Commit Graph

89 Commits

Author SHA1 Message Date
stevenhorsman
5c618dc8e2 tests: Switch nginx images to use version.yaml details
- Swap out the hard-coded nginx registry and verisons for reading
the test image details for version.yaml
which can also ensure that the quay.io mirror is used
rather than the docker hub versions which can hit pull limits
- Try setting imagePullPoliycy Always to fix issues with the arm CI

Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-12-02 10:04:09 +01:00
Manuel Huber
7e20118c8e tests: nvidia: move secret definitions to bottom
The add_allow_all_policy_to_yaml in tests_common.sh needs some
improvements so that this function can support pod manifests with
different resource kinds. For now, moving the Secret definition
to the bottom so that we can create a default policy for the Pod.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-21 09:24:15 +01:00
Manuel Huber
477ca3980b tests: nvidia: cc: Re-enable multi GPU test case
Use the pod name variable so that kubectl wait finds the pod. Currently,
kubectl waits for nvidia-nim-llama-3-2-nv-embedqa-1b-v2, not for
nvidia-nim-llama-3-2-nv-embedqa-1b-v2-tee

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-11-20 10:05:46 +01:00
Fabiano Fidêncio
94ed4051b0 tests: nvidia: cc: Increase RAM for NIM pods
Those need to pull the models inside the guest, and the guest has 50% of
its memory "allowed" to be used as tmpfs, so, we gotta usa the RAM that
we have.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
e5062a056e tests: nvidia: cc: Adjust timeouts on NIM pods
Timeout increases for confidential computing slowness:
* livenessProbe:
  * initialDelaySeconds: 15 → 120 seconds
  * timeoutSeconds: 1 → 10 seconds
  * failureThreshold: 3 → 10

* readinessProbe:
  * initialDelaySeconds: 15 → 120 seconds
  * timeoutSeconds: 1 → 10 seconds
  * failureThreshold: 3 → 10

* startupProbe:
  * initialDelaySeconds: 40 → 180 seconds
  * timeoutSeconds: 1 → 10 seconds
  * failureThreshold: 180 → 300

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-18 22:29:42 +01:00
Fabiano Fidêncio
4d314e8676 tests: nvidia: nims: Adjust to CC
There are several changes needed in order to get this test working with
CC, and yet we still are skipping it.

Basically, we need to:
* Pull an authenticated image inside the guest, which requires:
 * Using Trustee to release the credential
   * We still depend on a PR to be merged on Trustee side
     * https://github.com/confidential-containers/trustee/pull/1035
   * We still depend on a Trustee bump (including the PR above) on our
     side

Apart from those changes, I ended up "duplicating" the tests by adding a
"-tee" version of those, which already have:
* The proper kbs annotations set up
* Dropped host mounts
* Increases the memory needed

Last but not least, as "bats" probably means "being a terrible script",
I had to re-arrange a few things otherwise the tests would not even run
due to bats-isms that I am sincerely not able to pin-point.

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-10 13:01:30 +01:00
Manuel Huber
c6dc176a03 tests: nvidia: cc: Enable NIMs tests
Same deal as the previous commut, just enabling the tests here, with the
same list of improvements that we will need to go through in order to
get is working in a perfect way.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
8ca77f2655 tests: nvidia: cc: Run CUDA vectorAdd tests on CC mode
While the primary goal of this change is to detect regressions to the
NVIDIA SNP GPU scenario, various improvements to reflect a more
realistic CC setting are planned in subsequent changes, such as:

* moving away from the overlayfs snapshotter
* disabling filesystem sharing
* applying a pod security policy
* activating the GPUs only after attestation
* using a refined approach for GPU cold-plugging without requiring
  annotations
* revisiting pod timeout and overhead parameters (the podOverhead value
  was increased due to CUDA vectorAdd requiring about 6Gi of
  podOverhead, as well as the inference and embedqa requiring at least
  12Gi, respectively, 14Gi of podOverhead to run without invoking the
  host's oom-killer. We will revisit this aspect after addressing
  points 1. and 2.)

