Commit Graph

17168 Commits

Author SHA1 Message Date
Fupan Li
c376ab5de7 runtime-rs: fix the issue of hot-unplug memory smaller
It should do nothing instead of return an error when
hot-unplug the memory to the size smaller than static
plugged memory size.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-10 14:17:44 +08:00
Fupan Li
200abc815c tests: fix the issue of missing teardown pods
Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-10 10:30:17 +08:00
Fupan Li
333d12dc47 runtime: fix the issue of update interface error
Since the network device hotplug is an asynchronous operation,
it's possible that the hotplug operation had returned, but
the network device hasn't ready in guest, thus it's better to
retry on this operation to wait until the device ready in guest.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-07 11:29:57 +08:00
Fabiano Fidêncio
a591cda466 gatekeeper: Adjust the nvidia gpu test name
With the change made to the matrix when the CC GPU runner was added,
there was a change in the job name (@sprt saw that coming, but I
didn't).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
c6dc176a03 tests: nvidia: cc: Enable NIMs tests
Same deal as the previous commut, just enabling the tests here, with the
same list of improvements that we will need to go through in order to
get is working in a perfect way.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
8ca77f2655 tests: nvidia: cc: Run CUDA vectorAdd tests on CC mode
While the primary goal of this change is to detect regressions to the
NVIDIA SNP GPU scenario, various improvements to reflect a more
realistic CC setting are planned in subsequent changes, such as:

* moving away from the overlayfs snapshotter
* disabling filesystem sharing
* applying a pod security policy
* activating the GPUs only after attestation
* using a refined approach for GPU cold-plugging without requiring
  annotations
* revisiting pod timeout and overhead parameters (the podOverhead value
  was increased due to CUDA vectorAdd requiring about 6Gi of
  podOverhead, as well as the inference and embedqa requiring at least
  12Gi, respectively, 14Gi of podOverhead to run without invoking the
  host's oom-killer. We will revisit this aspect after addressing
  points 1. and 2.)

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
25ce0afd52 kata-deploy: Allow the CDI annotation for CC GPU cases
For the nvidia-gpu-snp and nvidia-gpu-tdx we must set containerd to
allow the CDI annotation to be passed to down.

This solution may become obsolete soon enough, but the cleanest way to
have it properly working is by adding it here (even if we remove it
before the next release).

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
c91edf884b runtimeclasses: nvidia: Bump TEE podOverhead
It's been noticed that as more RAM is needed to run the CC tests, we
also need to update the podOverhead of the NVIDIA CC runtime classes to
avoid getting OOM Killed.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Fupan Li
aac2a37ff5 runtime-rs: enable pselect6 syscall for dragonball seccomp
Since the nerdctl's network hook would call pselect6 syscall
by xtables-nft-multi, thus we'd better add it to the seccomp's
whitelist.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-06 11:17:57 +01:00
Hyounggyu Choi
ff429072b6 Merge pull request #11924 from BbolroC/fix-static-checks-actionspz
ci: Fix failing static checks to enable IBM actionspz - Z specific
2025-11-06 09:04:04 +01:00
Zvonko Kaiser
fce6a75899 Merge pull request #12027 from fidencio/topic/kata-deploy-make-ALLOWED_HYPERVISOR_ANNOTATIONS-per-arch
kata-deploy: Add per arch ALLOWED_HYPERVISOR_ANNOTATIONS
2025-11-05 18:20:14 -05:00
Manuel Huber
d8953f67c5 ci: Onboard another NVIDIA machine
Let's add a new NVIDIA machine, which later on will be used for CC
related tests.

For now the current tests are skipped in the CC capable machine.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 23:23:08 +01:00
Fabiano Fidêncio
b2ee64a2d6 kata-deploy: scripts: Ensure we don't add duplicated values
Let's now make sure that we don't add duplicated values to any of our
entries, making the script as sane as possible for sequential runs.

Vibed with Cursor's help!

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 19:48:24 +01:00
Fabiano Fidêncio
78ae79d153 kata-deploy: scripts: Add helper functions to avoid duplicated items
Let's add some helper functions, not yet used, to avoid adding
duplicated items.

This idea is an expansion of Choi's idea to avoid setting duplicated
items, and it'll help on making the whole script idempotent on
sequential runs.

Vibed with Cursor's help!

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 19:48:24 +01:00
Fabiano Fidêncio
f773368d93 kata-deploy: Add per arch ALLOWED_HYPERVISOR_ANNOTATIONS
I know, this is not simplifying much things for now, but it has a good
intent in the background and will serve as base for making the
kata-deploy helm chart more user friendly.

