Merge pull request #10083 from microsoft/danmihai1/policy-tests

tests: k8s: minor policy tests clean-up

tests/integration/kubernetes/k8s-policy-hard-coded.bats

@@ -9,16 +9,16 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"
 
 setup() {
-	policy_tests_enabled || skip "Policy tests are disabled."
+	hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
 
 	get_pod_config_dir
-	pod_name="policy-exec-rejected"
+	pod_name="hard-coded-policy-pod"
-	pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml"
+	pod_yaml="${pod_config_dir}/k8s-policy-hard-coded.yaml"
-	allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
 }
 
 @test "Kubectl exec rejected by policy" {
 	# Add to the YAML file a policy that rejects ExecProcessRequest.
+	allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
 	yq -i \
 		".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${allow_all_except_exec_policy}\"" \
 		"${pod_yaml}"
@@ -38,7 +38,7 @@ setup() {
 }
 
 teardown() {
-	policy_tests_enabled || skip "Policy tests are disabled."
+	hard_coded_policy_tests_enabled || skip "Policy tests are disabled."
 
 	# Debugging information
 	kubectl describe "pod/$pod_name"

tests/integration/kubernetes/k8s-policy-pod.bats

@@ -64,7 +64,7 @@ wait_for_pod_ready() {
 
 @test "Able to read env variables sourced from configmap using envFrom" {
 	wait_for_pod_ready
-	expected_env_var=$(kubectl exec "${pod_name}" -- ${exec_command[@]})
+	expected_env_var=$(kubectl exec "${pod_name}" -- "${exec_command[@]}")
 	[ "$expected_env_var" = "value-3" ] || fail "expected_env_var is not equal to value-3"
 }
 

tests/integration/kubernetes/run_kubernetes_tests.sh

@@ -41,7 +41,6 @@ else
 		"k8s-empty-dirs.bats" \
 		"k8s-env.bats" \
 		"k8s-exec.bats" \
-		"k8s-exec-rejected.bats" \
 		"k8s-file-volume.bats" \
 		"k8s-inotify.bats" \
 		"k8s-job.bats" \
@@ -56,6 +55,7 @@ else
 		"k8s-optional-empty-secret.bats" \
 		"k8s-pid-ns.bats" \
 		"k8s-pod-quota.bats" \
+		"k8s-policy-hard-coded.bats" \
 		"k8s-policy-job.bats" \
 		"k8s-policy-pod.bats" \
 		"k8s-policy-pvc.bats" \

tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-hard-coded.yaml

@@ -6,7 +6,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
-  name: policy-exec-rejected
+  name: hard-coded-policy-pod
 spec:
   terminationGracePeriodSeconds: 0
   shareProcessNamespace: true

tests/integration/kubernetes/tests_common.sh

@@ -306,16 +306,18 @@ set_namespace_to_policy_settings() {
 	mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json"
 }
 
-policy_tests_enabled() {
+hard_coded_policy_tests_enabled() {
-	# The Guest images for these platforms have been built using AGENT_POLICY=yes -
+	# CI is testing hard-coded policies just on a the platforms listed here. Outside of CI,
-	# see kata-deploy-binaries.sh.
+	# users can enable testing of the same policies (plus the auto-generated policies) by
+	# specifying AUTO_GENERATE_POLICY=yes.
 	local enabled_hypervisors="qemu-coco-dev qemu-sev qemu-snp qemu-tdx"
 	[[ " $enabled_hypervisors " =~ " ${KATA_HYPERVISOR} " ]] || \
-		[ "${KATA_HOST_OS}" == "cbl-mariner" ]
+		[ "${KATA_HOST_OS}" == "cbl-mariner" ] || \
+		auto_generate_policy_enabled
 }
 
 add_allow_all_policy_to_yaml() {
-	policy_tests_enabled || return 0
+	hard_coded_policy_tests_enabled || return 0
 
 	local yaml_file="$1"
 	# Previous version of yq was not ready to handle multiple objects in a single yaml.