Merge pull request #9073 from microsoft/danmihai1/test-genpolicy3

tests: k8s: generated policy for additional tests

src/tools/genpolicy/rules.rego

@@ -1106,7 +1106,7 @@ ExecProcessRequest {
     print("ExecProcessRequest 1: input =", input)
 
     i_command = concat(" ", input.process.Args)
-    print("ExecProcessRequest 3: i_command =", i_command)
+    print("ExecProcessRequest 1: i_command =", i_command)
 
     some p_command in policy_data.request_defaults.ExecProcessRequest.commands
     print("ExecProcessRequest 1: p_command =", p_command)

tests/integration/kubernetes/k8s-caps.bats

@@ -11,6 +11,17 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
         pod_name="pod-caps"
         get_pod_config_dir
+
+        yaml_file="${pod_config_dir}/pod-caps.yaml"
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	command="cat /proc/self/status"
+	exec_command="sh -c ${command}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
+
 # We expect the capabilities mask to very per distribution, runtime
 # configuration. Even for this, we should expect a few common items to
 # not be set in the mask unless we are failing to apply capabilities. If
@@ -29,7 +40,7 @@ setup() {
 
 @test "Check capabilities of pod" {
         # Create pod
-        kubectl create -f "${pod_config_dir}/pod-caps.yaml"
+        kubectl create -f "${yaml_file}"
         # Check pod creation
         kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
@@ -41,7 +52,7 @@ setup() {
         waitForProcess "$wait_time" "$sleep_time" "$cmd"
 
         # Verify expected capabilities from exec context:
-        kubectl exec "$pod_name" -- sh -c "cat /proc/self/status" | grep -q "$expected"
+        kubectl exec "$pod_name" -- sh -c "${command}" | grep -q "$expected"
 }
 
 teardown() {
@@ -50,6 +61,7 @@ teardown() {
         echo "$expected"
         echo "observed: "
         kubectl logs "pod/$pod_name"
-        kubectl exec "$pod_name" -- sh -c "cat /proc/self/status | grep Cap"
+        kubectl exec "$pod_name" -- sh -c "${command}" | grep Cap
         kubectl delete pod "$pod_name"
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-configmap.bats

@@ -10,6 +10,17 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
 	get_pod_config_dir
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	cmd="env"
+	exec_command="sh -c ${cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+
+	configmap_yaml_file="${pod_config_dir}/configmap.yaml"
+	pod_yaml_file="${pod_config_dir}/pod-configmap.yaml"
+
+	auto_generate_policy "${policy_settings_dir}" "${pod_yaml_file}" "${configmap_yaml_file}"
 }
 
 @test "ConfigMap for a pod" {
@@ -17,19 +28,18 @@ setup() {
 	pod_name="config-env-test-pod"
 
 	# Create ConfigMap
-	kubectl create -f "${pod_config_dir}/configmap.yaml"
+	kubectl create -f "${configmap_yaml_file}"
 
 	# View the values of the keys
 	kubectl get configmaps $config_name -o yaml | grep -q "data-"
 
 	# Create a pod that consumes the ConfigMap
-	kubectl create -f "${pod_config_dir}/pod-configmap.yaml"
+	kubectl create -f "${pod_yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
 	# Check env
-	cmd="env"
 	kubectl exec $pod_name -- sh -c $cmd | grep "KUBE_CONFIG_1=value-1"
 	kubectl exec $pod_name -- sh -c $cmd | grep "KUBE_CONFIG_2=value-2"
 }
@@ -40,4 +50,6 @@ teardown() {
 
 	kubectl delete pod "$pod_name"
 	kubectl delete configmap "$config_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-copy-file.bats

@@ -39,8 +39,6 @@ setup() {
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 
 	auto_generate_policy "${policy_settings_dir}" "${pod_config}"
-	delete_tmp_policy_settings_dir "${policy_settings_dir}"
-	policy_settings_dir=""
 
 	# Create pod
 	kubectl create -f "${pod_config}"
@@ -78,8 +76,6 @@ setup() {
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 
 	auto_generate_policy "${policy_settings_dir}" "${pod_config}"
-	delete_tmp_policy_settings_dir "${policy_settings_dir}"
-	policy_settings_dir=""
 
