mirror of
https://github.com/kata-containers/kata-containers.git
synced 2026-07-07 02:29:00 +00:00
tests: set identity for guest-pull pods
Use the new helpers when guest-pull tests generate pods under automatic policy generation. Populate the securityContext values that matter for these images: supplemental groups are set explicitly, while root UID and GID defaults are left omitted. This keeps runtime requests aligned with the generated policy without requiring default-zero identity fields. Signed-off-by: Manuel Huber <manuelh@nvidia.com> Assisted-by: OpenAI Codex <codex@openai.com>
This commit is contained in:
@@ -22,6 +22,7 @@ setup() {
|
||||
|
||||
setup_common || die "setup_common failed"
|
||||
AUTHENTICATED_IMAGE="${AUTHENTICATED_IMAGE:-quay.io/kata-containers/confidential-containers-auth:test}"
|
||||
authenticated_image_supplemental_groups="10"
|
||||
AUTHENTICATED_IMAGE_USER=${AUTHENTICATED_IMAGE_USER:-}
|
||||
AUTHENTICATED_IMAGE_PASSWORD=${AUTHENTICATED_IMAGE_PASSWORD:-}
|
||||
CREDENTIALS_KBS_URI="kbs:///default/credentials/test"
|
||||
@@ -90,7 +91,8 @@ EOF
|
||||
|
||||
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD}
|
||||
|
||||
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" \
|
||||
"" "" "${authenticated_image_supplemental_groups}"
|
||||
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
@@ -105,7 +107,8 @@ EOF
|
||||
|
||||
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk"
|
||||
|
||||
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" \
|
||||
"" "" "${authenticated_image_supplemental_groups}"
|
||||
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
@@ -119,7 +122,8 @@ EOF
|
||||
@test "Test that creating a container from an authenticated image, with no credentials fails" {
|
||||
|
||||
# Create pod config, but don't add agent.image_registry_auth annotation
|
||||
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node" \
|
||||
"" "" "${authenticated_image_supplemental_groups}"
|
||||
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
@@ -136,7 +140,8 @@ EOF
|
||||
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD}
|
||||
|
||||
initdata=$(get_initdata_with_auth_registry_config)
|
||||
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${authenticated_image_supplemental_groups}"
|
||||
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
@@ -153,7 +158,8 @@ EOF
|
||||
setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk"
|
||||
|
||||
initdata=$(get_initdata_with_auth_registry_config)
|
||||
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${authenticated_image_supplemental_groups}"
|
||||
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
@@ -169,7 +175,8 @@ EOF
|
||||
|
||||
# Create pod config, but don't add image_registry_auth to initdata
|
||||
initdata=$(get_initdata_with_cdh_image_section "")
|
||||
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${authenticated_image_supplemental_groups}"
|
||||
yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
|
||||
@@ -26,6 +26,7 @@ setup() {
|
||||
UNSIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:unsigned"
|
||||
COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed"
|
||||
COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed-key2"
|
||||
test_image_supplemental_groups="10"
|
||||
SECURITY_POLICY_KBS_URI="kbs:///default/security-policy/test"
|
||||
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
||||
}
|
||||
@@ -88,7 +89,8 @@ EOF
|
||||
# We want to set the default policy to be reject to rule out false positives
|
||||
setup_kbs_image_policy "reject"
|
||||
|
||||
create_coco_pod_yaml "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -102,7 +104,8 @@ EOF
|
||||
# We want to leave the default policy to be insecureAcceptAnything to rule out false negatives
|
||||
setup_kbs_image_policy
|
||||
|
||||
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -116,7 +119,8 @@ EOF
|
||||
# We want to set the default policy to be reject to rule out false positives
|
||||
setup_kbs_image_policy "reject"
|
||||
|
||||
create_coco_pod_yaml "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -130,7 +134,8 @@ EOF
|
||||
# We want to leave the default policy to be insecureAcceptAnything to rule out false negatives
|
||||
setup_kbs_image_policy
|
||||
|
||||
create_coco_pod_yaml "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -144,7 +149,8 @@ EOF
|
||||
# We want to set the default policy to be reject to rule out false positives
|
||||
setup_kbs_image_policy "reject"
|
||||
|
||||
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "" "resource" "$node"
|
||||
create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "" "resource" "$node" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -161,7 +167,8 @@ EOF
