diff --git a/tests/integration/kubernetes/k8s-policy-pod.bats b/tests/integration/kubernetes/k8s-policy-pod.bats index 435319ed3f..8d88caab17 100644 --- a/tests/integration/kubernetes/k8s-policy-pod.bats +++ b/tests/integration/kubernetes/k8s-policy-pod.bats @@ -8,6 +8,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" +issue="https://github.com/kata-containers/kata-containers/issues/10297" + setup() { auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled." @@ -37,6 +39,9 @@ setup() { # Save some time by executing genpolicy a single time. if [ "${BATS_TEST_NUMBER}" == "1" ]; then + # Work around #10297 if needed. + prometheus_image_supported || replace_prometheus_image + # Save pre-generated yaml files cp "${correct_configmap_yaml}" "${pre_generate_configmap_yaml}" cp "${correct_pod_yaml}" "${pre_generate_pod_yaml}" @@ -54,6 +59,22 @@ setup() { cp "${pre_generate_pod_yaml}" "${testcase_pre_generate_pod_yaml}" } +prometheus_image_supported() { + [[ "${SNAPSHOTTER:-}" == "nydus" ]] && return 1 + return 0 +} + +replace_prometheus_image() { + info "Replacing prometheus image with busybox to work around ${issue}" + + yq -i \ + '.spec.containers[0].name = "busybox"' \ + "${correct_pod_yaml}" + yq -i \ + '.spec.containers[0].image = "quay.io/prometheus/busybox:latest"' \ + "${correct_pod_yaml}" +} + # Common function for several test cases from this bats script. wait_for_pod_ready() { kubectl create -f "${correct_configmap_yaml}" @@ -210,6 +231,8 @@ test_pod_policy_error() { } @test "Successful pod: runAsUser having the same value as the UID from the container image" { + prometheus_image_supported || skip "Test case not supported due to ${issue}" + # This container image specifies user = "nobody" that corresponds to UID = 65534. Setting # the same value for runAsUser in the YAML file doesn't change the auto-generated Policy. yq -i \ 
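Review bot: The workaround call added to `setup()` rewrites `${correct_pod_yaml}` in place before the `cp` lines that save the pre-generated copies, so under `SNAPSHOTTER=nydus` the saved baseline is already the busybox variant and the original manifest is not preserved anywhere in this hunk. If `${correct_pod_yaml}` is a tracked fixture rather than a per-run copy (not visible here), a local nydus run would leave the working tree modified unless teardown restores it. Consider applying the replacement to a copy, or at least extend the comment to `# Work around #10297 if needed. Edits ${correct_pod_yaml} in place, before the baseline copy below.` The body of `setup()` starts and ends outside the hunk.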
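Review bot: `replace_prometheus_image` points the pod at `quay.io/prometheus/busybox:latest`, a mutable tag, so the image used for policy generation and for the pod can change between CI runs without any change in this repository. In a policy test the image content is presumably an input to the expected result, so pinning by digest keeps the run reproducible and limits exposure to the tag being repointed upstream: `'.spec.containers[0].image = "quay.io/prometheus/busybox@sha256:<digest-of-reviewed-image>"'` (placeholder digest). As a style point, `prometheus_image_supported` reduces to the single test `[[ "${SNAPSHOTTER:-}" != "nydus" ]]`. Both new functions would also benefit from a one-line header comment naming the nydus limitation tracked in `${issue}`.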
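Review bot: The skip added at the top of "Successful pod: runAsUser having the same value as the UID from the container image" is repeated in the next hunk for "Policy failure: unexpected UID = 0", so with `SNAPSHOTTER=nydus` the negative case (a UID changed after policy generation must be rejected) no longer runs. Whether another test covers runAsUser enforcement under nydus is not visible here. The skip itself looks reasonable, since the busybox replacement presumably lacks the `nobody` user both tests rely on, but the coverage gap should be recorded where it is introduced. I would add above each skip `# TODO(#10297): no runAsUser policy coverage on nydus until fixed; remove this skip then.` Both test bodies continue outside their hunks.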
@@ -222,6 +245,8 @@ test_pod_policy_error() { } @test "Policy failure: unexpected UID = 0" { + prometheus_image_supported || skip "Test case not supported due to ${issue}" + # Change the container UID to 0 after the policy has been generated, and verify that the # change gets rejected by the policy. UID = 0 is the default value from genpolicy, but # this container image specifies user = "nobody" that corresponds to UID = 65534.