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>
2025-11-06 16:28:33 +01:00
Manuel Huber
be32b77baf ci: Add NVIDIA CUDA vectoradd test
This change adds a CUDA vectoradd test case and makes enabling NVRC
tracing optional and idempotent.

Signed-off-by: Manuel Huber <manuelh@nvidia.com>
2025-10-28 19:12:16 +01:00
Saul Paredes
395f237fc2 tests: k8s: use default-initdata.toml when auto-generating policy
- copy default-initdata.toml in create_tmp_policy_settings_dir, so it can be modified by other tests if needed
- make auto_generate_policy use default-initdata.toml by default
- add auto_generate_policy_no_added_flags, so it may be used by tests that don't want to use default-initdata.toml by default

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-10-13 10:47:53 -07:00
Aurélien Bombo
6e451e3da0 tests/k8s: Add test for privileged containers
This adds an integration test to verify that privileged containers work
properly when deploying Kata with kata-deploy.

This is a follow-up to #11878.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-07 09:59:05 -05:00
Dan Mihai
5e46f814dd Merge pull request #11832 from kata-containers/sprt/dev-hostpath
runtime: Simplify mounting guest devices when using hostPath volumes
2025-10-06 12:36:36 -07:00
Manuel Huber
4b7c1db064 ci: Add test case for openvpn
Introduce new test case which verifies that openvpn clients and servers
can run as Kata pods and can successfully establish a connection.
Volatile certificates and keys are generated by an initialization
container and injected into the client and server containers.
This scenario requires TUN/TAP support for the UVM kernel.

Signed-off-by: Manuel Huber <mahuber@microsoft.com>
Co-authored-by: Manuel Huber <manuelh@nvidia.com>
2025-10-02 11:40:49 +02:00
Aurélien Bombo
5c21b1faf3 runtime: Simplify mounting guest devices when using hostPath volumes
This change crystallizes and simplifies the current handling of /dev
hostPath mounts with virtually no functional change.

Before this change:

 - If a mount DESTINATION is in /dev and it is a non-regular file on the HOST,
   the shim passes the OCI bind mount as is to the guest (e.g.
   /dev/kmsg:/dev/kmsg). The container rightfully sees the GUEST device.

 - If the mount DESTINATION does not exist on the host, the shim relies on
   k8s/containerd to automatically create a directory (ie. non-regular file) on
   the HOST. The shim then also passes the OCI bind mount as is to the guest.  The
   container rightfully sees the GUEST device.

 - For other /dev mounts, the shim passes the device major/minor to the guest
   over virtio-fs. The container rightfully sees the GUEST device.

After this change:

 - If a mount SOURCE is in /dev and it is a non-regular file on the HOST,
   the shim passes the OCI bind mount as is to the guest. The container
   rightfully sees the GUEST device.

 - The shim does not anymore rely on k8s/containerd to create missing mount
   directories. Instead it explicitely handles missing mount SOURCES, and
   treats them like the previous bullet point.

 - The shim no longer uses virtio-fs to pass /dev device major/minor to the
   guest, instead it passes the OCI bind mount as is.

Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2025-10-01 15:32:21 -05:00
Hyounggyu Choi
c961f70b7e ci: Remove DL3007 ignore comment for base image
The Hadolint warning DL3007 (pin the version explicitly) is no
longer applicable.

We have updated the base image to use a specific version
digest, which satisfies the linter's requirement for reproducible
builds. This commit removes the corresponding inline ignore comment.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-25 15:46:39 +02:00
Hyounggyu Choi
e9653eae6e GHA: Pin Alpine to 3.20 for tee-unencrypted image
We recently hit the following error during build:

```
RUN ssh-keygen -t ed25519 -f /etc/ssh/ssh_host_ed25519_key -P ""
OpenSSL version mismatch. Built against 3050003f, you have 30500010
```

This happened because `alpine:latest` moved forward and the `ssh-keygen`
binary in the base image was compiled against a newer OpenSSL version
that is not available at runtime.
Pinning the base image to the stable release (3.20) avoids the mismatch
and ensures consistent builds.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2025-09-25 11:49:04 +02:00
Cameron Baird
bdd98ec623 ci: Add test case for iptables, exercised via istio init container
Introduce new test case in k8s-iptables.bats which verifies that
workloads can configure iptables in the UVM.

