From c1247cc2549c410932e59c44df0c142b84151c0e Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Thu, 11 Jul 2024 15:37:45 +0000 Subject: [PATCH] tests: k8s: explain the default containerd settings Explain why the containerd settings on the local machine get set to containerd's defaults when testing GENPOLICY_PULL_METHOD=containerd. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/gha-run.sh | 16 +++++++++++----- 1 file changed, 11 insertions(+), 5 deletions(-) diff --git a/tests/integration/kubernetes/gha-run.sh b/tests/integration/kubernetes/gha-run.sh index de17c202f6..7daa3d69f4 100755 --- a/tests/integration/kubernetes/gha-run.sh +++ b/tests/integration/kubernetes/gha-run.sh @@ -271,15 +271,21 @@ function run_tests() { [ "$platform" = "kcli" ] && \ export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig" - # Enable auto-generated policy for CI images that support policy - # and enable cri plugin in containerd config. # TODO: enable testing auto-generated policy for other types of hosts too. - if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then - export AUTO_GENERATE_POLICY="yes" + fi - # set default containerd config + if [ "${AUTO_GENERATE_POLICY}" = "yes" ] && [ "${GENPOLICY_PULL_METHOD}" = "containerd" ]; then + # containerd's config on the local machine (where kubectl and genpolicy are executed by CI), + # might have been provided by a distro-specific package that disables the cri plug-in by using: + # + # disabled_plugins = ["cri"] + # + # When testing genpolicy's container image pull through containerd the cri plug-in must be + # enabled. Therefore, use containerd's default settings instead of distro's defaults. Note that + # the k8s test cluster nodes have their own containerd settings (created by kata-deploy), + # independent from the local settings being created here. sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null echo "containerd config has been set to default" sudo systemctl restart containerd && sudo systemctl is-active containerd