tests: k8s: replace run_policy_specific_tests

Check from: - k8s-exec-rejected.bats - k8s-policy-set-keys.bats if policy testing is enabled or not, to reduce the complexity of run_kubernetes_tests.sh. After these changes, there are no policy specific commands left in run_kubernetes_tests.sh. add_allow_all_policy_to_yaml() is moving out of run_kubernetes_tests.sh too, but it not used yet. It will be used in future commits. Fixes: #9395 Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-07-31 07:19:06 +00:00 · 2024-04-02 18:11:49 +00:00 · 2024-04-02 18:11:49 +00:00 · ef22bd8a2b
commit ef22bd8a2b
parent 39805822fc
4 changed files with 65 additions and 72 deletions
--- a/tests/integration/kubernetes/k8s-exec-rejected.bats
+++ b/tests/integration/kubernetes/k8s-exec-rejected.bats
@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"

 setup() {
+	policy_tests_enabled || skip "Policy tests are disabled."
+
 	get_pod_config_dir
 	pod_name="policy-exec-rejected"
 	pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml"
@ -36,6 +38,8 @@ setup() {
 }

 teardown() {
+	policy_tests_enabled || skip "Policy tests are disabled."
+
 	# Debugging information
 	kubectl describe "pod/$pod_name"

--- a/tests/integration/kubernetes/k8s-policy-set-keys.bats
+++ b/tests/integration/kubernetes/k8s-policy-set-keys.bats
@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
 load "${BATS_TEST_DIRNAME}/tests_common.sh"

 setup() {
+	policy_tests_enabled || skip "Policy tests are disabled."
+
 	get_pod_config_dir
 	pod_name="set-keys-test"
 	pod_yaml="${pod_config_dir}/k8s-policy-set-keys.yaml"
@ -35,6 +37,8 @@ setup() {
 }

 teardown() {
+	policy_tests_enabled || skip "Policy tests are disabled."
+
 	# Debugging information
 	kubectl describe "pod/$pod_name"

--- a/tests/integration/kubernetes/run_kubernetes_tests.sh
+++ b/tests/integration/kubernetes/run_kubernetes_tests.sh
@ -15,8 +15,6 @@ KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
 K8S_TEST_DEBUG="${K8S_TEST_DEBUG:-false}"
 K8S_TEST_HOST_TYPE="${K8S_TEST_HOST_TYPE:-small}"

-ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 runtimeclass_workloads_work/allow-all.rego)}"
-
 if [ -n "${K8S_TEST_UNION:-}" ]; then
 	K8S_TEST_UNION=($K8S_TEST_UNION)
 else
@ -37,6 +35,7 @@ else
 		"k8s-empty-dirs.bats" \
 		"k8s-env.bats" \
 		"k8s-exec.bats" \
+		"k8s-exec-rejected.bats" \
 		"k8s-file-volume.bats" \
 		"k8s-inotify.bats" \
 		"k8s-job.bats" \
@ -51,6 +50,7 @@ else
 		"k8s-optional-empty-secret.bats" \
 		"k8s-pid-ns.bats" \
 		"k8s-pod-quota.bats" \
+		"k8s-policy-set-keys.bats" \
 		"k8s-port-forward.bats" \
 		"k8s-projected-volume.bats" \
 		"k8s-qos-pods.bats" \
@ -88,69 +88,6 @@ else
 	esac
 fi

-policy_tests_enabled() {
-	# The Guest images for these platforms have been built using AGENT_POLICY=yes -
-	# see kata-deploy-binaries.sh.
-	[ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
-		[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ]
-}
-
-add_policy_to_yaml() {
-	local yaml_file="$1"
-	local resource_kind="$(yq read ${yaml_file} kind)"
-
-	case "${resource_kind}" in
-
-	Pod)
-		echo "Adding policy to ${resource_kind} from ${yaml_file}"
-		ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \
-			'metadata.annotations."io.katacontainers.config.agent.policy"' \
-			"${ALLOW_ALL_POLICY}"
-		;;
-
-	Deployment|Job|ReplicationController)
-		echo "Adding policy to ${resource_kind} from ${yaml_file}"
-		ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \
-			'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \
-			"${ALLOW_ALL_POLICY}"
-		;;
-
-	List)
-		echo "Issue #7765: adding policy to ${resource_kind} from ${yaml_file} is not implemented yet"
-		;;
-
-	ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service)
-		echo "Policy is not required for ${resource_kind} from ${yaml_file}"
-		;;
-
-	*)
-		echo "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing"
-		return 1
-		;;
-
-	esac
-}
-
-test_successful_actions() {
-	info "Test actions that must be successful"
-	for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]}
-	do
-		info "$(kubectl get pods --all-namespaces 2>&1)"
-		info "Executing ${K8S_TEST_ENTRY}"
-		bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}"
-	done
-}
-
-run_policy_specific_tests() {
-	info "$(kubectl get pods --all-namespaces 2>&1)"
-	info "Executing k8s-exec-rejected.bats"
-	bats --show-output-of-passing-tests k8s-exec-rejected.bats
-
-	info "$(kubectl get pods --all-namespaces 2>&1)"
-	info "Executing k8s-policy-set-keys.bats"
-	bats --show-output-of-passing-tests k8s-policy-set-keys.bats
-}
-
 # we may need to skip a few test cases when running on non-x86_64 arch
 arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml"
 if [ -f "${arch_config_file}" ]; then
@ -158,11 +95,11 @@ if [ -f "${arch_config_file}" ]; then
 	mapfile -d " " -t K8S_TEST_UNION <<< "${arch_k8s_test_union}"
 fi

-if policy_tests_enabled; then
-	ensure_yq
-	run_policy_specific_tests
-else
-	info "Policy tests are disabled on this platform"
-fi
+ensure_yq

-test_successful_actions
+for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]}
+do
+	info "$(kubectl get pods --all-namespaces 2>&1)"
+	info "Executing ${K8S_TEST_ENTRY}"
+	bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}"
+done
--- a/tests/integration/kubernetes/tests_common.sh
+++ b/tests/integration/kubernetes/tests_common.sh
@ -33,6 +33,10 @@ dragonball_limitations="https://github.com/kata-containers/kata-containers/issue
 # overwrite it.
 export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"

+# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
+K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}"
+ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
+
 # Common setup for tests.
 #
 # Global variables exported:
@ -252,3 +256,47 @@ set_namespace_to_policy_settings() {
 		"${settings_dir}/new-genpolicy-settings.json"
 	mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json"
 }
+
+policy_tests_enabled() {
+	# The Guest images for these platforms have been built using AGENT_POLICY=yes -
+	# see kata-deploy-binaries.sh.
+	[ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
+		[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ]
+}
+
+add_allow_all_policy_to_yaml() {
+	policy_tests_enabled || return 0
+
+	local yaml_file="$1"
+	local resource_kind="$(yq read ${yaml_file} kind)"
+
+	case "${resource_kind}" in
+
+	Pod)
+		info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
+		ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \
+			'metadata.annotations."io.katacontainers.config.agent.policy"' \
+			"${ALLOW_ALL_POLICY}"
+		;;
+
+	Deployment|Job|ReplicationController)
+		info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
+		ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \
+			'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \
+			"${ALLOW_ALL_POLICY}"
+		;;
+
+	List)
+		die "Issue #7765: adding allow all policy to ${resource_kind} from ${yaml_file} is not implemented yet"
+		;;
+
+	ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service)
+		die "Policy is not required for ${resource_kind} from ${yaml_file}"
+		;;
+
+	*)
+		die "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing"
+		;;
+
+	esac
+}