodeSelectorAndAffinityBestPractices       claim.Identifier
 	TestPodHighAvailabilityBestPractices              claim.Identifier
 	TestPodClusterRoleBindingsBestPracticesIdentifier claim.Identifier
@@ -1047,6 +1048,22 @@ that Node's kernel may not have the same hacks.'`,
 		},
 		TagCommon)
 
+	TestOperatorPodsNoHugepages = AddCatalogEntry(
+		"operator-pods-no-hugepages",
+		common.OperatorTestKey,
+		`Tests that check that the pods do not have hugepages enabled.`,
+		OperatorPodsNoHugepagesRemediation,
+		NoExceptions,
+		TestOperatorPodsNoHugepagesDocLink,
+		false,
+		map[string]string{
+			FarEdge:  Optional,
+			Telco:    Optional,
+			NonTelco: Optional,
+			Extended: Optional,
+		},
+		TagCommon)
+
 	TestPodNodeSelectorAndAffinityBestPractices = AddCatalogEntry(
 		"pod-scheduling",
 		common.LifecycleTestKey,

tests/identifiers/remediation.go

@@ -95,6 +95,8 @@ const (
 
 	OperatorSingleCrdOwnerRemediation = `Ensure that a CRD is owned by only one Operator`
 
+	OperatorPodsNoHugepagesRemediation = `Ensure that the pods are not using hugepages`
+
 	PodNodeSelectorAndAffinityBestPracticesRemediation = `In most cases, Pod's should not specify their host Nodes through nodeSelector or nodeAffinity. However, there are cases in which workloads require specialized hardware specific to a particular class of Node.`
 
 	PodHighAvailabilityBestPracticesRemediation = `In high availability cases, Pod podAntiAffinity rule should be specified for pod scheduling and pod replica value is set to more than 1 .`

tests/operator/suite.go

@@ -123,6 +123,13 @@ func LoadChecks() {
 			testOperatorContainersReadOnlyFilesystem(c, &env)
 			return nil
 		}))
+
+	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestOperatorPodsNoHugepages)).
+		WithSkipCheckFn(testhelper.GetNoOperatorsSkipFn(&env)).
+		WithCheckFn(func(c *checksdb.Check) error {
+			testOperatorPodsNoHugepages(c, &env)
+			return nil
+		}))
 }
 
 // This function check if the Operator CRD version follows K8s versioning
@@ -464,3 +471,24 @@ func testOperatorContainersReadOnlyFilesystem(check *checksdb.Check, env *provid
 		check.SetResult(compliantObjects, nonCompliantObjects)
 	}
 }
+
+func testOperatorPodsNoHugepages(check *checksdb.Check, env *provider.TestEnvironment) {
+	var compliantObjects []*testhelper.ReportObject
+	var nonCompliantObjects []*testhelper.ReportObject
+
+	for csv, pods := range env.CSVToPodListMap {
+		CsvResult := SplitCsv(csv)
+		check.LogInfo("Name of csv: %q in namespaces: %q", CsvResult.NameCsv, CsvResult.Namespace)
+		for _, pod := range pods {
+			check.LogInfo("Testing Pod %q in namespace %q", pod.Name, pod.Namespace)
+			if pod.HasHugepages() {
+				check.LogError("Pod %q in namespace %q has hugepages", pod.Name, pod.Namespace)
+				nonCompliantObjects = append(nonCompliantObjects, testhelper.NewPodReportObject(pod.Namespace, pod.Name, "Pod has hugepages", false))
+			} else {
+				check.LogInfo("Pod %q in namespace %q has no hugepages", pod.Name, pod.Namespace)
+				compliantObjects = append(compliantObjects, testhelper.NewPodReportObject(pod.Namespace, pod.Name, "Pod has no hugepages", true))
+			}
+		}
+		check.SetResult(compliantObjects, nonCompliantObjects)
+	}
+}