Merge pull request #9835 from microsoft/saulparedes/test_policy_on_sev

gha: enable autogenerated policy testing on SEV and SEV-SNP
2025-07-16 16:32:03 +00:00 · 2024-07-19 07:46:01 -07:00 · 2024-07-19 07:46:01 -07:00 · 44e443678d
commit 44e443678d
parent dc97f3f540 57d2ded3e2
3 changed files with 21 additions and 7 deletions
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@ -272,7 +272,10 @@ function run_tests() {
 		export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig"

 	# TODO: enable testing auto-generated policy for other types of hosts too.
-	if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || [ "${KATA_HYPERVISOR}" = "qemu-tdx" ]; then
+	if [ "${KATA_HOST_OS}" = "cbl-mariner" ] || \
+	   [ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
+	   [ "${KATA_HYPERVISOR}" = "qemu-sev" ] || \
+	   [ "${KATA_HYPERVISOR}" = "qemu-snp" ]; then
 		export AUTO_GENERATE_POLICY="yes"
 	fi

--- a/tests/integration/kubernetes/k8s-policy-pvc.bats
+++ b/tests/integration/kubernetes/k8s-policy-pvc.bats
@ -10,7 +10,7 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"

 setup() {
 	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
-	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
+	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"

 	pod_name="policy-pod-pvc"
 	pvc_name="policy-dev"
@ -55,7 +55,7 @@ test_pod_policy_error() {

 teardown() {
 	auto_generate_policy_enabled || skip "Auto-generated policy tests are disabled."
-	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"
+	( [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] ) && skip "https://github.com/kata-containers/kata-containers/issues/9846"

 	# Debugging information. Don't print the "Message:" line because it contains a truncated policy log.
 	kubectl describe pod "${pod_name}" | grep -v "Message:"
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@ -130,23 +130,34 @@ auto_generate_policy_enabled() {
 	[ "${AUTO_GENERATE_POLICY}" == "yes" ]
 }

-# adapt common policy settings for tdx
+# adapt common policy settings for tdx or snp
 adapt_common_policy_settings_for_tdx() {
-
 	local settings_dir=$1

-	info "Adapting common policy settings for TDX"
+	info "Adapting common policy settings for TDX or SNP"
 	jq '.common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
 }

+# adapt common policy settings for qemu-sev
+adapt_common_policy_settings_for_sev() {
+	local settings_dir=$1
+
+	info "Adapting common policy settings for SEV"
+	jq '.kata_config.oci_version = "1.1.0-rc.1" | .common.cpath = "/run/kata-containers" | .volumes.configMap.mount_point = "^$(cpath)/$(bundle-id)-[a-z0-9]{16}-"' "${settings_dir}/genpolicy-settings.json" > temp.json && sudo mv temp.json "${settings_dir}/genpolicy-settings.json"
+}
+
 # adapt common policy settings for various platforms
 adapt_common_policy_settings() {

 	local settings_dir=$1

 	case "${KATA_HYPERVISOR}" in
-  		"qemu-tdx")
+  		"qemu-tdx"|"qemu-snp")
 			adapt_common_policy_settings_for_tdx "${settings_dir}"
+			;;
+  		"qemu-sev")
+			adapt_common_policy_settings_for_sev "${settings_dir}"
+			;;
 	esac
 }