With that said, let's add ALLOWED_HYPERVISOR_ANNOTATIONS per arch, while
adding support to set something like "qemu:foo,bar clh:bar foobar
barfoo". Why? Because in the future we'll have a better way to set this
per shim (and the shim is per arch ...).

More details of what we'll do in the future are being discussed here:
https://github.com/kata-containers/kata-containers/issues/12024

Anyways, the variables are **DELIBERATELY** not exposed to the chart for
now, as those will be later on when addressing the issue mentioned
above.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 19:45:34 +01:00
Fabiano Fidêncio
66e133e096 kata-deploy: Add missing runtimeClasses
When the runtimeClasses were added, as part of 7cfa826804, the
firecracker runtimeClass ended up missing from the dictionary.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 19:07:28 +01:00
Anton Ippolitov
23c46b8a00 docs: Update devmapper containerd plugin name
The Firecracker installation docs had an outaded containerd configuration for the devmapper plugin.
This commit updates the instructions so that they are compatible with more recent versions of containerd.

Signed-off-by: Anton Ippolitov <anton.ippolitov@datadoghq.com>
2025-11-05 18:42:29 +01:00
Fabiano Fidêncio
ace9cf942d tests: guest-pull: Fix names
When added, I've mistakenly used the wrong test-type name, which is now
fixed and should be enough to trigger the tests correctly.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 18:21:48 +01:00
Hyounggyu Choi
4ee2037974 GHA: Run runtime tests on self-hosted runners for P/Z
On IBM actionspz P/Z runners, the following error was observed during
runtime tests:

```
host system doesn't support vsock: stat /dev/vhost-vsock: no such file or directory
```

Since loading the vsock module on the fly is not permitted, this commit
moves the runtime tests back to self-hosted runners for P/Z.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
Hyounggyu Choi
32da38273a agent/tests: Skip if kernel module is not found
On IBM actionspz Z runners, the following error occurs when running
`modprobe`:

```
modprobe: FATAL: Module bridge not found in directory /lib/modules/6.8.0-85-generic
```

Additionally, there are no files under `/lib/modules`, for example:

```
total 0
drwxr-xr-x 1 root root    0 Aug  5 13:09 .
drwxr-xr-x 1 root root 2.0K Oct  1 22:59 ..
```

This commit skips the `test_load_kernel_module` test if the module is
not found or if running `modprobe` is not permitted.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
Hyounggyu Choi
075de4dc62 agent/tests: Skip test if error is EACCES (permission denied)
On IBM actionspz Z runners, write operations on network interfaces
are not allowed, even for the root user.
This commit skips the `add_update_addresses` test if the operation
fails with EACCES (-13, permission denied).

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
Hyounggyu Choi
3f84b623a3 agent/tests: Skip RNG reseeding test on restricted environments
On IBM actionspz Z runners, the ioctl system call is not allowed even
for the root user. There is likely an additional security mechanism
(such as AppArmor or seccomp) in place on Ubuntu runners.
This commit introduces a new helper, `is_permission_error()`,
which skips the test if ioctl operations in `reseed_rng()` are not
permitted.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
Hyounggyu Choi
c2abc4da34 agent/tests: Use detected filesystem for baremounted points
The IBM actionspz Z runners mount /dev as tmpfs, while other systems
use devtmpfs. This difference causes an assertion failure for
test_already_baremounted.
This commit sets the detected filesystem for bare-mounted points
as the expected value.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
Hyounggyu Choi
faa048893d agent/tests: Handle error messages differetnly based on root filesystem
The root filesystem for IBM actionspz Z runners is `btrfs` instead of `ext4`.
The error message differs when an unprivileged user tries to perform a bind mount.
This commit adjusts the handling of error messages based on the detected root
filesystem type.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-11-05 16:35:04 +00:00
Fupan Li
0df6c795d8 runtime-rs: disable the default static resource management
Since the qemu & cloud-hypervisor support the cpu & memory
hotplug now, thus disable the static resource management
for qemu and cloud-hypervisor by default.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-05 16:59:13 +01:00
Fupan Li
02ecab40e4 tests: disable the cpu hotplug test for coco dev runtime
Since qemu-coco-dev-runtime-rs and qemu-coco-dev had disabled the
cpu&memory hotplug by enable static_sandbox_resource_mgmt, thus
we should disable the cpu hotplug test for those two runtime.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-05 16:59:13 +01:00
Fupan Li
1fc05491a2 tests: enable the cpu hotplug test for dragonball etc
Since the qemu, cloud-hypervisor and dragonball had supported the
cpu hotplug on runtime-rs, thus enable the cpu hotplug test in CI.

