github/kata-containers
1
0
Fork 1
mirror of https://github.com/kata-containers/kata-containers.git synced 2025-07-05 19:47:53 +00:00
Code Issues Projects Releases Wiki Activity

Merge pull request #9398 from microsoft/danmihai1/policy-test-cleanup

Browse Source 
tests: k8s: improve the Agent Policy tests
This commit is contained in:
Dan Mihai 2024-04-08 15:37:07 -07:00 committed by GitHub
commit f60c9eaec3
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
19 changed files with 155 additions and 107 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
tests/integration/kubernetes/k8s-empty-dirs.bats
View File

@ -21,11 +21,14 @@ setup() {
pod_name="sharevol-kata" pod_name="sharevol-kata"
get_pod_config_dir get_pod_config_dir
pod_logs_file="" pod_logs_file=""
yaml_file="${pod_config_dir}/pod-empty-dir.yaml"
add_allow_all_policy_to_yaml "${yaml_file}"
} }
@test "Empty dir volumes" { @test "Empty dir volumes" {
# Create the pod # Create the pod
kubectl create -f "${pod_config_dir}/pod-empty-dir.yaml" kubectl create -f "${yaml_file}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

4
tests/integration/kubernetes/k8s-exec-rejected.bats
View File

@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/tests_common.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
policy_tests_enabled || skip "Policy tests are disabled."
get_pod_config_dir get_pod_config_dir
pod_name="policy-exec-rejected" pod_name="policy-exec-rejected"
pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml" pod_yaml="${pod_config_dir}/k8s-policy-exec-rejected.yaml"
@ -36,6 +38,8 @@ setup() {
} }
teardown() { teardown() {
policy_tests_enabled || skip "Policy tests are disabled."
# Debugging information # Debugging information
kubectl describe "pod/$pod_name" kubectl describe "pod/$pod_name"

6
tests/integration/kubernetes/k8s-footloose.bats
View File

@ -23,6 +23,10 @@ setup() {
sed -e "/\${ssh_key}/r ${public_key_path}" -e "/\${ssh_key}/d" \ sed -e "/\${ssh_key}/r ${public_key_path}" -e "/\${ssh_key}/d" \
"${pod_config_dir}/footloose-configmap.yaml" > "$configmap_yaml" "${pod_config_dir}/footloose-configmap.yaml" > "$configmap_yaml"
sed -i 's/ssh-rsa/ ssh-rsa/' "$configmap_yaml" sed -i 's/ssh-rsa/ ssh-rsa/' "$configmap_yaml"
# Add an "allow all" policy to the pod yaml file.
pod_yaml="${pod_config_dir}/pod-footloose.yaml"
add_allow_all_policy_to_yaml "${pod_yaml}"
} }
@test "Footloose pod" { @test "Footloose pod" {
@ -33,7 +37,7 @@ setup() {
kubectl create -f "$configmap_yaml" kubectl create -f "$configmap_yaml"
# Create pod # Create pod
kubectl create -f "${pod_config_dir}/pod-footloose.yaml" kubectl create -f "${pod_yaml}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

