tests: k8s: additional policy testing utilities

1. add_requests_to_policy_settings allows one or more ttrpc requests from the Host to the Guest. Example: add_requests_to_policy_settings "${policy_settings_dir}" \ "ReadStreamRequest" "WriteStreamRequest" 2. add_copy_from_host_to_policy_settings allows executing on the Guest the commands initiated behind the scenes by "kubectl cp" from the Host to the Guest. Example: add_copy_from_host_to_policy_settings "${policy_settings_dir}" 3. add_copy_from_guest_to_policy_settings allows executing on the Guest the commands initiated behind the scenes by "kubectl cp" from the Guest to the Host. Example: add_copy_from_guest_to_policy_settings "${policy_settings_dir}" \ "/tmp/file.txt" Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-08-01 07:47:15 +00:00 · 2024-02-07 22:38:26 +00:00 · 2024-02-07 22:38:26 +00:00 · 1179306afa
commit 1179306afa
parent 9a780aa98f
2 changed files with 43 additions and 8 deletions
--- a/tests/integration/kubernetes/k8s-attach-handlers.bats
+++ b/tests/integration/kubernetes/k8s-attach-handlers.bats
@ -23,9 +23,12 @@ setup() {

 	# Add policy to yaml
 	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	
 	display_message="cat /usr/share/message"
 	exec_command="sh -c ${display_message}"
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
 	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }

--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@ -175,12 +175,44 @@ add_exec_to_policy_settings() {
 		"${settings_dir}/new-genpolicy-settings.json"
 	mv "${settings_dir}/new-genpolicy-settings.json" \
 		"${settings_dir}/genpolicy-settings.json"
-
-	# Change genpolicy settings to allow kubectl to read the output of the command being executed.
-	info "${settings_dir}/genpolicy-settings.json: allowing ReadStreamRequest"
-	jq '.request_defaults.ReadStreamRequest |= true' \
-		"${settings_dir}"/genpolicy-settings.json > \
-		"${settings_dir}"/new-genpolicy-settings.json
-	mv "${settings_dir}"/new-genpolicy-settings.json \
-		"${settings_dir}"/genpolicy-settings.json
+}
+
+# Change genpolicy settings to allow one or more ttrpc requests from the Host to the Guest.
+add_requests_to_policy_settings() {
+	declare -r settings_dir="$1"
+	shift
+	declare -r requests=("$@")
+
+	auto_generate_policy_enabled || return 0
+
+	for request in ${requests[@]}
+	do
+		info "${settings_dir}/genpolicy-settings.json: allowing ${request}"
+		jq ".request_defaults.${request} |= true" \
+			"${settings_dir}"/genpolicy-settings.json > \
+			"${settings_dir}"/new-genpolicy-settings.json
+		mv "${settings_dir}"/new-genpolicy-settings.json \
+			"${settings_dir}"/genpolicy-settings.json
+	done
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Host to the Guest.
+add_copy_from_host_to_policy_settings() {
+	declare -r genpolicy_settings_dir="$1"
+
+	exec_command="test -d /tmp"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	exec_command="tar -xmf - -C /tmp"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Guest to the Host.
+add_copy_from_guest_to_policy_settings() {
+	declare -r genpolicy_settings_dir="$1"
+	declare -r copied_file="$2"
+
+	exec_command="tar cf - ${copied_file}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 }