build(deps): bump molecule from 25.12.0 to 26.2.0 in the molecule group

Bumps the molecule group with 1 update: [molecule](https://github.com/ansible-community/molecule).


Updates `molecule` from 25.12.0 to 26.2.0
- [Release notes](https://github.com/ansible-community/molecule/releases)
- [Commits](https://github.com/ansible-community/molecule/compare/v25.12.0...v26.2.0)

---
updated-dependencies:
- dependency-name: molecule
  dependency-version: 26.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: molecule
...

Signed-off-by: dependabot[bot] <support@github.com>

roles/kubernetes-apps/ansible/defaults/main.yml

@@ -88,5 +88,36 @@ dns_autoscaler_affinity: {}
 #   app: kube-prometheus-stack-kube-etcd
 #   release: prometheus-stack
 
+# Netchecker
+deploy_netchecker: false
+netchecker_port: 31081
+agent_report_interval: 15
+netcheck_namespace: default
+
+# Limits for netchecker apps
+netchecker_agent_cpu_limit: 30m
+netchecker_agent_memory_limit: 100M
+netchecker_agent_cpu_requests: 15m
+netchecker_agent_memory_requests: 64M
+netchecker_server_cpu_limit: 100m
+netchecker_server_memory_limit: 256M
+netchecker_server_cpu_requests: 50m
+netchecker_server_memory_requests: 64M
+netchecker_etcd_cpu_limit: 200m
+netchecker_etcd_memory_limit: 256M
+netchecker_etcd_cpu_requests: 100m
+netchecker_etcd_memory_requests: 128M
+
+# SecurityContext (user/group)
+netchecker_agent_user: 1000
+netchecker_server_user: 1000
+netchecker_agent_group: 1000
+netchecker_server_group: 1000
+
+# Log levels
+netchecker_agent_log_level: 5
+netchecker_server_log_level: 5
+netchecker_etcd_log_level: info
+
 # Policy Controllers
 # policy_controller_extra_tolerations: [{effect: NoSchedule, operator: "Exists"}]

roles/kubernetes-apps/ansible/tasks/main.yml

@@ -87,3 +87,25 @@
   when: etcd_metrics_port is defined and etcd_metrics_service_labels is defined
   tags:
     - etcd_metrics
+
+- name: Kubernetes Apps | Netchecker
+  command:
+    cmd: "{{ kubectl_apply_stdin }}"
+    stdin: "{{ lookup('template', item) }}"
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  run_once: true
+  vars:
+    k8s_namespace: "{{ netcheck_namespace }}"
+  when: deploy_netchecker
+  tags:
+    - netchecker
+  loop:
+    - netchecker-ns.yml.j2
+    - netchecker-agent-sa.yml.j2
+    - netchecker-agent-ds.yml.j2
+    - netchecker-agent-hostnet-ds.yml.j2
+    - netchecker-server-sa.yml.j2
+    - netchecker-server-clusterrole.yml.j2
+    - netchecker-server-clusterrolebinding.yml.j2
+    - netchecker-server-deployment.yml.j2
+    - netchecker-server-svc.yml.j2

roles/kubernetes-apps/ansible/templates/netchecker-agent-ds.yml.j2

@@ -0,0 +1,56 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: netchecker-agent
+  name: netchecker-agent
+  namespace: {{ netcheck_namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: netchecker-agent
+  template:
+    metadata:
+      name: netchecker-agent
+      labels:
+        app: netchecker-agent
+    spec:
+      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      nodeSelector:
+        kubernetes.io/os: linux
+      containers:
+        - name: netchecker-agent
+          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          args:
+            - "-v={{ netchecker_agent_log_level }}"
+            - "-alsologtostderr=true"
+            - "-serverendpoint=netchecker-service:8081"
+            - "-reportinterval={{ agent_report_interval }}"
+          resources:
+            limits:
+              cpu: {{ netchecker_agent_cpu_limit }}
+              memory: {{ netchecker_agent_memory_limit }}
+            requests:
+              cpu: {{ netchecker_agent_cpu_requests }}
+              memory: {{ netchecker_agent_memory_requests }}
+          securityContext:
+            runAsUser: {{ netchecker_agent_user | default('0') }}
+            runAsGroup: {{ netchecker_agent_group | default('0') }}
+      serviceAccountName: netchecker-agent
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 100%
+    type: RollingUpdate