7
tests/integration/kubernetes/k8s-guest-pull-image.bats
View File

@ -30,6 +30,7 @@ setup() {
echo "Pod $runc_pod_config file:" echo "Pod $runc_pod_config file:"
cat $runc_pod_config cat $runc_pod_config
add_allow_all_policy_to_yaml "$runc_pod_config"
k8s_create_pod "$runc_pod_config" k8s_create_pod "$runc_pod_config"
echo "Runc pod test-e2e is running" echo "Runc pod test-e2e is running"
@ -49,6 +50,7 @@ setup() {
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config"
k8s_create_pod "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config"
echo "Kata pod test-e2e with nydus annotation is running" echo "Kata pod test-e2e with nydus annotation is running"
@ -93,6 +95,7 @@ setup() {
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config"
k8s_create_pod "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config"
} }
@ -113,6 +116,7 @@ setup() {
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config"
k8s_create_pod "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config"
echo "Kata pod test-e2e with nydus annotation is running" echo "Kata pod test-e2e with nydus annotation is running"
@ -134,6 +138,7 @@ setup() {
echo "Pod $kata_pod_without_nydus_config file:" echo "Pod $kata_pod_without_nydus_config file:"
cat $kata_pod_without_nydus_config cat $kata_pod_without_nydus_config
add_allow_all_policy_to_yaml "$kata_pod_without_nydus_config"
k8s_create_pod "$kata_pod_without_nydus_config" k8s_create_pod "$kata_pod_without_nydus_config"
echo "Kata pod test-e2e without nydus annotation is running" echo "Kata pod test-e2e without nydus annotation is running"
@ -163,6 +168,7 @@ setup() {
echo "Pod $kata_pod_without_nydus_config file:" echo "Pod $kata_pod_without_nydus_config file:"
cat $kata_pod_without_nydus_config cat $kata_pod_without_nydus_config
add_allow_all_policy_to_yaml "$kata_pod_without_nydus_config"
k8s_create_pod "$kata_pod_without_nydus_config" k8s_create_pod "$kata_pod_without_nydus_config"
echo "Kata pod test-e2e without nydus annotation is running" echo "Kata pod test-e2e without nydus annotation is running"
@ -189,6 +195,7 @@ setup() {
echo "Pod $kata_pod_with_nydus_config file:" echo "Pod $kata_pod_with_nydus_config file:"
cat $kata_pod_with_nydus_config cat $kata_pod_with_nydus_config
add_allow_all_policy_to_yaml "$kata_pod_with_nydus_config"
k8s_create_pod "$kata_pod_with_nydus_config" k8s_create_pod "$kata_pod_with_nydus_config"
echo "Kata pod test-e2e with nydus annotation is running" echo "Kata pod test-e2e with nydus annotation is running"

5
tests/integration/kubernetes/k8s-inotify.bats
View File

@ -14,6 +14,9 @@ setup() {
issue_url="https://github.com/kata-containers/kata-containers/issues/8906" issue_url="https://github.com/kata-containers/kata-containers/issues/8906"
[ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})" [ "${KATA_HYPERVISOR}" == "qemu-se" ] && skip "test not working for IBM Z LPAR (see ${issue_url})"
get_pod_config_dir get_pod_config_dir
pod_yaml="${pod_config_dir}"/inotify-configmap-pod.yaml
add_allow_all_policy_to_yaml "${pod_yaml}"
} }
@test "configmap update works, and preserves symlinks" { @test "configmap update works, and preserves symlinks" {
@ -23,7 +26,7 @@ setup() {
kubectl apply -f "${pod_config_dir}"/inotify-configmap.yaml kubectl apply -f "${pod_config_dir}"/inotify-configmap.yaml
# Create deployment that expects identity-certs # Create deployment that expects identity-certs
kubectl apply -f "${pod_config_dir}"/inotify-configmap-pod.yaml kubectl apply -f "${pod_yaml}"
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
# Update configmap # Update configmap

