diff --git a/tests/integration/kubernetes/k8s-policy-hard-coded.bats b/tests/integration/kubernetes/k8s-policy-hard-coded.bats
index 773ec60fe8..56e85de95f 100644
--- a/tests/integration/kubernetes/k8s-policy-hard-coded.bats
+++ b/tests/integration/kubernetes/k8s-policy-hard-coded.bats
@@ -18,9 +18,9 @@ setup() {
 @test "Kubectl exec rejected by policy" {
 # Add to the YAML file a policy that rejects ExecProcessRequest.
- allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego")
+ allow_all_except_exec_policy=$(encode_policy_in_init_data "${pod_config_dir}/allow-all-except-exec-process.rego")
 yq -i \
- ".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${allow_all_except_exec_policy}\"" \
+ ".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${allow_all_except_exec_policy}\"" \
 "${pod_yaml}"
 # Create the pod
@@ -45,10 +45,9 @@ setup() {
 # Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality
 # of a pod is important. However, this policy could be useful while debugging a pod.
 policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true")
- policy_base64=$(echo "${policy_text}" | base64 -w 0 -)
-
+ policy_base64=$(encode_policy_in_init_data "$policy_text")
 yq -i \
- ".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${policy_base64}\"" \
+ ".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${policy_base64}\"" \
 "${pod_yaml}"
 # Create the pod
diff --git a/tests/integration/kubernetes/k8s-policy-pod.bats b/tests/integration/kubernetes/k8s-policy-pod.bats
index b0c38bcd54..e4a9f3ee91 100644
--- a/tests/integration/kubernetes/k8s-policy-pod.bats
+++ b/tests/integration/kubernetes/k8s-policy-pod.bats
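Review bot: The helper's output is spliced into the yq expression as a shell-interpolated string literal (`\"${allow_all_except_exec_policy}\"`), which the replaced `base64 -w 0` made safe because its output never contains `"`, `\` or `$`; whether `encode_policy_in_init_data` keeps that guarantee cannot be seen here, since its body is cut off at the end of this page. If it emits anything outside the base64 alphabet, a quote or backslash in the value breaks the expression or produces a malformed annotation. Passing the value through the environment avoids the question entirely, e.g. `POLICY_ANNOTATION="${allow_all_except_exec_policy}" yq -i '.metadata.annotations."io.katacontainers.config.hypervisor.cc_init_data" = strenv(POLICY_ANNOTATION)' "${pod_yaml}"` (assuming mikefarah yq v4, where `strenv` is available). The same applies to the `policy_base64` assignment in the second hunk of this file.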
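Review bot: `encode_policy_in_init_data "$policy_text"` depends on the helper's `[[ -f "$input" ]]` branch (defined in tests_common.sh further down this page) to treat the argument as literal policy text, so the helper decides by probing the filesystem and an argument that happens to name an existing file is read as a path instead. For this fixture that is unlikely, but a dual-mode argument hides the caller's intent from the reader. Consider making the mode explicit at the call site, e.g. `policy_base64=$(encode_policy_in_init_data --text "$policy_text")` with a matching branch in the helper, or one helper per input kind.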
@@ -211,7 +211,7 @@ test_pod_policy_error() {
 "--runtime-class-names=other-${runtime_class_name}"
 # Check that the pod yaml does not contain a policy annotation.
- run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}"
+ run ! grep -q "io.katacontainers.config.hypervisor.cc_init_data" "${testcase_pre_generate_pod_yaml}"
 }
 @test "ExecProcessRequest tests" {
diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh
index 473358a579..48ece4e583 100644
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -34,9 +34,7 @@ export dragonball_limitations="https://github.com/kata-containers/kata-container
 # overwrite it.
 export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}"
-# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
 K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}"
-ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
 AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-}"
 GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-}"
@@ -294,6 +292,31 @@ hard_coded_policy_tests_enabled() {
 [[ "${enabled}" == "yes" ]]
 }
+encode_policy_in_init_data() {
+ local input="$1" # either a filename or a policy
+ local POLICY
+ # if input is a file, read its contents
+ if [[ -f "$input" ]]; then
+ POLICY="$(< "$input")"
+ else
+ POLICY="$input"
+ fi
+ cat <
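Review bot: The assertion now only checks that the `cc_init_data` annotation is absent, while the context comment above it still says the YAML must not contain "a policy annotation"; if the generator under test can still emit the older `io.katacontainers.config.agent.policy` annotation, this negative test would no longer catch it. Checking both names keeps the test aligned with its comment: `run ! grep -q -e "io.katacontainers.config.agent.policy" -e "io.katacontainers.config.hypervisor.cc_init_data" "${testcase_pre_generate_pod_yaml}"`. test_pod_policy_error's body starts outside the hunk.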