tests: set identity for guest-pull pods

Use the new helpers when guest-pull tests generate pods under
automatic policy generation.

Populate the securityContext values that matter for these images:
supplemental groups are set explicitly, while root UID and GID
defaults are left omitted.

This keeps runtime requests aligned with the generated policy
without requiring default-zero identity fields.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Assisted-by: OpenAI Codex <codex@openai.com>
This commit is contained in:
Manuel Huber
2026-06-02 22:16:31 +00:00
parent 6c38a86146
commit bfd6485346
5 changed files with 58 additions and 17 deletions

View File

@@ -22,6 +22,7 @@ setup() {
setup_common || die "setup_common failed"
AUTHENTICATED_IMAGE="${AUTHENTICATED_IMAGE:-quay.io/kata-containers/confidential-containers-auth:test}"
authenticated_image_supplemental_groups="10"
AUTHENTICATED_IMAGE_USER=${AUTHENTICATED_IMAGE_USER:-}
AUTHENTICATED_IMAGE_PASSWORD=${AUTHENTICATED_IMAGE_PASSWORD:-}
CREDENTIALS_KBS_URI="kbs:///default/credentials/test"
@@ -90,7 +91,8 @@ EOF
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD}
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node"
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" \
"" "" "${authenticated_image_supplemental_groups}"
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
@@ -105,7 +107,8 @@ EOF
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk"
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node"
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" \
"" "" "${authenticated_image_supplemental_groups}"
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
@@ -119,7 +122,8 @@ EOF
@test "Test that creating a container from an authenticated image, with no credentials fails" {
# Create pod config, but don't add agent.image_registry_auth annotation
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node"
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node" \
"" "" "${authenticated_image_supplemental_groups}"
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
@@ -136,7 +140,8 @@ EOF
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD}
initdata=$(get_initdata_with_auth_registry_config)
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${authenticated_image_supplemental_groups}"
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
@@ -153,7 +158,8 @@ EOF
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk"
initdata=$(get_initdata_with_auth_registry_config)
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${authenticated_image_supplemental_groups}"
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
@@ -169,7 +175,8 @@ EOF
# Create pod config, but don't add image_registry_auth to initdata
initdata=$(get_initdata_with_cdh_image_section "")
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${authenticated_image_supplemental_groups}"
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"

View File

@@ -26,6 +26,7 @@ setup() {
UNSIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:unsigned"
COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed"
COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed-key2"
test_image_supplemental_groups="10"
SECURITY_POLICY_KBS_URI="kbs:///default/security-policy/test"
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
}
@@ -88,7 +89,8 @@ EOF
# We want to set the default policy to be reject to rule out false positives
setup_kbs_image_policy "reject"
create_coco_pod_yaml "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
create_coco_pod_yaml "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -102,7 +104,8 @@ EOF
# We want to leave the default policy to be insecureAcceptAnything to rule out false negatives
setup_kbs_image_policy
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -116,7 +119,8 @@ EOF
# We want to set the default policy to be reject to rule out false positives
setup_kbs_image_policy "reject"
create_coco_pod_yaml "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
create_coco_pod_yaml "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -130,7 +134,8 @@ EOF
# We want to leave the default policy to be insecureAcceptAnything to rule out false negatives
setup_kbs_image_policy
create_coco_pod_yaml "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
create_coco_pod_yaml "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -144,7 +149,8 @@ EOF
# We want to set the default policy to be reject to rule out false positives
setup_kbs_image_policy "reject"
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "" "resource" "$node"
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "" "resource" "$node" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -161,7 +167,8 @@ EOF
setup_kbs_image_policy "reject"
initdata=$(get_initdata_with_security_policy)
create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -178,7 +185,8 @@ EOF
setup_kbs_image_policy
initdata=$(get_initdata_with_security_policy)
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -195,7 +203,8 @@ EOF
setup_kbs_image_policy "reject"
initdata=$(get_initdata_with_security_policy)
create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -212,7 +221,8 @@ EOF
setup_kbs_image_policy
initdata=$(get_initdata_with_security_policy)
create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}"
create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake
@@ -228,7 +238,8 @@ EOF
# We want to set the default policy to be reject to rule out false positives
setup_kbs_image_policy "reject"
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}"
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}" \
"" "" "${test_image_supplemental_groups}"
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
# For debug sake

View File

@@ -24,6 +24,12 @@ setup() {
unencrypted_image="quay.io/prometheus/busybox:latest"
image_pulled_time_less_than_default_time="ghcr.io/confidential-containers/test-container:rust-1.79.0" # unpacked size: 1.41GB
large_image="quay.io/confidential-containers/test-images:largeimage" # unpacked size: 2.15GB
unencrypted_image_supplemental_groups=""
large_image_supplemental_groups=""
if auto_generate_policy_enabled; then
unencrypted_image_supplemental_groups="10"
large_image_supplemental_groups="1, 2, 3, 4, 6, 10, 11, 20, 26, 27"
fi
pod_config_template="${pod_config_dir}/pod-guest-pull-in-trusted-storage.yaml.in"
storage_config_template="${pod_config_dir}/confidential/trusted-storage.yaml.in"
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
@@ -49,7 +55,8 @@ setup() {
kubectl delete -f "$runc_pod_config"
# 2. Create one kata pod with the $unencrypted_image image and nydus annotation
kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image" "kata-${KATA_HYPERVISOR}")"
kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image" "kata-${KATA_HYPERVISOR}" \
"" "" "$unencrypted_image_supplemental_groups")"
set_node "$kata_pod_with_nydus_config" "$node"
set_container_command "$kata_pod_with_nydus_config" "0" "sleep" "30"
@@ -162,6 +169,8 @@ setup() {
pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXXXXX.yaml")
IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config"
! auto_generate_policy_enabled || set_pod_spec_security_context "$pod_config" ".spec" \
"" "" "$large_image_supplemental_groups"
# Set a short CreateContainerRequest timeout in the annotation to fail to pull image in guest
create_container_timeout=10
@@ -218,6 +227,8 @@ setup() {
pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXXXXX.yaml")
IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config"
! auto_generate_policy_enabled || set_pod_spec_security_context "$pod_config" ".spec" \
"" "" "$large_image_supplemental_groups"
# Set CreateContainerRequest timeout in the annotation to pull large image in guest
# Bare-metal CI runners' kubelets are configured with an equivalent runtimeRequestTimeout of 600s

View File

@@ -80,6 +80,7 @@ replace_prometheus_image() {
yq -i \
'.spec.containers[0].image = "quay.io/prometheus/busybox:latest"' \
"${correct_pod_yaml}"
set_pod_spec_security_context "${correct_pod_yaml}" ".spec" "" "" "10"
}
wait_for_pod_ready() {

View File

@@ -738,6 +738,17 @@ set_nginx_image() {
nginx_image="${nginx_registry}@${nginx_digest}"
NGINX_IMAGE="${nginx_image}" envsubst < "${input_yaml}" > "${output_yaml}"
auto_generate_policy_enabled || return 0
case "$(yq -r 'select(documentIndex == 0) | .kind' "${output_yaml}")" in
Pod)
set_pod_spec_security_context "${output_yaml}" ".spec" "" "" "1, 2, 3, 4, 6, 10, 11, 20, 26, 27"
;;
Deployment|ReplicationController)
set_pod_spec_security_context "${output_yaml}" ".spec.template.spec" "" "" "1, 2, 3, 4, 6, 10, 11, 20, 26, 27"
;;
esac
}
print_node_journal_since_test_start() {