32
tests/integration/kubernetes/k8s-liveness-probes.bats
View File

@ -19,8 +19,12 @@ setup() {
@test "Liveness probe" { @test "Liveness probe" {
pod_name="liveness-exec" pod_name="liveness-exec"
yaml_file="${pod_config_dir}/probe-pod-liveness.yaml"
cp "${pod_config_dir}/pod-liveness.yaml" "${yaml_file}"
add_allow_all_policy_to_yaml "${yaml_file}"
# Create pod # Create pod
kubectl create -f "${pod_config_dir}/pod-liveness.yaml" kubectl create -f "${yaml_file}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
@ -36,10 +40,16 @@ setup() {
@test "Liveness http probe" { @test "Liveness http probe" {
pod_name="liveness-http" pod_name="liveness-http"
# Create pod # Create pod specification.
yaml_file="${pod_config_dir}/http-pod-liveness.yaml"
sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \ sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \
"${pod_config_dir}/pod-http-liveness.yaml" |\ "${pod_config_dir}/pod-http-liveness.yaml" > "${yaml_file}"
kubectl create -f -
add_allow_all_policy_to_yaml "${yaml_file}"
# Create pod
kubectl create -f "${yaml_file}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
@ -56,10 +66,16 @@ setup() {
@test "Liveness tcp probe" { @test "Liveness tcp probe" {
pod_name="tcptest" pod_name="tcptest"
# Create pod # Create pod specification.
yaml_file="${pod_config_dir}/tcp-pod-liveness.yaml"
sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \ sed -e "s#\${agnhost_image}#${agnhost_name}:${agnhost_version}#" \
"${pod_config_dir}/pod-tcp-liveness.yaml" |\ "${pod_config_dir}/pod-tcp-liveness.yaml" > "${yaml_file}"
kubectl create -f -
add_allow_all_policy_to_yaml "${yaml_file}"
# Create pod
kubectl create -f "${yaml_file}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"
@ -77,4 +93,6 @@ teardown() {
kubectl describe "pod/$pod_name" kubectl describe "pod/$pod_name"
kubectl delete pod "$pod_name" kubectl delete pod "$pod_name"
rm -f "${yaml_file}"
} }

3
tests/integration/kubernetes/k8s-measured-rootfs.bats
View File

@ -41,6 +41,9 @@ teardown() {
# Run on a specific node so we know from where to inspect the logs # Run on a specific node so we know from where to inspect the logs
set_node "$pod_config" "$node" set_node "$pod_config" "$node"
# Add an "allow all" policy if policy testing is enabled.
add_allow_all_policy_to_yaml "$pod_config"
# For debug sake # For debug sake
echo "Pod $pod_config file:" echo "Pod $pod_config file:"
cat $pod_config cat $pod_config

16
tests/integration/kubernetes/k8s-nginx-connectivity.bats
View File

@ -15,15 +15,19 @@ setup() {
deployment="nginx-deployment" deployment="nginx-deployment"
get_pod_config_dir get_pod_config_dir
# Create test .yaml
yaml_file="${pod_config_dir}/test-${deployment}.yaml"
sed -e "s/\${nginx_version}/${nginx_image}/" \
"${pod_config_dir}/${deployment}.yaml" > "${yaml_file}"
add_allow_all_policy_to_yaml "${yaml_file}"
} }
@test "Verify nginx connectivity between pods" { @test "Verify nginx connectivity between pods" {
# Create test .yaml kubectl create -f "${yaml_file}"
sed -e "s/\${nginx_version}/${nginx_image}/" \
"${pod_config_dir}/${deployment}.yaml" > "${pod_config_dir}/test-${deployment}.yaml"
kubectl create -f "${pod_config_dir}/test-${deployment}.yaml"
kubectl wait --for=condition=Available --timeout=$timeout deployment/${deployment} kubectl wait --for=condition=Available --timeout=$timeout deployment/${deployment}
kubectl expose deployment/${deployment} kubectl expose deployment/${deployment}
@ -46,7 +50,7 @@ teardown() {
kubectl get service/${deployment} -o yaml kubectl get service/${deployment} -o yaml
kubectl get endpoints/${deployment} -o yaml kubectl get endpoints/${deployment} -o yaml
rm -f "${pod_config_dir}/test-${deployment}.yaml" rm -f "${yaml_file}"
kubectl delete deployment "$deployment" kubectl delete deployment "$deployment"
kubectl delete service "$deployment" kubectl delete service "$deployment"
kubectl delete pod "$busybox_pod" kubectl delete pod "$busybox_pod"

