From 90ad5cd8847a9f849c2f13c78b7692e896f3c160 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 7 Oct 2025 16:08:57 +0100 Subject: [PATCH 1/5] tests/k8s: Refactor initdata annotation Create a shared get_initdata method that injects a cdh image section, so we don't duplicate the initdata structure everywhere Signed-off-by: stevenhorsman --- .../kubernetes/confidential_common.sh | 73 +++++++++++++++++++ .../integration/kubernetes/k8s-initdata.bats | 65 +---------------- 2 files changed, 74 insertions(+), 64 deletions(-) diff --git a/tests/integration/kubernetes/confidential_common.sh b/tests/integration/kubernetes/confidential_common.sh index 3f0b3e47aa..6d3e366055 100644 --- a/tests/integration/kubernetes/confidential_common.sh +++ b/tests/integration/kubernetes/confidential_common.sh 
@@ -213,6 +213,79 @@ function create_coco_pod_yaml_with_annotations() { fi } +function get_initdata_with_cdh_image_section() { + CDH_IMAGE_SECTION=${1:-""} + + CC_KBS_ADDRESS=$(kbs_k8s_svc_http_addr) + + initdata_annotation=$(gzip -c << EOF | base64 -w0 +version = "0.1.0" +algorithm = "sha256" +[data] +"aa.toml" = ''' +[token_configs] +[token_configs.kbs] +url = "${CC_KBS_ADDRESS}" +''' + +"cdh.toml" = ''' +[kbc] +name = "cc_kbc" +url = "${CC_KBS_ADDRESS}" + +${CDH_IMAGE_SECTION} +''' + +"policy.rego" = ''' +# Copyright (c) 2023 Microsoft Corporation +# +# SPDX-License-Identifier: Apache-2.0 +# + +package agent_policy + +default AddARPNeighborsRequest := true +default AddSwapRequest := true +default CloseStdinRequest := true +default CopyFileRequest := true +default CreateContainerRequest := true +default CreateSandboxRequest := true +default DestroySandboxRequest := true +default ExecProcessRequest := true +default GetMetricsRequest := true +default GetOOMEventRequest := true +default GuestDetailsRequest := true +default ListInterfacesRequest := true +default ListRoutesRequest := true +default MemHotplugByProbeRequest := true +default OnlineCPUMemRequest := true +default PauseContainerRequest := true +default PullImageRequest := true +default ReadStreamRequest := true +default RemoveContainerRequest := true +default RemoveStaleVirtiofsShareMountsRequest := true +default ReseedRandomDevRequest := true +default ResumeContainerRequest := true +default SetGuestDateTimeRequest := true +default SetPolicyRequest := true +default SignalProcessRequest := true +default StartContainerRequest := true +default StartTracingRequest := true +default StatsContainerRequest := true +default StopTracingRequest := true +default TtyWinResizeRequest := true +default UpdateContainerRequest := true +default UpdateEphemeralMountsRequest := true +default UpdateInterfaceRequest := true +default UpdateRoutesRequest := true +default WaitProcessRequest := true +default WriteStreamRequest := 
true +''' +EOF + ) + echo "${initdata_annotation}" +} + confidential_teardown_common() { local node="$1" local node_start_time="$2" diff --git a/tests/integration/kubernetes/k8s-initdata.bats b/tests/integration/kubernetes/k8s-initdata.bats index e785c413d2..3401590fc8 100644 --- a/tests/integration/kubernetes/k8s-initdata.bats +++ b/tests/integration/kubernetes/k8s-initdata.bats 
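Review bot: `CC_KBS_ADDRESS=$(kbs_k8s_svc_http_addr)` in get_initdata_with_cdh_image_section is never checked, so if the lookup fails the helper still emits a valid-looking blob with `url = ""` in both aa.toml and cdh.toml and the caller only sees the problem later as an unrelated pod failure; suggest `CC_KBS_ADDRESS=$(kbs_k8s_svc_http_addr) || die "could not resolve KBS address"` (die is what the bats files already use for setup failures). The three variables the function assigns (`CDH_IMAGE_SECTION`, `CC_KBS_ADDRESS`, `initdata_annotation`) are globals and leak into every calling test; `local` would avoid that. A header comment is missing; something like `# Prints the gzip+base64 initdata annotation: KBS URL for AA and CDH, $1 appended verbatim to cdh.toml (e.g. an [image] table), plus an agent policy.` would do. That comment should also state that the embedded policy.rego sets every request default to true, so tests built on this helper exercise only the image-pull configuration and not agent policy enforcement.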
@@ -92,72 +92,9 @@ EOF @test "Test that creating a container from an rejected image configured by initdata, fails according to policy reject" { setup_kbs_image_policy_for_initdata - CC_KBS_ADDRESS=$(kbs_k8s_svc_http_addr) - kernel_parameter="agent.image_policy_file=${SECURITY_POLICY_KBS_URI} agent.enable_signature_verification=true" - initdata_annotation=$(gzip -c << EOF | base64 -w0 -version = "0.1.0" -algorithm = "sha256" -[data] -"aa.toml" = ''' -[token_configs] -[token_configs.kbs] -url = "${CC_KBS_ADDRESS}" -''' + initdata_annotation=$(get_initdata_with_cdh_image_section "") -"cdh.toml" = ''' -[kbc] -name = "cc_kbc" -url = "${CC_KBS_ADDRESS}" -''' - -"policy.rego" = ''' -# Copyright (c) 2023 Microsoft Corporation -# -# SPDX-License-Identifier: Apache-2.0 -# - -package agent_policy - -default AddARPNeighborsRequest := true -default AddSwapRequest := true -default CloseStdinRequest := true -default CopyFileRequest := true -default CreateContainerRequest := true -default CreateSandboxRequest := true -default DestroySandboxRequest := true -default ExecProcessRequest := true -default GetMetricsRequest := true -default GetOOMEventRequest := true -default GuestDetailsRequest := true -default ListInterfacesRequest := true -default ListRoutesRequest := true -default MemHotplugByProbeRequest := true -default OnlineCPUMemRequest := true -default PauseContainerRequest := true -default PullImageRequest := true -default ReadStreamRequest := true -default RemoveContainerRequest := true -default RemoveStaleVirtiofsShareMountsRequest := true -default ReseedRandomDevRequest := true -default ResumeContainerRequest := true -default SetGuestDateTimeRequest := true -default SetPolicyRequest := true -default SignalProcessRequest := true -default StartContainerRequest := true -default StartTracingRequest := true -default StatsContainerRequest := true -default StopTracingRequest := true -default TtyWinResizeRequest := true -default UpdateContainerRequest := true -default 
UpdateEphemeralMountsRequest := true -default UpdateInterfaceRequest := true -default UpdateRoutesRequest := true -default WaitProcessRequest := true -default WriteStreamRequest := true -''' -EOF - ) create_coco_pod_yaml_with_annotations "${FAIL_TEST_IMAGE}" "${kernel_parameter}" "${initdata_annotation}" "${node}" # For debug sake From 7fbbd170eedf0b8a2c7e9004d8d5ac541f382830 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 6 Oct 2025 19:00:24 +0100 Subject: [PATCH 2/5] tests/k8s: Add initdata variants of oci signature tests Our current set of signature tests involve setting kernel_parameters to config the image pull process, but as of https://github.com/kata-containers/kata-containers/pull/11197 this approach is not the main way to set this configuration and the agent config has been removed. Instead we should set the configuration in the `cdh.toml` part of the initdata, so add new test cases for this. In future, when we have been through the deprecation process, we should remove the old tests Signed-off-by: stevenhorsman --- .../k8s-guest-pull-image-signature.bats | 80 +++++++++++++++++++ 1 file changed, 80 insertions(+) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats index 8741b107eb..8c76c6e032 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats 
@@ -74,6 +74,17 @@ EOF kbs_set_resource "default" "cosign-public-key" "test" "${public_key}" } +function get_initdata_with_security_policy() { + + image_section_with_policy=$(cat << EOF +[image] +image_security_policy_uri = "${SECURITY_POLICY_KBS_URI}" +EOF + ) + + get_initdata_with_cdh_image_section "${image_section_with_policy}" +} + @test "Create a pod from an unsigned image, on an insecureAcceptAnything registry works" { # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" 
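Review bot: get_initdata_with_security_policy interpolates `${SECURITY_POLICY_KBS_URI}` without checking it is set (it is presumably assigned in setup(), outside this hunk), so an unset variable yields `image_security_policy_uri = ""` and the "works" variants of the new tests would pass without any policy being enforced; a guard such as `: "${SECURITY_POLICY_KBS_URI:?must be set before building initdata}"` at the top of the function turns that into a hard failure. `image_section_with_policy` should be declared `local`, since it otherwise leaks into every test that calls the helper. A one-line comment would help readers of the test, e.g. `# Prints an initdata annotation whose cdh.toml [image] table points image signature verification at the KBS security policy resource.`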
@@ -139,6 +150,75 @@ EOF echo "Kata pod test-e2e from image security policy is running" } +@test "Create a pod from an unsigned image, on an insecureAcceptAnything registry works (with initdata)" { + # We want to set the default policy to be reject to rule out false positives + setup_kbs_image_policy "reject" + + initdata=$(get_initdata_with_security_policy) + create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + k8s_create_pod "${kata_pod}" + echo "Kata pod test-e2e from image security policy is running" +} + +@test "Create a pod from an unsigned image, on a 'restricted registry' is rejected (with initdata)" { + # We want to leave the default policy to be insecureAcceptAnything to rule out false negatives + setup_kbs_image_policy + + initdata=$(get_initdata_with_security_policy) + create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + assert_pod_fail "${kata_pod}" + assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy" +} + +@test "Create a pod from a signed image, on a 'restricted registry' is successful (with initdata)" { + # We want to set the default policy to be reject to rule out false positives + setup_kbs_image_policy "reject" + + initdata=$(get_initdata_with_security_policy) + create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + k8s_create_pod "${kata_pod}" + echo "Kata pod test-e2e from image security policy is running" +} + +@test "Create a pod from a signed image, on a 'restricted registry', but with the wrong key is rejected (with initdata)" { + # We want to leave the default policy to be insecureAcceptAnything to rule out false negatives + 
setup_kbs_image_policy + + initdata=$(get_initdata_with_security_policy) + create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + assert_pod_fail "${kata_pod}" + assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy" +} + +@test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set (with initdata)" { + # We want to set the default policy to be reject to rule out false positives + setup_kbs_image_policy "reject" + + create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + k8s_create_pod "${kata_pod}" + echo "Kata pod test-e2e from image security policy is running" +} + teardown() { if ! is_confidential_runtime_class; then skip "Test not supported for ${KATA_HYPERVISOR}." From bdc0a3cf1957f99003708d85e7ffb02f5ce35029 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Tue, 7 Oct 2025 16:24:51 +0100 Subject: [PATCH 3/5] tests/k8s: Add initdata variant of registry creds tests Our current set of authenticated registry tests involve setting kernel_params to config the image pull process, but as of kata-containers#11197 this approach is not the main way to set this configuration and the agent config has been removed. Instead we should set the configuration in the `cdh.toml` part of the initdata, so add new test cases for this. In future, when we have been through the deprecation process, we should remove the old tests Signed-off-by: stevenhorsman --- .../k8s-guest-pull-image-authenticated.bats | 56 +++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats index 3dd2cdbbd4..958e87aa1c 100644 
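Review bot: The last new test, "works if policy files isn't set (with initdata)", passes `""` as the initdata argument to create_coco_pod_yaml_with_annotations, so it does not use initdata at all and does not exercise the path its name claims (no KBS address is configured in the guest either). If the intent is "initdata present but no [image] policy", it should build the annotation with `initdata=$(get_initdata_with_cdh_image_section "")` and pass `"${initdata}"`, as the no-credentials test in k8s-guest-pull-image-authenticated.bats does. The four other `(with initdata)` tests duplicate the existing tests line for line apart from the annotation argument; a shared body parameterised on the policy source would keep the two sets from drifting while both are kept during the deprecation period.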
--- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats @@ -20,6 +20,7 @@ setup() { AUTHENTICATED_IMAGE="${AUTHENTICATED_IMAGE:-quay.io/kata-containers/confidential-containers-auth:test}" AUTHENTICATED_IMAGE_USER=${AUTHENTICATED_IMAGE_USER:-} AUTHENTICATED_IMAGE_PASSWORD=${AUTHENTICATED_IMAGE_PASSWORD:-} + CREDENTIALS_KBS_URI="kbs:///default/credentials/test" if [[ -z ${AUTHENTICATED_IMAGE_USER} || -z ${AUTHENTICATED_IMAGE_PASSWORD} ]]; then if [[ -n ${GITHUB_ACTION:-} ]]; then @@ -62,6 +63,17 @@ function setup_kbs_credentials() { kbs_set_resource "default" "credentials" "test" "${auth_json}" } +function get_initdata_with_auth_registry_config() { + + image_section_with_policy=$(cat << EOF +[image] +authenticated_registry_credentials_uri = "${CREDENTIALS_KBS_URI}" +EOF + ) + + get_initdata_with_cdh_image_section "${image_section_with_policy}" +} + @test "Test that creating a container from an authenticated image, with correct credentials works" { setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD} 
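Review bot: In get_initdata_with_auth_registry_config the variable `image_section_with_policy` holds a registry-credentials section, not a policy; rename it (e.g. `image_section_with_creds`) and declare it `local`. `CREDENTIALS_KBS_URI="kbs:///default/credentials/test"` in the @@ -20 hunk has to agree with the `kbs_set_resource "default" "credentials" "test"` call visible in setup_kbs_credentials; a comment next to the constant, `# Must match the repository/type/tag used by kbs_set_resource in setup_kbs_credentials`, makes that coupling visible to whoever changes either side. A header comment such as `# Prints an initdata annotation whose cdh.toml [image] table tells CDH to fetch registry credentials from the KBS` would match the sibling helper in k8s-guest-pull-image-signature.bats.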
@@ -103,6 +115,50 @@ function setup_kbs_credentials() { assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized" } +@test "Test that creating a container from an authenticated image, with correct credentials works (with initdata)" { + + setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD} + + initdata=$(get_initdata_with_auth_registry_config) + create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" + yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + k8s_create_pod "${kata_pod}" + echo "Kata pod test-e2e from authenticated image is running" +} + +@test "Test that creating a container from an authenticated image, with incorrect credentials fails (with initdata)" { + + setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk" + + initdata=$(get_initdata_with_auth_registry_config) + create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" + yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + assert_pod_fail "${kata_pod}" + assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized" +} + +@test "Test that creating a container from an authenticated image, with no credentials fails (with initdata)" { + + # Create pod config, but don't add image_registry_auth to initdata + initdata=$(get_initdata_with_cdh_image_section "") + create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" + yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" + + # For debug sake + echo "Pod ${kata_pod}: $(cat ${kata_pod})" + + assert_pod_fail "${kata_pod}" + assert_logs_contain "${node}" kata "${node_start_time}" "Not authorized" +} + teardown() { if ! 
is_confidential_runtime_class; then skip "Test not supported for ${KATA_HYPERVISOR}." From 09149407fd4310fa88e690b8237a80de9a7c2791 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Mon, 13 Oct 2025 09:49:57 +0100 Subject: [PATCH 4/5] tests/k8s: Delete k8s-initdata.bats Now we have wider coverage of initdata testing in k8s-guest-pull-image-signature.bats then remove the old testing. Signed-off-by: stevenhorsman --- .../integration/kubernetes/k8s-initdata.bats | 133 ------------------ .../kubernetes/run_kubernetes_tests.sh | 1 - 2 files changed, 134 deletions(-) delete mode 100644 tests/integration/kubernetes/k8s-initdata.bats diff --git a/tests/integration/kubernetes/k8s-initdata.bats b/tests/integration/kubernetes/k8s-initdata.bats deleted file mode 100644 index 3401590fc8..0000000000 --- a/tests/integration/kubernetes/k8s-initdata.bats +++ /dev/null 
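Review bot: The `setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD}` calls in the two new tests leave the user and password unquoted, so a password containing whitespace or glob characters would be split or expanded into extra arguments and the wrong credential stored in the KBS; quote them as `setup_kbs_credentials "${AUTHENTICATED_IMAGE}" "${AUTHENTICATED_IMAGE_USER}" "${AUTHENTICATED_IMAGE_PASSWORD}"` (the pre-existing tests above share the problem). In the no-credentials test the pod spec still receives `imagePullSecrets[0].name = "cococred"`; if that secret were consumed anywhere on the guest pull path the test would not be checking "no credentials", so a comment explaining why the pull secret is kept — presumably to keep the pod spec identical to the other variants — would help. The three identical `yq -i` edits could also be folded into one small helper.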
@@ -1,133 +0,0 @@ -#!/usr/bin/env bats -# Copyright (c) 2025 Alibaba Cloud -# -# SPDX-License-Identifier: Apache-2.0 -# - -# This test we will test initdata in the following logic -# 1. Enable image signature verification via kernel commandline -# 2. Set Trustee address via initdata -# 3. Pull an image from a banned registry -# 4. Check if the pulling fails with log `image security validation failed`, -# the initdata works. -# -# Note that if initdata does not work, the pod still fails to launch (hang at -# CreatingContainer status). The error information is -# `[CDH] [ERROR]: Get Resource failed` which internally means that the KBS URL -# has not been set correctly. -# -# TODO: After https://github.com/kata-containers/kata-containers/issues/9266 -# is resolved, both KBS URI and policy URI can be set via initdata. - -load "${BATS_TEST_DIRNAME}/lib.sh" -load "${BATS_TEST_DIRNAME}/confidential_common.sh" - -export KBS="${KBS:-false}" -export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}" - -setup() { - if ! is_confidential_runtime_class; then - skip "Test not supported for ${KATA_HYPERVISOR}." - fi - - [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" - - setup_common || die "setup_common failed" - - FAIL_TEST_IMAGE="quay.io/prometheus/busybox:latest" - - SECURITY_POLICY_KBS_URI="kbs:///default/security-policy/test" -} - -function setup_kbs_image_policy_for_initdata() { - if [ "${KBS}" = "false" ]; then - skip "Test skipped as KBS not setup" - fi - - export CURRENT_ARCH=$(uname -m) - case "${CURRENT_ARCH}" in - "x86_64"|"s390x") - ;; - *) - skip "Test skipped as only x86-64 & s390x is supported, while current platform is ${CURRENT_ARCH}" - ;; - esac - - case "$KATA_HYPERVISOR" in - "qemu-tdx"|"qemu-coco-dev"|"qemu-snp"|"qemu-se"|"qemu-se-runtime-rs") - ;; - *) - skip "Test not supported for ${KATA_HYPERVISOR}." 
- ;; - esac - - default_policy="${1:-insecureAcceptAnything}" - policy_json=$(cat << EOF -{ - "default": [ - { - "type": "${default_policy}" - } - ], - "transports": { - "docker": { - "quay.io/prometheus": [ - { - "type": "reject" - } - ] - } - } -} -EOF - ) - - if ! is_confidential_hardware; then - kbs_set_allow_all_resources - fi - - kbs_set_resource "default" "security-policy" "test" "${policy_json}" -} - -@test "Test that creating a container from an rejected image configured by initdata, fails according to policy reject" { - setup_kbs_image_policy_for_initdata - - kernel_parameter="agent.image_policy_file=${SECURITY_POLICY_KBS_URI} agent.enable_signature_verification=true" - initdata_annotation=$(get_initdata_with_cdh_image_section "") - - create_coco_pod_yaml_with_annotations "${FAIL_TEST_IMAGE}" "${kernel_parameter}" "${initdata_annotation}" "${node}" - - # For debug sake - echo "Pod ${kata_pod}: $(cat ${kata_pod})" - - assert_pod_fail "${kata_pod}" - assert_logs_contain "${node}" kata "${node_start_time}" "Image policy rejected: Denied by policy" -} - -@test "Test that creating a container from an rejected image not configured by initdata, fails according to CDH error" { - setup_kbs_image_policy_for_initdata - - kernel_parameter="agent.image_policy_file=${SECURITY_POLICY_KBS_URI} agent.enable_signature_verification=true" - - create_coco_pod_yaml_with_annotations "${FAIL_TEST_IMAGE}" "${kernel_parameter}" "" "${node}" - - # For debug sake - echo "Pod ${kata_pod}: $(cat ${kata_pod})" - - if k8s_create_pod "${kata_pod}" ; then - echo "Expected failure, but pod ${kata_pod} launched successfully." - return 1 - fi - - assert_logs_contain "${node}" kata "${node_start_time}" "\[CDH\] \[ERROR\]: Image Client error: Initialize resource provider failed: Get resource failed" -} - -teardown() { - if ! is_confidential_runtime_class; then - skip "Test not supported for ${KATA_HYPERVISOR}." 
- fi - - [ "${SNAPSHOTTER:-}" = "nydus" ] || skip "None snapshotter was found but this test requires one" - - teardown_common "${node}" "${node_start_time:-}" -} diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index f17e51552b..6ee90129ae 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh @@ -38,7 +38,6 @@ else "k8s-guest-pull-image-encrypted.bats" \ "k8s-guest-pull-image-authenticated.bats" \ "k8s-guest-pull-image-signature.bats" \ - "k8s-initdata.bats" \ "k8s-confidential-attestation.bats" \ ) From 9b086376a46ebdd864ff9c7a552b1c5c2afb95b6 Mon Sep 17 00:00:00 2001 From: stevenhorsman Date: Wed, 15 Oct 2025 14:51:54 +0100 Subject: [PATCH 5/5] tests/k8s: Skip initdata tests on tdx The new initdata variants of the tests are failing on the tdx runner, so as discussed, skip them for now: Issue #11945 Signed-off-by: stevenhorsman --- .../k8s-guest-pull-image-authenticated.bats | 6 ++++++ .../k8s-guest-pull-image-signature.bats | 15 +++++++++++++++ 2 files changed, 21 insertions(+) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats index 958e87aa1c..edebe036a5 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats @@ -117,6 +117,8 @@ EOF @test "Test that creating a container from an authenticated image, with correct credentials works (with initdata)" { + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD} initdata=$(get_initdata_with_auth_registry_config) 
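Review bot: The skip reason is a bare issue URL, which is all bats will print for the skipped test; say why as well, e.g. `skip "initdata tests currently fail on TDX, see https://github.com/kata-containers/kata-containers/issues/11945"`. The identical guard is pasted into this hunk, the @@ -132 and @@ -147 hunks of this file and the five hunks of k8s-guest-pull-image-signature.bats; a helper such as `skip_initdata_on_tdx` in confidential_common.sh would keep the condition and the issue reference in one place and make the skip easy to lift later. The `[[ ... ]] && skip` form works because skip exits the test, but it must not be the last statement of a test body, since on non-TDX runners the failed `[[` would then become the test's exit status.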
@@ -132,6 +134,8 @@ EOF @test "Test that creating a container from an authenticated image, with incorrect credentials fails (with initdata)" { + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk" initdata=$(get_initdata_with_auth_registry_config) @@ -147,6 +151,8 @@ EOF @test "Test that creating a container from an authenticated image, with no credentials fails (with initdata)" { + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + # Create pod config, but don't add image_registry_auth to initdata initdata=$(get_initdata_with_cdh_image_section "") create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats index 8c76c6e032..aa6fd09f3b 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats @@ -151,6 +151,9 @@ EOF } @test "Create a pod from an unsigned image, on an insecureAcceptAnything registry works (with initdata)" { + + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" @@ -165,6 +168,9 @@ EOF } @test "Create a pod from an unsigned image, on a 'restricted registry' is rejected (with initdata)" { + + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + # We want to leave the default policy to be insecureAcceptAnything to rule out false negatives setup_kbs_image_policy 
@@ -179,6 +185,9 @@ EOF } @test "Create a pod from a signed image, on a 'restricted registry' is successful (with initdata)" { + + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" @@ -193,6 +202,9 @@ EOF } @test "Create a pod from a signed image, on a 'restricted registry', but with the wrong key is rejected (with initdata)" { + + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + # We want to leave the default policy to be insecureAcceptAnything to rule out false negatives setup_kbs_image_policy @@ -207,6 +219,9 @@ EOF } @test "Create a pod from an unsigned image, on a 'restricted registry' works if policy files isn't set (with initdata)" { + + [[ "${KATA_HYPERVISOR}" == "qemu-tdx" ]] && skip "https://github.com/kata-containers/kata-containers/issues/11945" + # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject"