tests: k8s: enable AUTO_GENERATE_POLICY

Enable AUTO_GENERATE_POLICY for one of the Kata CI K8s test platforms. Additional platforms will be enabled after testing them. When AUTO_GENERATE_POLICY is enabled, create genpolicy settings that are common for all tests. Some of the tests will make temporary copies of these common settings and customize them as needed. Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-17 23:07:55 +00:00 · 2024-02-01 21:35:18 +00:00
parent 05b2e4f606
commit 0de407f8b7
3 changed files with 19 additions and 7 deletions
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -169,6 +169,11 @@ function run_tests() {
 	[ "$platform" = "kcli" ] && \
 		export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig"

+	# Enable auto-generated policy for CI images that support policy.
+	#
+	# TODO: enable testing auto-generated policy for other types of hosts too.
+	[ "${KATA_HOST_OS}" = "cbl-mariner" ] && export AUTO_GENERATE_POLICY="yes"
+
 	set_test_cluster_namespace

 	pushd "${kubernetes_dir}"
--- a/tests/integration/kubernetes/setup.sh
+++ b/tests/integration/kubernetes/setup.sh
@@ -19,22 +19,29 @@ else
    )
 fi

-kubernetes_dir=$(dirname "$(readlink -f "$0")")
+declare -r kubernetes_dir=$(dirname "$(readlink -f "$0")")
 source "${kubernetes_dir}/../../common.bash"
+source "${kubernetes_dir}/tests_common.sh"

 reset_workloads_work_dir() {
 	rm -rf ${kubernetes_dir}/runtimeclass_workloads_work
 	cp -R ${kubernetes_dir}/runtimeclass_workloads ${kubernetes_dir}/runtimeclass_workloads_work
-	copy_test_policy_files
+	setup_policy_files
 }

-copy_test_policy_files() {
-	local kata_opa_dir="${kubernetes_dir}/../../../src/kata-opa"
+setup_policy_files() {
+	declare -r kata_opa_dir="${kubernetes_dir}/../../../src/kata-opa"
+	declare -r workloads_work_dir="${kubernetes_dir}/runtimeclass_workloads_work"

+	# Copy hard-coded policy files used for basic policy testing.
 	for policy_file in ${K8S_TEST_POLICY_FILES[@]}
 	do
 		cp "${kata_opa_dir}/${policy_file}" ${kubernetes_dir}/runtimeclass_workloads_work/
 	done
+
+	# For testing more sophisticated policies, create genpolicy settings that are common for all tests.
+	# Some of the tests will make temporary copies of these common settings and customize them as needed.
+	create_common_genpolicy_settings "${workloads_work_dir}"
 }

 add_kernel_initrd_annotations_to_yaml() {
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -105,9 +105,9 @@ create_common_genpolicy_settings() {
 	cp "${default_genpolicy_settings_dir}/rules.rego" "${genpolicy_settings_dir}"

 	# Set the default namespace of Kata CI tests in the genpolicy settings.
-	info "${genpolicy_settings_dir}/genpolicy-settings.json: default namespace: ${test_cluster_namespace}"
-	jq --arg test_cluster_namespace "${test_cluster_namespace}" \
-		'.cluster_config.default_namespace |= $test_cluster_namespace' \
+	info "${genpolicy_settings_dir}/genpolicy-settings.json: default namespace: ${TEST_CLUSTER_NAMESPACE}"
+	jq --arg TEST_CLUSTER_NAMESPACE "${TEST_CLUSTER_NAMESPACE}" \
+		'.cluster_config.default_namespace |= $TEST_CLUSTER_NAMESPACE' \
 		"${genpolicy_settings_dir}/genpolicy-settings.json" > \
 		"${genpolicy_settings_dir}/new-genpolicy-settings.json"
 	mv "${genpolicy_settings_dir}/new-genpolicy-settings.json" "${genpolicy_settings_dir}/genpolicy-settings.json"