From 7b691455c27e7c94c5df3531c11c176325b74e95 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Fri, 26 Jul 2024 17:18:29 +0000 Subject: [PATCH] tests: k8s: hard-coded policy for any platform Users of AUTO_GENERATE_POLICY=yes: - Already tested *auto-generated* policy on any platform. - Will be able to test *hard-coded* policy too on any platform, after this change. CI continues to test hard-coded policies just on the platforms listed here, but testing those policies locally (outside of CI) on other platforms can be useful too. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-exec-rejected.bats | 4 ++-- tests/integration/kubernetes/tests_common.sh | 12 +++++++----- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/tests/integration/kubernetes/k8s-exec-rejected.bats b/tests/integration/kubernetes/k8s-exec-rejected.bats index 978ee8a5ad..e6dbe67c04 100644 --- a/tests/integration/kubernetes/k8s-exec-rejected.bats +++ b/tests/integration/kubernetes/k8s-exec-rejected.bats @@ -9,7 +9,7 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { - policy_tests_enabled || skip "Policy tests are disabled." + hard_coded_policy_tests_enabled || skip "Policy tests are disabled." get_pod_config_dir pod_name="policy-exec-rejected" @@ -38,7 +38,7 @@ setup() { } teardown() { - policy_tests_enabled || skip "Policy tests are disabled." + hard_coded_policy_tests_enabled || skip "Policy tests are disabled." # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index 6ed0e42ac2..21114f9f2a 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh 
@@ -306,16 +306,18 @@ set_namespace_to_policy_settings() { mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json" } -policy_tests_enabled() { - # The Guest images for these platforms have been built using AGENT_POLICY=yes - - # see kata-deploy-binaries.sh. +hard_coded_policy_tests_enabled() { + # CI is testing hard-coded policies just on a the platforms listed here. Outside of CI, + # users can enable testing of the same policies (plus the auto-generated policies) by + # specifying AUTO_GENERATE_POLICY=yes. local enabled_hypervisors="qemu-coco-dev qemu-sev qemu-snp qemu-tdx" [[ " $enabled_hypervisors " =~ " ${KATA_HYPERVISOR} " ]] || \ - [ "${KATA_HOST_OS}" == "cbl-mariner" ] + [ "${KATA_HOST_OS}" == "cbl-mariner" ] || \ + auto_generate_policy_enabled } add_allow_all_policy_to_yaml() { - policy_tests_enabled || return 0 + hard_coded_policy_tests_enabled || return 0 local yaml_file="$1" # Previous version of yq was not ready to handle multiple objects in a single yaml.
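Review bot: The rewritten comment in `hard_coded_policy_tests_enabled` drops the only statement of the precondition these tests rely on, namely that the guest image was built with `AGENT_POLICY=yes`. With the added `|| auto_generate_policy_enabled` arm the function can return success on a platform outside `enabled_hypervisors`, and nothing visible in the hunk checks that the agent in that image actually enforces policy; `auto_generate_policy_enabled` is defined outside the hunk, so this is inferred from its name and the commit message. Callers such as k8s-exec-rejected.bats and `add_allow_all_policy_to_yaml` (whose body continues past the hunk) now depend on that, so I would keep the precondition in the comment, e.g. `# Requires a guest image built with AGENT_POLICY=yes - see kata-deploy-binaries.sh; AUTO_GENERATE_POLICY=yes does not check this.` The same comment also has a typo: `just on a the platforms` should read `just on the platforms`.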