tests/k8s: add k8s-measured-rootfs.bats

Implements the following test case: Scenario: Check incorrect hash fails **Given** I have a version of kata installed that has a kernel with the initramfs built and config with rootfs_verity.scheme=dm-verity rootfs_verity.hash=<incorrect hash of rootfs> set in the kernel_params **When** I try and create a container a basic pod **Then** The pod is doesn't run **And** Ideally we'd get a helpful message to indicate why Currently on CI only qemu-tdx is built with measured rootfs support in the kernel, so the test is restriced to that runtimeclass. Fixes #7415 Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-08-30 23:37:45 +00:00 · 2023-10-19 18:32:58 -03:00
parent 1eae657b91
commit 48bdca4c49
2 changed files with 53 additions and 0 deletions
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats
@@ -0,0 +1,52 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2023 Red Hat
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+check_and_skip() {
+	# Currently the only kernel built with measured rootfs support is
+	# the kernel-tdx-experimental.
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
+		skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
+}
+
+setup() {
+	check_and_skip
+	setup_common
+}
+
+teardown() {
+	check_and_skip
+
+	kubectl describe -f "${pod_config}" || true
+	kubectl delete -f "${pod_config}" || true
+}
+
+@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
+	pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
+
+	incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
+
+	# Despite the kernel being built with support, it is not currently enabled
+	# on configuration.toml. To avoid editing that file on the worker node,
+	# here it will be enabled via pod annotations.
+	set_metadata_annotation "$pod_config" \
+		"io.katacontainers.config.hypervisor.kernel_params" \
+		"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
+	# Run on a specific node so we know from where to inspect the logs
+	set_node "$pod_config" "$node"
+
+	# For debug sake
+	echo "Pod $pod_config file:"
+	cat $pod_config
+
+	assert_pod_fail "$pod_config"
+
+	assert_logs_contain "$node" kata "$node_start_time" \
+		'verity: .* metadata block .* is corrupted'
+}
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -38,6 +38,7 @@ else
 		"k8s-kill-all-process-in-container.bats" \
 		"k8s-limit-range.bats" \
 		"k8s-liveness-probes.bats" \
+		"k8s-measured-rootfs.bats" \
 		"k8s-memory.bats" \
 		"k8s-nested-configmap-secret.bats" \
 		"k8s-oom.bats" \