From 68c8c3171825119882d5c8f803fde884a3ae63ad Mon Sep 17 00:00:00 2001
From: Archana Choudhary
Date: Thu, 22 May 2025 14:39:18 +0000
Subject: [PATCH] genpolicy: tests: add test for config_map volumes
This patch adds test for config_map volumes.
Signed-off-by: Archana Choudhary
---
src/tools/genpolicy/tests/policy/main.rs | 5 +
.../volumes/config_map/config_map.yaml | 7 +
.../volumes/config_map/pod.yaml | 21 +++
.../volumes/config_map/testcases.json | 151 ++++++++++++++++++
4 files changed, 184 insertions(+)
create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml
create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml
create mode 100644 src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json
diff --git a/src/tools/genpolicy/tests/policy/main.rs b/src/tools/genpolicy/tests/policy/main.rs
index e6c730c9c5..c657f1c6e6 100644
--- a/src/tools/genpolicy/tests/policy/main.rs
+++ b/src/tools/genpolicy/tests/policy/main.rs
@@ -284,4 +284,9 @@ mod tests {
 async fn test_create_container_mounts() {
 runtests("createcontainer/volumes/emptydir").await;
 }
+
+ #[tokio::test]
+ async fn test_create_container_volumes_config_map() {
+ runtests("createcontainer/volumes/config_map").await;
+ }
 }
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml
new file mode 100644
index 0000000000..426cb22e86
--- /dev/null
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/config_map.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: config-map1
+data:
+ simple_value1: value1
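Review bot: The new test name `test_create_container_volumes_config_map` encodes the testdata path, while the neighbouring `test_create_container_mounts` runs `createcontainer/volumes/emptydir` under a different naming pattern, so the two volume tests in this file read inconsistently. Either name is fine on its own; a follow-up could rename the emptydir test to `test_create_container_volumes_emptydir` so the `volumes/` tests group together in test output. The enclosing `mod tests` starts outside the hunk.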
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml
new file mode 100644
index 0000000000..bd49e5243d
--- /dev/null
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/pod.yaml
@@ -0,0 +1,21 @@
+---
+apiVersion: v1
+kind: Pod
+metadata:
+ name: dummy
+spec:
+ runtimeClassName: kata-cc-isolation
+ containers:
+ - name: dummy
+ image: "registry.k8s.io/pause:3.6@sha256:3d380ca8864549e74af4b29c10f9cb0956236dfb01c40ca076fb6c37253234db"
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ readOnly: true
+ volumes:
+ - name: config
+ configMap:
+ name: config-map1
+ items:
+ - key: simple_value1
+ path: simple_value1
diff --git a/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json
new file mode 100644
index 0000000000..88cdfd2838
--- /dev/null
+++ b/src/tools/genpolicy/tests/policy/testdata/createcontainer/volumes/config_map/testcases.json
@@ -0,0 +1,151 @@
+[
+ {
+ "description": "CreateContainer with config map volume",
+ "allowed": true,
+ "request": {
+ "type": "CreateContainer",
+ "OCI": {
+ "Version": "1.1.0",
+ "Annotations": {
+ "io.kubernetes.cri.sandbox-name": "dummy",
+ "io.kubernetes.cri.sandbox-namespace": "default",
+ "io.kubernetes.cri.container-type": "container",
+ "io.katacontainers.pkg.oci.container_type": "pod_container",
+ "io.katacontainers.pkg.oci.bundle_path": "/run/containerd/io.containerd.runtime.v2.task/k8s.io/bundle-id",
+ "io.kubernetes.cri.sandbox-id": "0000000000000000000000000000000000000000000000000000000000000000",
+ "io.kubernetes.cri.container-name": "dummy"
+ },
+ "Linux": {
+ "GIDMappings": [],
+ "MountLabel": "",
+ "Resources": {
+ "Devices": []
+ },
+ "RootfsPropagation": "",
+ "Namespaces": [
+ {
+ "Path": "",
+ "Type": "ipc"
+ },
+ {
+ "Path": "",
+ "Type": "uts"
+ },
+ {
+ "Path": "",
+ "Type": "mount"
+ },
+ {
+ "Path": "/run/netns/podns",
+ "Type": "network"
+ }
+ ],
+ "MaskedPaths": [
+ "/proc/acpi",
+ "/proc/asound",
+ "/proc/kcore",
+ "/proc/keys",
+ "/proc/latency_stats",
+ "/proc/timer_list",
+ "/proc/timer_stats",
+ "/proc/sched_debug",
+ "/sys/firmware",
+ "/proc/scsi"
+ ],
+ "ReadonlyPaths": [
+ "/proc/bus",
+ "/proc/fs",
+ "/proc/irq",
+ "/proc/sys",
+ "/proc/sysrq-trigger"
+ ]
+ },
+ "Process": {
+ "SelinuxLabel": "",
+ "User": {
+ "Username": "",
+ "UID": 65535,
+ "AdditionalGids": [
+ 0
+ ]
+ },
+ "Args": [
+ "/pause"
+ ],
+ "Cwd": "/",
+ "NoNewPrivileges": false,
+ "Capabilities": {
+ "Ambient": [],
+ "Bounding": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ],
+ "Effective": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ],
+ "Permitted": [
+ "CAP_CHOWN",
+ "CAP_DAC_OVERRIDE",
+ "CAP_FSETID",
+ "CAP_FOWNER",
+ "CAP_MKNOD",
+ "CAP_NET_RAW",
+ "CAP_SETGID",
+ "CAP_SETUID",
+ "CAP_SETFCAP",
+ "CAP_SETPCAP",
+ "CAP_NET_BIND_SERVICE",
+ "CAP_SYS_CHROOT",
+ "CAP_KILL",
+ "CAP_AUDIT_WRITE"
+ ]
+ }
+ },
+ "Root": {
+ "Readonly": false,
+ "Path": "/run/kata-containers/shared/containers/bundle-id/rootfs"
+ }
+ },
+ "storages": [
+ {
+ "driver": "watchable-bind",
+ "driver_options": [],
+ "source": "/run/kata-containers/shared/containers/bundle-id-a1b2c3d4e5f6g7h8-config",
+ "fstype": "bind",
+ "options": [
+ "rbind",
+ "rprivate",
+ "ro"
+ ],
+ "mount_point": "/run/kata-containers/shared/containers/watchable/bundle-id-a1b2c3d4e5f6g7h8-config",
+ "fs_group": null
+ }
+ ]
+ }
+ }
+]
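Review bot: The only case in testcases.json is the accepted request (`"allowed": true`), so nothing here shows that the generated policy actually rejects a ConfigMap mount that deviates from pod.yaml — for instance the same `storages` entry with `"ro"` dropped from `options`, or with a `mount_point` outside `/run/kata-containers/shared/containers/watchable/`. A second entry with `"allowed": false` and one such field altered would pin the enforcement rather than only the happy path; the sibling `volumes/emptydir` testdata is not visible here, so I cannot tell whether it already covers a negative case. The suffix `a1b2c3d4e5f6g7h8` in `source` and `mount_point` presumably stands in for a runtime-generated name that the policy matches by pattern rather than literally — a short mention of that in the `description` would help the next reader.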