tests: Mimic node debugger with full privileges

This commit addresses an issue with handling loop devices
via a node debugger due to restricted privileges.
It runs a pod with full privileges, allowing it to mount
the host root to `/host`, similar to the node debugger.
This change enables us to run tests for trusted image storage
using the `qemu-coco-dev` runtime class.

Fixes: #10133

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>

tests/integration/kubernetes/runtimeclass_workloads/custom-node-debugger.yaml

@@ -0,0 +1,37 @@
+#
+# Copyright (c) IBM Corp. 2024
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: custom-node-debugger
+spec:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/hostname
+            operator: In
+            values:
+            - ${NODE_NAME}
+  containers:
+  - name: node-debugger-container
+    image: quay.io/bedrock/ubuntu:latest
+    command: ["/bin/sh", "-c", "sleep infinity"]
+    stdin: true
+    tty: true
+    securityContext:
+      privileged: true
+      runAsUser: 0
+      allowPrivilegeEscalation: true
+    volumeMounts:
+    - name: host-root
+      mountPath: /host
+  volumes:
+  - name: host-root
+    hostPath:
+      path: /
+      type: Directory

tests/integration/kubernetes/tests_common.sh

@@ -104,7 +104,7 @@ exec_host() {
 	local old_debugger_pods=($(kubectl get pods -o name | grep node-debugger))
 
 	# Run a debug pod
-	kubectl debug -q "node/${node}" --image=quay.io/bedrock/ubuntu:latest -- chroot /host bash -c "sleep infinity" >&2
+	NODE_NAME="${node}" envsubst < runtimeclass_workloads/custom-node-debugger.yaml | kubectl apply -f - > /dev/null
 
 	# Identify the new debugger pod
 	local new_debugger_pod=$(get_new_debugger_pod "${old_debugger_pods[@]}")