Signed-off-by: Fupan Li <fupan.lfp@antgroup.com>
2025-11-05 16:59:13 +01:00
Fabiano Fidêncio
0a0de4e6e3 Revert "tests: Do not enable NFD on s390x"
This reverts commit c75a46d17f, as NFD now
publishes an s390x image (and also a ppc64le one).

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-05 16:06:33 +01:00
Manuel Huber
1561d7fbba runtime: Clear outer CDI annotations
Pod annotations from the outer runtime are being used for cold-plugging
CDI devices. We need to ensure that these annotations don't leak into
the inner runtime for which specific container (sibling) annotations
are being created. Without this change, the inner runtime receives both
annotations, leading to failing CDI injection as an outer runtime
annotation observed in the guest translates to an unresolvable CDI
device, for example, cdi.k8s.io/gpu: "nvidia.com/pgpu=0".

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-04 23:18:00 +01:00
Fabiano Fidêncio
1dfbb14093 tests: Stop testing on stratovirt
Stratovirt has been failing for a considerable amount of time, with no
sign of someone watching it and being actively working on a fix.

With this we also stop building and shipping stratovirt as part of our
release as we cannot test it.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-04 10:22:46 +01:00
Fabiano Fidêncio
02f47d3f18 helm: uninstall: Take nodeSelector into consideration
As we're already doing for the install part, but this bit was missed
during review.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-04 09:29:35 +01:00
Fabiano Fidêncio
5b01eaf929 tests: Align kata-deploy helm's uninstall
Let's use the same method both on the kata-deploy and k8s tests.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-04 09:29:35 +01:00
Fabiano Fidêncio
4293cdf846 tests: Add stability tests for experimental-force-guest-pull
A few weeks ago we've tested nydus-snapshotter with this approach, and
we DID find issues with it.

Now, let's also test this with `experimental_force_guest_pull`.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-04 09:02:19 +01:00
Dan Mihai
6a4c336ca0 Merge pull request #12016 from microsoft/danmihai1/early-wait-abort
tests: k8s: reduce test time for unexpected CreateContainerRequest errors
2025-11-03 12:04:56 -08:00
Fabiano Fidêncio
3107533953 tests: Adjust to runtimeClass creation by the chart
It's just a follow-up on the previous commit where we move away from the
runtimeClass creation inside the script, and instead we do it using the
chart itself.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 17:32:18 +01:00
Fabiano Fidêncio
12f3b206eb Revert "kata-deploy: Allow setting the default runtime class name"
This reverts commit be05e1370c, which is
not a problem as we never released such option.

