Merge pull request #9185 from microsoft/saulparedes/genpolicy_add_containerd_pull

genpolicy: Add optional toggle to pull images using containerd
2025-09-24 18:27:10 +00:00 · 2024-04-09 12:29:19 -07:00
parent 89353249fc 51498ba99a
commit ea31df8bff
29 changed files with 965 additions and 83 deletions
--- a/tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml
+++ b/tests/integration/kubernetes/filter_out_per_arch/aarch64.yaml
@@ -24,3 +24,4 @@ kubernetes:
  - k8s-number-cpus
  - k8s-oom
  - k8s-qos-pods
+  - k8s-pod-manifest-v1.bats
--- a/tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml
+++ b/tests/integration/kubernetes/filter_out_per_arch/ppc64le.yaml
@@ -12,3 +12,4 @@ kubernetes:
  - k8s-limit-range
  - k8s-number-cpus
  - k8s-oom
+  - k8s-pod-manifest-v1.bats
--- a/tests/integration/kubernetes/filter_out_per_arch/s390x.yaml
+++ b/tests/integration/kubernetes/filter_out_per_arch/s390x.yaml
@@ -7,3 +7,4 @@ kubernetes:
  - k8s-caps
  - k8s-inotify
  - k8s-sandbox-vcpus-allocation # see https://github.com/kata-containers/kata-containers/issues/9093
+  - k8s-pod-manifest-v1.bats
--- a/tests/integration/kubernetes/gha-run.sh
+++ b/tests/integration/kubernetes/gha-run.sh
@@ -33,6 +33,7 @@ HTTPS_PROXY="${HTTPS_PROXY:-${https_proxy:-}}"
 NO_PROXY="${NO_PROXY:-${no_proxy:-}}"
 export AUTO_GENERATE_POLICY="${AUTO_GENERATE_POLICY:-no}"
 export TEST_CLUSTER_NAMESPACE="${TEST_CLUSTER_NAMESPACE:-kata-containers-k8s-tests}"
+export GENPOLICY_PULL_METHOD="${GENPOLICY_PULL_METHOD:-oci-distribution-client}"

 function configure_devmapper() {
 	sudo mkdir -p /var/lib/containerd/devmapper
@@ -252,10 +253,19 @@ function run_tests() {
 	[ "$platform" = "kcli" ] && \
 		export KUBECONFIG="$HOME/.kcli/clusters/${CLUSTER_NAME:-kata-k8s}/auth/kubeconfig"

-	# Enable auto-generated policy for CI images that support policy.
-	#
+	# Enable auto-generated policy for CI images that support policy
+	# and enable cri plugin in containerd config.
 	# TODO: enable testing auto-generated policy for other types of hosts too.
-	[ "${KATA_HOST_OS}" = "cbl-mariner" ] && export AUTO_GENERATE_POLICY="yes"
+
+	if [ "${KATA_HOST_OS}" = "cbl-mariner" ]; then
+
+		export AUTO_GENERATE_POLICY="yes"
+
+		# set default containerd config
+		sudo containerd config default | sudo tee /etc/containerd/config.toml > /dev/null
+		echo "containerd config has been set to default"
+		sudo systemctl restart containerd && sudo systemctl is-active containerd
+	fi

 	set_test_cluster_namespace

--- a/tests/integration/kubernetes/k8s-pod-manifest-v1.bats
+++ b/tests/integration/kubernetes/k8s-pod-manifest-v1.bats
@@ -0,0 +1,31 @@
+#!/usr/bin/env bats
+#
+# Copyright (c) 2024 Microsoft.
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+
+load "${BATS_TEST_DIRNAME}/../../common.bash"
+load "${BATS_TEST_DIRNAME}/tests_common.sh"
+
+setup() {
+	get_pod_config_dir
+	pod_name="nginxhttps"
+	pod_yaml="${pod_config_dir}/pod-manifest-v1.yaml"
+	auto_generate_policy "${pod_config_dir}" "${pod_yaml}"
+}
+
+@test "Deploy manifest v1 pod" {
+
+	kubectl create -f "${pod_yaml}"
+
+	# Wait for pod to start
+	kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
+}
+
+teardown() {
+	# Debugging information
+	kubectl describe "pod/$pod_name"
+
+	kubectl delete pod "$pod_name"
+}
--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@@ -64,6 +64,10 @@ else
 		"k8s-nginx-connectivity.bats" \
 	)

+	if [ "${GENPOLICY_PULL_METHOD}" == "containerd" ]; then
+		K8S_TEST_SMALL_HOST_UNION+=("k8s-pod-manifest-v1.bats")
+	fi
+
 	K8S_TEST_NORMAL_HOST_UNION=( \
 		"k8s-number-cpus.bats" \
 		"k8s-parallel.bats" \
--- a/tests/integration/kubernetes/runtimeclass_workloads/pod-manifest-v1.yaml
+++ b/tests/integration/kubernetes/runtimeclass_workloads/pod-manifest-v1.yaml
@@ -0,0 +1,18 @@
+#
+# Copyright (c) 2024 Microsoft
+#
+# SPDX-License-Identifier: Apache-2.0
+#
+apiVersion: v1
+kind: Pod
+metadata:
+  name: nginxhttps
+  
+spec:
+  runtimeClassName: kata
+  terminationGracePeriodSeconds: 0
+  containers:
+    - name: nginxhttps
+      image: "docker.io/ymqytw/nginxhttps:1.5"
+      ports:
+        - containerPort: 80
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@@ -135,6 +135,9 @@ create_common_genpolicy_settings() {

 	# Set the default namespace of Kata CI tests in the genpolicy settings.
 	set_namespace_to_policy_settings "${genpolicy_settings_dir}" "${TEST_CLUSTER_NAMESPACE}"
+
+	# allow genpolicy to access containerd without sudo
+	sudo chmod a+rw /var/run/containerd/containerd.sock
 }

 # If auto-generated policy testing is enabled, make a copy of the common genpolicy settings
@@ -170,7 +173,6 @@ auto_generate_policy() {
 	declare -r config_map_yaml_file="$3"

 	auto_generate_policy_enabled || return 0
-
 	local genpolicy_command="RUST_LOG=info /opt/kata/bin/genpolicy -u -y ${yaml_file}"
 	genpolicy_command+=" -p ${settings_dir}/rules.rego"
 	genpolicy_command+=" -j ${settings_dir}/genpolicy-settings.json"
@@ -179,6 +181,10 @@ auto_generate_policy() {
 		genpolicy_command+=" -c ${config_map_yaml_file}"
 	fi

+	if [ "${GENPOLICY_PULL_METHOD}" == "containerd" ]; then
+		genpolicy_command+=" -d"
+	fi
+
 	info "Executing: ${genpolicy_command}"
 	eval "${genpolicy_command}"
 }