tests: k8s: k8s-exec.bats auto-generated policy

Auto-generate policy for k8s-exec.bats. Fixes: #9247 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-06-27 07:48:55 +00:00 · 2024-02-08 15:27:58 +00:00 · 2024-02-08 15:27:58 +00:00 · 88b7a44271
commit 88b7a44271
parent b3a02d5e06
1 changed files with 29 additions and 5 deletions
--- a/tests/integration/kubernetes/k8s-exec.bats
+++ b/tests/integration/kubernetes/k8s-exec.bats
@ -13,11 +13,32 @@ setup() {
 	pod_name="busybox"
 	first_container_name="first-test-container"
 	second_container_name="second-test-container"
+
+	test_yaml_file="${pod_config_dir}/test-busybox-pod.yaml"
+	cp "$pod_config_dir/busybox-pod.yaml" "${test_yaml_file}"
+
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+
+	date_command="date"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${date_command}"
+	sh_command="sh"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${sh_command}"
+	env_command="env"
+	add_exec_to_policy_settings "${policy_settings_dir}" "${env_command}"
+
+	allowed_requests=(
+		"CloseStdinRequest"
+		"ReadStreamRequest"
+		"WriteStreamRequest"
+	)
+	add_requests_to_policy_settings "${policy_settings_dir}" "${allowed_requests[@]}"
+
+	auto_generate_policy "${policy_settings_dir}" "${test_yaml_file}"
 }

@test "Kubectl exec" {
 	# Create the pod
-	kubectl create -f "${pod_config_dir}/busybox-pod.yaml"
+	kubectl create -f "${test_yaml_file}"

 	# Get pod specification
 	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
@ -28,10 +49,10 @@ setup() {
 	# see: https://github.com/kata-containers/tests/issues/2770
 	# kubectl exec -i "$pod_name" -- ls -tl /
 	# kubectl exec -it "$pod_name" -- ls -tl /
-	kubectl exec "$pod_name" -- date
+	kubectl exec "$pod_name" -- "$date_command"

 	## Case for stdin
-	kubectl exec -i "$pod_name" -- sh <<-EOF
+	kubectl exec -i "$pod_name" -- "$sh_command" <<-EOF
 echo abc > /tmp/abc.txt
 grep abc /tmp/abc.txt
 exit
@ -48,11 +69,11 @@ EOF"

 	## Cases for target container
 	### First container
-	container_name=$(kubectl exec $pod_name -c $first_container_name -- env | grep CONTAINER_NAME)
+	container_name=$(kubectl exec $pod_name -c $first_container_name -- $env_command | grep CONTAINER_NAME)
 	[ "$container_name" == "CONTAINER_NAME=$first_container_name" ]

 	### Second container
-	container_name=$(kubectl exec $pod_name -c $second_container_name -- env | grep CONTAINER_NAME)
+	container_name=$(kubectl exec $pod_name -c $second_container_name -- $env_command | grep CONTAINER_NAME)
 	[ "$container_name" == "CONTAINER_NAME=$second_container_name" ]

 }
@ -62,4 +83,7 @@ teardown() {
 	kubectl describe "pod/$pod_name"

 	kubectl delete pod "$pod_name"
+
+	rm "${test_yaml_file}"
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
 }