 Conflicts:
	tools/packaging/kata-deploy/helm-chart/README.md

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 17:32:18 +01:00
Fabiano Fidêncio
7cfa826804 kata-deploy: Let helm deal with runtimeClass creation
We had this logic inside the script when we didn't use the helm chart.
However, this only makes the shim script more convoluted for no reason.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 17:32:18 +01:00
Fabiano Fidêncio
14039c9089 golang: Update to 1.24.9
In order to fix:
```

=== Running govulncheck on containerd-shim-kata-v2 ===
 Vulnerabilities found in containerd-shim-kata-v2:
=== Symbol Results ===

Vulnerability #1: GO-2025-4015
    Excessive CPU consumption in Reader.ReadResponse in net/textproto
  More info: https://pkg.go.dev/vuln/GO-2025-4015
  Standard library
    Found in: net/textproto@go1.24.6
    Fixed in: net/textproto@go1.24.8
    Vulnerable symbols found:
      #1: textproto.Reader.ReadResponse

Vulnerability #2: GO-2025-4014
    Unbounded allocation when parsing GNU sparse map in archive/tar
  More info: https://pkg.go.dev/vuln/GO-2025-4014
  Standard library
    Found in: archive/tar@go1.24.6
    Fixed in: archive/tar@go1.24.8
    Vulnerable symbols found:
      #1: tar.Reader.Next

Vulnerability #3: GO-2025-4013
    Panic when validating certificates with DSA public keys in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4013
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.8
    Vulnerable symbols found:
      #1: x509.Certificate.Verify
      #2: x509.Certificate.Verify

Vulnerability #4: GO-2025-4012
    Lack of limit when parsing cookies can cause memory exhaustion in net/http
  More info: https://pkg.go.dev/vuln/GO-2025-4012
  Standard library
    Found in: net/http@go1.24.6
    Fixed in: net/http@go1.24.8
    Vulnerable symbols found:
      #1: http.Client.Do
      #2: http.Client.Get
      #3: http.Client.Head
      #4: http.Client.Post
      #5: http.Client.PostForm
      Use '-show traces' to see the other 9 found symbols

Vulnerability #5: GO-2025-4011
    Parsing DER payload can cause memory exhaustion in encoding/asn1
  More info: https://pkg.go.dev/vuln/GO-2025-4011
  Standard library
    Found in: encoding/asn1@go1.24.6
    Fixed in: encoding/asn1@go1.24.8
    Vulnerable symbols found:
      #1: asn1.Unmarshal
      #2: asn1.UnmarshalWithParams

Vulnerability #6: GO-2025-4010
    Insufficient validation of bracketed IPv6 hostnames in net/url
  More info: https://pkg.go.dev/vuln/GO-2025-4010
  Standard library
    Found in: net/url@go1.24.6
    Fixed in: net/url@go1.24.8
    Vulnerable symbols found:
      #1: url.JoinPath
      #2: url.Parse
      #3: url.ParseRequestURI
      #4: url.URL.Parse
      #5: url.URL.UnmarshalBinary

Vulnerability #7: GO-2025-4009
    Quadratic complexity when parsing some invalid inputs in encoding/pem
  More info: https://pkg.go.dev/vuln/GO-2025-4009
  Standard library
    Found in: encoding/pem@go1.24.6
    Fixed in: encoding/pem@go1.24.8
    Vulnerable symbols found:
      #1: pem.Decode

Vulnerability #8: GO-2025-4008
    ALPN negotiation error contains attacker controlled information in
    crypto/tls
  More info: https://pkg.go.dev/vuln/GO-2025-4008
  Standard library
    Found in: crypto/tls@go1.24.6
    Fixed in: crypto/tls@go1.24.8
    Vulnerable symbols found:
      #1: tls.Conn.Handshake
      #2: tls.Conn.HandshakeContext
      #3: tls.Conn.Read
      #4: tls.Conn.Write
      #5: tls.Dial
      Use '-show traces' to see the other 4 found symbols

Vulnerability #9: GO-2025-4007
    Quadratic complexity when checking name constraints in crypto/x509
  More info: https://pkg.go.dev/vuln/GO-2025-4007
  Standard library
    Found in: crypto/x509@go1.24.6
    Fixed in: crypto/x509@go1.24.9
    Vulnerable symbols found:
      #1: x509.CertPool.AppendCertsFromPEM
      #2: x509.Certificate.CheckCRLSignature
      #3: x509.Certificate.CheckSignature
      #4: x509.Certificate.CheckSignatureFrom
      #5: x509.Certificate.CreateCRL
      Use '-show traces' to see the other 27 found symbols

Vulnerability #10: GO-2025-4006
    Excessive CPU consumption in ParseAddress in net/mail
  More info: https://pkg.go.dev/vuln/GO-2025-4006
  Standard library
    Found in: net/mail@go1.24.6
    Fixed in: net/mail@go1.24.8
    Vulnerable symbols found:
      #1: mail.AddressParser.Parse
      #2: mail.AddressParser.ParseList
      #3: mail.Header.AddressList
      #4: mail.ParseAddress
      #5: mail.ParseAddressList
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-03 16:57:22 +01:00
Dan Mihai
c563ee99fa tests: policy-rc: detect create container errors early
During the ${wait_time} for an expected condition, if
CreateContainerRequest was NOT expected to fail: detect possible
CreateContainerRequest failures early and abort the wait.

For example, before this change:

not ok 1 Successful replication controller with auto-generated policy in 123335ms
