From 2870f7c2dda04d67c9cc3127c898000b705d9b38 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 13 May 2026 17:01:50 +0100 Subject: [PATCH 1/2] ci: Move measure-rootfs to run on TEE PRs k8s-measured-rootfs only runs on confidential runtime, so we should move it into the subset on tests that run on TEEs Signed-off-by: stevenhorsman --- tests/integration/kubernetes/run_kubernetes_tests.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index 388323a74e..6e4f64f45b 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh @@ -45,6 +45,7 @@ else "k8s-guest-pull-image-authenticated.bats" \ "k8s-guest-pull-image-signature.bats" \ "k8s-confidential-attestation.bats" \ + "k8s-measured-rootfs.bats" \ ) K8S_TEST_SMALL_HOST_TEE_POLICY_UNION=( \ @@ -84,7 +85,6 @@ else "k8s-kill-all-process-in-container.bats" \ "k8s-limit-range.bats" \ "k8s-liveness-probes.bats" \ - "k8s-measured-rootfs.bats" \ "k8s-memory.bats" \ "k8s-nested-configmap-secret.bats" \ "k8s-oom.bats" \ From 5c55726d11e28c7457196aefc8e75053ffc83011 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 13 May 2026 17:17:48 +0100 Subject: [PATCH 2/2] tests/k8s: Update measured-rootfs image Try and switch the docker nginx image to our versions.yaml one so we avoid rate limit issues Signed-off-by: stevenhorsman --- tests/integration/kubernetes/k8s-measured-rootfs.bats | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index 927972e555..40436b8d6b 100644 --- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -36,7 +36,12 @@ setup() { } @test "Test cannot launch pod with measured boot enabled and incorrect hash" { - pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")" + ensure_yq + nginx_registry=$(get_from_kata_deps ".docker_images.nginx.registry") + nginx_digest=$(get_from_kata_deps ".docker_images.nginx.digest") + nginx_image="${nginx_registry}@${nginx_digest}" + + pod_config="$(new_pod_config "${nginx_image}" "kata-${KATA_HYPERVISOR}")" auto_generate_policy "${pod_config_dir}" "${pod_config}" incorrect_hash="1111111111111111111111111111111111111111111111111111111111111111"