 	# Create pod
 	kubectl create -f "${pod_config}"

tests/integration/kubernetes/k8s-cpu-ns.bats

@@ -28,18 +28,42 @@ setup() {
 	total_cpu_container=1
 
 	get_pod_config_dir
+	yaml_file="${pod_config_dir}/pod-cpu.yaml"
+
+	# Add policy to the yaml file
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	num_cpus_cmd='grep -e "^processor" /proc/cpuinfo |wc -l'
+	exec_command="sh -c ${num_cpus_cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	quotasyspath_cmd="cat ${quotasyspath}"
+	exec_command="sh -c ${quotasyspath_cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	periodsyspath_cmd="cat $periodsyspath"
+	exec_command="sh -c ${periodsyspath_cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	sharessyspath_cmd="cat $sharessyspath"
+	exec_command="sh -c ${sharessyspath_cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	add_exec_to_policy_settings "${policy_settings_dir}" "sh -c "
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 
 @test "Check CPU constraints" {
 	# Create the pod
-	kubectl create -f "${pod_config_dir}/pod-cpu.yaml"
+	kubectl create -f "${yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
 	retries="10"
 
-	num_cpus_cmd='grep -e "^processor" /proc/cpuinfo |wc -l'
 	# Check the total of cpus
 	for _ in $(seq 1 "$retries"); do
 		# Get number of cpus
@@ -54,17 +78,18 @@ setup() {
 
 	# Check the total of requests
 	total_requests_container=$(kubectl exec $pod_name -c $container_name \
-		-- sh -c "cat $sharessyspath")
+		-- sh -c "$sharessyspath_cmd")
+	info "total_requests_container = $total_requests_container"
 
 	[ "$total_requests_container" -eq "$total_requests" ]
 
 	# Check the cpus inside the container
 
 	total_cpu_quota=$(kubectl exec $pod_name -c $container_name \
-		-- sh -c "cat $quotasyspath")
+		-- sh -c "$quotasyspath_cmd")
 
 	total_cpu_period=$(kubectl exec $pod_name -c $container_name \
-		-- sh -c "cat $periodsyspath")
+		-- sh -c "$periodsyspath_cmd")
 
 	division_quota_period=$(echo $((total_cpu_quota/total_cpu_period)))
 
@@ -84,4 +109,6 @@ teardown() {
 	kubectl describe "pod/$pod_name"
 
 	kubectl delete pod "$pod_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-credentials-secrets.bats

@@ -13,6 +13,17 @@ setup() {
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
 
 	get_pod_config_dir
+	pod_yaml_file="${pod_config_dir}/pod-secret.yaml"
+	cmd="ls /tmp/secret-volume"
+
+	# Add policy to the pod yaml file
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	exec_command="sh -c ${cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+
+	auto_generate_policy "${policy_settings_dir}" "${pod_yaml_file}"
 }
 
 @test "Credentials using secrets" {
@@ -27,13 +38,12 @@ setup() {
 	kubectl get secret "${secret_name}" -o yaml | grep "type: Opaque"
 
 	# Create a pod that has access to the secret through a volume
-	kubectl create -f "${pod_config_dir}/pod-secret.yaml"
+	kubectl create -f "${pod_yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
 	# List the files
-	cmd="ls /tmp/secret-volume"
 	kubectl exec $pod_name -- sh -c "$cmd" | grep -w "password"
 	kubectl exec $pod_name -- sh -c "$cmd" | grep -w "username"
 
@@ -59,4 +69,6 @@ teardown() {
 
 	kubectl delete pod "$pod_name" "$second_pod_name"
 	kubectl delete secret "$secret_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-custom-dns.bats

@@ -12,11 +12,21 @@ setup() {
 	pod_name="custom-dns-test"
 	file_name="/etc/resolv.conf"
 	get_pod_config_dir
+	yaml_file="${pod_config_dir}/pod-custom-dns.yaml"
+
+	# Add policy to the yaml file
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	exec_command="cat ${file_name}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 
 @test "Check custom dns" {
 	# Create the pod
-	kubectl create -f "${pod_config_dir}/pod-custom-dns.yaml"
+	kubectl create -f "${yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name
@@ -31,4 +41,6 @@ teardown() {
 	kubectl describe "pod/$pod_name"
 
 	kubectl delete pod "$pod_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-env.bats