Users discovered that they weren't able to do this for common usecases
such as istio. Proper support for this should be built into UVM
kernels. This test ensures that current and future kernel
configurations don't regress this functionality.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-09-04 07:18:45 +02:00
Zvonko Kaiser
8be41a4e80 gpu: Add embeding service
For a simple RAG pipeline add a embeding service

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-08-14 16:34:21 +00:00
Zvonko Kaiser
8768e08258 gpu: Add embeding service
For a simple RAG pipeline add a embeding service

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Zvonko Kaiser
254dbd9b45 gpu: Add Pod spec for NIM llama
Pod spec for the NIM inferencing service

Signed-off-by: Zvonko Kaiser <zkaiser@nvidia.com>
2025-07-30 13:45:59 +00:00
Xuewei Niu
6aa3517393 tests: Prevent the shim from being killed in k8s-oom test
The actual memory usage on the host is equal to the hypervisor memory usage
plus the user memory usage. An OOM killer might kill the shim when the
memory limit on host is same with that of container and the container
consumes all available memory. In this case, the containerd will never
receive OOM event, but get "task exit" event. That makes the `k8s-oom.bats`
test fail.

The fix is to add a new container to increase the sandbox memory limit.
When the container "oom-test" is killed by OOM killer, there is still
available memory for the shim, so it will not be killed.

Signed-off-by: Xuewei Niu <niuxuewei.nxw@antgroup.com>
2025-07-24 23:44:21 +08:00
Archana Choudhary
e093919b42 tests: update container image for ci and unit test
This patch updates the container image for the CI test workloads:
- `k8s-layered-sc-deployment.yaml`
- `k8s-pod-sc-deployment.yaml`
- `k8s-pod-sc-nobodyupdate-deployment.yaml`
- `k8s-pod-sc-supplementalgroups-deployment.yaml`
- `k8s-policy-deployment.yaml`

Also updates unit tests:
- `test_create_container_security_context`
- `test_create_container_security_context_supplemental_groups`

This fixes tests failing due to an image pull error as the previous image is no longer available in
the container registry.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2025-06-20 10:46:56 -07:00
Cameron Baird
19d502de76 ci: Add test cases for fsGroup and supplementalGroup fields
Introduce new test case to the security context bats file which verifies
that policy works properly for a deployment yaml containing fsGroup and
supplementalGroup configuration.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-05-13 21:48:58 +00:00
stevenhorsman
f2a2117252 tests: k8s: Retry output of kubectl exec in k8s-cpu-ns
We are seeing failures in this test, where the output of
the kubectl exec command seems to be blank, so try
retrying the exec like #11024

Fixes: #11133
Signed-off-by: stevenhorsman <steven@uk.ibm.com>
2025-04-30 15:01:08 +01:00
Cameron Baird
fc75aee13a ci: Add CI tests for runAsGroup, GID policy
Introduce tests to check for policy correctness on a redis deployment
with 1. a pod-level securityContext 2. a container-level securityContext
which shadows the pod-level securityContext 3. a pod-level
securityContext which selects an existing user (nobody), causing a new GID to be selected.

Redis is an interesting container image to test with because it includes
a /etc/passwd file with existing user/group configuration of 1000:1000 baked in.

Signed-off-by: Cameron Baird <cameronbaird@microsoft.com>
2025-04-28 16:28:31 +00:00
Ryan Savino
1dbe3fb8bc tests: fix confidential ssh Dockerfile
Need to set correct permissions for ssh directories and files

Fixes: #11005

Signed-Off-By: Ryan Savino <ryan.savino@amd.com>
2025-03-10 18:31:05 -05:00
Fabiano Fidêncio
18137b1583 tests: k8s: confidential: Increase log_buf_len to 4M
Relying on dmesg is really not ideal, as we may lose important info,
mainly those which happen very early in the boot, depending on the size
of kernel ring buffer.

