{"results":[{"id":"acl-audit-log-file-path","text":"Audit logs are always written to `/var/log/ovn/acl-audit-log.log` on each OVN-Kubernetes pod, regardless of additional destination configuration.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"additional-trusted-ca-in-openshift-config","text":"The `additionalTrustedCA` ConfigMap referenced by image.config.openshift.io/cluster must be in the `openshift-config` namespace","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alerting-pipeline-rules-to-routing","text":"OpenShift alerting operates as a multi-stage pipeline: PrometheusRules define both recording and alerting rules (evaluated at 30s default intervals), AlertRelabelConfigs modify alerts before routing (supporting Replace/Keep/Drop/HashMod/LabelMap actions), Alertmanager routes and groups alerts (with inhibit rules suppressing targets when sources fire), and silences persist across pod restarts only with persistent storage — each stage transforms or filters the alert stream.","truth_value":"IN","justification_count":1,"dependent_count":1,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertingrule-must-be-in-openshift-monitoring-ns","text":"AlertingRule and AlertRelabelConfig resources must be created in the openshift-monitoring namespace; they use apiVersion monitoring.openshift.io/v1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertmanagerconfig-v1beta1","text":"AlertmanagerConfig is at API version `monitoring.coreos.com/v1beta1` (still beta), unlike most other monitoring CRDs which are v1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertrelabelconfig-modifies-before-alertmanager","text":"AlertRelabelConfig modifies alerts before Alertmanager routes them, not after.","truth_value":"IN","justification_count":0,"dependent_count":1,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"allowed-blocked-registries-mutually-exclusive","text":"`allowedRegistries` and `blockedRegistries` in image.config.openshift.io/cluster are mutually exclusive — you cannot set both","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apiserver-clientca-openshift-config","text":"The APIServer `clientCA` ConfigMap must reside in the `openshift-config` namespace with key `ca-bundle.crt`; serving certificate Secrets must be `kubernetes.io/tls` type in `openshift-config`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apiserver-etcd-encryption-resources","text":"Etcd encryption covers: secrets, configmaps, routes, oauthaccesstokens, and oauthauthorizetokens.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apiserver-resource-singleton-cluster","text":"The APIServer resource (`config.openshift.io/v1`) is cluster-scoped and the canonical instance is always named `cluster`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apiserver-shared-by-three-servers","text":"The APIServer config object holds shared settings consumed by `kube-apiserver`, `openshift-apiserver`, and `oauth-apiserver`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"application-packaging-and-delivery-model","text":"OpenShift application delivery spans packaging and image production: Helm charts and Templates define application structure with two parallel packaging mechanisms, while dual build systems (Shipwright/BuildConfig) produce container images through ImageStreams and the internal registry — creating a complete define→build→store pipeline.","truth_value":"IN","justification_count":1,"dependent_count":1,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"argocd-max-300-siteconfig-per-application","text":"Each ArgoCD application can manage a maximum of 300 SiteConfig CRs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"auth-dir-contains-kubeconfig-and-password","text":"The `auth/` directory under the install assets directory contains both `kubeconfig` and `kubeadmin-password` files","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"authentication-canonical-name-cluster","text":"The Authentication resource (`config.openshift.io/v1`) has a canonical instance name of `cluster` and is a cluster-scoped singleton.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"autoscaler-priority-expander-configmap-name","text":"The priority expander ConfigMap must be named `cluster-autoscaler-priority-expander` in the `openshift-machine-api` namespace; higher integer means higher priority.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"autoscaling-placement-within-governance","text":"Workload resource management (multi-level autoscaling + scheduling + storage placement) operates within the governance model: quotas force explicit resource declarations that autoscalers must respect, RBAC controls who configures scaling policies, and project-level self-provisioning governance determines which namespaces workloads can scale into.","truth_value":"IN","justification_count":1,"dependent_count":2,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-alb-operator-rolearn-in-subscription","text":"The `ROLEARN` environment variable is set in the Subscription spec to configure STS for the AWS Load Balancer Operator.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-default-lb-type-classic","text":"Default AWS load balancer type for OpenShift is Classic; NLB must be explicitly set via lbType: NLB in install-config.yaml.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"azure-disk-encryption-set-three-fields","text":"Azure disk encryption set configuration in ClusterCSIDriver requires three fields: name, resourceGroup, and subscriptionID.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":578,"limit":20,"offset":0}