@@ -11,17 +11,27 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
 	pod_name="test-env"
 	get_pod_config_dir
+
+	yaml_file="${pod_config_dir}/pod-env.yaml"
+	cmd="printenv"
+
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	exec_command="sh -c ${cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 
 @test "Environment variables" {
 	# Create pod
-	kubectl create -f "${pod_config_dir}/pod-env.yaml"
+	kubectl create -f "${yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
 	# Print environment variables
-	cmd="printenv"
 	kubectl exec $pod_name -- sh -c $cmd | grep "MY_POD_NAME=$pod_name"
 	kubectl exec $pod_name -- sh -c $cmd | \
 		grep "HOST_IP=\([0-9]\+\(\.\|$\)\)\{4\}"
@@ -37,4 +47,6 @@ teardown() {
 	kubectl describe "pod/$pod_name"
 
 	kubectl delete pod "$pod_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-file-volume.bats

@@ -19,32 +19,49 @@ setup() {
 	mount_path="/tmp/foo.txt"
 	file_body="test"
 	get_pod_config_dir
-}
 
-@test "Test readonly volume for pods" {
 	# Write test body to temp file
 	exec_host "$node" "echo "$file_body" > $tmp_file"
 
 	# Create test yaml
-	sed -e "s|HOST_FILE|$tmp_file|" ${pod_config_dir}/pod-file-volume.yaml > ${pod_config_dir}/test-pod-file-volume.yaml
+	test_yaml="${pod_config_dir}/test-pod-file-volume.yaml"
-	sed -i "s|MOUNT_PATH|$mount_path|" ${pod_config_dir}/test-pod-file-volume.yaml
-	sed -i "s|NODE|$node|" ${pod_config_dir}/test-pod-file-volume.yaml
 
+	sed -e "s|HOST_FILE|$tmp_file|" ${pod_config_dir}/pod-file-volume.yaml > "${test_yaml}"
+	sed -i "s|MOUNT_PATH|$mount_path|" "${test_yaml}"
+	sed -i "s|NODE|$node|" "${test_yaml}"
+
+	# Add policy to the yaml file
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	command="cat $mount_path"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${test_yaml}"
+
+	return 0
+}
+
+@test "Test readonly volume for pods" {
 	# Create pod
-	kubectl create -f "${pod_config_dir}/test-pod-file-volume.yaml"
+	kubectl create -f "${test_yaml}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
 	# Validate file volume body inside the pod
-	file_in_container=$(kubectl exec $pod_name -- cat $mount_path)
+	file_in_container=$(kubectl exec $pod_name -- $command)
 	[ "$file_body" == "$file_in_container" ]
 }
 
 teardown() {
 	[ "${KATA_HYPERVISOR}" == "firecracker" ] && skip "test not working see: ${fc_limitations}"
 	[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
+
+	kubectl describe pod "$pod_name"
+
 	kubectl delete pod "$pod_name"
 	exec_host "$node" rm -f $tmp_file
-	rm -f ${pod_config_dir}/test-pod-file-volume.yaml.yaml
+	rm -f "${test_yaml}"
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-job.bats

@@ -10,13 +10,17 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
 	get_pod_config_dir
+	job_name="job-pi-test"
+	yaml_file="${pod_config_dir}/job.yaml"
+
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 
 @test "Run a job to completion" {
-	job_name="job-pi-test"
-
 	# Create job
-	kubectl apply -f "${pod_config_dir}/job.yaml"
+	kubectl apply -f "${yaml_file}"
 
 	# Verify job
 	kubectl describe jobs/"$job_name" | grep "SuccessfulCreate"
@@ -45,10 +49,11 @@ teardown() {
 	echo "$output"
 	[[ "$output" =~ "No resources found" ]]
 
-
 	kubectl delete jobs/"$job_name"
 	# Verify that the job is not running
 	run kubectl get jobs
 	echo "$output"
 	[[ "$output" =~ "No resources found" ]]
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-kill-all-process-in-container.bats

@@ -13,18 +13,27 @@ setup() {
 	first_container_name="first-test-container"
 
 	get_pod_config_dir
+	yaml_file="${pod_config_dir}/initcontainer-shareprocesspid.yaml"
+
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	command="ps"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 
 @test "Kill all processes in container" {
 	# Create the pod
-	kubectl create -f "${pod_config_dir}/initcontainer-shareprocesspid.yaml"
+	kubectl create -f "${yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name
 
