From 39805822fc42226a2acf4817475c343372fdfd9e Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 16:18:31 +0000 Subject: [PATCH 01/17] tests: k8s: reduce policy testing complexity Don't add the "allow all" policy to all the test YAML files anymore. After this change, the k8s tests assume that all the Kata CI Guest rootfs image files either: - Don't support Agent Policy at all, or - Include an "allow all" default policy. This relience/assumption will be addressed in a future commit. Fixes: #9395 Signed-off-by: Dan Mihai --- tests/integration/kubernetes/run_kubernetes_tests.sh | 9 --------- 1 file changed, 9 deletions(-) diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index a55d13e155..1f36a187c6 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh @@ -131,14 +131,6 @@ add_policy_to_yaml() { esac } -add_policy_to_successful_tests() { - info "Add policy to test YAML files" - for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml - do - add_policy_to_yaml "${K8S_TEST_YAML}" - done -} - test_successful_actions() { info "Test actions that must be successful" for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]} @@ -169,7 +161,6 @@ fi if policy_tests_enabled; then ensure_yq run_policy_specific_tests - add_policy_to_successful_tests else info "Policy tests are disabled on this platform" fi From ef22bd8a2b0adbcc0025e0a4001016255386c7cd Mon Sep 17 00:00:00 2001 
From: Dan Mihai Date: Tue, 2 Apr 2024 18:11:49 +0000 Subject: [PATCH 02/17] tests: k8s: replace run_policy_specific_tests Check from: - k8s-exec-rejected.bats - k8s-policy-set-keys.bats if policy testing is enabled or not, to reduce the complexity of run_kubernetes_tests.sh. After these changes, there are no policy specific commands left in run_kubernetes_tests.sh. add_allow_all_policy_to_yaml() is moving out of run_kubernetes_tests.sh too, but it not used yet. It will be used in future commits. Fixes: #9395 Signed-off-by: Dan Mihai --- .../kubernetes/k8s-exec-rejected.bats | 4 + .../kubernetes/k8s-policy-set-keys.bats | 4 + .../kubernetes/run_kubernetes_tests.sh | 81 +++---------------- tests/integration/kubernetes/tests_common.sh | 48 +++++++++++ 4 files changed, 65 insertions(+), 72 deletions(-) diff --git a/tests/integration/kubernetes/k8s-exec-rejected.bats b/tests/integration/kubernetes/k8s-exec-rejected.bats index 469c709856..0c9057c107 100644 --- a/tests/integration/kubernetes/k8s-exec-rejected.bats +++ b/tests/integration/kubernetes/k8s-exec-rejected.bats @@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + policy_tests_enabled || skip "Policy tests are disabled." + get_pod_config_dir pod_name="policy-exec-rejected" pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml" @@ -36,6 +38,8 @@ setup() { } teardown() { + policy_tests_enabled || skip "Policy tests are disabled." + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/k8s-policy-set-keys.bats b/tests/integration/kubernetes/k8s-policy-set-keys.bats index f1727a8da7..d1de0018f7 100644 --- a/tests/integration/kubernetes/k8s-policy-set-keys.bats +++ b/tests/integration/kubernetes/k8s-policy-set-keys.bats 
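Review bot: `skip` is invoked from teardown() in this hunk, and again in the matching teardown() hunk of k8s-policy-set-keys.bats; `skip` is meant for setup() and test bodies, and how bats treats it inside teardown() depends on the bats version, so the guard may surface as a teardown error rather than a clean no-op. A plain early return expresses the intent without relying on that behaviour: `policy_tests_enabled || return 0`. The setup() guards in both files are fine as written, since bats does run teardown() after a skipped setup() and this is exactly when the kubectl describe/delete calls must not run.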
@@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash" load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { + policy_tests_enabled || skip "Policy tests are disabled." + get_pod_config_dir pod_name="set-keys-test" pod_yaml="${pod_config_dir}/k8s-policy-set-keys.yaml" @@ -35,6 +37,8 @@ setup() { } teardown() { + policy_tests_enabled || skip "Policy tests are disabled." + # Debugging information kubectl describe "pod/$pod_name" diff --git a/tests/integration/kubernetes/run_kubernetes_tests.sh b/tests/integration/kubernetes/run_kubernetes_tests.sh index 1f36a187c6..c7d6c597d8 100755 --- a/tests/integration/kubernetes/run_kubernetes_tests.sh +++ b/tests/integration/kubernetes/run_kubernetes_tests.sh @@ -15,8 +15,6 @@ KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}" K8S_TEST_DEBUG="${K8S_TEST_DEBUG:-false}" K8S_TEST_HOST_TYPE="${K8S_TEST_HOST_TYPE:-small}" -ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 runtimeclass_workloads_work/allow-all.rego)}" - if [ -n "${K8S_TEST_UNION:-}" ]; then K8S_TEST_UNION=($K8S_TEST_UNION) else @@ -37,6 +35,7 @@ else "k8s-empty-dirs.bats" \ "k8s-env.bats" \ "k8s-exec.bats" \ + "k8s-exec-rejected.bats" \ "k8s-file-volume.bats" \ "k8s-inotify.bats" \ "k8s-job.bats" \ @@ -51,6 +50,7 @@ else "k8s-optional-empty-secret.bats" \ "k8s-pid-ns.bats" \ "k8s-pod-quota.bats" \ + "k8s-policy-set-keys.bats" \ "k8s-port-forward.bats" \ "k8s-projected-volume.bats" \ "k8s-qos-pods.bats" \ 
@@ -88,69 +88,6 @@ else esac fi -policy_tests_enabled() { - # The Guest images for these platforms have been built using AGENT_POLICY=yes - - # see kata-deploy-binaries.sh. - [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ - [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ] -} - -add_policy_to_yaml() { - local yaml_file="$1" - local resource_kind="$(yq read ${yaml_file} kind)" - - case "${resource_kind}" in - - Pod) - echo "Adding policy to ${resource_kind} from ${yaml_file}" - ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \ - 'metadata.annotations."io.katacontainers.config.agent.policy"' \ - "${ALLOW_ALL_POLICY}" - ;; - - Deployment|Job|ReplicationController) - echo "Adding policy to ${resource_kind} from ${yaml_file}" - ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \ - 'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \ - "${ALLOW_ALL_POLICY}" - ;; - - List) - echo "Issue #7765: adding policy to ${resource_kind} from ${yaml_file} is not implemented yet" - ;; - - ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service) - echo "Policy is not required for ${resource_kind} from ${yaml_file}" - ;; - - *) - echo "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing" - return 1 - ;; - - esac -} - -test_successful_actions() { - info "Test actions that must be successful" - for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]} - do - info "$(kubectl get pods --all-namespaces 2>&1)" - info "Executing ${K8S_TEST_ENTRY}" - bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}" - done -} - -run_policy_specific_tests() { - info "$(kubectl get pods --all-namespaces 2>&1)" - info "Executing k8s-exec-rejected.bats" - bats --show-output-of-passing-tests k8s-exec-rejected.bats - - info "$(kubectl get pods --all-namespaces 2>&1)" - info "Executing 
k8s-policy-set-keys.bats" - bats --show-output-of-passing-tests k8s-policy-set-keys.bats -} - # we may need to skip a few test cases when running on non-x86_64 arch arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml" if [ -f "${arch_config_file}" ]; then @@ -158,11 +95,11 @@ if [ -f "${arch_config_file}" ]; then mapfile -d " " -t K8S_TEST_UNION <<< "${arch_k8s_test_union}" fi -if policy_tests_enabled; then - ensure_yq - run_policy_specific_tests -else - info "Policy tests are disabled on this platform" -fi +ensure_yq -test_successful_actions +for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]} +do + info "$(kubectl get pods --all-namespaces 2>&1)" + info "Executing ${K8S_TEST_ENTRY}" + bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}" +done diff --git a/tests/integration/kubernetes/tests_common.sh b/tests/integration/kubernetes/tests_common.sh index 13ee2392c9..31c09ceabc 100644 --- a/tests/integration/kubernetes/tests_common.sh +++ b/tests/integration/kubernetes/tests_common.sh @@ -33,6 +33,10 @@ dragonball_limitations="https://github.com/kata-containers/kata-containers/issue # overwrite it. export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}" +# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests. +K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}" +ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}" + # Common setup for tests. # # Global variables exported: 
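Review bot: The new `ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"` line in tests_common.sh is evaluated every time the file is loaded, and a missing or unreadable rego file is swallowed: base64 prints an error but the variable silently becomes the empty string, which add_allow_all_policy_to_yaml() would then write as the policy annotation. Check the source first, e.g. `[ -f "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego" ] || die "allow-all.rego not found"`, or compute the encoded value lazily inside add_allow_all_policy_to_yaml() where die is already the error path. Note also that `base64 -w 0` is a GNU coreutils option; that is presumably fine for the Linux CI hosts this targets, but worth a comment if the file is ever sourced elsewhere.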
@@ -252,3 +256,47 @@ set_namespace_to_policy_settings() { "${settings_dir}/new-genpolicy-settings.json" mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json" } + +policy_tests_enabled() { + # The Guest images for these platforms have been built using AGENT_POLICY=yes - + # see kata-deploy-binaries.sh. + [ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \ + [ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ] +} + +add_allow_all_policy_to_yaml() { + policy_tests_enabled || return 0 + + local yaml_file="$1" + local resource_kind="$(yq read ${yaml_file} kind)" + + case "${resource_kind}" in + + Pod) + info "Adding allow all policy to ${resource_kind} from ${yaml_file}" + ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \ + 'metadata.annotations."io.katacontainers.config.agent.policy"' \ + "${ALLOW_ALL_POLICY}" + ;; + + Deployment|Job|ReplicationController) + info "Adding allow all policy to ${resource_kind} from ${yaml_file}" + ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \ + 'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \ + "${ALLOW_ALL_POLICY}" + ;; + + List) + die "Issue #7765: adding allow all policy to ${resource_kind} from ${yaml_file} is not implemented yet" + ;; + + ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service) + die "Policy is not required for ${resource_kind} from ${yaml_file}" + ;; + + *) + die "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing" + ;; + + esac +} From 18f5e55667e74de2b045664301acae515b45a386 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:21:36 +0000 Subject: [PATCH 03/17] tests: k8s-empty-dirs.bats allow all policy Use the "allow all" policy for k8s-empty-dirs.bats, instead of relying on the Kata Guest image to use the same policy as its default. 
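Review bot: In add_allow_all_policy_to_yaml(), `local resource_kind="$(yq read ${yaml_file} kind)"` masks yq's exit status (local returns 0 regardless) and leaves `${yaml_file}` unquoted, so a missing or unreadable file yields an empty kind and falls through to the `*)` branch with a misleading "not yet supported" message. Split the declaration and fail explicitly: `local resource_kind` / `resource_kind="$(yq read "${yaml_file}" kind)" || die "cannot read kind from ${yaml_file}"`. The ConfigMap/Service/... branch now calls die where the removed copy in run_kubernetes_tests.sh only echoed, so any caller handing it a non-workload file aborts its test; if that is intended, a header comment stating that the function accepts only Pod/Deployment/Job/ReplicationController files and is a no-op unless policy_tests_enabled would make the contract clear. In policy_tests_enabled(), `${KATA_HOST_OS}` has no default; `"${KATA_HOST_OS:-}"` avoids an unbound-variable error should a caller run under `set -u` (I cannot see from here whether any does).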
Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-empty-dirs.bats | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-empty-dirs.bats b/tests/integration/kubernetes/k8s-empty-dirs.bats index 0bf901caaa..93b189517b 100644 --- a/tests/integration/kubernetes/k8s-empty-dirs.bats +++ b/tests/integration/kubernetes/k8s-empty-dirs.bats @@ -21,11 +21,14 @@ setup() { pod_name="sharevol-kata" get_pod_config_dir pod_logs_file="" + + yaml_file="${pod_config_dir}/pod-empty-dir.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Empty dir volumes" { # Create the pod - kubectl create -f "${pod_config_dir}/pod-empty-dir.yaml" + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" From be3797ef7c77a59ee2a5e1930eb605252be5cfc2 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:23:36 +0000 Subject: [PATCH 04/17] tests: k8s-footloose.bats allow all policy Use the "allow all" policy for k8s-footloose.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-footloose.bats | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-footloose.bats b/tests/integration/kubernetes/k8s-footloose.bats index b8b10db7a6..47bf14f77b 100644 --- a/tests/integration/kubernetes/k8s-footloose.bats +++ b/tests/integration/kubernetes/k8s-footloose.bats @@ -23,6 +23,10 @@ setup() { sed -e "/\${ssh_key}/r ${public_key_path}" -e "/\${ssh_key}/d" \ "${pod_config_dir}/footloose-configmap.yaml" > "$configmap_yaml" sed -i 's/ssh-rsa/ ssh-rsa/' "$configmap_yaml" + + # Add an "allow all" policy to the pod yaml file. + pod_yaml="${pod_config_dir}/pod-footloose.yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Footloose pod" { 
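Review bot: `add_allow_all_policy_to_yaml "${yaml_file}"` in setup() rewrites the fixture in place (tests_common.sh uses `yq write -i`), so the file under `${pod_config_dir}` carries the policy annotation after the first run; this is harmless if get_pod_config_dir points at a scratch copy (patch 01 references `runtimeclass_workloads_work/`, which suggests it does), but it would dirty the working tree if it ever points at the checked-in directory. A one-line comment such as `# Rewrites the work copy in place; no-op unless policy_tests_enabled.` would make the assumption explicit. The same applies to the equivalent setup() hunks in k8s-footloose.bats, k8s-inotify.bats, k8s-optional-empty-secret.bats, k8s-pod-quota.bats, k8s-projected-volume.bats, k8s-seccomp.bats, k8s-security-context.bats, k8s-sysctls.bats, k8s-measured-rootfs.bats and k8s-sandbox-vcpus-allocation.bats.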
@@ -33,7 +37,7 @@ setup() { kubectl create -f "$configmap_yaml" # Create pod - kubectl create -f "${pod_config_dir}/pod-footloose.yaml" + kubectl create -f "${pod_yaml}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" From bd45e948ccc338ec4b277b9099bfba6f2a68dd0f Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:24:18 +0000 Subject: [PATCH 05/17] tests: k8s-guest-pull-image.bats policy Use the "allow all" policy for k8s-guest-pull-image.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-guest-pull-image.bats | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/integration/kubernetes/k8s-guest-pull-image.bats b/tests/integration/kubernetes/k8s-guest-pull-image.bats index 7a7c5d7eba..329c868e1a 100644 --- a/tests/integration/kubernetes/k8s-guest-pull-image.bats +++ b/tests/integration/kubernetes/k8s-guest-pull-image.bats @@ -30,6 +30,7 @@ setup() { echo "Pod $runc_pod_config file:" cat $runc_pod_config + add_allow_all_policy_to_yaml "$runc_pod_config" k8s_create_pod "$runc_pod_config" echo "Runc pod test-e2e is running" @@ -49,6 +50,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" echo "Kata pod test-e2e with nydus annotation is running" @@ -93,6 +95,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" } @@ -113,6 +116,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" echo "Kata pod test-e2e with nydus annotation is running" 
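Review bot: The first k8s-guest-pull-image.bats hunk adds `add_allow_all_policy_to_yaml "$runc_pod_config"` to the runc pod as well as the Kata pods; the io.katacontainers.config.agent.policy annotation is presumably ignored by runc, so this is harmless but looks unintended and makes the test depend on yq even for the non-Kata pod. If the runc pod is meant to be a plain baseline, drop that one call or add a comment explaining why it is annotated too.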
@@ -134,6 +138,7 @@ setup() { echo "Pod $kata_pod_without_nydus_config file:" cat $kata_pod_without_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_without_nydus_config" k8s_create_pod "$kata_pod_without_nydus_config" echo "Kata pod test-e2e without nydus annotation is running" @@ -163,6 +168,7 @@ setup() { echo "Pod $kata_pod_without_nydus_config file:" cat $kata_pod_without_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_without_nydus_config" k8s_create_pod "$kata_pod_without_nydus_config" echo "Kata pod test-e2e without nydus annotation is running" @@ -189,6 +195,7 @@ setup() { echo "Pod $kata_pod_with_nydus_config file:" cat $kata_pod_with_nydus_config + add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config" echo "Kata pod test-e2e with nydus annotation is running" From 9af3e4cc4a9b2c7005c988fdc388330d5b7efa8e Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:25:27 +0000 Subject: [PATCH 06/17] tests: k8s-inotify.bats allow all policy Use the "allow all" policy for k8s-inotify.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-inotify.bats | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-inotify.bats b/tests/integration/kubernetes/k8s-inotify.bats index a06bf6774f..193cf99dc3 100644 --- a/tests/integration/kubernetes/k8s-inotify.bats +++ b/tests/integration/kubernetes/k8s-inotify.bats @@ -14,6 +14,9 @@ setup() { issue_url="https://github.com/kata-containers/kata-containers/issues/8906" [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" get_pod_config_dir + + pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "configmap update works, and preserves symlinks" { 
@@ -23,7 +26,7 @@ setup() { kubectl apply -f "${pod_config_dir}"/inotify-configmap.yaml # Create deployment that expects identity-certs - kubectl apply -f "${pod_config_dir}"/inotify-configmap-pod.yaml + kubectl apply -f "${pod_yaml}" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" # Update configmap From 2821326a7e3c0ccf892310ee4f65a78686d7195f Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:27:46 +0000 Subject: [PATCH 07/17] tests: k8s-liveness-probes.bats allow all policy Use the "allow all" policy for k8s-liveness-probes.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- .../kubernetes/k8s-liveness-probes.bats | 32 +++++++++++++++---- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/tests/integration/kubernetes/k8s-liveness-probes.bats b/tests/integration/kubernetes/k8s-liveness-probes.bats index 5c8a736e78..ea8d51c41e 100644 --- a/tests/integration/kubernetes/k8s-liveness-probes.bats +++ b/tests/integration/kubernetes/k8s-liveness-probes.bats @@ -19,8 +19,12 @@ setup() { @test "Liveness probe" { pod_name="liveness-exec" + yaml_file="${pod_config_dir}/probe-pod-liveness.yaml" + cp "${pod_config_dir}/pod-liveness.yaml" "${yaml_file}" + add_allow_all_policy_to_yaml "${yaml_file}" + # Create pod - kubectl create -f "${pod_config_dir}/pod-liveness.yaml" + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" 
@@ -36,10 +40,16 @@ setup() { @test "Liveness http probe" { pod_name="liveness-http" - # Create pod + # Create pod specification. + yaml_file="${pod_config_dir}/http-pod-liveness.yaml" + sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \ - "${pod_config_dir}/pod-http-liveness.yaml" |\ - kubectl create -f - + "${pod_config_dir}/pod-http-liveness.yaml" > "${yaml_file}" + + add_allow_all_policy_to_yaml "${yaml_file}" + + # Create pod + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" @@ -56,10 +66,16 @@ setup() { @test "Liveness tcp probe" { pod_name="tcptest" - # Create pod + # Create pod specification. + yaml_file="${pod_config_dir}/tcp-pod-liveness.yaml" + sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \ - "${pod_config_dir}/pod-tcp-liveness.yaml" |\ - kubectl create -f - + "${pod_config_dir}/pod-tcp-liveness.yaml" > "${yaml_file}" + + add_allow_all_policy_to_yaml "${yaml_file}" + + # Create pod + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" @@ -77,4 +93,6 @@ teardown() { kubectl describe "pod/$pod_name" kubectl delete pod "$pod_name" + + rm -f "${yaml_file}" } From e4ff6b1d91e25a5121ea3a02628570662f637db5 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:31:37 +0000 Subject: [PATCH 08/17] tests: k8s-measured-rootfs.bats allow all policy Use the "allow all" policy for k8s-measured-rootfs.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-measured-rootfs.bats | 3 +++ 1 file changed, 3 insertions(+) diff --git a/tests/integration/kubernetes/k8s-measured-rootfs.bats b/tests/integration/kubernetes/k8s-measured-rootfs.bats index a98f96c6a8..cee9466926 100644 --- a/tests/integration/kubernetes/k8s-measured-rootfs.bats 
+++ b/tests/integration/kubernetes/k8s-measured-rootfs.bats @@ -41,6 +41,9 @@ teardown() { # Run on a specific node so we know from where to inspect the logs set_node "$pod_config" "$node" + # Add an "allow all" policy if policy testing is enabled. + add_allow_all_policy_to_yaml "$pod_config" + # For debug sake echo "Pod $pod_config file:" cat $pod_config From ba23758a423eda317458b4db0e5d943c63764042 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:32:35 +0000 Subject: [PATCH 09/17] tests: k8s-optional-empty-secret.bats policy Use the "allow all" policy for k8s-optional-empty-secret.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-optional-empty-secret.bats | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-optional-empty-secret.bats b/tests/integration/kubernetes/k8s-optional-empty-secret.bats index 9586034167..ad98b6c3f3 100644 --- a/tests/integration/kubernetes/k8s-optional-empty-secret.bats +++ b/tests/integration/kubernetes/k8s-optional-empty-secret.bats @@ -10,6 +10,9 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { get_pod_config_dir + + pod_yaml="${pod_config_dir}/pod-optional-empty-secret.yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Optional and Empty Secret Volume for a pod" { @@ -20,7 +23,7 @@ setup() { kubectl create secret generic "$secret_name" # Create a pod that consumes the "empty-secret" and "optional-missing-secret" Secrets as volumes - kubectl create -f "${pod_config_dir}/pod-optional-empty-secret.yaml" + kubectl create -f "${pod_yaml}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" From 3f94e2ee1b9c971e88b122f12f36031f4f2cb8be Mon Sep 17 00:00:00 2001 
From: Dan Mihai Date: Tue, 2 Apr 2024 19:33:58 +0000 Subject: [PATCH 10/17] tests: k8s-pod-quota.bats allow all policy Use the "allow all" policy for k8s-pod-quota.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-pod-quota.bats | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/k8s-pod-quota.bats b/tests/integration/kubernetes/k8s-pod-quota.bats index f74d8a595c..2d7f26ee3b 100644 --- a/tests/integration/kubernetes/k8s-pod-quota.bats +++ b/tests/integration/kubernetes/k8s-pod-quota.bats @@ -11,6 +11,9 @@ setup() { [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: https://github.com/kata-containers/kata-containers/issues/7873" get_pod_config_dir + + deployment_yaml="${pod_config_dir}/pod-quota-deployment.yaml" + add_allow_all_policy_to_yaml "${deployment_yaml}" } @test "Pod quota" { @@ -25,7 +28,7 @@ setup() { --output=yaml | grep 'pods: "2"' # Create deployment - kubectl create -f "${pod_config_dir}/pod-quota-deployment.yaml" + kubectl create -f "${deployment_yaml}" # View deployment kubectl wait --for=condition=Available --timeout=$timeout \ @@ -39,6 +42,6 @@ teardown() { kubectl describe deployment ${deployment_name} # Clean-up - kubectl delete -f "${pod_config_dir}/pod-quota-deployment.yaml" + kubectl delete -f "${deployment_yaml}" kubectl delete -f "${pod_config_dir}/resource-quota.yaml" } From 543e40b80c1ff40815b1b51c9a0bcf4e25bddae0 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:35:49 +0000 Subject: [PATCH 11/17] tests: k8s-projected-volume.bats allow all policy Use the "allow all" policy for k8s-projected-volume.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-projected-volume.bats | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) 
diff --git a/tests/integration/kubernetes/k8s-projected-volume.bats b/tests/integration/kubernetes/k8s-projected-volume.bats index 87160eeb50..5d9f336a79 100644 --- a/tests/integration/kubernetes/k8s-projected-volume.bats +++ b/tests/integration/kubernetes/k8s-projected-volume.bats @@ -13,6 +13,9 @@ setup() { [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" get_pod_config_dir + + pod_yaml="${pod_config_dir}/pod-projected-volume.yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Projected volume" { @@ -32,7 +35,7 @@ setup() { kubectl create secret generic pass --from-file=$SECOND_TMP_FILE # Create pod - kubectl create -f "${pod_config_dir}/pod-projected-volume.yaml" + kubectl create -f "${pod_yaml}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" From 02a050b47ef2a74661c1efdbddcc556691fad442 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:37:34 +0000 Subject: [PATCH 12/17] tests: k8s-seccomp.bats allow all policy Use the "allow all" policy for k8s-seccomp.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-seccomp.bats | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/k8s-seccomp.bats b/tests/integration/kubernetes/k8s-seccomp.bats index c6a840cb3c..20d219dbdc 100644 --- a/tests/integration/kubernetes/k8s-seccomp.bats +++ b/tests/integration/kubernetes/k8s-seccomp.bats 
@@ -10,12 +10,15 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { pod_name="seccomp-container" get_pod_config_dir + + yaml_file="${pod_config_dir}/pod-seccomp.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Support seccomp runtime/default profile" { expected_seccomp_mode="2" # Create pod - kubectl create -f "${pod_config_dir}/pod-seccomp.yaml" + kubectl create -f "${yaml_file}" # Wait it to complete cmd="kubectl get pods ${pod_name} | grep Completed" @@ -31,5 +34,5 @@ teardown() { echo "seccomp mode is ${seccomp_mode}, expected $expected_seccomp_mode" kubectl describe "pod/${pod_name}" - kubectl delete -f "${pod_config_dir}/pod-seccomp.yaml" || true + kubectl delete -f "${yaml_file}" || true } From 839993f245664ebaf758a407c10029678e33edae Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:38:20 +0000 Subject: [PATCH 13/17] tests: k8s-security-context.bats allow all policy Use the "allow all" policy for k8s-security-context.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-security-context.bats | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-security-context.bats b/tests/integration/kubernetes/k8s-security-context.bats index a8f9d7ba9e..9bbf53be41 100644 --- a/tests/integration/kubernetes/k8s-security-context.bats +++ b/tests/integration/kubernetes/k8s-security-context.bats @@ -10,13 +10,16 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { get_pod_config_dir + + yaml_file="${pod_config_dir}/pod-security-context.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Security context" { pod_name="security-context-test" # Create pod - kubectl create -f "${pod_config_dir}/pod-security-context.yaml" + kubectl create -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" 
From 04085d8442187a32acdcd25ba98fe7ea4b753ab7 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:39:13 +0000 Subject: [PATCH 14/17] tests: k8s-sysctls.bats allow all policy Use the "allow all" policy for k8s-sysctls.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-sysctls.bats | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/tests/integration/kubernetes/k8s-sysctls.bats b/tests/integration/kubernetes/k8s-sysctls.bats index aca6c50d1a..cea2b9fb47 100644 --- a/tests/integration/kubernetes/k8s-sysctls.bats +++ b/tests/integration/kubernetes/k8s-sysctls.bats @@ -11,11 +11,14 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh" setup() { pod_name="sysctl-test" get_pod_config_dir + + yaml_file="${pod_config_dir}/pod-sysctl.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Setting sysctl" { # Create pod - kubectl apply -f "${pod_config_dir}/pod-sysctl.yaml" + kubectl apply -f "${yaml_file}" # Check pod creation kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name From 5dcf64ef34520f55a3b82ab116094fed093c27cb Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:40:07 +0000 Subject: [PATCH 15/17] tests: k8s-volume.bats allow all policy Use the "allow all" policy for k8s-volume.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- tests/integration/kubernetes/k8s-volume.bats | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/integration/kubernetes/k8s-volume.bats b/tests/integration/kubernetes/k8s-volume.bats index 7bb69f95d1..4178f8b1e1 100644 --- a/tests/integration/kubernetes/k8s-volume.bats +++ b/tests/integration/kubernetes/k8s-volume.bats 
@@ -26,6 +26,7 @@ setup() { sed -e "s|tmp_data|${tmp_file}|g" ${pod_config_dir}/pv-volume.yaml > "$pv_yaml" sed -e "s|NODE|${node}|g" "${pod_config_dir}/pv-pod.yaml" > "$pod_yaml" + add_allow_all_policy_to_yaml "${pod_yaml}" } @test "Create Persistent Volume" { From 4211d93b876a77cde6f4fababfdfb6abd5168406 Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:41:21 +0000 Subject: [PATCH 16/17] tests: k8s-nginx-connectivity.bats policy Use the "allow all" policy for k8s-nginx-connectivity.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- .../kubernetes/k8s-nginx-connectivity.bats | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/tests/integration/kubernetes/k8s-nginx-connectivity.bats b/tests/integration/kubernetes/k8s-nginx-connectivity.bats index bc7271dc86..73c4426fb3 100644 --- a/tests/integration/kubernetes/k8s-nginx-connectivity.bats +++ b/tests/integration/kubernetes/k8s-nginx-connectivity.bats @@ -15,15 +15,19 @@ setup() { deployment="nginx-deployment" get_pod_config_dir + + # Create test .yaml + yaml_file="${pod_config_dir}/test-${deployment}.yaml" + + sed -e "s/\${nginx_version}/${nginx_image}/" \ + "${pod_config_dir}/${deployment}.yaml" > "${yaml_file}" + + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Verify nginx connectivity between pods" { - # Create test .yaml - sed -e "s/\${nginx_version}/${nginx_image}/" \ - "${pod_config_dir}/${deployment}.yaml" > "${pod_config_dir}/test-${deployment}.yaml" - - kubectl create -f "${pod_config_dir}/test-${deployment}.yaml" + kubectl create -f "${yaml_file}" kubectl wait --for=condition=Available --timeout=$timeout deployment/${deployment} kubectl expose deployment/${deployment} 
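Review bot: The sed expression moved into setup() in k8s-nginx-connectivity.bats, `sed -e "s/\${nginx_version}/${nginx_image}/"`, uses `/` as the substitution delimiter while interpolating `${nginx_image}`; if that value ever carries a registry path (e.g. a `docker.io/library/...` style reference) the expression breaks. k8s-liveness-probes.bats in this same series uses `#` as the delimiter for the analogous agnhost substitution; using the same here, `sed -e "s#\${nginx_version}#${nginx_image}#"`, keeps the two consistent and robust.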
@@ -46,7 +50,7 @@ teardown() { kubectl get service/${deployment} -o yaml kubectl get endpoints/${deployment} -o yaml - rm -f "${pod_config_dir}/test-${deployment}.yaml" + rm -f "${yaml_file}" kubectl delete deployment "$deployment" kubectl delete service "$deployment" kubectl delete pod "$busybox_pod" From f800bd86f66128dcbff84283c242b8b2ba24a75f Mon Sep 17 00:00:00 2001 From: Dan Mihai Date: Tue, 2 Apr 2024 19:52:36 +0000 Subject: [PATCH 17/17] tests: k8s-sandbox-vcpus-allocation.bats policy Use the "allow all" policy for k8s-sandbox-vcpus-allocation.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai --- .../kubernetes/k8s-sandbox-vcpus-allocation.bats | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats b/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats index 0b0d7678e7..8f18c0adee 100644 --- a/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats +++ b/tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats @@ -15,11 +15,14 @@ setup() { get_pod_config_dir pods=( "vcpus-less-than-one-with-no-limits" "vcpus-less-than-one-with-limits" "vcpus-more-than-one-with-limits" ) expected_vcpus=( 1 1 2 ) + + yaml_file="${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" + add_allow_all_policy_to_yaml "${yaml_file}" } @test "Check the number vcpus are correctly allocated to the sandbox" { # Create the pods - kubectl create -f "${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" + kubectl create -f "${yaml_file}" # Wait for completion kubectl wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=$timeout pod --all @@ -38,5 +41,5 @@ teardown() { kubectl logs ${pod} done - kubectl delete -f "${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" + kubectl delete -f "${yaml_file}" }