5
tests/integration/kubernetes/k8s-optional-empty-secret.bats
View File

@ -10,6 +10,9 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
get_pod_config_dir get_pod_config_dir
pod_yaml="${pod_config_dir}/pod-optional-empty-secret.yaml"
add_allow_all_policy_to_yaml "${pod_yaml}"
} }
@test "Optional and Empty Secret Volume for a pod" { @test "Optional and Empty Secret Volume for a pod" {
@ -20,7 +23,7 @@ setup() {
kubectl create secret generic "$secret_name" kubectl create secret generic "$secret_name"
# Create a pod that consumes the "empty-secret" and "optional-missing-secret" Secrets as volumes # Create a pod that consumes the "empty-secret" and "optional-missing-secret" Secrets as volumes
kubectl create -f "${pod_config_dir}/pod-optional-empty-secret.yaml" kubectl create -f "${pod_yaml}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

7
tests/integration/kubernetes/k8s-pod-quota.bats
View File

@ -11,6 +11,9 @@ setup() {
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: https://github.com/kata-containers/kata-containers/issues/7873" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: https://github.com/kata-containers/kata-containers/issues/7873"
get_pod_config_dir get_pod_config_dir
deployment_yaml="${pod_config_dir}/pod-quota-deployment.yaml"
add_allow_all_policy_to_yaml "${deployment_yaml}"
} }
@test "Pod quota" { @test "Pod quota" {
@ -25,7 +28,7 @@ setup() {
--output=yaml | grep 'pods: "2"' --output=yaml | grep 'pods: "2"'
# Create deployment # Create deployment
kubectl create -f "${pod_config_dir}/pod-quota-deployment.yaml" kubectl create -f "${deployment_yaml}"
# View deployment # View deployment
kubectl wait --for=condition=Available --timeout=$timeout \ kubectl wait --for=condition=Available --timeout=$timeout \
@ -39,6 +42,6 @@ teardown() {
kubectl describe deployment ${deployment_name} kubectl describe deployment ${deployment_name}
# Clean-up # Clean-up
kubectl delete -f "${pod_config_dir}/pod-quota-deployment.yaml" kubectl delete -f "${deployment_yaml}"
kubectl delete -f "${pod_config_dir}/resource-quota.yaml" kubectl delete -f "${pod_config_dir}/resource-quota.yaml"
} }

4
tests/integration/kubernetes/k8s-policy-set-keys.bats
View File

@ -9,6 +9,8 @@ load "${BATS_TEST_DIRNAME}/../../common.bash"
load "${BATS_TEST_DIRNAME}/tests_common.sh" load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
policy_tests_enabled || skip "Policy tests are disabled."
get_pod_config_dir get_pod_config_dir
pod_name="set-keys-test" pod_name="set-keys-test"
pod_yaml="${pod_config_dir}/k8s-policy-set-keys.yaml" pod_yaml="${pod_config_dir}/k8s-policy-set-keys.yaml"
@ -35,6 +37,8 @@ setup() {
} }
teardown() { teardown() {
policy_tests_enabled || skip "Policy tests are disabled."
# Debugging information # Debugging information
kubectl describe "pod/$pod_name" kubectl describe "pod/$pod_name"

5
tests/integration/kubernetes/k8s-projected-volume.bats
View File

@ -13,6 +13,9 @@ setup() {
[ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}" [ "${KATA_HYPERVISOR}" == "fc" ] && skip "test not working see: ${fc_limitations}"
get_pod_config_dir get_pod_config_dir
pod_yaml="${pod_config_dir}/pod-projected-volume.yaml"
add_allow_all_policy_to_yaml "${pod_yaml}"
} }
@test "Projected volume" { @test "Projected volume" {
@ -32,7 +35,7 @@ setup() {
kubectl create secret generic pass --from-file=$SECOND_TMP_FILE kubectl create secret generic pass --from-file=$SECOND_TMP_FILE
# Create pod # Create pod
kubectl create -f "${pod_config_dir}/pod-projected-volume.yaml" kubectl create -f "${pod_yaml}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

