tests/k8s: add k8s-measured-rootfs.bats
Implements the following test case: Scenario: Check incorrect hash fails **Given** I have a version of kata installed that has a kernel with the initramfs built and config with rootfs_verity.scheme=dm-verity rootfs_verity.hash=<incorrect hash of rootfs> set in the kernel_params **When** I try and create a container a basic pod **Then** The pod doesn't run **And** Ideally we'd get a helpful message to indicate why Currently on CI only qemu-tdx is built with measured rootfs support in the kernel, so the test is restricted to that runtimeclass. Fixes #7415 Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
This commit is contained in:
parent
1eae657b91
commit
48bdca4c49
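--- /dev/null
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats
@@ -0,0 +1,52 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2023 Red Hat
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+check_and_skip() {
+# Currently the only kernel built with measured rootfs support is
+# the kernel-tdx-experimental.
+[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
+skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
+}
+
+setup() {
+check_and_skip
+setup_common
+}
+
+teardown() {
+check_and_skip
+
+kubectl describe -f "${pod_config}" || true
+kubectl delete -f "${pod_config}" || true
+}
+
+@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
+pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
+
+incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
+
+# Despite the kernel being built with support, it is not currently enabled
+# on configuration.toml. To avoid editing that file on the worker node,
+# here it will be enabled via pod annotations.
+set_metadata_annotation "$pod_config" \
+"io.katacontainers.config.hypervisor.kernel_params" \
+"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
+# Run on a specific node so we know from where to inspect the logs
+set_node "$pod_config" "$node"
+
+# For debug sake
+echo "Pod $pod_config file:"
+cat $pod_config
+
+assert_pod_fail "$pod_config"
+
+assert_logs_contain "$node" kata "$node_start_time" \
+'verity: .* metadata block .* is corrupted'
+}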
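Review bot: `cat $pod_config` in the test body is the one unquoted expansion in the file (SC2086) while every neighbouring use of the same variable is quoted; make it `cat "$pod_config"`. The test also reads `$node` and `$node_start_time`, which are not assigned anywhere in this file and presumably come from `setup_common` in tests_common.sh — a short comment next to the `set_node` call, such as `# $node and $node_start_time are populated by setup_common`, would spare the next reader a lookup. The `@test` name has a typo, "cannnot".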
@ -38,6 +38,7 @@ else
|
||||
"k8s-kill-all-process-in-container.bats" \
|
||||
"k8s-limit-range.bats" \
|
||||
"k8s-liveness-probes.bats" \
|
||||
"k8s-measured-rootfs.bats" \
|
||||
"k8s-memory.bats" \
|
||||
"k8s-nested-configmap-secret.bats" \
|
||||
"k8s-oom.bats" \
|
||||
|