ci: Add test case for iptables, exercised via istio init container

Introduce new test case in k8s-iptables.bats which verifies that workloads can configure iptables in the UVM. Users discovered that they weren't able to do this for common usecases such as istio. Proper support for this should be built into UVM kernels. This test ensures that current and future kernel configurations don't regress this functionality. Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-09-08 12:18:57 +00:00 · 2025-08-18 22:51:12 +00:00
parent d16026f7b9
commit bdd98ec623
3 changed files with 87 additions and 0 deletions
--- a/tests/integration/kubernetes/k8s-ip6tables.bats
+++ b/tests/integration/kubernetes/k8s-ip6tables.bats
@@ -0,0 +1,47 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2025 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+
+load "${BATS_TEST_DIRNAME}/lib.sh"
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+	[ "$(uname -m)" == "ppc64le" ] && skip "ip6tables tests for ppc64le"
+
+	setup_common
+	pod_name="pod-istio"
+	get_pod_config_dir
+
+	yaml_file="${pod_config_dir}/pod-istio.yaml"
+	policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
+	add_requests_to_policy_settings "${policy_settings_dir}" "ReadStreamRequest"
+	auto_generate_policy "${policy_settings_dir}" "${yaml_file}"
+}
+
+@test "Pod that performs ip6tables setup" {
+	kubectl apply -f "${yaml_file}"
+
+	# Check pod completion
+	kubectl wait --for=jsonpath="status.containerStatuses[0].state.terminated.reason"=Completed --timeout=$timeout pod "$pod_name"
+
+	# Verify that the job is completed
+	cmd="kubectl get pods -o jsonpath='{.items[*].status.phase}' | grep Succeeded"
+	waitForProcess "$wait_time" "$sleep_time" "$cmd"
+
+	# Verify the output of the pod
+	success_criterion="COMMIT"
+	kubectl logs "$pod_name" | grep "$success_criterion"
+}
+
+teardown() {
+	[ "$(uname -m)" == "ppc64le" ] && skip "ip6tables tests for ppc64le"
+	
+	# Debugging information
+	kubectl logs "$pod_name"
+
+	delete_tmp_policy_settings_dir "${policy_settings_dir}"
+	teardown_common "${node}" "${node_start_time:-}"
+}
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -61,6 +61,7 @@ else
 		"k8s-file-volume.bats" \
 		"k8s-hostname.bats" \
 		"k8s-inotify.bats" \
+		"k8s-ip6tables.bats" \
 		"k8s-job.bats" \
 		"k8s-kill-all-process-in-container.bats" \
 		"k8s-limit-range.bats" \
--- a/tests/integration/kubernetes/runtimeclass_workloads/pod-istio.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-istio.yaml
@@ -0,0 +1,39 @@
+#
+# Copyright (c) 2025 Microsoft Corporation
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: pod-istio
+spec:
+  restartPolicy: Never
+  containers:
+    - name: test-container
+      image: quay.io/kata-containers/istio/proxyv2:1.26.3
+      args:
+        - istio-iptables
+        - -p
+        - "15001"
+        - -z
+        - "15006"
+        - -u
+        - "1337"
+        - -m
+        - REDIRECT
+        - -i
+        - "*"
+        - -x
+        - ""
+        - -b
+        - "*"
+        - -d
+        - "15090,15021,15020"
+        - --log_output_level=default:info
+      securityContext:
+        capabilities:
+          add: ["NET_ADMIN", "NET_RAW"]
+          drop: ["ALL"]
+  runtimeClassName: kata
+