|
||||
setup_kbs_image_policy "reject"
|
||||
|
||||
initdata=$(get_initdata_with_security_policy)
|
||||
create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -178,7 +185,8 @@ EOF
|
||||
setup_kbs_image_policy
|
||||
|
||||
initdata=$(get_initdata_with_security_policy)
|
||||
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -195,7 +203,8 @@ EOF
|
||||
setup_kbs_image_policy "reject"
|
||||
|
||||
initdata=$(get_initdata_with_security_policy)
|
||||
create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -212,7 +221,8 @@ EOF
|
||||
setup_kbs_image_policy
|
||||
|
||||
initdata=$(get_initdata_with_security_policy)
|
||||
create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
@@ -228,7 +238,8 @@ EOF
|
||||
# We want to set the default policy to be reject to rule out false positives
|
||||
setup_kbs_image_policy "reject"
|
||||
|
||||
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}"
|
||||
create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}" \
|
||||
"" "" "${test_image_supplemental_groups}"
|
||||
auto_generate_policy "${policy_settings_dir}" "${kata_pod}"
|
||||
|
||||
# For debug sake
|
||||
|
||||
@@ -24,6 +24,12 @@ setup() {
|
||||
unencrypted_image="quay.io/prometheus/busybox:latest"
|
||||
image_pulled_time_less_than_default_time="ghcr.io/confidential-containers/test-container:rust-1.79.0" # unpacked size: 1.41GB
|
||||
large_image="quay.io/confidential-containers/test-images:largeimage" # unpacked size: 2.15GB
|
||||
unencrypted_image_supplemental_groups=""
|
||||
large_image_supplemental_groups=""
|
||||
if auto_generate_policy_enabled; then
|
||||
unencrypted_image_supplemental_groups="10"
|
||||
large_image_supplemental_groups="1, 2, 3, 4, 6, 10, 11, 20, 26, 27"
|
||||
fi
|
||||
pod_config_template="${pod_config_dir}/pod-guest-pull-in-trusted-storage.yaml.in"
|
||||
storage_config_template="${pod_config_dir}/confidential/trusted-storage.yaml.in"
|
||||
policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")"
|
||||
@@ -49,7 +55,8 @@ setup() {
|
||||
kubectl delete -f "$runc_pod_config"
|
||||
|
||||
# 2. Create one kata pod with the $unencrypted_image image and nydus annotation
|
||||
kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image" "kata-${KATA_HYPERVISOR}")"
|
||||
kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image" "kata-${KATA_HYPERVISOR}" \
|
||||
"" "" "$unencrypted_image_supplemental_groups")"
|
||||
set_node "$kata_pod_with_nydus_config" "$node"
|
||||
set_container_command "$kata_pod_with_nydus_config" "0" "sleep" "30"
|
||||
|
||||
@@ -162,6 +169,8 @@ setup() {
|
||||
|
||||
pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXXXXX.yaml")
|
||||
IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config"
|
||||
! auto_generate_policy_enabled || set_pod_spec_security_context "$pod_config" ".spec" \
|
||||
"" "" "$large_image_supplemental_groups"
|
||||
|
||||
# Set a short CreateContainerRequest timeout in the annotation to fail to pull image in guest
|
||||
create_container_timeout=10
|
||||
@@ -218,6 +227,8 @@ setup() {
|
||||
|
||||
pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXXXXX.yaml")
|
||||
IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config"
|
||||
! auto_generate_policy_enabled || set_pod_spec_security_context "$pod_config" ".spec" \
|
||||
"" "" "$large_image_supplemental_groups"
|
||||
|
||||
# Set CreateContainerRequest timeout in the annotation to pull large image in guest
|
||||
# Bare-metal CI runners' kubelets are configured with an equivalent runtimeRequestTimeout of 600s
|
||||
|
||||
@@ -80,6 +80,7 @@ replace_prometheus_image() {
|
||||
yq -i \
|
||||
'.spec.containers[0].image = "quay.io/prometheus/busybox:latest"' \
|
||||
"${correct_pod_yaml}"
|
||||
set_pod_spec_security_context "${correct_pod_yaml}" ".spec" "" "" "10"
|
||||
}
|
||||
|
||||
wait_for_pod_ready() {
|
||||
|
||||
@@ -738,6 +738,17 @@ set_nginx_image() {
|
||||
nginx_image="${nginx_registry}@${nginx_digest}"
|
||||
|
||||
NGINX_IMAGE="${nginx_image}" envsubst < "${input_yaml}" > "${output_yaml}"
|
||||
|
||||
auto_generate_policy_enabled || return 0
|
||||
|
||||
case "$(yq -r 'select(documentIndex == 0) | .kind' "${output_yaml}")" in
|
||||
Pod)
|
||||
set_pod_spec_security_context "${output_yaml}" ".spec" "" "" "1, 2, 3, 4, 6, 10, 11, 20, 26, 27"
|
||||
;;
|
||||
Deployment|ReplicationController)
|
||||
set_pod_spec_security_context "${output_yaml}" ".spec.template.spec" "" "" "1, 2, 3, 4, 6, 10, 11, 20, 26, 27"
|
||||
;;
|
||||
esac
|
||||
}
|
||||
|
||||
print_node_journal_since_test_start() {
|
||||
|
||||
Reference in New Issue
Block a user