tests: k8s: clarify the need to use containerd.sock

Modify the permissions of containerd.sock just when genpolicy needs
access to this socket, when testing GENPOLICY_PULL_METHOD=containerd.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>

tests/integration/kubernetes/gha-run.sh

@@ -289,6 +289,12 @@ function run_tests() {
 		sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
 		echo "containerd config has been set to default"
 		sudo systemctl restart containerd && sudo systemctl is-active containerd
+
+		# Allow genpolicy to access the containerd image pull APIs without sudo.
+		local socket_wait_time=30
+		local socket_sleep_time=3
+		local cmd="sudo chmod a+rw /var/run/containerd/containerd.sock"
+		waitForProcess "${socket_wait_time}" "${socket_sleep_time}" "$cmd"
 	fi
 
 	set_test_cluster_namespace

tests/integration/kubernetes/tests_common.sh

@@ -143,9 +143,6 @@ create_common_genpolicy_settings() {
 
 	# Set the default namespace of Kata CI tests in the genpolicy settings.
 	set_namespace_to_policy_settings "${genpolicy_settings_dir}" "${TEST_CLUSTER_NAMESPACE}"
-
-	# allow genpolicy to access containerd without sudo
-	sudo chmod a+rw /var/run/containerd/containerd.sock
 }
 
 # If auto-generated policy testing is enabled, make a copy of the common genpolicy settings