feat: Add lifecycle-topology-spread-constraint test

Implements new test to ensure Deployments using TopologySpreadConstraints
include both hostname and zone topology keys to avoid manual PDB tweaking
during platform upgrades.

Test Details:
- Pass: TSC not defined OR both hostname+zone keys present
- Fail: TSC defined but missing either key
- Skips: SNO and compact clusters (not enough workers)
- Classification: Telco (Mandatory), Others (Optional)
- Tags: telco, lifecycle

Files Modified:
- tests/lifecycle/suite.go: Test implementation
- tests/identifiers/identifiers.go: Test identifier
- tests/identifiers/impact.go: Impact statement
- tests/identifiers/remediation.go: Remediation guidance
- tests/identifiers/doclinks.go: Documentation link
- expected_results.yaml: Added to skip list
- CATALOG.md: Test catalog entry (auto-generated)

Author: rocrisp

CATALOG.md

@@ -80,6 +80,7 @@ testCases:
     - lifecycle-cpu-isolation
     - lifecycle-statefulset-scaling
     - lifecycle-storage-provisioner
+    - lifecycle-topology-spread-constraint
     - networking-icmpv6-connectivity
     - networking-restart-on-reboot-sriov-pod
     - networking-network-attachment-definition-sriov-mtu

expected_results.yaml

@@ -85,6 +85,7 @@ const (
 	TestStatefulSetScalingIdentifierDocLink            = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-high-level-cnf-expectations"
 	TestImagePullPolicyIdentifierDocLink               = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-use-imagepullpolicy:-ifnotpresent"
 	TestPodRecreationIdentifierDocLink                 = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-upgrade-expectations"
+	TestTopologySpreadConstraintDocLink                = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-high-level-cnf-expectations"
 	TestLivenessProbeIdentifierDocLink                 = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-liveness-readiness-and-startup-probes"
 	TestReadinessProbeIdentifierDocLink                = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-liveness-readiness-and-startup-probes"
 	TestStartupProbeIdentifierDocLink                  = "https://redhat-best-practices-for-k8s.github.io/guide/#k8s-best-practices-liveness-readiness-and-startup-probes"

tests/identifiers/doclinks.go

@@ -143,6 +143,7 @@ var (
 	TestStatefulSetScalingIdentifier                                 claim.Identifier
 	TestImagePullPolicyIdentifier                                    claim.Identifier
 	TestPodRecreationIdentifier                                      claim.Identifier
+	TestTopologySpreadConstraint                                     claim.Identifier
 	TestPodRoleBindingsBestPracticesIdentifier                       claim.Identifier
 	TestPodServiceAccountBestPracticesIdentifier                     claim.Identifier
 	TestPodAutomountServiceAccountIdentifier                         claim.Identifier
@@ -1229,6 +1230,22 @@ that Node's kernel may not have the same hacks.'`,
 		},
 		TagCommon)
 
+	TestTopologySpreadConstraint = AddCatalogEntry(
+		"topology-spread-constraint",
+		common.LifecycleTestKey,
+		`Ensures that Deployments using TopologySpreadConstraints include constraints for both hostname and zone topology keys. This helps telco workloads avoid needing to tweak PodDisruptionBudgets before platform upgrades. If TopologySpreadConstraints is not defined, the test passes as Kubernetes scheduler implicitly uses hostname and zone constraints.`+NotApplicableSNO, //nolint:lll
+		TopologySpreadConstraintRemediation,
+		NoDocumentedProcess,
+		TestTopologySpreadConstraintDocLink,
+		true,
+		map[string]string{
+			FarEdge:  Optional,
+			Telco:    Mandatory,
+			NonTelco: Optional,
+			Extended: Optional,
+		},
+		TagTelco)
+
 	TestPodRoleBindingsBestPracticesIdentifier = AddCatalogEntry(
 		"pod-role-bindings",
 		common.AccessControlTestKey,

tests/identifiers/identifiers.go

@@ -101,6 +101,7 @@ const (
 	TestStatefulSetScalingIdentifierImpact            = `StatefulSet scaling issues can prevent proper data persistence and ordered deployment of stateful applications.`
 	TestImagePullPolicyIdentifierImpact               = `Incorrect image pull policies can cause deployment failures when image registries are unavailable or during network issues.`
 	TestPodRecreationIdentifierImpact                 = `Failed pod recreation indicates poor high availability configuration, leading to potential service outages during node failures.`
+	TestTopologySpreadConstraintImpact                = `Without proper topology spread constraints, pods may cluster on nodes causing PodDisruptionBudgets to block platform upgrades, requiring manual PDB adjustments and increasing operational complexity during maintenance windows.`
 	TestLivenessProbeIdentifierImpact                 = `Missing liveness probes prevent Kubernetes from detecting and recovering from application deadlocks and hangs.`
 	TestReadinessProbeIdentifierImpact                = `Missing readiness probes can cause traffic to be routed to non-ready pods, resulting in failed requests and poor user experience.`
 	TestStartupProbeIdentifierImpact                  = `Missing startup probes can cause slow-starting applications to be killed prematurely, preventing successful application startup.`
@@ -243,6 +244,7 @@ var ImpactMap = map[string]string{
 	"lifecycle-statefulset-scaling":              TestStatefulSetScalingIdentifierImpact,
 	"lifecycle-image-pull-policy":                TestImagePullPolicyIdentifierImpact,
 	"lifecycle-pod-recreation":                   TestPodRecreationIdentifierImpact,
+	"lifecycle-topology-spread-constraint":       TestTopologySpreadConstraintImpact,
 	"lifecycle-liveness-probe":                   TestLivenessProbeIdentifierImpact,
 	"lifecycle-readiness-probe":                  TestReadinessProbeIdentifierImpact,
 	"lifecycle-startup-probe":                    TestStartupProbeIdentifierImpact,

tests/identifiers/impact.go

@@ -127,6 +127,8 @@ const (
 
 	PodRecreationRemediation = `Ensure that the workloads Pods utilize a configuration that supports High Availability. Additionally, ensure that there are available Nodes in the OpenShift cluster that can be utilized in the event that a host Node fails.`
 