7
tests/integration/kubernetes/k8s-sandbox-vcpus-allocation.bats
View File

@ -15,11 +15,14 @@ setup() {
get_pod_config_dir get_pod_config_dir
pods=( "vcpus-less-than-one-with-no-limits" "vcpus-less-than-one-with-limits" "vcpus-more-than-one-with-limits" ) pods=( "vcpus-less-than-one-with-no-limits" "vcpus-less-than-one-with-limits" "vcpus-more-than-one-with-limits" )
expected_vcpus=( 1 1 2 ) expected_vcpus=( 1 1 2 )
yaml_file="${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml"
add_allow_all_policy_to_yaml "${yaml_file}"
} }
@test "Check the number vcpus are correctly allocated to the sandbox" { @test "Check the number vcpus are correctly allocated to the sandbox" {
# Create the pods # Create the pods
kubectl create -f "${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" kubectl create -f "${yaml_file}"
# Wait for completion # Wait for completion
kubectl wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=$timeout pod --all kubectl wait --for=jsonpath='{.status.phase}'=Succeeded --timeout=$timeout pod --all
@ -38,5 +41,5 @@ teardown() {
kubectl logs ${pod} kubectl logs ${pod}
done done
kubectl delete -f "${pod_config_dir}/pod-sandbox-vcpus-allocation.yaml" kubectl delete -f "${yaml_file}"
} }

7
tests/integration/kubernetes/k8s-seccomp.bats
View File

@ -10,12 +10,15 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
pod_name="seccomp-container" pod_name="seccomp-container"
get_pod_config_dir get_pod_config_dir
yaml_file="${pod_config_dir}/pod-seccomp.yaml"
add_allow_all_policy_to_yaml "${yaml_file}"
} }
@test "Support seccomp runtime/default profile" { @test "Support seccomp runtime/default profile" {
expected_seccomp_mode="2" expected_seccomp_mode="2"
# Create pod # Create pod
kubectl create -f "${pod_config_dir}/pod-seccomp.yaml" kubectl create -f "${yaml_file}"
# Wait it to complete # Wait it to complete
cmd="kubectl get pods ${pod_name} | grep Completed" cmd="kubectl get pods ${pod_name} | grep Completed"
@ -31,5 +34,5 @@ teardown() {
echo "seccomp mode is ${seccomp_mode}, expected $expected_seccomp_mode" echo "seccomp mode is ${seccomp_mode}, expected $expected_seccomp_mode"
kubectl describe "pod/${pod_name}" kubectl describe "pod/${pod_name}"
kubectl delete -f "${pod_config_dir}/pod-seccomp.yaml" || true kubectl delete -f "${yaml_file}" || true
} }

5
tests/integration/kubernetes/k8s-security-context.bats
View File

@ -10,13 +10,16 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
get_pod_config_dir get_pod_config_dir
yaml_file="${pod_config_dir}/pod-security-context.yaml"
add_allow_all_policy_to_yaml "${yaml_file}"
} }
@test "Security context" { @test "Security context" {
pod_name="security-context-test" pod_name="security-context-test"
# Create pod # Create pod
kubectl create -f "${pod_config_dir}/pod-security-context.yaml" kubectl create -f "${yaml_file}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name" kubectl wait --for=condition=Ready --timeout=$timeout pod "$pod_name"

5
tests/integration/kubernetes/k8s-sysctls.bats
View File

@ -11,11 +11,14 @@ load "${BATS_TEST_DIRNAME}/tests_common.sh"
setup() { setup() {
pod_name="sysctl-test" pod_name="sysctl-test"
get_pod_config_dir get_pod_config_dir
yaml_file="${pod_config_dir}/pod-sysctl.yaml"
add_allow_all_policy_to_yaml "${yaml_file}"
} }
@test "Setting sysctl" { @test "Setting sysctl" {
# Create pod # Create pod
kubectl apply -f "${pod_config_dir}/pod-sysctl.yaml" kubectl apply -f "${yaml_file}"
# Check pod creation # Check pod creation
kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name kubectl wait --for=condition=Ready --timeout=$timeout pod $pod_name