roles/kubernetes-apps/ansible/templates/netchecker-agent-hostnet-ds.yml.j2

@@ -0,0 +1,58 @@
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+  labels:
+    app: netchecker-agent-hostnet
+  name: netchecker-agent-hostnet
+  namespace: {{ netcheck_namespace }}
+spec:
+  selector:
+    matchLabels:
+      app: netchecker-agent-hostnet
+  template:
+    metadata:
+      name: netchecker-agent-hostnet
+      labels:
+        app: netchecker-agent-hostnet
+    spec:
+      hostNetwork: true
+      dnsPolicy: ClusterFirstWithHostNet
+      nodeSelector:
+        kubernetes.io/os: linux
+      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-node-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      containers:
+        - name: netchecker-agent
+          image: "{{ netcheck_agent_image_repo }}:{{ netcheck_agent_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          env:
+            - name: MY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+            - name: MY_NODE_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: spec.nodeName
+          args:
+            - "-v={{ netchecker_agent_log_level }}"
+            - "-alsologtostderr=true"
+            - "-serverendpoint=netchecker-service:8081"
+            - "-reportinterval={{ agent_report_interval }}"
+          resources:
+            limits:
+              cpu: {{ netchecker_agent_cpu_limit }}
+              memory: {{ netchecker_agent_memory_limit }}
+            requests:
+              cpu: {{ netchecker_agent_cpu_requests }}
+              memory: {{ netchecker_agent_memory_requests }}
+          securityContext:
+            runAsUser: {{ netchecker_agent_user | default('0') }}
+            runAsGroup: {{ netchecker_agent_group | default('0') }}
+      serviceAccountName: netchecker-agent
+  updateStrategy:
+    rollingUpdate:
+      maxUnavailable: 100%
+    type: RollingUpdate

roles/kubernetes-apps/ansible/templates/netchecker-agent-sa.yml.j2

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netchecker-agent
+  namespace: {{ netcheck_namespace }}

roles/kubernetes-apps/ansible/templates/netchecker-ns.yml.j2

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: "{{ netcheck_namespace }}"
+  labels:
+    name: "{{ netcheck_namespace }}"

roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrole.yml.j2

@@ -0,0 +1,9 @@
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["list", "get"]

roles/kubernetes-apps/ansible/templates/netchecker-server-clusterrolebinding.yml.j2

@@ -0,0 +1,13 @@
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}
+subjects:
+  - kind: ServiceAccount
+    name: netchecker-server
+    namespace: {{ netcheck_namespace }}
+roleRef:
+  kind: ClusterRole
+  name: netchecker-server
+  apiGroup: rbac.authorization.k8s.io

roles/kubernetes-apps/ansible/templates/netchecker-server-deployment.yml.j2

@@ -0,0 +1,86 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}
+  labels:
+    app: netchecker-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: netchecker-server
+  template:
+    metadata:
+      name: netchecker-server
+      labels:
+        app: netchecker-server
+    spec:
+      priorityClassName: {% if netcheck_namespace == 'kube-system' %}system-cluster-critical{% else %}k8s-cluster-critical{% endif %}{{ '' }}
+      volumes:
+        - name: etcd-data
+          emptyDir: {}
+      containers:
+        - name: netchecker-server
+          image: "{{ netcheck_server_image_repo }}:{{ netcheck_server_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          resources:
+            limits:
+              cpu: {{ netchecker_server_cpu_limit }}
+              memory: {{ netchecker_server_memory_limit }}
+            requests:
+              cpu: {{ netchecker_server_cpu_requests }}
+              memory: {{ netchecker_server_memory_requests }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsUser: {{ netchecker_server_user | default('0') }}
+            runAsGroup: {{ netchecker_server_group | default('0') }}
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+          ports:
+            - containerPort: 8081
+          args:
+            - -v={{ netchecker_server_log_level }}
+            - -logtostderr
+            - -kubeproxyinit=false
+            - -endpoint=0.0.0.0:8081
+            - -etcd-endpoints=http://127.0.0.1:2379
+        - name: etcd
+          image: "{{ etcd_image_repo }}:{{ netcheck_etcd_image_tag }}"
+          imagePullPolicy: {{ k8s_image_pull_policy }}
+          env:
+            - name: ETCD_LOG_LEVEL
+              value: "{{ netchecker_etcd_log_level }}"
+          command:
+            - etcd
+            - --listen-client-urls=http://127.0.0.1:2379
+            - --advertise-client-urls=http://127.0.0.1:2379
+            - --data-dir=/var/lib/etcd
+            - --enable-v2
+            - --force-new-cluster
+          volumeMounts:
+            - mountPath: /var/lib/etcd
+              name: etcd-data
+          resources:
+            limits:
+              cpu: {{ netchecker_etcd_cpu_limit }}
+              memory: {{ netchecker_etcd_memory_limit }}
+            requests:
+              cpu: {{ netchecker_etcd_cpu_requests }}
+              memory: {{ netchecker_etcd_memory_requests }}
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop: ['ALL']
+            runAsUser: {{ netchecker_server_user | default('0') }}
+            runAsGroup: {{ netchecker_server_group | default('0') }}
+            runAsNonRoot: true
+            seccompProfile:
+              type: RuntimeDefault
+      tolerations:
+        - effect: NoSchedule
+          operator: Exists
+      serviceAccountName: netchecker-server