 	# Check PID from first container
 	first_pid_container=$(kubectl exec $pod_name -c $first_container_name \
-		-- ps | grep "tail" || true)
+		-- $command | grep "tail" || true)
 	# Verify that the tail process didn't exist
 	[ -z $first_pid_container ] || die "found processes pid: $first_pid_container" 
 }
@@ -34,4 +43,6 @@ teardown() {
 	kubectl describe "pod/$pod_name"
 
 	kubectl delete pod "$pod_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-limit-range.bats

@@ -12,6 +12,11 @@ setup() {
 	get_pod_config_dir
 	namespace_name="default-cpu-example"
 	pod_name="default-cpu-test"
+	pod_yaml="${pod_config_dir}/pod-cpu-defaults.yaml"
+
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	set_namespace_to_policy_settings "${policy_settings_dir}" "${namespace_name}"
+	auto_generate_policy "${policy_settings_dir}" "${pod_yaml}"
 }
 
 @test "Limit range for storage" {
@@ -22,7 +27,7 @@ setup() {
 	kubectl create -f "${pod_config_dir}/limit-range.yaml" --namespace=${namespace_name}
 
 	# Create the pod
-	kubectl create -f "${pod_config_dir}/pod-cpu-defaults.yaml" --namespace=${namespace_name}
+	kubectl create -f "${pod_yaml}" --namespace=${namespace_name}
 
 	# Get pod specification
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" --namespace="$namespace_name"
@@ -34,8 +39,10 @@ setup() {
 
 teardown() {
 	# Debugging information
-	kubectl describe "pod/$pod_name"
+	kubectl describe "pod/$pod_name" -n "$namespace_name"
 
-	kubectl delete pod "$pod_name"
+	kubectl delete pod "$pod_name" -n "$namespace_name"
 	kubectl delete namespaces "$namespace_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-memory.bats

@@ -24,29 +24,39 @@ setup_yaml() {
 @test "Exceeding memory constraints" {
 	memory_limit_size="50Mi"
 	allocated_size="250M"
+
 	# Create test .yaml
-	setup_yaml > "${pod_config_dir}/test_exceed_memory.yaml"
+	test_yaml="${pod_config_dir}/test_exceed_memory.yaml"
+	setup_yaml > "${test_yaml}"
+
+	# Add policy to yaml file
+	auto_generate_policy "${pod_config_dir}" "${test_yaml}"
 
 	# Create the pod exceeding memory constraints
-	run kubectl create -f "${pod_config_dir}/test_exceed_memory.yaml"
+	run kubectl create -f "${test_yaml}"
 	[ "$status" -ne 0 ]
 
-	rm -f "${pod_config_dir}/test_exceed_memory.yaml"
+	rm -f "${test_yaml}"
 }
 
 @test "Running within memory constraints" {
 	memory_limit_size="600Mi"
 	allocated_size="150M"
+
 	# Create test .yaml
-	setup_yaml > "${pod_config_dir}/test_within_memory.yaml"
+	test_yaml="${pod_config_dir}/test_within_memory.yaml"
+	setup_yaml > "${test_yaml}"
+
+	# Add policy to yaml file
+	auto_generate_policy "${pod_config_dir}" "${test_yaml}"
 
 	# Create the pod within memory constraints
-	kubectl create -f "${pod_config_dir}/test_within_memory.yaml"
+	kubectl create -f "${test_yaml}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
-	rm -f "${pod_config_dir}/test_within_memory.yaml"
+	rm -f "${test_yaml}"
 	kubectl delete pod "$pod_name"
 }
 

tests/integration/kubernetes/k8s-number-cpus.bats

@@ -13,12 +13,22 @@ setup() {
 	pod_name="cpu-test"
 	container_name="c1"
 	get_pod_config_dir
+	yaml_file="${pod_config_dir}/pod-number-cpu.yaml"
+
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	num_cpus_cmd='cat /proc/cpuinfo |grep processor|wc -l'
+	exec_command="sh -c ${num_cpus_cmd}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
 }
 
 # Skip on aarch64 due to missing cpu hotplug related functionality.
 @test "Check number of cpus" {
 	# Create pod
-	kubectl create -f "${pod_config_dir}/pod-number-cpu.yaml"
+	kubectl create -f "${yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
@@ -26,7 +36,6 @@ setup() {
 	retries="10"
 	max_number_cpus="3"
 
