test/k8s: Add basic attestation test

- Add basic test case to check that a ruuning pod can use the api-server-rest (and attestation-agent and confidential-data-hub indirectly) to get a resource from a remote KBS Fixes #9057 Signed-off-by: Gabriela Cervantes <gabriela.cervantes.tellez@intel.com> Co-authored-by: Linda Yu <linda.yu@intel.com> Co-authored-by: stevenhorsman <steven@uk.ibm.com> Co-authored-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2025-09-18 07:18:27 +00:00 · 2024-02-22 20:43:01 +00:00
parent f0edec84f6
commit 6d85025e59
6 changed files with 110 additions and 9 deletions
--- a/tests/gha-run-k8s-common.sh
+++ b/tests/gha-run-k8s-common.sh
@@ -4,10 +4,6 @@
 #
 # SPDX-License-Identifier: Apache-2.0

-set -o errexit
-set -o nounset
-set -o pipefail
-
 tests_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 source "${tests_dir}/common.bash"

--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -7,10 +7,6 @@
 # Provides a library to deal with the CoCo KBS
 #

-set -o errexit
-set -o nounset
-set -o pipefail
-
 kubernetes_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 # shellcheck disable=1091
 source "${kubernetes_dir}/../../gha-run-k8s-common.sh"
@@ -416,7 +412,6 @@ _handle_ingress_aks() {
 	popd
 }

-
 # Implements the ingress handler for servernode
 # this is useful on kcli or anywhere where cluster IPs are accessible
 # from the testing machines.
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -246,6 +246,7 @@ function install_kbs_client() {
 }

 function run_tests() {
+	ensure_yq
 	platform="${1:-}"

 	[ "$platform" = "kcli" ] && \
--- a/tests/integration/kubernetes/k8s-confidential-attestation.bats
+++ b/tests/integration/kubernetes/k8s-confidential-attestation.bats
@@ -0,0 +1,89 @@
+#!/usr/bin/env bats
+# Copyright 2024 IBM Corporation
+# Copyright 2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/confidential_common.sh"
+load "${BATS_TEST_DIRNAME}/confidential_kbs.sh"
+
+export KBS="${KBS:-false}"
+export test_key="aatest"
+export KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
+export AA_KBC="${AA_KBC:-cc_kbc}"
+
+setup() {
+	confidential_setup || skip "Test not supported for ${KATA_HYPERVISOR}."
+
+	if [ "${KBS}" = "false" ]; then
+		skip "Test skipped as KBS not setup"
+	fi
+
+	setup_common
+	get_pod_config_dir
+
+#	setup_unencrypted_confidential_pod
+
+	export K8S_TEST_YAML="${pod_config_dir}/pod-attestable.yaml"
+	# Schedule on a known node so that later it can print the system's logs for
+	# debugging.
+	set_node "$K8S_TEST_YAML" "$node"
+
+	if [[ " ${SUPPORTED_NON_TEE_HYPERVISORS} " =~ " ${KATA_HYPERVISOR} " ]]; then
+		set_metadata_annotation "${K8S_TEST_YAML}" \
+			"io.katacontainers.config.hypervisor.image" \
+			"/opt/kata/share/kata-containers/kata-containers-confidential.img"
+	fi
+
+	kbs_set_resource "default" "aa" "key" "$test_key"
+	kbs_set_allow_all_resources
+}
+
+@test "Get CDH resource" {
+	local CC_KBS_ADDR
+	export CC_KBS_ADDR=$(kbs_k8s_svc_http_addr)
+	kernel_params_annotation="io.katacontainers.config.hypervisor.kernel_params"
+	kernel_params_value="agent.guest_components_rest_api=resource"
+
+	# Based on current config we still need to pass the agent.aa_kbc_params, but this might change
+	# as the CDH/Attestaiton-agent config gets updated
+	if [ "${AA_KBC}" = "cc_kbc" ]; then
+		kernel_params_value+=" agent.aa_kbc_params=cc_kbc::${CC_KBS_ADDR}"
+	fi
+
+	set_metadata_annotation "${K8S_TEST_YAML}" \
+			"${kernel_params_annotation}" \
+			"${kernel_params_value}"
+
+	kubectl apply -f "${K8S_TEST_YAML}"
+
+	# Retrieve pod name, wait for it to come up, retrieve pod ip
+	export pod_name=$(kubectl get pod -o wide | grep "aa-test-cc" | awk '{print $1;}')
+
+	# Check pod creation
+	kubectl wait --for=condition=Ready --timeout="$timeout" pod "${pod_name}"
+
+	# Wait 5s for connecting with remote KBS
+	sleep 5
+
+	kubectl logs aa-test-cc
+	kubectl logs aa-test-cc | grep -q "aatest"
+}
+
+teardown() {
+	check_hypervisor_for_confidential_tests ${KATA_HYPERVISOR} || skip "Test not supported for ${KATA_HYPERVISOR}."
+
+	if [ "${KBS}" = "false" ]; then
+		skip "Test skipped as KBS not setup"
+	fi
+
+	[ -n "${pod_name:-}" ] && kubectl describe "pod/${pod_name}" || true
+	[ -n "${pod_config_dir:-}" ] && kubectl delete -f "${K8S_TEST_YAML}" || true
+
+	if [ -n "${node_start_time}:-}" ]; then
+		echo "DEBUG: system logs of node '$node' since test start time ($node_start_time)"
+		print_node_journal "$node" "kata" --since "$node_start_time" || true
+	fi
+}
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -26,6 +26,7 @@ else
 	# more details https://github.com/kata-containers/kata-containers/issues/8337
 	K8S_TEST_SMALL_HOST_UNION=( \
 		"k8s-guest-pull-image.bats" \
+		"k8s-confidential-attestation.bats" \
 		"k8s-confidential.bats" \
 		"k8s-attach-handlers.bats" \
 		"k8s-caps.bats" \
--- a/tests/integration/kubernetes/runtimeclass_workloads/pod-attestable.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-attestable.yaml
@@ -0,0 +1,19 @@
+# Copyright (c) 2023-2024 Intel Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: aa-test-cc
+spec:
+  runtimeClassName: kata
+  containers:
+    - name: bash-curl
+      image: storytel/alpine-bash-curl:latest
+      imagePullPolicy: Always
+      command:
+        - sh
+        - -c
+        - |
+          curl http://127.0.0.1:8006/cdh/resource/default/aa/key; sleep 1000