roles/kubernetes-apps/ansible/templates/netchecker-server-sa.yml.j2

@@ -0,0 +1,5 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: netchecker-server
+  namespace: {{ netcheck_namespace }}

roles/kubernetes-apps/ansible/templates/netchecker-server-svc.yml.j2

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: netchecker-service
+  namespace: {{ netcheck_namespace }}
+spec:
+  selector:
+    app: netchecker-server
+  ports:
+    -
+      protocol: TCP
+      port: 8081
+      targetPort: 8081
+      nodePort: {{ netchecker_port }}
+  type: NodePort

roles/kubespray_defaults/defaults/main/download.yml

@@ -232,6 +232,13 @@ calico_apiserver_image_repo: "{{ quay_image_repo }}/calico/apiserver"
 calico_apiserver_image_tag: "v{{ calico_apiserver_version }}"
 pod_infra_image_repo: "{{ kube_image_repo }}/pause"
 pod_infra_image_tag: "{{ pod_infra_version }}"
+netcheck_version: "1.2.2"
+netcheck_agent_image_repo: "{{ docker_image_repo }}/mirantis/k8s-netchecker-agent"
+netcheck_agent_image_tag: "v{{ netcheck_version }}"
+netcheck_server_image_repo: "{{ docker_image_repo }}/mirantis/k8s-netchecker-server"
+netcheck_server_image_tag: "v{{ netcheck_version }}"
+# netchecker doesn't work with etcd>=3.6 because etcd v2 API is removed
+netcheck_etcd_image_tag: "v{{ (etcd_binary_checksums['amd64'].keys() | select('version', '3.6', '<'))[0] }}"
 cilium_image_repo: "{{ quay_image_repo }}/cilium/cilium"
 cilium_image_tag: "v{{ cilium_version }}"
 cilium_operator_image_repo: "{{ quay_image_repo }}/cilium/operator"
@@ -373,6 +380,24 @@ node_feature_discovery_image_repo: "{{ kube_image_repo }}/nfd/node-feature-disco
 node_feature_discovery_image_tag: "v{{ node_feature_discovery_version }}"
 
 downloads:
+  netcheck_server:
+    enabled: "{{ deploy_netchecker }}"
+    container: true
+    repo: "{{ netcheck_server_image_repo }}"
+    tag: "{{ netcheck_server_image_tag }}"
+    checksum: "{{ netcheck_server_digest_checksum | default(None) }}"
+    groups:
+      - k8s_cluster
+
+  netcheck_agent:
+    enabled: "{{ deploy_netchecker }}"
+    container: true
+    repo: "{{ netcheck_agent_image_repo }}"
+    tag: "{{ netcheck_agent_image_tag }}"
+    checksum: "{{ netcheck_agent_digest_checksum | default(None) }}"
+    groups:
+      - k8s_cluster
+
   etcd:
     container: "{{ etcd_deployment_type != 'host' }}"
     file: "{{ etcd_deployment_type == 'host' }}"

roles/kubespray_defaults/defaults/main/main.yml

@@ -152,6 +152,8 @@ manual_dns_server: ""
 
 # Can be host_resolvconf, docker_dns or none
 resolvconf_mode: host_resolvconf
+# Deploy netchecker app to verify DNS resolve as an HTTP service
+deploy_netchecker: false
 # Ip address of the kubernetes DNS service (called skydns for historical reasons)
 skydns_server: "{{ kube_service_subnets.split(',') | first | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(3) | ansible.utils.ipaddr('address') }}"
 skydns_server_secondary: "{{ kube_service_subnets.split(',') | first | ansible.utils.ipaddr('net') | ansible.utils.ipaddr(4) | ansible.utils.ipaddr('address') }}"

roles/validate_inventory/tasks/main.yml

@@ -49,6 +49,7 @@
   assert:
     that:
       - download_run_once | type_debug == 'bool'
+      - deploy_netchecker | type_debug == 'bool'
       - download_always_pull | type_debug == 'bool'
       - helm_enabled | type_debug == 'bool'
       - openstack_lbaas_enabled | type_debug == 'bool'

tests/common_vars.yml

@@ -1,5 +1,6 @@
 ---
 # Kubespray settings for tests
+deploy_netchecker: true
 dns_min_replicas: 1
 unsafe_show_logs: true
 
