From 96deea52f2826472973f46460cc074e7ab78e5e8 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Fri, 20 Oct 2023 14:40:30 +0000
Subject: [PATCH] tests: more k8s-exec-rejected debug output
Print more information useful for debugging. Also, use a separate YAML file for this test, instead of reusing someone else's file.
Fixes: #8270
Signed-off-by: Dan Mihai
---
 .../kubernetes/k8s-exec-rejected.bats | 10 ++++++---
 .../k8s-policy-exec-rejected.yaml | 22 +++++++++++++++++++
 2 files changed, 29 insertions(+), 3 deletions(-)
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml
diff --git a/tests/integration/kubernetes/k8s-exec-rejected.bats b/tests/integration/kubernetes/k8s-exec-rejected.bats
index 9ca68af785..469c709856 100644
--- a/tests/integration/kubernetes/k8s-exec-rejected.bats
+++ b/tests/integration/kubernetes/k8s-exec-rejected.bats
@@ -10,8 +10,8 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 get_pod_config_dir
- pod_name="busybox"
- pod_yaml="${pod_config_dir}/busybox-pod.yaml"
+ pod_name="policy-exec-rejected"
+ pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml"
 allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
 }
@@ -25,10 +25,14 @@ setup() {
 kubectl create -f "${pod_yaml}"
 # Wait for pod to start
+ echo "timeout=${timeout}"
 kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 # Try executing a command in the Pod - an action rejected by the agent policy.
- kubectl exec "$pod_name" -- date 2>&1 | grep "ExecProcessRequest is blocked by policy"
+ exec_output=$(kubectl exec "$pod_name" -- date 2>&1) || true
+ echo "$exec_output"
+
+ echo "$exec_output" | grep "ExecProcessRequest is blocked by policy"
 }
 teardown() {
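Review bot: The exit status of `kubectl exec` is thrown away by `|| true` in the second hunk, so the only evidence that the agent policy rejected the request is the grep on the message text. For a negative test of a security policy it is worth asserting the failure as well, e.g. `exec_rc=0; exec_output=$(kubectl exec "$pod_name" -- date 2>&1) || exec_rc=$?` followed by `[ "$exec_rc" -ne 0 ]`, which would also catch a run where the message is printed but the command is still reported as successful. Matching the literal with `grep -F "ExecProcessRequest is blocked by policy"` avoids treating the string as a regular expression. The enclosing test body starts above the hunk, so where `timeout` is set is not visible here.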
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml
new file mode 100644
index 0000000000..e3c285d13f
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml
@@ -0,0 +1,22 @@
+#
+# Copyright (c) 2023 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+ name: policy-exec-rejected
+spec:
+ terminationGracePeriodSeconds: 0
+ shareProcessNamespace: true
+ runtimeClassName: kata
+ containers:
+ - name: first-test-container
+ image: quay.io/prometheus/busybox:latest
+ env:
+ - name: CONTAINER_NAME
+ value: "first-test-container"
+ command:
+ - sleep
+ - "120"
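Review bot: The container image is referenced by the mutable tag `quay.io/prometheus/busybox:latest`, so this policy test can run against different image contents from one run to the next. Pinning it by digest, e.g. `image: quay.io/prometheus/busybox@sha256:<digest>` (placeholder digest), keeps the test reproducible and limits exposure to a changed upstream image. `shareProcessNamespace: true` looks unnecessary for a single-container pod that exists only to have an exec rejected, and could be dropped unless the policy under test depends on it. The container runs `sleep "120"`, so a comment above `command:` noting that the exec attempt has to happen within that window would help when reading a failure.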