-	num_cpus_cmd='cat /proc/cpuinfo |grep processor|wc -l'
 	for _ in $(seq 1 "$retries"); do
 		# Get number of cpus
 		number_cpus=$(kubectl exec pod/"$pod_name" -c "$container_name" \
@@ -46,4 +55,6 @@ teardown() {
 	kubectl describe "pod/$pod_name"
 
 	kubectl delete pod "$pod_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/k8s-oom.bats

@@ -13,11 +13,14 @@ setup() {
 
 	pod_name="pod-oom"
 	get_pod_config_dir
+
+	yaml_file="${pod_config_dir}/$pod_name.yaml"
+	auto_generate_policy "${pod_config_dir}" "${yaml_file}"
 }
 
 @test "Test OOM events for pods" {
 	# Create pod
-	kubectl create -f "${pod_config_dir}/$pod_name.yaml"
+	kubectl create -f "${yaml_file}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

tests/integration/kubernetes/k8s-optional-empty-configmap.bats

@@ -10,6 +10,20 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
 	get_pod_config_dir
+
+	pod_yaml="${pod_config_dir}/pod-optional-empty-configmap.yaml"
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	empty_command="ls /empty-config"
+	exec_command="sh -c ${empty_command}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	optional_command="ls /optional-missing-config"
+	exec_command="sh -c ${optional_command}"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
+
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${pod_yaml}"
 }
 
 @test "Optional and Empty ConfigMap Volume for a pod" {
@@ -20,13 +34,13 @@ setup() {
 	kubectl create configmap "$config_name"
 
 	# Create a pod that consumes the "empty-config" and "optional-missing-config" ConfigMaps as volumes
-	kubectl create -f "${pod_config_dir}/pod-optional-empty-configmap.yaml"
+	kubectl create -f "${pod_yaml}"
 
 	# Check pod creation
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
 
 	# Check configmap folders exist
-	kubectl exec $pod_name -- sh -c ls /empty-config
+	kubectl exec $pod_name -- sh -c "${empty_command}"
 	kubectl exec $pod_name -- sh -c ls /optional-missing-config
 }
 
@@ -36,4 +50,6 @@ teardown() {
 
 	kubectl delete pod "$pod_name"
 	kubectl delete configmap "$config_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }

tests/integration/kubernetes/tests_common.sh

@@ -130,12 +130,7 @@ create_common_genpolicy_settings() {
 	cp "${default_genpolicy_settings_dir}/rules.rego" "${genpolicy_settings_dir}"
 
 	# Set the default namespace of Kata CI tests in the genpolicy settings.
-	info "${genpolicy_settings_dir}/genpolicy-settings.json: default namespace: ${TEST_CLUSTER_NAMESPACE}"
+	set_namespace_to_policy_settings "${genpolicy_settings_dir}" "${TEST_CLUSTER_NAMESPACE}"
-	jq --arg TEST_CLUSTER_NAMESPACE "${TEST_CLUSTER_NAMESPACE}" \
-		'.cluster_config.default_namespace |= $TEST_CLUSTER_NAMESPACE' \
-		"${genpolicy_settings_dir}/genpolicy-settings.json" > \
-		"${genpolicy_settings_dir}/new-genpolicy-settings.json"
-	mv "${genpolicy_settings_dir}/new-genpolicy-settings.json" "${genpolicy_settings_dir}/genpolicy-settings.json"
 }
 
 # If auto-generated policy testing is enabled, make a copy of the common genpolicy settings
@@ -241,3 +236,19 @@ add_copy_from_guest_to_policy_settings() {
 	exec_command="tar cf - ${copied_file}"
 	add_exec_to_policy_settings "${policy_settings_dir}" "${exec_command}"
 }
+
+# Change genpolicy settings to allow "kubectl exec" to execute a command
+# and to read console output from a test pod.
+set_namespace_to_policy_settings() {
+	declare -r settings_dir="$1"
+	declare -r namespace="$2"
+
+	auto_generate_policy_enabled || return 0
+
+	info "${settings_dir}/genpolicy-settings.json: namespace: ${namespace}"
+	jq --arg namespace "${namespace}" \
+		'.cluster_config.default_namespace |= $namespace' \
+		"${settings_dir}/genpolicy-settings.json" > \
+		"${settings_dir}/new-genpolicy-settings.json"
+	mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json"
+}