1
tests/integration/kubernetes/k8s-volume.bats
View File

@ -26,6 +26,7 @@ setup() {
sed -e "s|tmp_data|${tmp_file}|g" ${pod_config_dir}/pv-volume.yaml > "$pv_yaml" sed -e "s|tmp_data|${tmp_file}|g" ${pod_config_dir}/pv-volume.yaml > "$pv_yaml"
sed -e "s|NODE|${node}|g" "${pod_config_dir}/pv-pod.yaml" > "$pod_yaml" sed -e "s|NODE|${node}|g" "${pod_config_dir}/pv-pod.yaml" > "$pod_yaml"
add_allow_all_policy_to_yaml "${pod_yaml}"
} }
@test "Create Persistent Volume" { @test "Create Persistent Volume" {

90
tests/integration/kubernetes/run_kubernetes_tests.sh
View File

@ -15,8 +15,6 @@ KATA_HYPERVISOR="${KATA_HYPERVISOR:-qemu}"
K8S_TEST_DEBUG="${K8S_TEST_DEBUG:-false}" K8S_TEST_DEBUG="${K8S_TEST_DEBUG:-false}"
K8S_TEST_HOST_TYPE="${K8S_TEST_HOST_TYPE:-small}" K8S_TEST_HOST_TYPE="${K8S_TEST_HOST_TYPE:-small}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 runtimeclass_workloads_work/allow-all.rego)}"
if [ -n "${K8S_TEST_UNION:-}" ]; then if [ -n "${K8S_TEST_UNION:-}" ]; then
K8S_TEST_UNION=($K8S_TEST_UNION) K8S_TEST_UNION=($K8S_TEST_UNION)
else else
@ -38,6 +36,7 @@ else
"k8s-empty-dirs.bats" \ "k8s-empty-dirs.bats" \
"k8s-env.bats" \ "k8s-env.bats" \
"k8s-exec.bats" \ "k8s-exec.bats" \
"k8s-exec-rejected.bats" \
"k8s-file-volume.bats" \ "k8s-file-volume.bats" \
"k8s-inotify.bats" \ "k8s-inotify.bats" \
"k8s-job.bats" \ "k8s-job.bats" \
@ -52,6 +51,7 @@ else
"k8s-optional-empty-secret.bats" \ "k8s-optional-empty-secret.bats" \
"k8s-pid-ns.bats" \ "k8s-pid-ns.bats" \
"k8s-pod-quota.bats" \ "k8s-pod-quota.bats" \
"k8s-policy-set-keys.bats" \
"k8s-port-forward.bats" \ "k8s-port-forward.bats" \
"k8s-projected-volume.bats" \ "k8s-projected-volume.bats" \
"k8s-qos-pods.bats" \ "k8s-qos-pods.bats" \
@ -89,77 +89,6 @@ else
esac esac
fi fi
policy_tests_enabled() {
# The Guest images for these platforms have been built using AGENT_POLICY=yes -
# see kata-deploy-binaries.sh.
[ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ]
}
add_policy_to_yaml() {
local yaml_file="$1"
local resource_kind="$(yq read ${yaml_file} kind)"
case "${resource_kind}" in
Pod)
echo "Adding policy to ${resource_kind} from ${yaml_file}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \
'metadata.annotations."io.katacontainers.config.agent.policy"' \
"${ALLOW_ALL_POLICY}"
;;
Deployment|Job|ReplicationController)
echo "Adding policy to ${resource_kind} from ${yaml_file}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${K8S_TEST_YAML}" \
'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \
"${ALLOW_ALL_POLICY}"
;;
List)
echo "Issue #7765: adding policy to ${resource_kind} from ${yaml_file} is not implemented yet"
;;
ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service)
echo "Policy is not required for ${resource_kind} from ${yaml_file}"
;;
*)
echo "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing"
return 1
;;
esac
}
add_policy_to_successful_tests() {
info "Add policy to test YAML files"
for K8S_TEST_YAML in runtimeclass_workloads_work/*.yaml
do
add_policy_to_yaml "${K8S_TEST_YAML}"
done
}
test_successful_actions() {
info "Test actions that must be successful"
for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]}
do
info "$(kubectl get pods --all-namespaces 2>&1)"
info "Executing ${K8S_TEST_ENTRY}"
bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}"
done
}
run_policy_specific_tests() {
info "$(kubectl get pods --all-namespaces 2>&1)"
info "Executing k8s-exec-rejected.bats"
bats --show-output-of-passing-tests k8s-exec-rejected.bats
info "$(kubectl get pods --all-namespaces 2>&1)"
info "Executing k8s-policy-set-keys.bats"
bats --show-output-of-passing-tests k8s-policy-set-keys.bats
}
# we may need to skip a few test cases when running on non-x86_64 arch # we may need to skip a few test cases when running on non-x86_64 arch
arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml" arch_config_file="${kubernetes_dir}/filter_out_per_arch/${TARGET_ARCH}.yaml"
if [ -f "${arch_config_file}" ]; then if [ -f "${arch_config_file}" ]; then
@ -167,12 +96,11 @@ if [ -f "${arch_config_file}" ]; then
mapfile -d " " -t K8S_TEST_UNION <<< "${arch_k8s_test_union}" mapfile -d " " -t K8S_TEST_UNION <<< "${arch_k8s_test_union}"
fi fi
if policy_tests_enabled; then ensure_yq
ensure_yq
run_policy_specific_tests
add_policy_to_successful_tests
else
info "Policy tests are disabled on this platform"
fi
test_successful_actions for K8S_TEST_ENTRY in ${K8S_TEST_UNION[@]}
do
info "$(kubectl get pods --all-namespaces 2>&1)"
info "Executing ${K8S_TEST_ENTRY}"
bats --show-output-of-passing-tests "${K8S_TEST_ENTRY}"
done

