
Feat/check target connectivity #208

Open. Wants to merge 1 commit into main.

Conversation

alvlkov commented Dec 17, 2024

What type of PR is this?

This adds a new managed script that performs multiple checks to validate external target connectivity from an OpenShift cluster.

What this PR does / Why we need it?

OSD-26447

Special notes for your reviewer

Pre-checks (if applicable)

  • Validated the changes in a cluster
  • Included documentation changes with PR

openshift-ci bot (Contributor) commented Dec 17, 2024

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: alvlkov
Once this PR has been reviewed and has the lgtm label, please assign wanghaoran1988 for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci bot (Contributor) commented Dec 17, 2024

@alvlkov: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

feichashao (Contributor) commented

Hi @alvlkov, thank you for raising this PR and thank you for including a README!

The managed script itself will run as a pod in the cluster. I see the script calls oc create to start another pod and runs the network utils in the new pod; is there a specific reason to run them in a new pod?

alvlkov (Author) commented Jan 9, 2025

> Hi @alvlkov, thank you for raising this PR and thank you for including a README!
>
> The managed script itself will run as a pod in the cluster. I see the script calls oc create to start another pod and runs the network utils in the new pod; is there a specific reason to run them in a new pod?

@feichashao thank you for the review!

Yes, there is a particular reason to create another pod. I believe the base image used by managed-script does not provide all the necessary dependencies to perform the checks, i.e. nmap:

  • DNS resolution check via nslookup: $ nslookup "$TARGET"
  • DNS resolution via dig: $ dig +short "$TARGET"
  • ICMP check via ping: $ timeout 10 ping -c 3 "$TARGET"
  • Routing check via traceroute: $ timeout 5 traceroute -m 10 -w 1 -q 1 "$TARGET"
  • Check that the target port is open via nmap: $ timeout 5 nmap -p "$PORT" "$TARGET" 2>&1 | grep -q "$PORT/tcp open"

Other scripts, such as the PCAP collector, use the same approach and image: quay.io/app-sre/srep-network-toolbox:latest is suitable.
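The check sequence listed above, as an added example that is not the PR's script: each quoted command is wrapped in a function, TARGET and PORT (assumed to arrive as script parameters) are validated before they reach any tool, and a check whose binary is missing from the image is reported as SKIP rather than FAIL.

```shell
#!/usr/bin/env bash
# Added example, not the PR's script: the checks quoted above wrapped in
# functions that validate TARGET and PORT first and report PASS/FAIL/SKIP.
# TARGET/PORT as script parameters and the tool flags are taken from the thread.
set -u

# Accept only a hostname made of RFC 1123 characters or a dotted IPv4 address;
# a leading '-' is rejected so the value cannot be read as a tool option.
validate_target() {
  case "$1" in
    ""|-*|.*|*.|*[!A-Za-z0-9.-]*) return 1 ;;
  esac
  [ "${#1}" -le 253 ]
}

# Accept only an integer in 1..65535.
validate_port() {
  case "$1" in ""|*[!0-9]*) return 1 ;; esac
  [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# Each check returns 0 (pass), 1 (fail) or 2 (tool missing in this image,
# which is the situation that motivated running in the network-toolbox pod).
check_dns()   { command -v dig >/dev/null || return 2
                [ -n "$(dig +short "$1")" ]; }
check_icmp()  { command -v ping >/dev/null || return 2
                timeout 10 ping -c 3 "$1" >/dev/null 2>&1; }
check_route() { command -v traceroute >/dev/null || return 2
                timeout 5 traceroute -m 10 -w 1 -q 1 "$1" >/dev/null 2>&1; }
check_port()  { command -v nmap >/dev/null || return 2
                timeout 5 nmap -p "$2" "$1" 2>&1 | grep -q "$2/tcp open"; }

# Validates inputs (returns 64 on bad input), runs every check, prints one
# line per check and returns the number of failed checks.
run_checks() {
  target=$1; port=$2; failed=0
  validate_target "$target" || { echo "invalid target: $target" >&2; return 64; }
  validate_port "$port"     || { echo "invalid port: $port" >&2; return 64; }
  for check in check_dns check_icmp check_route check_port; do
    "$check" "$target" "$port"; rc=$?
    case $rc in 0) status=PASS ;; 2) status=SKIP ;; *) status=FAIL; failed=$((failed + 1)) ;; esac
    printf '%-4s %s %s\n' "$status" "$check" "$target"
  done
  return "$failed"
}

# Usage: ./check_target.sh TARGET PORT
if [ "$#" -eq 2 ]; then run_checks "$1" "$2"; fi
```

As with the quoted traceroute command, check_route only confirms that traceroute ran within its timeout, not that the last hop was the target; the per-check exit codes let a caller tell a failed check from one that could not run in this image.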

feichashao (Contributor) commented

@alvlkov thanks for the clarifications! That makes sense if the image itself doesn't have the needed binaries. Probably we can add it to the image https://github.com/openshift/managed-scripts/blob/main/Dockerfile but let me discuss with the team.

Review comment on the role definition:

    - apiGroups:
      - "security.openshift.io"
      verbs:
      - "*"

Contributor commented

Why do we need all permissions to the SCC?

alvlkov (Author) commented Jan 16, 2025

I'm open to reducing the verbs; I'm not sure what the minimal ones were for:

    securityContext:
      allowPrivilegeEscalation: false
      runAsNonRoot: true
      runAsUser: 1001
      capabilities:
        drop:
        - ALL
      seccompProfile:
        type: RuntimeDefault
