From aafd16515c7b099494ef54183e6e9da329a711f4 Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Fri, 12 Jun 2026 22:29:47 +0000 Subject: [PATCH] tests: use limits for Kata workload manifests Kata sizes VM CPU and memory from OCI limits, not Kubernetes resource requests. Requests are consumed by the Kubernetes control plane, but they do not drive Kata VM or sandbox sizing today. Convert the straightforward Kata workload manifests and kata-deploy examples from resource requests to limits so the declared resources match the values Kata uses for VM provisioning. Keep requests where the fixture intentionally validates Kubernetes request/limit behavior. Update fixture expectations affected by the conversion. The LimitRange fixture is limit-only at 500m. Raise the policy deployment limits to 500m and 800Mi. These tests boot CoCo/runtime-rs sandboxes with policy/initdata, and the former 100m/100Mi values became real runtime limits after the conversion, which is too constrained for the CI environments. Leave PVC storage requests, explicit request/limit validation fixtures, the env resourceFieldRef request, and non-Kata workload examples unchanged where requests are handled outside the Kata shim resource sizing path. If Kata later grows request-aware sandbox sizing, for example through Sandbox API based resource plumbing, these requests can be reintroduced where they carry the intended semantics. 
Signed-off-by: Manuel Huber Assisted-by: OpenAI Codex --- tests/integration/kubernetes/k8s-memory.bats | 5 +++++ .../runtimeclass_workloads/inotify-configmap-pod.yaml | 2 -- .../runtimeclass_workloads/k8s-layered-sc-deployment.yaml | 6 +++--- .../runtimeclass_workloads/k8s-pod-sc-deployment.yaml | 6 +++--- .../k8s-pod-sc-nobodyupdate-deployment.yaml | 6 +++--- .../k8s-pod-sc-supplementalgroups-deployment.yaml | 6 +++--- .../runtimeclass_workloads/k8s-policy-deployment.yaml | 6 +++--- .../kubernetes/runtimeclass_workloads/limit-range.yaml | 2 -- .../runtimeclass_workloads/numa-topology-gpu-test.yaml.in | 3 --- .../runtimeclass_workloads/numa-topology-test.yaml.in | 3 --- .../kubernetes/runtimeclass_workloads/pod-burstable.yaml | 2 -- .../kubernetes/runtimeclass_workloads/pod-guaranteed.yaml | 3 --- .../kubernetes/runtimeclass_workloads/pod-hugepage.yaml | 3 --- .../kubernetes/runtimeclass_workloads/pod-memory-limit.yaml | 2 ++ .../kubernetes/runtimeclass_workloads/pod-oom.yaml | 4 ---- .../runtimeclass_workloads/redis-master-deployment.yaml | 2 +- .../kata-deploy/examples/test-deploy-kata-clh.yaml | 2 +- .../kata-deploy/examples/test-deploy-kata-dragonball.yaml | 2 +- .../packaging/kata-deploy/examples/test-deploy-kata-fc.yaml | 2 +- .../kata-deploy/examples/test-deploy-kata-qemu.yaml | 2 +- .../kata-deploy/examples/test-deploy-kata-stratovirt.yaml | 2 +- 21 files changed, 28 insertions(+), 43 deletions(-) diff --git a/tests/integration/kubernetes/k8s-memory.bats b/tests/integration/kubernetes/k8s-memory.bats index 2ad0b4f5ab..e4267033aa 100644 --- a/tests/integration/kubernetes/k8s-memory.bats +++ b/tests/integration/kubernetes/k8s-memory.bats @@ -23,6 +23,9 @@ setup_yaml() { @test "Exceeding memory constraints" { + # pod-memory-limit.yaml has a fixed 700Mi request. Rendering a lower + # limit makes the pod invalid, so the Kubernetes API rejects it before + # the stress workload can start. memory_limit_size="50Mi" allocated_size="250M" 
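Review bot: In k8s-memory.bats, the new comment on "Exceeding memory constraints" says the 50Mi pod is rejected by the Kubernetes API before the stress workload starts, so this case checks API validation against the fixed 700Mi request and `allocated_size="250M"` is never exercised. Nothing here then verifies that the guest actually enforces a memory limit, which is what the test name implies. I would state that in the comment, e.g. `# NOTE: API-server validation only; allocated_size is never reached, so in-guest limit enforcement is not covered here.`, and consider a follow-up case whose limit is at or above the request while the allocation exceeds it. The test body continues outside the hunk, so what it asserts is inferred from the comment.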
@@ -41,6 +44,8 @@ setup_yaml() { } @test "Running within memory constraints" { + # Render a limit above the fixed 700Mi request. Kubernetes accepts the + # pod, and the workload allocates less than the configured request/limit. memory_limit_size="800Mi" allocated_size="150M" diff --git a/tests/integration/kubernetes/runtimeclass_workloads/inotify-configmap-pod.yaml b/tests/integration/kubernetes/runtimeclass_workloads/inotify-configmap-pod.yaml index 2e23864bf0..d53b6c5b2e 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/inotify-configmap-pod.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/inotify-configmap-pod.yaml @@ -15,8 +15,6 @@ spec: command: ["bash"] args: ["-c", "inotifywait --timeout 120 -r /config/ && [[ -L /config/config.toml ]] && echo success" ] resources: - requests: - memory: 50Mi limits: memory: 1024Mi volumeMounts: diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml index dd2a334e8e..957465fcfe 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-layered-sc-deployment.yaml @@ -33,8 +33,8 @@ spec: securityContext: runAsUser: 3000 resources: - requests: - cpu: 100m - memory: 100Mi + limits: + cpu: 500m + memory: 800Mi ports: - containerPort: 6379 diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml index 1059158b7d..d142634d92 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-deployment.yaml 
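Review bot: In k8s-layered-sc-deployment.yaml the new `limits:` block has no matching `requests:`, so Kubernetes copies the limits into the requests and each pod now reserves 500m CPU and 800Mi from the scheduler instead of the former 100m/100Mi. On small CI nodes that can leave replicas Pending, which would surface as a wait timeout and not as an obvious resource error. A comment above the block would record the intent, e.g. `# Limits only: Kata sizes the sandbox from these; Kubernetes defaults requests to the same values.` The same applies to the identical hunks in k8s-pod-sc-deployment.yaml, k8s-pod-sc-nobodyupdate-deployment.yaml, k8s-pod-sc-supplementalgroups-deployment.yaml and k8s-policy-deployment.yaml.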
@@ -31,8 +31,8 @@ spec: - name: master image: quay.io/kata-containers/test-images/opstree/redis:sha256-2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48 resources: - requests: - cpu: 100m - memory: 100Mi + limits: + cpu: 500m + memory: 800Mi ports: - containerPort: 6379 diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml index 16c86f12ca..12f99015e8 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-nobodyupdate-deployment.yaml @@ -30,8 +30,8 @@ spec: - name: master image: quay.io/kata-containers/test-images/opstree/redis:sha256-2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48 resources: - requests: - cpu: 100m - memory: 100Mi + limits: + cpu: 500m + memory: 800Mi ports: - containerPort: 6379 diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-supplementalgroups-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-supplementalgroups-deployment.yaml index 8ce80fc363..a4949f9b35 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-supplementalgroups-deployment.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-pod-sc-supplementalgroups-deployment.yaml @@ -35,8 +35,8 @@ spec: - name: master image: quay.io/kata-containers/test-images/opstree/redis:sha256-2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48 resources: - requests: - cpu: 100m - memory: 100Mi + limits: + cpu: 500m + memory: 800Mi ports: - containerPort: 6379 diff --git a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml index 4bef33486c..739bf74eec 100644 
--- a/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/k8s-policy-deployment.yaml @@ -30,8 +30,8 @@ spec: - name: master image: quay.io/kata-containers/test-images/opstree/redis:sha256-2642c7b07713df6897fa88cbe6db85170690cf3650018ceb2ab16cfa0b4f8d48 resources: - requests: - cpu: 100m - memory: 100Mi + limits: + cpu: 500m + memory: 800Mi ports: - containerPort: 6379 diff --git a/tests/integration/kubernetes/runtimeclass_workloads/limit-range.yaml b/tests/integration/kubernetes/runtimeclass_workloads/limit-range.yaml index 8f774a2774..24b33ecb77 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/limit-range.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/limit-range.yaml @@ -10,7 +10,5 @@ metadata: spec: limits: - default: - cpu: 1 - defaultRequest: cpu: 0.5 type: Container diff --git a/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-gpu-test.yaml.in b/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-gpu-test.yaml.in index 7167fa271c..cc0dcdcfed 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-gpu-test.yaml.in +++ b/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-gpu-test.yaml.in @@ -15,9 +15,6 @@ spec: - name: numa-check image: "quay.io/kata-containers/numa:2026-05-15@sha256:a863fcf95fcbbf63352b0555a61a62537f74399dc4bca826a2e42d001e26accb" resources: - requests: - cpu: "1" - memory: "1Gi" limits: cpu: "${NUMA_TEST_VCPUS}" memory: "${NUMA_TEST_MEMORY}" diff --git a/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-test.yaml.in b/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-test.yaml.in index 731e75a32d..0251c536b6 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-test.yaml.in +++ b/tests/integration/kubernetes/runtimeclass_workloads/numa-topology-test.yaml.in 
@@ -15,9 +15,6 @@ spec: - name: numa-check image: "quay.io/kata-containers/numa:2026-05-15@sha256:a863fcf95fcbbf63352b0555a61a62537f74399dc4bca826a2e42d001e26accb" resources: - requests: - cpu: "1" - memory: "1Gi" limits: cpu: "${NUMA_TEST_VCPUS}" memory: "${NUMA_TEST_MEMORY}" diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-burstable.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-burstable.yaml index 0bd6616781..231fb338c9 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-burstable.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-burstable.yaml @@ -16,5 +16,3 @@ spec: resources: limits: memory: "800Mi" - requests: - memory: "600Mi" diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-guaranteed.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-guaranteed.yaml index 981210229d..374521fb22 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-guaranteed.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-guaranteed.yaml @@ -17,6 +17,3 @@ spec: limits: memory: "600Mi" cpu: "700m" - requests: - memory: "600Mi" - cpu: "700m" diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-hugepage.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-hugepage.yaml index 8156f7bcbb..cb05b78783 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-hugepage.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-hugepage.yaml @@ -21,9 +21,6 @@ spec: limits: hugepages-${hugepages_size}: 512Mi memory: 512Mi - requests: - hugepages-${hugepages_size}: 512Mi - memory: 512Mi volumes: - name: hugepage emptyDir: diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-memory-limit.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-memory-limit.yaml index a8b17655a0..a78560e32d 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-memory-limit.yaml 
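Review bot: After the `requests:` removal in pod-burstable.yaml and pod-guaranteed.yaml, the QoS class these fixtures are named for is no longer stated in the manifest and depends on API-server defaulting. In pod-burstable.yaml the container keeps only `memory: "800Mi"` under `limits:`, so it would stay Burstable only because no cpu limit is set. In pod-guaranteed.yaml the class holds because the omitted requests default to the limits. Adding `# Burstable: memory limit only, no cpu; the request defaults to the limit.` and `# Guaranteed: requests are omitted and default to these limits.` next to the respective `limits:` keys would keep a later edit from silently changing the class. Only the resources block of one container is visible in each hunk, so the effect on the whole pod is inferred.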
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-memory-limit.yaml @@ -16,6 +16,8 @@ spec: resources: limits: memory: "${memory_size}" + # k8s-memory.bats renders different limits against this fixed request: + # lower values must be rejected, valid higher values should be accepted. requests: memory: "700Mi" command: ["stress"] diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-oom.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-oom.yaml index c0316616f7..ffdd12341d 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/pod-oom.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-oom.yaml @@ -20,8 +20,6 @@ spec: resources: limits: memory: 400Mi - requests: - memory: 400Mi - image: quay.io/kata-containers/sysbench-kata:latest imagePullPolicy: IfNotPresent name: not-oom @@ -30,5 +28,3 @@ spec: resources: limits: memory: 500Mi - requests: - memory: 500Mi diff --git a/tests/integration/kubernetes/runtimeclass_workloads/redis-master-deployment.yaml b/tests/integration/kubernetes/runtimeclass_workloads/redis-master-deployment.yaml index 218bc40719..acdf946d34 100644 --- a/tests/integration/kubernetes/runtimeclass_workloads/redis-master-deployment.yaml +++ b/tests/integration/kubernetes/runtimeclass_workloads/redis-master-deployment.yaml @@ -28,7 +28,7 @@ spec: - name: master image: quay.io/libpod/redis resources: - requests: + limits: cpu: 100m memory: 100Mi ports: diff --git a/tools/packaging/kata-deploy/examples/test-deploy-kata-clh.yaml b/tools/packaging/kata-deploy/examples/test-deploy-kata-clh.yaml index e942fa90d9..3e886a8142 100644 --- a/tools/packaging/kata-deploy/examples/test-deploy-kata-clh.yaml +++ b/tools/packaging/kata-deploy/examples/test-deploy-kata-clh.yaml @@ -23,7 +23,7 @@ spec: - containerPort: 80 protocol: TCP resources: - requests: + limits: cpu: 200m restartPolicy: Always --- 
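Review bot: In redis-master-deployment.yaml the rename to `limits:` keeps `cpu: 100m` and `memory: 100Mi`, which are now hard limits, although the commit message calls these same values too constrained for the policy deployments once they became real limits. If this fixture also runs on the CoCo/runtime-rs CI targets, it may be throttled or OOM-killed. Either raise the values in line with the other redis fixtures or add a comment such as `# 100m/100Mi is sufficient here: <reason>` so the difference is deliberate. Separately, the context line `image: quay.io/libpod/redis` carries no tag or digest, unlike the digest-pinned redis image in the sibling fixtures of this patch.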
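Review bot: In test-deploy-kata-clh.yaml the converted block sets only `limits: cpu: 200m`, so the example still declares no memory limit and sandbox memory presumably falls back to the runtime's configured default. These manifests are examples that users copy, and the commit's stated aim is for declared resources to match what Kata provisions. Adding a `memory:` entry under `limits:` would make the example complete and bound the workload's memory on the node. The same applies to the dragonball, fc, qemu and stratovirt examples later in the patch.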
diff --git a/tools/packaging/kata-deploy/examples/test-deploy-kata-dragonball.yaml b/tools/packaging/kata-deploy/examples/test-deploy-kata-dragonball.yaml index 64ab68c52b..6f1502242d 100644 --- a/tools/packaging/kata-deploy/examples/test-deploy-kata-dragonball.yaml +++ b/tools/packaging/kata-deploy/examples/test-deploy-kata-dragonball.yaml @@ -23,7 +23,7 @@ spec: - containerPort: 80 protocol: TCP resources: - requests: + limits: cpu: 200m restartPolicy: Always --- diff --git a/tools/packaging/kata-deploy/examples/test-deploy-kata-fc.yaml b/tools/packaging/kata-deploy/examples/test-deploy-kata-fc.yaml index 0386bf2adb..b727ccedf1 100644 --- a/tools/packaging/kata-deploy/examples/test-deploy-kata-fc.yaml +++ b/tools/packaging/kata-deploy/examples/test-deploy-kata-fc.yaml @@ -23,7 +23,7 @@ spec: - containerPort: 80 protocol: TCP resources: - requests: + limits: cpu: 200m restartPolicy: Always --- diff --git a/tools/packaging/kata-deploy/examples/test-deploy-kata-qemu.yaml b/tools/packaging/kata-deploy/examples/test-deploy-kata-qemu.yaml index 7a8444503d..1d6e70bc98 100644 --- a/tools/packaging/kata-deploy/examples/test-deploy-kata-qemu.yaml +++ b/tools/packaging/kata-deploy/examples/test-deploy-kata-qemu.yaml @@ -23,7 +23,7 @@ spec: - containerPort: 8080 protocol: TCP resources: - requests: + limits: cpu: 200m restartPolicy: Always --- diff --git a/tools/packaging/kata-deploy/examples/test-deploy-kata-stratovirt.yaml b/tools/packaging/kata-deploy/examples/test-deploy-kata-stratovirt.yaml index dcb3517ce1..cf72e5dcd8 100644 --- a/tools/packaging/kata-deploy/examples/test-deploy-kata-stratovirt.yaml +++ b/tools/packaging/kata-deploy/examples/test-deploy-kata-stratovirt.yaml @@ -23,7 +23,7 @@ spec: - containerPort: 80 protocol: TCP resources: - requests: + limits: cpu: 200m restartPolicy: Always ---