From 83056457d6bf49510f6f2235b9f0a13875f11077 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Fri, 26 Jul 2024 18:48:18 +0000
Subject: [PATCH 1/3] tests: k8s-policy-pod: avoid word splitting

Avoid potential word splitting when using array of command args array.

Signed-off-by: Dan Mihai
---
 tests/integration/kubernetes/k8s-policy-pod.bats | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/tests/integration/kubernetes/k8s-policy-pod.bats b/tests/integration/kubernetes/k8s-policy-pod.bats
index db01d3d2d2..57a2c4e3bc 100644
--- a/tests/integration/kubernetes/k8s-policy-pod.bats
+++ b/tests/integration/kubernetes/k8s-policy-pod.bats
@@ -64,7 +64,7 @@ wait_for_pod_ready() {
 @test "Able to read env variables sourced from configmap using envFrom" {
 wait_for_pod_ready
- expected_env_var=$(kubectl exec "${pod_name}" -- ${exec_command[@]})
+ expected_env_var=$(kubectl exec "${pod_name}" -- "${exec_command[@]}")
 [ "$expected_env_var" = "value-3" ] || fail "expected_env_var is not equal to value-3"
 }

From 7b691455c27e7c94c5df3531c11c176325b74e95 Mon Sep 17 00:00:00 2001
From: Dan Mihai
Date: Fri, 26 Jul 2024 17:18:29 +0000
Subject: [PATCH 2/3] tests: k8s: hard-coded policy for any platform

Users of AUTO_GENERATE_POLICY=yes:
- Already tested *auto-generated* policy on any platform.
- Will be able to test *hard-coded* policy too on any platform, after this change.

CI continues to test hard-coded policies just on the platforms listed here, but testing those policies locally (outside of CI) on other platforms can be useful too.

Signed-off-by: Dan Mihai
---
 tests/integration/kubernetes/k8s-exec-rejected.bats | 4 ++--
 tests/integration/kubernetes/tests_common.sh | 12 +++++++-----
 2 files changed, 9 insertions(+), 7 deletions(-)

diff --git a/tests/integration/kubernetes/k8s-exec-rejected.bats b/tests/integration/kubernetes/k8s-exec-rejected.bats
index 978ee8a5ad..e6dbe67c04 100644
--- a/tests/integration/kubernetes/k8s-exec-rejected.bats
+++ b/tests/integration/kubernetes/k8s-exec-rejected.bats
@@ -9,7 +9,7 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 setup() {
- policy_tests_enabled || skip "Policy tests are disabled."
+ hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
 get_pod_config_dir
 pod_name="policy-exec-rejected"
@@ -38,7 +38,7 @@ setup() {
 }
 teardown() {
- policy_tests_enabled || skip "Policy tests are disabled."
+ hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
 # Debugging information
 kubectl describe "pod/$pod_name"
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index 6ed0e42ac2..21114f9f2a 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -306,16 +306,18 @@ set_namespace_to_policy_settings() {
 mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json"
 }
-policy_tests_enabled() {
- # The Guest images for these platforms have been built using AGENT_POLICY=yes -
- # see kata-deploy-binaries.sh.
+hard_coded_policy_tests_enabled() {
+ # CI is testing hard-coded policies just on a the platforms listed here. Outside of CI,
+ # users can enable testing of the same policies (plus the auto-generated policies) by
+ # specifying AUTO_GENERATE_POLICY=yes.
 local enabled_hypervisors="qemu-coco-dev qemu-sev qemu-snp qemu-tdx"
 [[ " $enabled_hypervisors " =~ " ${KATA_HYPERVISOR} " ]] || \
- [ "${KATA_HOST_OS}" == "cbl-mariner" ]
+ [ "${KATA_HOST_OS}" == "cbl-mariner" ] || \
+ auto_generate_policy_enabled
 }
 add_allow_all_policy_to_yaml() {
- policy_tests_enabled || return 0
+ hard_coded_policy_tests_enabled || return 0
 local yaml_file="$1"
 # Previous version of yq was not ready to handle multiple objects in a single yaml.

From 3e348e9768b176c7c37f075a41ea92f3846c4a9a Mon Sep 17 00:00:00 2001
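Review bot: The new header comment in `hard_coded_policy_tests_enabled` has a typo (`just on a the platforms`) and drops the one fact the removed comment carried, namely why exactly these hypervisors and cbl-mariner qualify (their guest images are built with AGENT_POLICY=yes, see kata-deploy-binaries.sh), so the next person extending `enabled_hypervisors` has no stated criterion to check. Suggest replacing the three added comment lines with `# CI tests hard-coded policies only on the platforms listed here, whose guest images are built with AGENT_POLICY=yes (see kata-deploy-binaries.sh).` followed by `# Outside of CI, AUTO_GENERATE_POLICY=yes opts any platform into these tests as well as the auto-generated ones; the guest image presumably still needs agent policy enabled.` The trailing `auto_generate_policy_enabled` branch presumably refers to a helper defined elsewhere in tests_common.sh; if this function can be sourced without it, the `||` chain would end in a command-not-found error rather than a clean false.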
From: Dan Mihai
Date: Fri, 26 Jul 2024 17:41:00 +0000
Subject: [PATCH 3/3] tests: k8s: rename hard-coded policy test script

Rename k8s-exec-rejected.bats to k8s-policy-hard-coded.bats, getting ready to test additional hard-coded policies using the same script.

Signed-off-by: Dan Mihai
---
 ...{k8s-exec-rejected.bats => k8s-policy-hard-coded.bats} | 8 ++++----
 tests/integration/kubernetes/run_kubernetes_tests.sh | 2 +-
 ...licy-exec-rejected.yaml => k8s-policy-hard-coded.yaml} | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)
 rename tests/integration/kubernetes/{k8s-exec-rejected.bats => k8s-policy-hard-coded.bats} (91%)
 rename tests/integration/kubernetes/runtimeclass_workloads/{k8s-policy-exec-rejected.yaml => k8s-policy-hard-coded.yaml} (93%)

diff --git a/tests/integration/kubernetes/k8s-exec-rejected.bats b/tests/integration/kubernetes/k8s-policy-hard-coded.bats
similarity index 91%
rename from tests/integration/kubernetes/k8s-exec-rejected.bats
rename to tests/integration/kubernetes/k8s-policy-hard-coded.bats
index e6dbe67c04..9246506739 100644
--- a/tests/integration/kubernetes/k8s-exec-rejected.bats
+++ b/tests/integration/kubernetes/k8s-policy-hard-coded.bats
@@ -12,16 +12,16 @@ setup() {
 hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
 get_pod_config_dir
- pod_name="policy-exec-rejected"
- pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml"
- allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
+ pod_name="hard-coded-policy-pod"
+ pod_yaml="${pod_config_dir}/k8s-policy-hard-coded.yaml"
 }
 @test "Kubectl exec rejected by policy" {
 # Add to the YAML file a policy that rejects ExecProcessRequest.
+ allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
 yq -i \
 ".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${allow_all_except_exec_policy}\"" \
- "${pod_yaml}"
+ "${pod_yaml}"
 # Create the pod
 kubectl create -f "${pod_yaml}"
diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
index 7d2402ebbd..51f33ac482 100755
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -41,7 +41,6 @@ else
 "k8s-empty-dirs.bats" \
 "k8s-env.bats" \
 "k8s-exec.bats" \
- "k8s-exec-rejected.bats" \
 "k8s-file-volume.bats" \
 "k8s-inotify.bats" \
 "k8s-job.bats" \
@@ -56,6 +55,7 @@ else
 "k8s-optional-empty-secret.bats" \
 "k8s-pid-ns.bats" \
 "k8s-pod-quota.bats" \
+ "k8s-policy-hard-coded.bats" \
 "k8s-policy-job.bats" \
 "k8s-policy-pod.bats" \
 "k8s-policy-pvc.bats" \
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-hard-coded.yaml
similarity index 93%
rename from tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml
rename to tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-hard-coded.yaml
index e3c285d13f..10e8363a86 100644
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-exec-rejected.yaml
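Review bot: In the "Kubectl exec rejected by policy" test, `allow_all_except_exec_policy` is now assigned inside the test body without `local`, and two lines later its value is spliced verbatim into a double-quoted yq expression; that is only safe because `base64 -w 0` yields a single line over a quote-free alphabet, which the code never states. Since this script is now meant to host more hard-coded policies, record that assumption next to the assignment so the pattern is not copied with raw rego text: `# base64 -w 0 yields one quote-free line, so the value can be interpolated into the yq string below.` and declare it `local allow_all_except_exec_policy=$(...)` (bats compiles each @test body into a function, so `local` applies). `setup()` begins before this hunk.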
+++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-hard-coded.yaml
@@ -6,7 +6,7 @@ apiVersion: v1
 kind: Pod
 metadata:
- name: policy-exec-rejected
+ name: hard-coded-policy-pod
 spec:
 terminationGracePeriodSeconds: 0
 shareProcessNamespace: true