tests: k8s: inject agent policy failures (part 3)

Auto-generate the policy and then simulate attacks from the K8s control plane by modifying the test yaml files. The policy then detects and blocks those changes. These test cases are using K8s Pods. Additional policy failures are injected during CI using other types of K8s resources - e.g., using Jobs and Replication Controllers - from separate PRs. Fixes: #9491 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-09-22 01:07:34 +00:00 · 2024-04-16 18:08:07 +00:00
parent c26dad8fe5
commit 2c4d1ef76b
4 changed files with 194 additions and 0 deletions
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-configmap.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-configmap.yaml
@@ -0,0 +1,12 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: policy-configmap
+data:
+  data-1: value-1
+  data-2: value-2
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-pod.yaml
@@ -0,0 +1,26 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: policy-pod
+spec:
+  terminationGracePeriodSeconds: 0
+  runtimeClassName: kata
+  containers:
+    - name: busybox
+      image: quay.io/prometheus/busybox:latest
+      env:
+        - name: KUBE_CONFIG_1
+          valueFrom:
+            configMapKeyRef:
+              name: policy-configmap
+              key: data-1
+        - name: KUBE_CONFIG_2
+          valueFrom:
+            configMapKeyRef:
+              name: policy-configmap
+              key: data-2