48
tests/integration/kubernetes/tests_common.sh
View File

@ -33,6 +33,10 @@ dragonball_limitations="https://github.com/kata-containers/kata-containers/issue
# overwrite it. # overwrite it.
export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}" export KUBECONFIG="${KUBECONFIG:-$HOME/.kube/config}"
# ALLOW_ALL_POLICY is a Rego policy that allows all the Agent ttrpc requests.
K8S_TEST_DIR="${kubernetes_dir:-"${BATS_TEST_DIRNAME}"}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY:-$(base64 -w 0 "${K8S_TEST_DIR}/../../../src/kata-opa/allow-all.rego")}"
# Common setup for tests. # Common setup for tests.
# #
# Global variables exported: # Global variables exported:
@ -252,3 +256,47 @@ set_namespace_to_policy_settings() {
"${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/new-genpolicy-settings.json"
mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json" mv "${settings_dir}/new-genpolicy-settings.json" "${settings_dir}/genpolicy-settings.json"
} }
policy_tests_enabled() {
# The Guest images for these platforms have been built using AGENT_POLICY=yes -
# see kata-deploy-binaries.sh.
[ "${KATA_HYPERVISOR}" == "qemu-sev" ] || [ "${KATA_HYPERVISOR}" == "qemu-snp" ] || \
[ "${KATA_HYPERVISOR}" == "qemu-tdx" ] || [ "${KATA_HOST_OS}" == "cbl-mariner" ]
}
add_allow_all_policy_to_yaml() {
policy_tests_enabled || return 0
local yaml_file="$1"
local resource_kind="$(yq read ${yaml_file} kind)"
case "${resource_kind}" in
Pod)
info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \
'metadata.annotations."io.katacontainers.config.agent.policy"' \
"${ALLOW_ALL_POLICY}"
;;
Deployment|Job|ReplicationController)
info "Adding allow all policy to ${resource_kind} from ${yaml_file}"
ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \
'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \
"${ALLOW_ALL_POLICY}"
;;
List)
die "Issue #7765: adding allow all policy to ${resource_kind} from ${yaml_file} is not implemented yet"
;;
ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service)
die "Policy is not required for ${resource_kind} from ${yaml_file}"
;;
*)
die "k8s resource type ${resource_kind} from ${yaml_file} is not yet supported for policy testing"
;;
esac
}