From bfd648534675dcd03b2592f5688997c7dd50056d Mon Sep 17 00:00:00 2001 From: Manuel Huber Date: Tue, 2 Jun 2026 22:16:31 +0000 Subject: [PATCH] tests: set identity for guest-pull pods Use the new helpers when guest-pull tests generate pods under automatic policy generation. Populate the securityContext values that matter for these images: supplemental groups are set explicitly, while root UID and GID defaults are left omitted. This keeps runtime requests aligned with the generated policy without requiring default-zero identity fields. Signed-off-by: Manuel Huber Assisted-by: OpenAI Codex --- .../k8s-guest-pull-image-authenticated.bats | 19 ++++++++---- .../k8s-guest-pull-image-signature.bats | 31 +++++++++++++------ .../kubernetes/k8s-guest-pull-image.bats | 13 +++++++- .../kubernetes/k8s-policy-pod.bats | 1 + tests/integration/kubernetes/tests_common.sh | 11 +++++++ 5 files changed, 58 insertions(+), 17 deletions(-) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats index ba631e450d..2bb63ea869 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats @@ -22,6 +22,7 @@ setup() { setup_common || die "setup_common failed" AUTHENTICATED_IMAGE="${AUTHENTICATED_IMAGE:-quay.io/kata-containers/confidential-containers-auth:test}" + authenticated_image_supplemental_groups="10" AUTHENTICATED_IMAGE_USER=${AUTHENTICATED_IMAGE_USER:-} AUTHENTICATED_IMAGE_PASSWORD=${AUTHENTICATED_IMAGE_PASSWORD:-} CREDENTIALS_KBS_URI="kbs:///default/credentials/test" @@ -90,7 +91,8 @@ EOF setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD} - create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" + create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" \ + "" "" "${authenticated_image_supplemental_groups}" yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" @@ -105,7 +107,8 @@ EOF setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk" - create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" + create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "kbs:///default/credentials/test" "" "resource" "$node" \ + "" "" "${authenticated_image_supplemental_groups}" yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" @@ -119,7 +122,8 @@ EOF @test "Test that creating a container from an authenticated image, with no credentials fails" { # Create pod config, but don't add agent.image_registry_auth annotation - create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node" + create_coco_pod_yaml "${AUTHENTICATED_IMAGE}" "" "" "" "resource" "$node" \ + "" "" "${authenticated_image_supplemental_groups}" yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" @@ -136,7 +140,8 @@ EOF setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} ${AUTHENTICATED_IMAGE_PASSWORD} initdata=$(get_initdata_with_auth_registry_config) - create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${authenticated_image_supplemental_groups}" yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" @@ -153,7 +158,8 @@ EOF setup_kbs_credentials "${AUTHENTICATED_IMAGE}" ${AUTHENTICATED_IMAGE_USER} "junk" initdata=$(get_initdata_with_auth_registry_config) - create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${authenticated_image_supplemental_groups}" yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" @@ -169,7 +175,8 @@ EOF # Create pod config, but don't add image_registry_auth to initdata initdata=$(get_initdata_with_cdh_image_section "") - create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${AUTHENTICATED_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${authenticated_image_supplemental_groups}" yq -i ".spec.imagePullSecrets[0].name = \"cococred\"" "${kata_pod}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" diff --git a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats index ab61187d25..5cd235e02e 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image-signature.bats @@ -26,6 +26,7 @@ setup() { UNSIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:unsigned" COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed" COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE="ghcr.io/confidential-containers/test-container-image-rs:cosign-signed-key2" + test_image_supplemental_groups="10" SECURITY_POLICY_KBS_URI="kbs:///default/security-policy/test" policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")" } @@ -88,7 +89,8 @@ EOF # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" - create_coco_pod_yaml "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" + create_coco_pod_yaml "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -102,7 +104,8 @@ EOF # We want to leave the default policy to be insecureAcceptAnything to rule out false negatives setup_kbs_image_policy - create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" + create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -116,7 +119,8 @@ EOF # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" - create_coco_pod_yaml "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" + create_coco_pod_yaml "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -130,7 +134,8 @@ EOF # We want to leave the default policy to be insecureAcceptAnything to rule out false negatives setup_kbs_image_policy - create_coco_pod_yaml "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" + create_coco_pod_yaml "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "${SECURITY_POLICY_KBS_URI}" "" "" "resource" "$node" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -144,7 +149,8 @@ EOF # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" - create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "" "resource" "$node" + create_coco_pod_yaml "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "" "resource" "$node" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -161,7 +167,8 @@ EOF setup_kbs_image_policy "reject" initdata=$(get_initdata_with_security_policy) - create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${UNSIGNED_UNPROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -178,7 +185,8 @@ EOF setup_kbs_image_policy initdata=$(get_initdata_with_security_policy) - create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -195,7 +203,8 @@ EOF setup_kbs_image_policy "reject" initdata=$(get_initdata_with_security_policy) - create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${COSIGN_SIGNED_PROTECTED_REGISTRY_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -212,7 +221,8 @@ EOF setup_kbs_image_policy initdata=$(get_initdata_with_security_policy) - create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}" + create_coco_pod_yaml_with_annotations "${COSIGNED_SIGNED_PROTECTED_REGISTRY_WRONG_KEY_IMAGE}" "" "${initdata}" "${node}" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake @@ -228,7 +238,8 @@ EOF # We want to set the default policy to be reject to rule out false positives setup_kbs_image_policy "reject" - create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}" + create_coco_pod_yaml_with_annotations "${UNSIGNED_PROTECTED_REGISTRY_IMAGE}" "" "" "${node}" \ + "" "" "${test_image_supplemental_groups}" auto_generate_policy "${policy_settings_dir}" "${kata_pod}" # For debug sake diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats index f8f114b588..8488f573b0 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats @@ -24,6 +24,12 @@ setup() { unencrypted_image="quay.io/prometheus/busybox:latest" image_pulled_time_less_than_default_time="ghcr.io/confidential-containers/test-container:rust-1.79.0" # unpacked size: 1.41GB large_image="quay.io/confidential-containers/test-images:largeimage" # unpacked size: 2.15GB + unencrypted_image_supplemental_groups="" + large_image_supplemental_groups="" + if auto_generate_policy_enabled; then + unencrypted_image_supplemental_groups="10" + large_image_supplemental_groups="1, 2, 3, 4, 6, 10, 11, 20, 26, 27" + fi pod_config_template="${pod_config_dir}/pod-guest-pull-in-trusted-storage.yaml.in" storage_config_template="${pod_config_dir}/confidential/trusted-storage.yaml.in" policy_settings_dir="$(create_tmp_policy_settings_dir "${pod_config_dir}")" @@ -49,7 +55,8 @@ setup() { kubectl delete -f "$runc_pod_config" # 2. Create one kata pod with the $unencrypted_image image and nydus annotation - kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image" "kata-${KATA_HYPERVISOR}")" + kata_pod_with_nydus_config="$(new_pod_config "$unencrypted_image" "kata-${KATA_HYPERVISOR}" \ + "" "" "$unencrypted_image_supplemental_groups")" set_node "$kata_pod_with_nydus_config" "$node" set_container_command "$kata_pod_with_nydus_config" "0" "sleep" "30" @@ -162,6 +169,8 @@ setup() { pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXXXXX.yaml") IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config" + ! auto_generate_policy_enabled || set_pod_spec_security_context "$pod_config" ".spec" \ + "" "" "$large_image_supplemental_groups" # Set a short CreateContainerRequest timeout in the annotation to fail to pull image in guest create_container_timeout=10 @@ -218,6 +227,8 @@ setup() { pod_config=$(mktemp "${BATS_FILE_TMPDIR}/$(basename "${pod_config_template}").XXXXXX.yaml") IMAGE="$large_image" NODE_NAME="$node" envsubst < "$pod_config_template" > "$pod_config" + ! auto_generate_policy_enabled || set_pod_spec_security_context "$pod_config" ".spec" \ + "" "" "$large_image_supplemental_groups" # Set CreateContainerRequest timeout in the annotation to pull large image in guest # Bare-metal CI runners' kubelets are configured with an equivalent runtimeRequestTimeout of 600s diff --git a/tests/integration/kubernetes/k8s-policy-pod.bats b/tests/integration/kubernetes/k8s-policy-pod.bats index 1f0dc17fc6..a4798666c1 100644 --- a/tests/integration/kubernetes/k8s-policy-pod.bats +++ b/tests/integration/kubernetes/k8s-policy-pod.bats @@ -80,6 +80,7 @@ replace_prometheus_image() { yq -i \ '.spec.containers[0].image = "quay.io/prometheus/busybox:latest"' \ "${correct_pod_yaml}" + set_pod_spec_security_context "${correct_pod_yaml}" ".spec" "" "" "10" } wait_for_pod_ready() { diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index f76566c07a..95f6756378 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -738,6 +738,17 @@ set_nginx_image() { nginx_image="${nginx_registry}@${nginx_digest}" NGINX_IMAGE="${nginx_image}" envsubst < "${input_yaml}" > "${output_yaml}" + + auto_generate_policy_enabled || return 0 + + case "$(yq -r 'select(documentIndex == 0) | .kind' "${output_yaml}")" in + Pod) + set_pod_spec_security_context "${output_yaml}" ".spec" "" "" "1, 2, 3, 4, 6, 10, 11, 20, 26, 27" + ;; + Deployment|ReplicationController) + set_pod_spec_security_context "${output_yaml}" ".spec.template.spec" "" "" "1, 2, 3, 4, 6, 10, 11, 20, 26, 27" + ;; + esac } print_node_journal_since_test_start() {