diff --git a/tests/integration/kubernetes/k8s-empty-dirs.bats b/tests/integration/kubernetes/k8s-empty-dirs.bats index 0bf901caaa..93b189517b 100644 --- a/tests/integration/kubernetes/k8s-empty-dirs.bats +++ b/tests/integration/kubernetes/k8s-empty-dirs.bats @@ -21,11 +21,14 @@ setup() { pod_name="sharevol-kata" get_pod_config_dir pod_logs_file="" + + yaml_file="${pod_config_dir}/pod-empty-dir.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Empty dir volumes" { # Create the pod - kubectl create -f "${pod_config_dir}/pod-empty-dir.yaml" + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" diff --git a/tests/integration/kubernetes/k8s-exec-rejected.bats b/tests/integration/kubernetes/k8s-exec-rejected.bats index 469c709856..0c9057c107 100644 --- a/tests/integration/kubernetes/k8s-exec-rejected.bats +++ b/tests/integration/kubernetes/k8s-exec-rejected.bats @@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + policy_tests_enabled || skip "Policy tests are disabled." + get_pod_config_dir pod_name="policy-exec-rejected" pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml" @@ -36,6 +38,8 @@ setup() { } teardown() { + policy_tests_enabled || skip "Policy tests are disabled." + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-footloose.bats b/tests/integration/kubernetes/k8s-footloose.bats index b8b10db7a6..47bf14f77b 100644 --- a/tests/integration/kubernetes/k8s-footloose.bats +++ b/tests/integration/kubernetes/k8s-footloose.bats 
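Review bot: `add_allow_all_policy_to_yaml "${yaml_file}"` in setup() rewrites the fixture `pod-empty-dir.yaml` itself (the helper uses `yq write -i`), so the policy annotation is persisted into the shared config directory rather than into a per-test copy, which is what k8s-liveness-probes.bats does with `cp` plus `rm -f` in teardown(). The removed loop in run_kubernetes_tests.sh suggests pod_config_dir is a `runtimeclass_workloads_work` scratch copy, in which case this is harmless and idempotent; if it ever points at the checked-in directory a run leaves the tree dirty. The same in-place pattern is in the setup() hunks of k8s-footloose, k8s-inotify, k8s-optional-empty-secret, k8s-pod-quota, k8s-projected-volume, k8s-sandbox-vcpus-allocation, k8s-seccomp, k8s-security-context and k8s-sysctls. Either state the assumption once, `# pod_config_dir is a scratch copy; the policy annotation is written in place`, or copy to a test-specific file and remove it in teardown().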
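Review bot: `policy_tests_enabled || skip "Policy tests are disabled."` is repeated in teardown() in the second hunk of this file, and the same pair appears in k8s-policy-set-keys.bats. skip expresses intent in setup() and test bodies; in teardown() a plain `policy_tests_enabled || return 0` says what is meant (there is no pod to describe or delete because setup() skipped before creating it) without depending on how bats treats skip inside teardown. The setup() guard would also read better with its reason attached, e.g. `# Only guest images built with AGENT_POLICY=yes enforce policy, so the rejection cannot be observed elsewhere.`, mirroring the comment in policy_tests_enabled.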
@@ -23,6 +23,10 @@ setup() { sed -e "/\${ssh_key}/r ${public_key_path}" -e "/\${ssh_key}/d" \ "${pod_config_dir}/footloose-configmap.yaml" > "$configmap_yaml" sed -i 's/ssh-rsa/ ssh-rsa/' "$configmap_yaml" + + # Add an "allow all" policy to the pod yaml file. + pod_yaml="${pod_config_dir}/pod-footloose.yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Footloose pod" { @@ -33,7 +37,7 @@ setup() { kubectl create -f "$configmap_yaml" # Create pod - kubectl create -f "${pod_config_dir}/pod-footloose.yaml" + kubectl create -f "${pod_yaml}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats index 7a7c5d7eba..329c868e1a 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats @@ -30,6 +30,7 @@ setup() { echo "Pod $runc_pod_config file:" cat $runc_pod_config + add_allow_all_policy_to_yaml "$runc_pod_config" k8s_create_pod "$runc_pod_config" echo "Runc pod test-e2e is running" @@ -49,6 +50,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" echo "Kata pod test-e2e with nydus annotation is running" @@ -93,6 +95,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" } @@ -113,6 +116,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" echo "Kata pod test-e2e with nydus annotation is running" 
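Review bot: The new `add_allow_all_policy_to_yaml "$runc_pod_config"` runs after `cat $runc_pod_config`, so the "Pod ... file:" debug dump shows the spec without the policy annotation that k8s_create_pod actually submits; the same ordering is in the other six hunks of this file (@@ -49, -93, -113, -134, -163, -189). Moving the call above the `echo`/`cat` pair, as k8s-measured-rootfs.bats does in this commit, keeps the logged YAML identical to what was applied, which matters when a policy-related failure has to be diagnosed from CI output. For the runc pod in this first hunk the kata agent annotation is presumably inert, so the call could be dropped there to leave the control pod unmodified — verify against k8s_create_pod.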
@@ -134,6 +138,7 @@ setup() { echo "Pod $kata_pod_without_nydus_config file:" cat $kata_pod_without_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_without_nydus_config" k8s_create_pod "$kata_pod_without_nydus_config" echo "Kata pod test-e2e without nydus annotation is running" @@ -163,6 +168,7 @@ setup() { echo "Pod $kata_pod_without_nydus_config file:" cat $kata_pod_without_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_without_nydus_config" k8s_create_pod "$kata_pod_without_nydus_config" echo "Kata pod test-e2e without nydus annotation is running" @@ -189,6 +195,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" echo "Kata pod test-e2e with nydus annotation is running" diff --git a/tests/integration/kubernetes/k8s-inotify.bats b/tests/integration/kubernetes/k8s-inotify.bats index a06bf6774f..193cf99dc3 100644 --- a/tests/integration/kubernetes/k8s-inotify.bats +++ b/tests/integration/kubernetes/k8s-inotify.bats @@ -14,6 +14,9 @@ setup() { issue_url="https://github.com/kata-containers/kata-containers/issues/8906" [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" get_pod_config_dir + + pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "configmap update works, and preserves symlinks" { @@ -23,7 +26,7 @@ setup() { kubectl apply -f "${pod_config_dir}"/inotify-configmap.yaml # Create deployment that expects identity-certs - kubectl apply -f "${pod_config_dir}"/inotify-configmap-pod.yaml + kubectl apply -f "${pod_yaml}" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" # Update configmap diff --git a/tests/integration/kubernetes/k8s-liveness-probes.bats b/tests/integration/kubernetes/k8s-liveness-probes.bats index 5c8a736e78..ea8d51c41e 100644 
--- a/tests/integration/kubernetes/k8s-liveness-probes.bats +++ b/tests/integration/kubernetes/k8s-liveness-probes.bats @@ -19,8 +19,12 @@ setup() { @test "Liveness probe" { pod_name="liveness-exec" + yaml_file="${pod_config_dir}/probe-pod-liveness.yaml" + cp "${pod_config_dir}/pod-liveness.yaml" "${yaml_file}" + add_allow_all_policy_to_yaml "${yaml_file}" + # Create pod - kubectl create -f "${pod_config_dir}/pod-liveness.yaml" + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" @@ -36,10 +40,16 @@ setup() { @test "Liveness http probe" { pod_name="liveness-http" - # Create pod + # Create pod specification. + yaml_file="${pod_config_dir}/http-pod-liveness.yaml" + sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \ - "${pod_config_dir}/pod-http-liveness.yaml" |\ - kubectl create -f - + "${pod_config_dir}/pod-http-liveness.yaml" > "${yaml_file}" + + add_allow_all_policy_to_yaml "${yaml_file}" + + # Create pod + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" @@ -56,10 +66,16 @@ setup() { @test "Liveness tcp probe" { pod_name="tcptest" - # Create pod + # Create pod specification. + yaml_file="${pod_config_dir}/tcp-pod-liveness.yaml" + sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \ - "${pod_config_dir}/pod-tcp-liveness.yaml" |\ - kubectl create -f - + "${pod_config_dir}/pod-tcp-liveness.yaml" > "${yaml_file}" + + add_allow_all_policy_to_yaml "${yaml_file}" + + # Create pod + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" @@ -77,4 +93,6 @@ teardown() { kubectl describe "pod/$pod_name" kubectl delete pod "$pod_name" + + rm -f "${yaml_file}" } diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index a98f96c6a8..cee9466926 100644 
--- a/tests/integration/kubernetes/k8s-measured-rootfs.bats +++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -41,6 +41,9 @@ teardown() { # Run on a specific node so we know from where to inspect the logs set_node "$pod_config" "$node" + # Add an "allow all" policy if policy testing is enabled. + add_allow_all_policy_to_yaml "$pod_config" + # For debug sake echo "Pod $pod_config file:" cat $pod_config diff --git a/tests/integration/kubernetes/k8s-nginx-connectivity.bats b/tests/integration/kubernetes/k8s-nginx-connectivity.bats index bc7271dc86..73c4426fb3 100644 --- a/tests/integration/kubernetes/k8s-nginx-connectivity.bats +++ b/tests/integration/kubernetes/k8s-nginx-connectivity.bats @@ -15,15 +15,19 @@ setup() { deployment="nginx-deployment" get_pod_config_dir + + # Create test .yaml + yaml_file="${pod_config_dir}/test-${deployment}.yaml" + + sed -e "s/\${nginx_version}/${nginx_image}/" \ + "${pod_config_dir}/${deployment}.yaml" > "${yaml_file}" + + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Verify nginx connectivity between pods" { - # Create test .yaml - sed -e "s/\${nginx_version}/${nginx_image}/" \ - "${pod_config_dir}/${deployment}.yaml" > "${pod_config_dir}/test-${deployment}.yaml" - - kubectl create -f "${pod_config_dir}/test-${deployment}.yaml" + kubectl create -f "${yaml_file}" kubectl wait --for=condition=Available --timeout=$timeout deployment/${deployment} kubectl expose deployment/${deployment} @@ -46,7 +50,7 @@ teardown() { kubectl get service/${deployment} -o yaml kubectl get endpoints/${deployment} -o yaml - rm -f "${pod_config_dir}/test-${deployment}.yaml" + rm -f "${yaml_file}" kubectl delete deployment "$deployment" kubectl delete service "$deployment" kubectl delete pod "$busybox_pod" diff --git a/tests/integration/kubernetes/k8s-optional-empty-secret.bats b/tests/integration/kubernetes/k8s-optional-empty-secret.bats index 9586034167..ad98b6c3f3 100644 --- a/tests/integration/kubernetes/k8s-optional-empty-secret.bats 
+++ b/tests/integration/kubernetes/k8s-optional-empty-secret.bats @@ -10,6 +10,9 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { get_pod_config_dir + + pod_yaml="${pod_config_dir}/pod-optional-empty-secret.yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Optional and Empty Secret Volume for a pod" { @@ -20,7 +23,7 @@ setup() { kubectl create secret generic "$secret_name" # Create a pod that consumes the "empty-secret" and "optional-missing-secret" Secrets as volumes - kubectl create -f "${pod_config_dir}/pod-optional-empty-secret.yaml" + kubectl create -f "${pod_yaml}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" diff --git a/tests/integration/kubernetes/k8s-pod-quota.bats b/tests/integration/kubernetes/k8s-pod-quota.bats index f74d8a595c..2d7f26ee3b 100644 --- a/tests/integration/kubernetes/k8s-pod-quota.bats +++ b/tests/integration/kubernetes/k8s-pod-quota.bats @@ -11,6 +11,9 @@ setup() { [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: https://github.com/kata-containers/kata-containers/issues/7873" get_pod_config_dir + + deployment_yaml="${pod_config_dir}/pod-quota-deployment.yaml" + add_allow_all_policy_to_yaml "${deployment_yaml}" } @test "Pod quota" { @@ -25,7 +28,7 @@ setup() { --output=yaml | grep 'pods: "2"' # Create deployment - kubectl create -f "${pod_config_dir}/pod-quota-deployment.yaml" + kubectl create -f "${deployment_yaml}" # View deployment kubectl wait --for=condition=Available --timeout=$timeout \ @@ -39,6 +42,6 @@ teardown() { kubectl describe deployment ${deployment_name} # Clean-up - kubectl delete -f "${pod_config_dir}/pod-quota-deployment.yaml" + kubectl delete -f "${deployment_yaml}" kubectl delete -f "${pod_config_dir}/resource-quota.yaml" } diff --git a/tests/integration/kubernetes/k8s-policy-set-keys.bats b/tests/integration/kubernetes/k8s-policy-set-keys.bats index f1727a8da7..d1de0018f7 100644 --- a/tests/integration/kubernetes/k8s-policy-set-keys.bats 
+++ b/tests/integration/kubernetes/k8s-policy-set-keys.bats @@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + policy_tests_enabled || skip "Policy tests are disabled." + get_pod_config_dir pod_name="set-keys-test" pod_yaml="${pod_config_dir}/k8s-policy-set-keys.yaml" @@ -35,6 +37,8 @@ setup() { } teardown() { + policy_tests_enabled || skip "Policy tests are disabled." + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-projected-volume.bats b/tests/integration/kubernetes/k8s-projected-volume.bats index 87160eeb50..5d9f336a79 100644 --- a/tests/integration/kubernetes/k8s-projected-volume.bats +++ b/tests/integration/kubernetes/k8s-projected-volume.bats @@ -13,6 +13,9 @@ setup() { [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" get_pod_config_dir + + pod_yaml="${pod_config_dir}/pod-projected-volume.yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Projected volume" { @@ -32,7 +35,7 @@ setup() { kubectl create secret generic pass --from-file=$SECOND_TMP_FILE # Create pod - kubectl create -f "${pod_config_dir}/pod-projected-volume.yaml" + kubectl create -f "${pod_yaml}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" diff --git a/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats b/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats index 0b0d7678e7..8f18c0adee 100644 --- a/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats +++ b/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats 
@@ -15,11 +15,14 @@ setup() { get_pod_config_dir pods=( "vcpus-less-than-one-with-no-limits" "vcpus-less-than-one-with-limits" "vcpus-more-than-one-with-limits" ) expected_vcpus=( 1 1 2 ) + + yaml_file="${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Check the number vcpus are correctly allocated to the sandbox" { # Create the pods - kubectl create -f "${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" + kubectl create -f "${yaml_file}" # Wait for completion kubectl wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=$timeout pod --all @@ -38,5 +41,5 @@ teardown() { kubectl logs ${pod} done - kubectl delete -f "${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" + kubectl delete -f "${yaml_file}" } diff --git a/tests/integration/kubernetes/k8s-seccomp.bats b/tests/integration/kubernetes/k8s-seccomp.bats index c6a840cb3c..20d219dbdc 100644 --- a/tests/integration/kubernetes/k8s-seccomp.bats +++ b/tests/integration/kubernetes/k8s-seccomp.bats @@ -10,12 +10,15 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { pod_name="seccomp-container" get_pod_config_dir + + yaml_file="${pod_config_dir}/pod-seccomp.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Support seccomp runtime/default profile" { expected_seccomp_mode="2" # Create pod - kubectl create -f "${pod_config_dir}/pod-seccomp.yaml" + kubectl create -f "${yaml_file}" # Wait it to complete cmd="kubectl get pods ${pod_name} | grep Completed" @@ -31,5 +34,5 @@ teardown() { echo "seccomp mode is ${seccomp_mode}, expected $expected_seccomp_mode" kubectl describe "pod/${pod_name}" - kubectl delete -f "${pod_config_dir}/pod-seccomp.yaml" || true + kubectl delete -f "${yaml_file}" || true } diff --git a/tests/integration/kubernetes/k8s-security-context.bats b/tests/integration/kubernetes/k8s-security-context.bats index a8f9d7ba9e..9bbf53be41 100644 --- a/tests/integration/kubernetes/k8s-security-context.bats 
+++ b/tests/integration/kubernetes/k8s-security-context.bats @@ -10,13 +10,16 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { get_pod_config_dir + + yaml_file="${pod_config_dir}/pod-security-context.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Security context" { pod_name="security-context-test" # Create pod - kubectl create -f "${pod_config_dir}/pod-security-context.yaml" + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" diff --git a/tests/integration/kubernetes/k8s-sysctls.bats b/tests/integration/kubernetes/k8s-sysctls.bats index aca6c50d1a..cea2b9fb47 100644 --- a/tests/integration/kubernetes/k8s-sysctls.bats +++ b/tests/integration/kubernetes/k8s-sysctls.bats @@ -11,11 +11,14 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { pod_name="sysctl-test" get_pod_config_dir + + yaml_file="${pod_config_dir}/pod-sysctl.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Setting sysctl" { # Create pod - kubectl apply -f "${pod_config_dir}/pod-sysctl.yaml" + kubectl apply -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name diff --git a/tests/integration/kubernetes/k8s-volume.bats b/tests/integration/kubernetes/k8s-volume.bats index 7bb69f95d1..4178f8b1e1 100644 --- a/tests/integration/kubernetes/k8s-volume.bats +++ b/tests/integration/kubernetes/k8s-volume.bats @@ -26,6 +26,7 @@ setup() { sed -e "s|tmp_data|${tmp_file}|g" ${pod_config_dir}/pv-volume.yaml > "$pv_yaml" sed -e "s|NODE|${node}|g" "${pod_config_dir}/pv-pod.yaml" > "$pod_yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Create Persistent Volume" { diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index 864ebd100b..528e364f11 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh 
@@ -15,8 +15,6 @@ KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}" K8S_TEST_DEBUG="${K8S_TEST_DEBUG:-false}" K8S_TEST_HOST_TYPE="${K8S_TEST_HOST_TYPE:-small}" -ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 runtimeclass_workloads_work/allow-all.rego)}" - if [ -n "${K8S_TEST_UNION:-}" ]; then K8S_TEST_UNION=($K8S_TEST_UNION) else @@ -38,6 +36,7 @@ else "k8s-empty-dirs.bats" \ "k8s-env.bats" \ "k8s-exec.bats" \ + "k8s-exec-rejected.bats" \ "k8s-file-volume.bats" \ "k8s-inotify.bats" \ "k8s-job.bats" \ @@ -52,6 +51,7 @@ else "k8s-optional-empty-secret.bats" \ "k8s-pid-ns.bats" \ "k8s-pod-quota.bats" \ + "k8s-policy-set-keys.bats" \ "k8s-port-forward.bats" \ "k8s-projected-volume.bats" \ "k8s-qos-pods.bats" \ 
@@ -89,77 +89,6 @@ else esac fi -policy_tests_enabled() { - # The Guest images for these platforms have been built using AGENT_POLICY=yes - - # see kata-deploy-binaries.sh. - [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ - [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ] -} - -add_policy_to_yaml() { - local yaml_file="$1" - local resource_kind="$(yq read ${yaml_file} kind)" - - case "${resource_kind}" in - - Pod) - echo "Adding policy to ${resource_kind} from ${yaml_file}" - ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \ - 'metadata.annotations."io.katacontainers.config.agent.policy"' \ - "${ALLOW_ALL_POLICY}" - ;; - - Deployment|Job|ReplicationController) - echo "Adding policy to ${resource_kind} from ${yaml_file}" - ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \ - 'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \ - "${ALLOW_ALL_POLICY}" - ;; - - List) - echo "Issue #7765: adding policy to ${resource_kind} from ${yaml_file} is not implemented yet" - ;; - - ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service) - echo "Policy is not required for ${resource_kind} from ${yaml_file}" - ;; - - *) - echo "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing" - return 1 - ;; - - esac -} - -add_policy_to_successful_tests() { - info "Add policy to test YAML files" - for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml - do - add_policy_to_yaml "${K8S_TEST_YAML}" - done -} - -test_successful_actions() { - info "Test actions that must be successful" - for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]} - do - info "$(kubectl get pods --all-namespaces 2>&1)" - info "Executing ${K8S_TEST_ENTRY}" - bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}" - done -} - -run_policy_specific_tests() { - info "$(kubectl get pods --all-namespaces 2>&1)" - info 
"Executing k8s-exec-rejected.bats" - bats --show-output-of-passing-tests k8s-exec-rejected.bats - - info "$(kubectl get pods --all-namespaces 2>&1)" - info "Executing k8s-policy-set-keys.bats" - bats --show-output-of-passing-tests k8s-policy-set-keys.bats -} - # we may need to skip a few test cases when running on non-x86_64 arch arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml" if [ -f "${arch_config_file}" ]; then @@ -167,12 +96,11 @@ if [ -f "${arch_config_file}" ]; then mapfile -d " " -t K8S_TEST_UNION <<< "${arch_k8s_test_union}" fi -if policy_tests_enabled; then - ensure_yq - run_policy_specific_tests - add_policy_to_successful_tests -else - info "Policy tests are disabled on this platform" -fi +ensure_yq -test_successful_actions +for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]} +do + info "$(kubectl get pods --all-namespaces 2>&1)" + info "Executing ${K8S_TEST_ENTRY}" + bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}" +done diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index 13ee2392c9..31c09ceabc 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -33,6 +33,10 @@ dragonball_limitations="https://github.com/kata-containers/kata-containers/issue # overwrite it. export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}" +# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests. +K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}" +ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}" + # Common setup for tests. # # Global variables exported: 
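Review bot: `for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]}` word-splits and globs each entry; the array already holds one test per element, so `for K8S_TEST_ENTRY in "${K8S_TEST_UNION[@]}"` is the safe form. The removed else-branch also took away the only log line saying policy tests are disabled on the platform, so a CI log no longer records whether the run exercised agent policy at all; the per-test skip messages cover only the two policy-specific files. If policy_tests_enabled is in scope here after its move to tests_common.sh, one `info` line before the loop reporting its result would restore that signal.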
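Review bot: `ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 ...)}"` is evaluated whenever any .bats file loads tests_common.sh, including on platforms where policy_tests_enabled is false, and a missing allow-all.rego yields an empty string unless errexit happens to catch the substitution. That empty value is what add_allow_all_policy_to_yaml would later write into the annotation. Making the failure explicit is three lines: `ALLOW_ALL_REGO="${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego"`, `[ -f "${ALLOW_ALL_REGO}" ] || die "allow-all policy not found: ${ALLOW_ALL_REGO}"`, then the existing assignment using `"${ALLOW_ALL_REGO}"` (assuming `die` is defined by the time this file is sourced). `base64 -w 0` is GNU coreutils syntax, which is fine only if the test hosts are Linux.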
@@ -252,3 +256,47 @@ set_namespace_to_policy_settings() { "${settings_dir}/new-genpolicy-settings.json" mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json" } + +policy_tests_enabled() { + # The Guest images for these platforms have been built using AGENT_POLICY=yes - + # see kata-deploy-binaries.sh. + [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ] +} + +add_allow_all_policy_to_yaml() { + policy_tests_enabled || return 0 + + local yaml_file="$1" + local resource_kind="$(yq read ${yaml_file} kind)" + + case "${resource_kind}" in + + Pod) + info "Adding allow all policy to ${resource_kind} from ${yaml_file}" + ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \ + 'metadata.annotations."io.katacontainers.config.agent.policy"' \ + "${ALLOW_ALL_POLICY}" + ;; + + Deployment|Job|ReplicationController) + info "Adding allow all policy to ${resource_kind} from ${yaml_file}" + ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \ + 'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \ + "${ALLOW_ALL_POLICY}" + ;; + + List) + die "Issue #7765: adding allow all policy to ${resource_kind} from ${yaml_file} is not implemented yet" + ;; + + ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service) + die "Policy is not required for ${resource_kind} from ${yaml_file}" + ;; + + *) + die "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing" + ;; + + esac +}
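Review bot: `local resource_kind="$(yq read ${yaml_file} kind)"` leaves `${yaml_file}` unquoted and lets `local` mask a yq failure, so an unreadable file or a yq that does not accept `yq read` falls through to the `*)` arm with an empty kind instead of reporting the real error. Split it into `local resource_kind` and `resource_kind="$(yq read "${yaml_file}" kind)" || die "yq read failed for ${yaml_file}"`, and add `[ -n "${ALLOW_ALL_POLICY}" ] || die "ALLOW_ALL_POLICY is empty"` ahead of the case so an empty policy is never written into the annotation. The function also needs a header comment stating that it injects the permissive allow-all policy into `io.katacontainers.config.agent.policy`, that it is a silent no-op where policy_tests_enabled is false, and that it now dies for kinds that carry no policy, since the run_kubernetes_tests.sh version it replaces only logged those. policy_tests_enabled could carry `# Returns 0 only on platforms whose guest image was built with AGENT_POLICY=yes.`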