So, for this specific test, let's increase the kernel ring buffer, by
default, to 4M.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-23 12:04:13 +01:00
Fabiano Fidêncio
44ff602c64 tests: k8s: Be more aggressive to get OOM
Let's increase the amount of bytes allocated per VM worker, so we can
hit the OOM sooner.

Signed-off-by: Fabiano Fidêncio <fabiano@fidencio.org>
2025-01-06 21:48:20 +01:00
Saul Paredes
711d12e5db policy: support optional metadata uid field
This prevents a deserialization error when uid is specified

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-12-02 11:24:58 -08:00
Saul Paredes
461efc0dd5 tests: remove manifest v1 test
This test was meant to show support for pulling images with v1 manifest schema versions.

The nginxhttps image has been modified in https://hub.docker.com/r/ymqytw/nginxhttps/tags such that we are no longer able to pull it:

$ docker pull ymqytw/nginxhttps:1.5
Error response from daemon: missing signature key

We may remove this test since schema version 1 manifests are deprecated per
https://docs.docker.com/engine/deprecated/#pushing-and-pulling-with-image-manifest-v2-schema-1 :
"These legacy formats should no longer be used, and users are recommended to update images to use current formats, or to upgrade to more
current images". This schema version was used by old docker versions. Further OCI spec
https://github.com/opencontainers/image-spec/blob/main/manifest.md#image-manifest-property-descriptions only supports schema version 2.

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-11-08 13:38:51 -08:00
alex.lyn
b25538f670 ci: Introduce CI to validate pod hostname
Fixes #10422

Signed-off-by: alex.lyn <alex.lyn@antgroup.com>
2024-10-21 16:32:56 +01:00
Leonard Cohnen
c06bf2e3bb genpolicy: read binaryData value as String
While Kubernetes defines `binaryData` as `[]byte`,
when defined in a YAML file the raw bytes are
base64 encoded. Therefore, we need to read the YAML
value as `String` and not as `Vec<u8>`.

Fixes: #10410

Signed-off-by: Leonard Cohnen <lc@edgeless.systems>
2024-10-14 20:03:11 +02:00
ChengyuZhu6
a94024aedc tests: add test for sealed file secrets
add a test for sealed file secrets.

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2024-10-08 16:01:48 +08:00
Dan Mihai
9a8341f431 Merge pull request #10370 from microsoft/danmihai1/k8s-policy-rc
tests: k8s-policy-rc: remove default UID from YAML
2024-10-02 09:32:17 -07:00
Dan Mihai
3b24219310 tests: k8s-policy-rc: remove default UID from YAML
The nginx container seems to error out when using UID=123.

Depending on the timing between container initialization and "kubectl
wait", the test might have gotten lucky and found the pod briefly in
Ready state before nginx errored out. But on some of the nodes, the pod
never got reported as Ready.

Also, don't block in "kubectl wait --for=condition=Ready" when wrapping
that command in a waitForProcess call, because waitForProcess is
designed for short-lived commands.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-10-01 00:10:30 +00:00
Aurélien Bombo
c037ac0e82 tests: Add k8s-block-volume test
This imports the k8s-block-volume test from the tests repo and modifies
it slightly to set up the host volume on the AKS host.

This is a follow-up to #7132.

Fixes: #7164

Signed-off-by: Salvador Fuentes <salvador.fuentes@intel.com>
Signed-off-by: Aurélien Bombo <abombo@microsoft.com>
2024-09-30 10:58:30 -05:00
Hyounggyu Choi
374b8d2534 tests: Create and delete node debugger pod only once
Creating and deleting a node debugger pod for every `exec_host()`
call is inefficient.
This commit changes the test suite to create and delete the pod
only once, globally.

