From bdd98ec623bf03a925f78bce8d64b47c5107cea8 Mon Sep 17 00:00:00 2001
From: Cameron Baird
Date: Mon, 18 Aug 2025 22:51:12 +0000
Subject: [PATCH] ci: Add test case for iptables, exercised via istio init container

Introduce new test case in k8s-iptables.bats which verifies that workloads can configure iptables in the UVM. Users discovered that they weren't able to do this for common usecases such as istio. Proper support for this should be built into UVM kernels. This test ensures that current and future kernel configurations don't regress this functionality.

Signed-off-by: Cameron Baird
---
 .../integration/kubernetes/k8s-ip6tables.bats | 47 +++++++++++++++++++
 .../kubernetes/run_kubernetes_tests.sh | 1 +
 .../runtimeclass_workloads/pod-istio.yaml | 39 +++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 tests/integration/kubernetes/k8s-ip6tables.bats
 create mode 100644 tests/integration/kubernetes/runtimeclass_workloads/pod-istio.yaml

diff --git a/tests/integration/kubernetes/k8s-ip6tables.bats b/tests/integration/kubernetes/k8s-ip6tables.bats
new file mode 100644
index 0000000000..4b9e10a4b8
--- /dev/null
+++ b/tests/integration/kubernetes/k8s-ip6tables.bats
@@ -0,0 +1,47 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2025 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+ [ "$(uname -m)" == "ppc64le" ] && skip "ip6tables tests for ppc64le"
+
+ setup_common
+ pod_name="pod-istio"
+ get_pod_config_dir
+
+ yaml_file="${pod_config_dir}/pod-istio.yaml"
+ policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+ add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+ auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
+}
+
+@test "Pod that performs ip6tables setup" {
+ kubectl apply -f "${yaml_file}"
+
+ # Check pod completion
+ kubectl wait --for=jsonpath="status.containerStatuses[0].state.terminated.reason"=Completed --timeout=$timeout pod "$pod_name"
+
+ # Verify that the job is completed
+ cmd="kubectl get pods -o jsonpath='{.items[*].status.phase}' | grep Succeeded"
+ waitForProcess "$wait_time" "$sleep_time" "$cmd"
+
+ # Verify the output of the pod
+ success_criterion="COMMIT"
+ kubectl logs "$pod_name" | grep "$success_criterion"
+}
+
+teardown() {
+ [ "$(uname -m)" == "ppc64le" ] && skip "ip6tables tests for ppc64le"
+
+ # Debugging information
+ kubectl logs "$pod_name"
+
+ delete_tmp_policy_settings_dir "${policy_settings_dir}"
+ teardown_common "${node}" "${node_start_time:-}"
+}
diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh
index 162bd4808a..aee600c408 100755
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -61,6 +61,7 @@ else
 "k8s-file-volume.bats" \
 "k8s-hostname.bats" \
 "k8s-inotify.bats" \
+ "k8s-ip6tables.bats" \
 "k8s-job.bats" \
 "k8s-kill-all-process-in-container.bats" \
 "k8s-limit-range.bats" \
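Review bot: The completion check `cmd="kubectl get pods -o jsonpath='{.items[*].status.phase}' | grep Succeeded"` reads the phase of every pod in the namespace, so any other pod that has already reached Succeeded satisfies it and a failure of pod-istio can be masked; scope it to the pod under test, `cmd="kubectl get pod \"$pod_name\" -o jsonpath='{.status.phase}' | grep Succeeded"`. The `kubectl wait ... terminated.reason"=Completed` line just above already establishes that the container exited successfully, so once scoped the second check is largely redundant, and `--timeout=$timeout` should be quoted as `--timeout="$timeout"` like every other expansion in the file. The final `grep "$success_criterion"` for `COMMIT` shows that a rule set was emitted to the log; as far as can be told from here, successful application of the rules is implied only by the Completed exit, and a comment making that explicit (`# "COMMIT" in the log shows the ruleset was rendered; a Completed exit shows it applied`) would keep the two assertions from being misread as equivalent. The commit message refers to k8s-iptables.bats and the workload invokes istio-iptables, while the new file and test name say ip6tables; aligning the name or adding a one-line comment on why the ip6 naming was chosen would avoid confusion for whoever next touches the kernel config this test guards.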
diff --git a/tests/integration/kubernetes/runtimeclass_workloads/pod-istio.yaml b/tests/integration/kubernetes/runtimeclass_workloads/pod-istio.yaml
new file mode 100644
index 0000000000..7e3fb7ee06
--- /dev/null
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-istio.yaml
@@ -0,0 +1,39 @@
+#
+# Copyright (c) 2025 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+ name: pod-istio
+spec:
+ restartPolicy: Never
+ containers:
+ - name: test-container
+ image: quay.io/kata-containers/istio/proxyv2:1.26.3
+ args:
+ - istio-iptables
+ - -p
+ - "15001"
+ - -z
+ - "15006"
+ - -u
+ - "1337"
+ - -m
+ - REDIRECT
+ - -i
+ - "*"
+ - -x
+ - ""
+ - -b
+ - "*"
+ - -d
+ - "15090,15021,15020"
+ - --log_output_level=default:info
+ securityContext:
+ capabilities:
+ add: ["NET_ADMIN", "NET_RAW"]
+ drop: ["ALL"]
+ runtimeClassName: kata
+
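Review bot: The image is pinned by tag only at `image: quay.io/kata-containers/istio/proxyv2:1.26.3`, so what this regression test exercises depends on whatever that tag resolves to when CI runs; for a test whose purpose is to catch kernel-configuration regressions, pinning by digest, `image: quay.io/kata-containers/istio/proxyv2:1.26.3@sha256:<IMAGE_DIGEST>` (placeholder — take the digest from the registry), makes a failure attributable to the UVM kernel rather than to an image republish. The `istio-iptables` argument list carries no explanation; a short comment above `args:` stating that it mirrors the istio init-container invocation (which ports are redirected, which UID is exempted, which inbound ports are excluded — as I read the flags, worth confirming against the istio docs) and that the companion .bats test greps the pod log for `COMMIT` would let a maintainer judge whether a flag change is safe. The `capabilities` block adding only `NET_ADMIN`/`NET_RAW` on top of `drop: ["ALL"]` is the right minimum for this workload and is worth keeping as-is if the args are later revised.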