From 1179306afa86101d5beaddec2dce39f821c3501e Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Wed, 7 Feb 2024 22:38:26 +0000 Subject: [PATCH] tests: k8s: additional policy testing utilities 1. add_requests_to_policy_settings allows one or more ttrpc requests from the Host to the Guest. Example: add_requests_to_policy_settings "${policy_settings_dir}" \ "ReadStreamRequest" "WriteStreamRequest" 2. add_copy_from_host_to_policy_settings allows executing on the Guest the commands initiated behind the scenes by "kubectl cp" from the Host to the Guest. Example: add_copy_from_host_to_policy_settings "${policy_settings_dir}" 3. add_copy_from_guest_to_policy_settings allows executing on the Guest the commands initiated behind the scenes by "kubectl cp" from the Guest to the Host. Example: add_copy_from_guest_to_policy_settings "${policy_settings_dir}" \ "/tmp/file.txt" Signed-off-by: Dan Mihai
---
 .../kubernetes/k8s-attach-handlers.bats | 3 ++
 tests/integration/kubernetes/tests_common.sh | 48 +++++++++++++++----
 2 files changed, 43 insertions(+), 8 deletions(-)
diff --git a/tests/integration/kubernetes/k8s-attach-handlers.bats b/tests/integration/kubernetes/k8s-attach-handlers.bats
index fa38534ed2..7fb96908b6 100644
--- a/tests/integration/kubernetes/k8s-attach-handlers.bats
+++ b/tests/integration/kubernetes/k8s-attach-handlers.bats
@@ -23,9 +23,12 @@ setup() { # Add policy to yaml policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")" + display_message="cat /usr/share/message" exec_command="sh -c ${display_message}" add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}" + + add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest" auto_generate_policy "${policy_settings_dir}" "${yaml_file}" }
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index a7e3397cc1..200ee87443 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh 
@@ -175,12 +175,44 @@ add_exec_to_policy_settings() {
 "${settings_dir}/new-genpolicy-settings.json"
 mv "${settings_dir}/new-genpolicy-settings.json" \
 "${settings_dir}/genpolicy-settings.json"
-
- # Change genpolicy settings to allow kubectl to read the output of the command being executed.
- info "${settings_dir}/genpolicy-settings.json: allowing ReadStreamRequest"
- jq '.request_defaults.ReadStreamRequest |= true' \
- "${settings_dir}"/genpolicy-settings.json > \
- "${settings_dir}"/new-genpolicy-settings.json
- mv "${settings_dir}"/new-genpolicy-settings.json \
- "${settings_dir}"/genpolicy-settings.json
+}
+
+# Change genpolicy settings to allow one or more ttrpc requests from the Host to the Guest.
+add_requests_to_policy_settings() {
+ declare -r settings_dir="$1"
+ shift
+ declare -r requests=("$@")
+
+ auto_generate_policy_enabled || return 0
+
+ for request in ${requests[@]}
+ do
+ info "${settings_dir}/genpolicy-settings.json: allowing ${request}"
+ jq ".request_defaults.${request} |= true" \
+ "${settings_dir}"/genpolicy-settings.json > \
+ "${settings_dir}"/new-genpolicy-settings.json
+ mv "${settings_dir}"/new-genpolicy-settings.json \
+ "${settings_dir}"/genpolicy-settings.json
+ done
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Host to the Guest.
+add_copy_from_host_to_policy_settings() {
+ declare -r genpolicy_settings_dir="$1"
+
+ exec_command="test -d /tmp"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+ exec_command="tar -xmf - -C /tmp"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+}
+
+# Change genpolicy settings to allow executing on the Guest VM the commands
+# used by "kubectl cp" from the Guest to the Host.
+add_copy_from_guest_to_policy_settings() {
+ declare -r genpolicy_settings_dir="$1"
+ declare -r copied_file="$2"
+
+ exec_command="tar cf - ${copied_file}"
+ add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 }
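Review bot: Both copy helpers near the end of this hunk bind `$1` to `genpolicy_settings_dir` and then pass `"${policy_settings_dir}"` to `add_exec_to_policy_settings`, so the argument is ignored and the exec rules land in whichever directory the caller's global of that name points to. Each call should read `add_exec_to_policy_settings "${genpolicy_settings_dir}" "${exec_command}"`, preceded by `local exec_command` so the helper does not overwrite the `exec_command` that a test's `setup()` has already set. In `add_requests_to_policy_settings` the loop expands `${requests[@]}` unquoted and splices each name into the jq program text; quoting the expansion and using `jq --arg request "${request}" '.request_defaults[$request] |= true'` keeps a request name from being parsed as filter syntax. Because these helpers relax the guest policy, a misspelled request name would presumably be added as a new key without any error, so a check that the key already exists under `.request_defaults` may be worth adding. `add_exec_to_policy_settings` begins above the hunk, so its handling of the directory argument is not visible here.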