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-09-20 14:37:43 +02:00
Hyounggyu Choi
aedf14b244 tests: Mimic node debugger with full privileges
This commit addresses an issue with handling loop devices
via a node debugger due to restricted privileges.
It runs a pod with full privileges, allowing it to mount
the host root to `/host`, similar to the node debugger.
This change enables us to run tests for trusted image storage
using the `qemu-coco-dev` runtime class.

Fixes: #10133

Signed-off-by: Hyounggyu Choi <Hyounggyu.Choi@ibm.com>
2024-09-20 14:37:43 +02:00
Dan Mihai
5777869cf4 tests: k8s-policy-rc: add unexpected UID test
Change pod runAsUser value of a Replication Controller after generating
the RC's policy, and verify that the RC pods get rejected due to this
change.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-13 22:05:31 +00:00
Dan Mihai
124f01beb3 tests: k8s-policy-deployment: add bad UID test
Change pod runAsUser value of a Deployment after generating the
Deployment's policy, and verify that the Deployment fails due to
this change.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-13 22:05:31 +00:00
Dan Mihai
eb7f747df1 genpolicy: enable create container UID verification
Disabling the UID Policy rule was a workaround for #9928. Re-enable
that rule here and add a new test/CI temporary workaround for this
issue. This new test workaround will be removed after fixing #9928.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-11 22:38:20 +00:00
Dan Mihai
71ede4ea3f tests: k8s-policy-pod: use prometheus container
Change quay.io/prometheus/busybox to quay.io/prometheus/prometheus in
this test. The prometheus image will be helpful for testing the future
fix for #9928 because it specifies user = "nobody".

Also, change:

sh -c "ls -l /"

to:

echo -n "readinessProbe with space characters"

as the test readinessProbe command line. Both include a command line
argument containing space characters, but "sh -c" behaves differently
when using the prometheus container image (causes the readinessProbe
to time out, etc.).

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-09-11 22:38:20 +00:00
Saul Paredes
24c2d13fd3 genpolicy: support readonly emptyDir mount
Set emptyDir access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-09-04 15:05:44 -07:00
Saul Paredes
36a4104753 genpolicy: support readonly hostpath
Set hostpath access based on volume mount readOnly value

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-09-04 14:55:22 -07:00
Archana Choudhary
ae2cdedba8 genpolicy: add priorityClassName as a field in PodSpec interface
This allows generation of policy for pods specifying priority classes.

Signed-off-by: Archana Choudhary <archana1@microsoft.com>
2024-08-27 19:54:02 -07:00
Fabiano Fidêncio
0831081399 ci: k8s: Replace nginx alpine images
The previous ones are gone, so let's switch to our own multi-arch image
for the tests.

Signed-off-by: Fabiano Fidêncio <fabiano.fidencio@intel.com>
2024-08-17 12:19:33 +02:00
Dan Mihai
c22ac4f72c genpolicy: add bind mounts for image volumes
Add bind mounts for volumes defined by docker container images, unless
those mounts have been defined in the input K8s YAML file too.

For example, quay.io/opstree/redis defines two mounts:
/data
/node-conf
Before these changes, if these mounts were not defined in the YAML file
too, the auto-generated policy did not allow this container image to
start.

Signed-off-by: Dan Mihai <dmihai@microsoft.com>
2024-08-16 15:11:05 +00:00
Chengyu Zhu
ba3c484d12 Merge pull request #9999 from ChengyuZhu6/trusted-storage
Trusted image storage
2024-08-16 15:39:50 +08:00
ChengyuZhu6
6c506cde86 tests:k8s: add tests for pull images in the guest using trusted storage
add tests for pull images in the guest using trusted storage:
1) failed case: Test we cannot pull an image that exceeds the memory limit inside the guest
2) successful case: Test we can pull an image inside the guest using
   trusted ephemeral storage.

Signed-off-by: ChengyuZhu6 <chengyu.zhu@intel.com>
2024-08-15 13:55:22 +08:00
Saul Paredes
af598a232b tests: add test for cron job support
Add simple test for cron job support

Signed-off-by: Saul Paredes <saulparedes@microsoft.com>
2024-08-13 10:47:42 -07:00