@@ -28,6 +29,9 @@ crio_registries:
       - location: mirror.gcr.io
         insecure: false
 
+netcheck_agent_image_repo: "{{ quay_image_repo }}/kubespray/k8s-netchecker-agent"
+netcheck_server_image_repo: "{{ quay_image_repo }}/kubespray/k8s-netchecker-server"
+
 nginx_image_repo: "{{ quay_image_repo }}/kubespray/nginx"
 
 flannel_image_repo: "{{ quay_image_repo }}/kubespray/flannel"

tests/requirements.txt

@@ -1,4 +1,4 @@
 -r ../requirements.txt
 distlib==0.4.0 # required for building collections
-molecule==25.12.0
+molecule==26.2.0
 pytest-testinfra==10.2.2

tests/testcases/040_check-network-adv.yml

@@ -13,6 +13,88 @@
 - import_role:  # noqa name[missing]
     name: cluster-dump
 
+- name: Wait for netchecker server
+  command: "{{ bin_dir }}/kubectl get pods --field-selector=status.phase==Running -o jsonpath-as-json={.items[*].metadata.name} --namespace {{ netcheck_namespace }}"
+  register: pods_json
+  until:
+    - pods_json.stdout | from_json | select('match', 'netchecker-server.*') | length == 1
+    - (pods_json.stdout | from_json | select('match', 'netchecker-agent.*') | length)
+      >= (groups['k8s_cluster'] | intersect(ansible_play_hosts) | length * 2)
+  retries: 3
+  delay: 10
+  when: inventory_hostname == groups['kube_control_plane'][0]
+
+- name: Get netchecker pods
+  command: "{{ bin_dir }}/kubectl -n {{ netcheck_namespace }} describe pod -l app={{ item }}"
+  run_once: true
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  with_items:
+    - netchecker-agent
+    - netchecker-agent-hostnet
+  when: not pods_json is success
+
+- name: Perform netchecker tests
+  run_once: true
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  block:
+    - name: Get netchecker agents
+      uri:
+        url: "http://{{ (ansible_default_ipv6.address if not (ipv4_stack | default(true)) else ansible_default_ipv4.address) | ansible.utils.ipwrap }}:{{ netchecker_port }}/api/v1/agents/"
+        return_content: true
+        headers:
+          Accept: application/json
+      register: agents
+      retries: 18
+      delay: "{{ agent_report_interval }}"
+      until:
+        - agents is success
+        - (agents.content | from_json | length) == (groups['k8s_cluster'] | length * 2)
+
+    - name: Check netchecker status
+      uri:
+        url: "http://{{ (ansible_default_ipv6.address if not (ipv4_stack | default(true)) else ansible_default_ipv4.address) | ansible.utils.ipwrap }}:{{ netchecker_port }}/api/v1/connectivity_check"
+        return_content: true
+        headers:
+          Accept: application/json
+      register: connectivity_check
+      retries: 3
+      delay: "{{ agent_report_interval }}"
+      until:
+        - connectivity_check is success
+        - connectivity_check.content | from_json
+
+  rescue:
+    - name: Get kube-proxy logs
+      command: "{{ bin_dir }}/kubectl -n kube-system logs -l k8s-app=kube-proxy"
+
+    - name: Get logs from other apps
+      command: "{{ bin_dir }}/kubectl -n kube-system logs -l k8s-app={{ item }} --all-containers"
+      with_items:
+        - kube-router
+        - flannel
+        - canal-node
+        - calico-node
+        - cilium
+
+    - name: Netchecker tests failed
+      fail:
+        msg: "netchecker tests failed"
+
+- name: Check connectivity with all netchecker agents
+  vars:
+    connectivity_check_result: "{{ connectivity_check.content | from_json }}"
+    agents_check_result: "{{ agents.content | from_json }}"
+  assert:
+    that:
+      - agents_check_result is defined
+      - connectivity_check_result is defined
+      - agents_check_result.keys() | length > 0
+      - not connectivity_check_result.Absent
+      - not connectivity_check_result.Outdated
+    msg: "Connectivity check to netchecker agents failed"
+  delegate_to: "{{ groups['kube_control_plane'][0] }}"
+  run_once: true
+
 - name: Create macvlan network conf
   command:
     cmd: "{{ bin_dir }}/kubectl create -f -"

tests/testcases/tests.yml

@@ -36,6 +36,10 @@
       when:
         - ('macvlan' not in testcase)
         - ('hardening' not in testcase)
+      vars:
+        agent_report_interval: 10
+        netcheck_namespace: default
+        netchecker_port: 31081
     - name: Testcases for kubernetes conformance
       import_tasks: 100_check-k8s-conformance.yml
       delegate_to: "{{ groups['kube_control_plane'][0] }}"