+	TopologySpreadConstraintRemediation = `If using TopologySpreadConstraints in your Deployment, ensure you include constraints for both 'kubernetes.io/hostname' and 'topology.kubernetes.io/zone' topology keys. Alternatively, you can omit TopologySpreadConstraints entirely to let Kubernetes scheduler use implicit hostname and zone constraints. This helps maintain workload availability during platform upgrades without manually adjusting PodDisruptionBudgets.`
+
 	SysctlConfigsRemediation = `You should recreate the node or change the sysctls, recreating is recommended because there might be other unknown changes`
 
 	ServiceMeshRemediation = `Ensure all the workload pods are using service mesh if the cluster provides it.`

tests/identifiers/remediation.go

@@ -17,6 +17,7 @@
 package lifecycle
 
 import (
+	"fmt"
 	"time"
 
 	"github.com/redhat-best-practices-for-k8s/certsuite/internal/log"
@@ -234,6 +235,16 @@ func LoadChecks() {
 			testStorageProvisioner(c, &env)
 			return nil
 		}))
+
+	// Topology Spread Constraint test
+	checksGroup.Add(checksdb.NewCheck(identifiers.GetTestIDAndLabels(identifiers.TestTopologySpreadConstraint)).
+		WithSkipCheckFn(
+			testhelper.GetNoDeploymentsUnderTestSkipFn(&env),
+			testhelper.GetNotEnoughWorkersSkipFn(&env, minWorkerNodesForLifecycle)).
+		WithCheckFn(func(c *checksdb.Check) error {
+			testTopologySpreadConstraint(c, &env)
+			return nil
+		}))
 }
 
 func testContainersPreStop(check *checksdb.Check, env *provider.TestEnvironment) {
@@ -883,3 +894,72 @@ func testStorageProvisioner(check *checksdb.Check, env *provider.TestEnvironment
 	}
 	check.SetResult(compliantObjects, nonCompliantObjects)
 }
+
+const (
+	hostnameTopologyKey = "kubernetes.io/hostname"
+	zoneTopologyKey     = "topology.kubernetes.io/zone"
+)
+
+func testTopologySpreadConstraint(check *checksdb.Check, env *provider.TestEnvironment) {
+	var compliantObjects []*testhelper.ReportObject
+	var nonCompliantObjects []*testhelper.ReportObject
+
+	for _, deployment := range env.Deployments {
+		check.LogInfo("Testing Deployment %q", deployment)
+
+		// Get the topology spread constraints from the pod template
+		tsc := deployment.Spec.Template.Spec.TopologySpreadConstraints
+
+		// Case 1: No TSC defined - PASS (implicit k8s behavior)
+		if len(tsc) == 0 {
+			check.LogInfo("Deployment %q does not define TopologySpreadConstraints (implicit scheduling is acceptable)", deployment)
+			compliantObjects = append(compliantObjects,
+				testhelper.NewDeploymentReportObject(deployment.Namespace, deployment.Name,
+					"TopologySpreadConstraints not defined (implicit Kubernetes scheduling behavior)", true))
+			continue
+		}
+
+		// Case 2: TSC is defined - must include both hostname and zone
+		check.LogInfo("Deployment %q defines TopologySpreadConstraints, checking for required topology keys", deployment)
+
+		hasHostname := false
+		hasZone := false
+
+		// Check if both required topology keys are present
+		for _, constraint := range tsc {
+			if constraint.TopologyKey == hostnameTopologyKey {
+				hasHostname = true
+				check.LogInfo("Deployment %q has hostname topology key: %s", deployment, hostnameTopologyKey)
+			}
+			if constraint.TopologyKey == zoneTopologyKey {
+				hasZone = true
+				check.LogInfo("Deployment %q has zone topology key: %s", deployment, zoneTopologyKey)
+			}
+		}
+
+		// Both hostname and zone must be present
+		if hasHostname && hasZone {
+			check.LogInfo("Deployment %q has both required topology keys (hostname and zone)", deployment)
+			compliantObjects = append(compliantObjects,
+				testhelper.NewDeploymentReportObject(deployment.Namespace, deployment.Name,
+					"TopologySpreadConstraints includes both hostname and zone topology keys", true))
+		} else {
+			// Missing one or both required keys
+			missingKeys := []string{}
+			if !hasHostname {
+				missingKeys = append(missingKeys, hostnameTopologyKey)
+			}
+			if !hasZone {
+				missingKeys = append(missingKeys, zoneTopologyKey)
+			}
+
+			check.LogError("Deployment %q TopologySpreadConstraints is missing required topology keys: %v", deployment, missingKeys)
+			nonCompliantObjects = append(nonCompliantObjects,
+				testhelper.NewDeploymentReportObject(deployment.Namespace, deployment.Name,
+					"TopologySpreadConstraints must include both hostname and zone topology keys when defined", false).
+					AddField("MissingTopologyKeys", fmt.Sprintf("%v", missingKeys)))
+		}
+	}
+
+	check.SetResult(compliantObjects, nonCompliantObjects)
+}