ok 2 Policy failure: unexpected container command in 14601ms
ok 3 Policy failure: unexpected volume mountPath in 14443ms
ok 4 Policy failure: unexpected host device mapping in 14515ms
ok 5 Policy failure: unexpected securityContext.allowPrivilegeEscalation in 14485ms
ok 6 Policy failure: unexpected capability in 14382ms
ok 7 Policy failure: unexpected UID = 1000 in 14578ms

After this change:

not ok 1 Successful replication controller with auto-generated policy in 17108ms
ok 2 Policy failure: unexpected container command in 14427ms
ok 3 Policy failure: unexpected volume mountPath in 14636ms
ok 4 Policy failure: unexpected host device mapping in 14493ms
ok 5 Policy failure: unexpected securityContext.allowPrivilegeEscalation in 14554ms
ok 6 Policy failure: unexpected capability in 15087ms
ok 7 Policy failure: unexpected UID = 1000 in 14371ms

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Dan Mihai
319400dc0d tests: policy-pvc: detect create container errors early
During the ${wait_time} for an expected condition, if
CreateContainerRequest was NOT expected to fail: detect possible
CreateContainerRequest failures early and abort the wait.

For example, before this change:

not ok 1 Successful pod with auto-generated policy in 94852ms
ok 2 Policy failure: unexpected device mount in 17807ms

After this change:

not ok 1 Successful pod with auto-generated policy in 35194ms
ok 2 Policy failure: unexpected device mount in 21355ms

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Dan Mihai
1914fcb812 tests: policy-log: detect create container errors early
During the ${wait_time} for an expected condition, if
CreateContainerRequest was NOT expected to fail: detect possible
CreateContainerRequest failures early and abort the wait.

For example, before this change:

not ok 1 Logs empty when ReadStreamRequest is blocked in 102257ms

After this change:

not ok 1 Logs empty when ReadStreamRequest is blocked in 17339ms

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Dan Mihai
a0bd9e02ca tests: policy-job: detect create container errors early
During the ${wait_time} for an expected condition, if
CreateContainerRequest was NOT expected to fail: detect possible
CreateContainerRequest failures early and abort the wait.

For example, before this change:

not ok 1 Successful job with auto-generated policy in 107111ms
ok 2 Policy failure: unexpected environment variable in 7920ms
ok 3 Policy failure: unexpected command line argument in 7874ms
ok 4 Policy failure: unexpected emptyDir volume in 7823ms
ok 5 Policy failure: unexpected projected volume in 7812ms
ok 6 Policy failure: unexpected readOnlyRootFilesystem in 7903ms
ok 7 Policy failure: unexpected UID = 222 in 7720ms

After this change:

not ok 1 Successful job with auto-generated policy in 10271ms
ok 2 Policy failure: unexpected environment variable in 8018ms
ok 3 Policy failure: unexpected command line argument in 7886ms
ok 4 Policy failure: unexpected emptyDir volume in 7621ms
ok 5 Policy failure: unexpected projected volume in 7843ms
ok 6 Policy failure: unexpected readOnlyRootFilesystem in 7632ms
ok 7 Policy failure: unexpected UID = 222 in 7619ms

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Dan Mihai
992c91371c tests: policy-deployment-sc: detect create container errors early
During the ${wait_time} for an expected condition, if
CreateContainerRequest was NOT expected to fail: detect possible
CreateContainerRequest failures early and abort the wait.

For example, before this change:

ok 1 Successful sc deployment with auto-generated policy and container image volumes in 14769ms
ok 2 Successful sc with fsGroup/supplementalGroup deployment with auto-generated policy and container image volumes in 8384ms
not ok 3 Successful sc deployment with security context choosing another valid user in 136149ms
ok 4 Successful layered sc deployment with auto-generated policy and container image volumes in 8862ms
ok 5 Policy failure: unexpected GID = 0 for layered securityContext deployment in 7941ms
ok 6 Policy failure: malicious root group added via supplementalGroups deployment in 11612ms

After:

ok 1 Successful sc deployment with auto-generated policy and container image volumes in 15230ms
ok 2 Successful sc with fsGroup/supplementalGroup deployment with auto-generated policy and container image volumes in 9364ms
not ok 3 Successful sc deployment with security context choosing another valid user in 11060ms
ok 4 Successful layered sc deployment with auto-generated policy and container image volumes in 9124ms
ok 5 Policy failure: unexpected GID = 0 for layered securityContext deployment in 7919ms
ok 6 Policy failure: malicious root group added via supplementalGroups deployment in 11666ms

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Dan Mihai
704ee76f1e tests: policy-deployment-sc: reduced redundancy
Call common function instead of copy/paste of three commands.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Dan Mihai
2cafb10a6a tests: policy-pod: detect create container errors early
During the ${wait_time} for an expected condition, if
CreateContainerRequest was NOT expected to fail: detect possible
CreateContainerRequest failures early and abort the wait.

For example, before this change:

not ok 1 Successful pod with auto-generated policy in 110801ms
not ok 2 Able to read env variables sourced from configmap using envFrom in 94104ms
not ok 3 Successful pod with auto-generated policy and runtimeClassName filter in 95838ms
not ok 4 Successful pod with auto-generated policy and custom layers cache path in 110712ms
ok 5 Policy failure: unexpected container image in 8113ms
ok 6 Policy failure: unexpected privileged security context in 7943ms
ok 7 Policy failure: unexpected terminationMessagePath in 11530ms
ok 8 Policy failure: unexpected hostPath volume mount in 7970ms
ok 9 Policy failure: unexpected config map in 7933ms
not ok 10 Policy failure: unexpected lifecycle.postStart.exec.command in 112677ms
ok 11 RuntimeClassName filter: no policy in 2302ms
not ok 12 ExecProcessRequest tests in 93946ms
not ok 13 Successful pod: runAsUser having the same value as the UID from the container image in 94003ms
ok 14 Policy failure: unexpected UID = 0 in 8016ms
ok 15 Policy failure: unexpected UID = 1234 in 7850ms

After:

not ok 1 Successful pod with auto-generated policy in 12182ms
not ok 2 Able to read env variables sourced from configmap using envFrom in 10121ms
not ok 3 Successful pod with auto-generated policy and runtimeClassName filter in 11738ms
not ok 4 Successful pod with auto-generated policy and custom layers cache path in 26592ms
ok 5 Policy failure: unexpected container image in 7742ms
ok 6 Policy failure: unexpected privileged security context in 7949ms
ok 7 Policy failure: unexpected terminationMessagePath in 7789ms
ok 8 Policy failure: unexpected hostPath volume mount in 7887ms
ok 9 Policy failure: unexpected config map in 7818ms
not ok 10 Policy failure: unexpected lifecycle.postStart.exec.command in 9120ms
ok 11 RuntimeClassName filter: no policy in 2081ms
not ok 12 ExecProcessRequest tests in 9883ms
not ok 13 Successful pod: runAsUser having the same value as the UID from the container image in 9870ms
ok 14 Policy failure: unexpected UID = 0 in 11161ms
ok 15 Policy failure: unexpected UID = 1234 in 7814ms

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2025-11-03 15:55:55 +00:00
Alex Lyn
897ecfb503 Merge pull request #12014 from fidencio/topic/release-ensure-helm-dependencies-update
scripts: release: Run helm dependencies update
2025-11-03 16:34:17 +08:00
Fabiano Fidêncio
c539a9e90e tests: k8s: parallel: Increase timeout
We've seen a few cases where we fail the test due to timeout and when we
print the pods we just see that they've been created.

With that in mind, let's just increase the timeout a little bit.

Example:
```
not ok 1 Parallel jobs in 6250ms
 (in test file k8s-parallel.bats, line 41)
   `kubectl wait --for=condition=Ready --timeout=$timeout pod -l jobgroup=${job_name}' failed
 No resources found in kata-containers-k8s-tests namespace.
 [bats-exec-test:71] INFO: k8s configured to use runtimeclass
 job.batch/process-item-test1 created
 job.batch/process-item-test2 created
 job.batch/process-item-test3 created
 NAME                 STATUS    COMPLETIONS   DURATION   AGE
 process-item-test1   Running   0/1                      0s
 process-item-test2   Running   0/1                      0s
 process-item-test3   Running   0/1                      0s
 error: no matching resources found
 No resources found in kata-containers-k8s-tests namespace.
 No resources found in kata-containers-k8s-tests namespace.
 DEBUG: system logs of node 'aks-nodepool1-25989463-vmss000000' since test start time (2025-11-01 16:39:03)
 -- No entries --
 job.batch "process-item-test1" deleted
 job.batch "process-item-test2" deleted
 job.batch "process-item-test3" deleted
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-01 18:09:37 +01:00
Fabiano Fidêncio
8a5ebd5d16 tests: k8s: run QoS tests on a bigger instance
It's been failing to start quite regularly on the smaller instance.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-01 17:54:58 +01:00
Fabiano Fidêncio
157b2c32ce scripts: release: Run helm dependencies update
Otherwise we'll face issues like:
```
Error: found in Chart.yaml, but missing in charts/ directory: node-feature-discovery
```

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-01 17:54:58 +01:00
Fabiano Fidêncio
c75a46d17f tests: Do not enable NFD on s390x
As we're failing on the uninstall, which seems related to a bug on NFD
itself, but I don't have access to a s390x machine to debug, let's skip
the enablement for now and enable it back once we've experimented it
better on s390x.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-10-31 16:30:13 +01:00