Nokia CMM 23.2.0 Certification Note
Nokia CMM 23.2.0 CNF has been certified on OCP 4.10.3.
The following temporary exceptions have been granted to Nokia CMM 23.2.0 CNF certification on OCP 4.10.3 using CNF certification suite version 4.1.0.
Please reach out to your Nokia representative for utilizing CMM for a specific configuration.
CNF test failure | Reason for Failure | Reason for temporary exception |
---|---|---|
access-control-pod-automount-service-account-token | serviceaccount npv-cmm-34:default is not configured with automountServiceAccountToken set to false, impacting most pods in cmm | CMM uses the service account token to interact with the API server. It uses this for some provisioning functionality, labelling of some PODs, reading data from configmaps, etc. Temporary exception is granted for this CMM23.2.0 version. |
access-control-host-resource-CAPABILITY_CHECK | CMM containers were found with escalated privilege security context capabilities. | CMM pods use the capabilities NET_RAW, NET_ADMIN and IPC_LOCK for IP-related functioning and many shm operations internally. Temporary exception is granted for this CMM23.2.0 version since IP-related functioning will use these capabilities. |
networking-nftables [common, networking, networking-nftables] | output of "nftable list ruleset" is not empty, it's config on container: alms pod: cmm34-qa-alms-0 ns: npv-cmm-34 log: table ip filter | This is needed for IPs provisioned to handle traffic. Temporary exception is granted for this CMM23.2.0 version. |
networking-iptables [common, networking, networking-iptables] | output of "iptables-save" is not empty, there is iptables configuration on container: alms pod: cmm34-qa-alms-0 ns: npv-cmm-34 | CMM uses iptables for traffic control inside the pod. Temporary exception is granted for this CMM23.2.0 version. |
networking-network-policy-deny-all | Deny-all network policy not found for ingress/egress | Deny-all egress is not used currently. Temporary exception is granted for this CMM23.2.0 version; Nokia will fix this in the next release. |
access-control/one-process-per-container | CMM pod has more than one process running | The current design is that every CMM pod is single-container based, to save the overall resources used by the CNF, as multiple containers require more resources than an all-in-one design. Temporary exception is granted for this CMM23.2.0 version. |
common, access-control, access-control-namespace-resource-quota | Pod running in a namespace that does not have a ResourceQuota applied | The current release doesn't include resource quota assignment for the namespace. Temporary exception is granted for this CMM23.2.0 version; Nokia will include this in the next release (CMM23.5.0). |
common, access-control, access-control-ssh-daemons | CMM pods are running ssh daemon | SSH usages in the code (about 100 total calls - ssh/scp): 1. Monitoring of various services across PODs and a single utility to report in NECC (OAM pod). 2. Database support commands (dbcli). 3. Log collection support. 4. CMM initialization (token files). 5. Misc config manager (cmNB). 6. OSSU automated software upgrade (creation of backup, restore and other functionality done from the operator POD). Temporary exception is granted for this CMM23.2.0 version. |
common, platform-alteration, platform-alteration-base-image | CMM pod changes made in folders: [/usr/lib, /usr/sbin] | Temporary exception is granted for this CMM23.2.0 version; Nokia will fix this in the next release (CMM23.5.0). |
common, lifecycle, lifecycle-pod-high-availability | ALMS and CTCS should have more than one replica set | ALMS and CTCS are singleton PODs. For other PODs the replica count can be > 1. Permanent exception is granted for this case. |
common, lifecycle, lifecycle-statefulset-scaling | Scaling test failed | Editing the replica count in the HPA, as the test does, does not seem to work. CMM uses a CRD for reading the replica count. The suggestion is to do this instead, for example: kubectl patch CMM cmm -n npv-cmm-34 --type='json' -p='[{"op": "replace", "path": "/spec/global/scale/amms/minReplicas", "value": 1}]' Note: NECC is not a scalable POD; it is an OAM management POD and its count is always 3. Temporary exception is granted for this CMM23.2.0 version. |
common, lifecycle, lifecycle-cpu-isolation | runtime class is missing for CMM pods | RuntimeClass is not used currently. Temporary exception is granted for this CMM23.2.0 version; Nokia will fix this in the next release (CMM23.5.0). |