github/kata-containers
1
0
Fork 2
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-09-17 23:07:55 +00:00
Code Issues Projects Releases Wiki Activity

tests: update tests that manually set policy

Browse Source 
Use new initdata annotation instead

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
This commit is contained in:
Saul Paredes
2025-08-27 16:29:33 -07:00
parent 2d8c3206c7
commit b5352af1ee
3 changed files with 32 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
tests/integration/kubernetes/k8s-policy-hard-coded.bats
View File

@@ -18,9 +18,9 @@ setup() {
@test "Kubectl exec rejected by policy" { @test "Kubectl exec rejected by policy" {
# Add to the YAML file a policy that rejects ExecProcessRequest. # Add to the YAML file a policy that rejects ExecProcessRequest.
allow_all_except_exec_policy=$(base64 -w 0 "${pod_config_dir}/allow-all-except-exec-process.rego") allow_all_except_exec_policy=$(encode_policy_in_init_data "${pod_config_dir}/allow-all-except-exec-process.rego")
yq -i \ yq -i \
".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${allow_all_except_exec_policy}\"" \ ".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${allow_all_except_exec_policy}\"" \
"${pod_yaml}" "${pod_yaml}"
# Create the pod # Create the pod
@@ -45,10 +45,9 @@ setup() {
# Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality # Warning: this is an insecure policy that shouldn't be used when protecting the confidentiality
# of a pod is important. However, this policy could be useful while debugging a pod. # of a pod is important. However, this policy could be useful while debugging a pod.
policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true") policy_text=$(printf "package agent_policy\ndefault AllowRequestsFailingPolicy := true")
policy_base64=$(echo "${policy_text}" | base64 -w 0 -) policy_base64=$(encode_policy_in_init_data "$policy_text")
yq -i \ yq -i \
".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${policy_base64}\"" \ ".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${policy_base64}\"" \
"${pod_yaml}" "${pod_yaml}"
# Create the pod # Create the pod

2
tests/integration/kubernetes/k8s-policy-pod.bats
View File

@@ -211,7 +211,7 @@ test_pod_policy_error() {
"--runtime-class-names=other-${runtime_class_name}" "--runtime-class-names=other-${runtime_class_name}"
# Check that the pod yaml does not contain a policy annotation. # Check that the pod yaml does not contain a policy annotation.
run ! grep -q "io.katacontainers.config.agent.policy" "${testcase_pre_generate_pod_yaml}" run ! grep -q "io.katacontainers.config.hypervisor.cc_init_data" "${testcase_pre_generate_pod_yaml}"
} }
@test "ExecProcessRequest tests" { @test "ExecProcessRequest tests" {

32
tests/integration/kubernetes/tests_common.sh
View File

@@ -34,9 +34,7 @@ export dragonball_limitations="https://github.com/kata-containers/kata-container
# overwrite it. # overwrite it.
export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}" export KUBECONFIG="${KUBECONFIG:-${HOME}/.kube/config}"
# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}" K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-}" AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-}"
GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-}" GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-}"
@@ -294,6 +292,31 @@ hard_coded_policy_tests_enabled() {
[[ "${enabled}" == "yes" ]] [[ "${enabled}" == "yes" ]]
} }
encode_policy_in_init_data() {
local input="$1" # either a filename or a policy
local POLICY
# if input is a file, read its contents
if [[ -f "$input" ]]; then
POLICY="$(< "$input")"
else
POLICY="$input"
fi
cat <<EOF | gzip -c | base64
version = "0.1.0"
algorithm = "sha256"
[data]
"policy.rego" = '''
$POLICY
'''
EOF
}
# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(encode_policy_in_init_data "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
add_allow_all_policy_to_yaml() { add_allow_all_policy_to_yaml() {
hard_coded_policy_tests_enabled || return 0 hard_coded_policy_tests_enabled || return 0
@@ -305,18 +328,17 @@ add_allow_all_policy_to_yaml() {
resource_kind=$(yq .kind "${yaml_file}" | head -1) resource_kind=$(yq .kind "${yaml_file}" | head -1)
case "${resource_kind}" in case "${resource_kind}" in
Pod) Pod)
info "Adding allow all policy to ${resource_kind} from ${yaml_file}" info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
yq -i \ yq -i \
".metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${ALLOW_ALL_POLICY}\"" \ ".metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${ALLOW_ALL_POLICY}\"" \
"${yaml_file}" "${yaml_file}"
;; ;;
Deployment|Job|ReplicationController) Deployment|Job|ReplicationController)
info "Adding allow all policy to ${resource_kind} from ${yaml_file}" info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
yq -i \ yq -i \
".spec.template.metadata.annotations.\"io.katacontainers.config.agent.policy\" = \"${ALLOW_ALL_POLICY}\"" \ ".spec.template.metadata.annotations.\"io.katacontainers.config.hypervisor.cc_init_data\" = \"${ALLOW_ALL_POLICY}\"" \
"${yaml_file}" "${yaml_file}"
;; ;;