{"results":[{"id":"acl-audit-log-annotation-key","text":"Audit logging for network policies is enabled via the `k8s.ovn.org/acl-logging` annotation on namespaces (for NetworkPolicy/EgressFirewall) or directly on ANP/BANP CRs.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"additional-trusted-ca-in-openshift-config","text":"The `additionalTrustedCA` ConfigMap referenced by image.config.openshift.io/cluster must be in the `openshift-config` namespace","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"admin-policy-external-route-dynamic-hop-requires-both-selectors","text":"Dynamic hops in AdminPolicyBasedExternalRoute require both `podSelector` and `namespaceSelector`","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"admin-policy-external-route-static-dynamic-hops","text":"AdminPolicyBasedExternalRoute supports two next-hop types: static (fixed IP) and dynamic (IP derived from gateway pods selected by podSelector and namespaceSelector)","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertingrule-must-be-in-openshift-monitoring-ns","text":"AlertingRule and AlertRelabelConfig resources must be created in the openshift-monitoring namespace; they use apiVersion monitoring.openshift.io/v1.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertingrule-namespace-openshift-monitoring","text":"AlertingRule resources for Network Observability alerts must be created in the `openshift-monitoring` namespace","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"alertingrule-openshift-specific","text":"AlertingRule is an OpenShift-specific CRD (`monitoring.openshift.io/v1`) that only supports alerting rules (NOT recording rules) and auto-creates a corresponding PrometheusRule in the `openshift-monitoring` namespace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"allnamespaces-mode-global-operators-group","text":"For AllNamespaces install mode, the `openshift-operators` namespace has a default OperatorGroup called `global-operators`; no additional OperatorGroup is needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"allnamespaces-mode-uses-openshift-operators","text":"AllNamespaces install mode uses namespace `openshift-operators`; SingleNamespace mode requires creating an OperatorGroup in the target namespace","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"allnamespaces-mode-uses-openshift-operators-namespace","text":"For AllNamespaces install mode, the Subscription goes in the `openshift-operators` namespace which already has the `global-operators` OperatorGroup — no manual OperatorGroup creation needed.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-cluster-scoped-networkpolicy-namespace-scoped","text":"AdminNetworkPolicy is cluster-scoped while NetworkPolicy is namespace-scoped","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-ingress-peers-namespaces-pods-only","text":"ANP ingress peers support only namespaces and pods; egress additionally supports nodes and networks (CIDR)","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"anp-pass-delegates-to-networkpolicy","text":"ANP Pass action delegates the traffic decision to namespace-scoped NetworkPolicy, then to BANP if no NetworkPolicy matches","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"apiserver-clientca-openshift-config","text":"The APIServer `clientCA` ConfigMap must reside in the `openshift-config` namespace with key `ca-bundle.crt`; serving certificate Secrets must be `kubernetes.io/tls` type in `openshift-config`.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appliedclusterresourcequota-openshift-specific","text":"AppliedClusterResourceQuota is an OpenShift-specific extension beyond upstream Kubernetes that enforces resource quotas across multiple namespaces.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"appliedclusterresourcequota-read-only","text":"AppliedClusterResourceQuota is a read-only projection of ClusterResourceQuota into a project namespace — only GET operations are available, and it is not created directly by users.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"approve-installplan-command","text":"Approve a pending InstallPlan: `oc patch installplan <name> -n <namespace> --type merge --patch '{\"spec\":{\"approved\":true}}'`","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"autoscaler-priority-expander-configmap-name","text":"The priority expander ConfigMap must be named `cluster-autoscaler-priority-expander` in the `openshift-machine-api` namespace; higher integer means higher priority.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"autoscaling-placement-within-governance","text":"Workload resource management (multi-level autoscaling + scheduling + storage placement) operates within the governance model: quotas force explicit resource declarations that autoscalers must respect, RBAC controls who configures scaling policies, and project-level self-provisioning governance determines which namespaces workloads can scale into.","truth_value":"IN","justification_count":1,"dependent_count":2,"challenges":[],"last_reviewed":null,"review_result":null},{"id":"aws-alb-operator-namespace","text":"The AWS Load Balancer Operator runs in the `aws-load-balancer-operator` namespace.","truth_value":"IN","justification_count":0,"dependent_count":0,"challenges":[],"last_reviewed":null,"review_result":null}],"count":373,"limit":20,"offset":0}