From 8088064b8b72c35c8d596fd2b18a1e170046b7b1 Mon Sep 17 00:00:00 2001
From: Hyounggyu Choi
Date: Mon, 24 Mar 2025 18:27:36 +0100
Subject: [PATCH] tests: Set default policy before running sealed secrets tests
The test `Cannot get CDH resource when deny-all policy is set` completes with a KBS policy set to deny-all. This affects the future TEE test (e.g. k8s-sealed-secrets.bats) which makes a request against KBS. This commit introduces kbs_set_default_policy() and puts it to the setup() in k8s-sealed-secrets.bats.
Signed-off-by: Hyounggyu Choi
---
 tests/integration/kubernetes/confidential_kbs.sh | 5 +++++
 tests/integration/kubernetes/k8s-sealed-secret.bats | 2 ++
 2 files changed, 7 insertions(+)
diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index 27ada6f23a..d0d9c2f6b8 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -39,6 +39,11 @@ kbs_set_allow_all_resources() {
 "${COCO_KBS_DIR}/sample_policies/allow_all.rego"
 }
+kbs_set_default_policy() {
+ kbs_set_resources_policy \
+ "${COCO_KBS_DIR}/src/policy_engine/opa/default_policy.rego"
+}
+
 # Set "deny all" policy to resources.
 #
 kbs_set_deny_all_resources() {
diff --git a/tests/integration/kubernetes/k8s-sealed-secret.bats b/tests/integration/kubernetes/k8s-sealed-secret.bats
index 3b9fce422b..311f1baf57 100644
--- a/tests/integration/kubernetes/k8s-sealed-secret.bats
+++ b/tests/integration/kubernetes/k8s-sealed-secret.bats
@@ -70,6 +70,8 @@ setup() {
 if ! is_confidential_hardware; then
 kbs_set_allow_all_resources
+ else
+ kbs_set_default_policy
 fi
 }
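Review bot: `kbs_set_default_policy()` in confidential_kbs.sh is added without the two-line header comment that `kbs_set_deny_all_resources()` carries just below it, and nothing states what the default policy allows or denies, which is what a test author needs to know when choosing between it and allow-all. I would add `# Set the KBS default policy to resources (undoes an earlier allow-all or deny-all).` followed by a bare `#` line above the function. The path also reaches into the KBS source tree (`src/policy_engine/opa/`) where the sibling helper reads from `sample_policies/`, so the helper depends on the upstream source layout. How `kbs_set_resources_policy` reacts to a missing file is not visible in this hunk, so it is worth confirming that it fails loudly rather than leaving the previous policy in place.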
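Review bot: Resetting the policy in the `else` branch of this file's `setup()` removes the order dependence only for the sealed-secret tests; any other test that queries KBS on confidential hardware after the deny-all test would still inherit deny-all. A more robust place is the teardown of the test that calls `kbs_set_deny_all_resources` (not part of this patch), with `kbs_set_default_policy` as its last step so each test leaves KBS as it found it. The same concern applies to the `kbs_set_allow_all_resources` branch: if this file's teardown, which is outside the hunk, does not restore the default, later tests run against an allow-all KBS and a policy regression could pass unnoticed. `setup()` begins before this hunk, so earlier steps in it are not reviewed here.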