From 48bdca4c49010d5c347c255b342e0918cc1cb5c7 Mon Sep 17 00:00:00 2001
From: Wainer dos Santos Moschetta
Date: Thu, 19 Oct 2023 18:32:58 -0300
Subject: [PATCH] tests/k8s: add k8s-measured-rootfs.bats
Implements the following test case:
Scenario: Check incorrect hash fails
**Given** I have a version of kata installed that has a kernel with the initramfs built and config with rootfs_verity.scheme=dm-verity rootfs_verity.hash= set in the kernel_params
**When** I try and create a container a basic pod
**Then** The pod is doesn't run
**And** Ideally we'd get a helpful message to indicate why
Currently on CI only qemu-tdx is built with measured rootfs support in the kernel, so the test is restriced to that runtimeclass.
Fixes #7415
Signed-off-by: Wainer dos Santos Moschetta
---
 .../kubernetes/k8s-measured-rootfs.bats | 52 +++++++++++++++++++
 .../kubernetes/run_kubernetes_tests.sh | 1 +
 2 files changed, 53 insertions(+)
 create mode 100644 tests/integration/kubernetes/k8s-measured-rootfs.bats
diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats
new file mode 100644
index 0000000000..a98f96c6a8
--- /dev/null
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats
@@ -0,0 +1,52 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2023 Red Hat
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+check_and_skip() {
+	# Currently the only kernel built with measured rootfs support is
+	# the kernel-tdx-experimental.
+	[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
+		skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
+}
+
+setup() {
+	check_and_skip
+	setup_common
+}
+
+teardown() {
+	check_and_skip
+
+	kubectl describe -f "${pod_config}" || true
+	kubectl delete -f "${pod_config}" || true
+}
+
+@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
+	pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
+
+	incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
+
+	# Despite the kernel being built with support, it is not currently enabled
+	# on configuration.toml. To avoid editing that file on the worker node,
+	# here it will be enabled via pod annotations.
+	set_metadata_annotation "$pod_config" \
+		"io.katacontainers.config.hypervisor.kernel_params" \
+		"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
+	# Run on a specific node so we know from where to inspect the logs
+	set_node "$pod_config" "$node"
+
+	# For debug sake
+	echo "Pod $pod_config file:"
+	cat $pod_config
+
+	assert_pod_fail "$pod_config"
+
+	assert_logs_contain "$node" kata "$node_start_time" \
+		'verity: .* metadata block .* is corrupted'
+}
\ No newline at end of file
diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
index b16c22ae64..40500c237d 100644
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
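Review bot: `$node` and `$node_start_time` are read in the @test body (by set_node and assert_logs_contain) but nothing in this new file assigns them; presumably setup_common from tests_common.sh sets them, and a comment such as `# node and node_start_time are set by setup_common` next to the setup() call would make that dependency visible. The debug line `cat $pod_config` is the only unquoted use of the variable in the file; quote it like the others, `cat "$pod_config"`. The strength of this test is that it does not stop at assert_pod_fail but pins the cause via the verity log line — if the runtime does not accept kernel_params through the pod annotation (the comment above set_metadata_annotation implies the setting is otherwise off in configuration.toml), the pod will still fail but for an unrelated reason and the log assertion will be what catches it, so a short comment there stating that the annotation must be accepted by the runtime would save the next reader a confusing failure. The test name also misspells "cannot" as "cannnot".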
@@ -38,6 +38,7 @@ else
 	"k8s-kill-all-process-in-container.bats" \
 	"k8s-limit-range.bats" \
 	"k8s-liveness-probes.bats" \
+	"k8s-measured-rootfs.bats" \
 	"k8s-memory.bats" \
 	"k8s-nested-configmap-secret.bats" \
 	"k8s-oom.bats" \