genpolicy: Adapt to CRI-O

Signed-off-by: Fabiano Fidêncio <ffidencio@nvidia.com>

.github/workflows/run-kata-coco-tests.yaml

@@ -258,6 +258,98 @@ jobs:
         timeout-minutes: 5
         run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
 
+  run-k8s-tests-coco-nontee-crio:
+    name: run-k8s-tests-coco-nontee-crio
+    strategy:
+      fail-fast: false
+      matrix:
+        vmm:
+          - qemu-coco-dev
+    runs-on: fidencio-crio
+    permissions:
+      contents: read
+    environment: ci
+    env:
+      DOCKER_REGISTRY: ${{ inputs.registry }}
+      DOCKER_REPO: ${{ inputs.repo }}
+      DOCKER_TAG: ${{ inputs.tag }}
+      GH_PR_NUMBER: ${{ inputs.pr-number }}
+      KATA_HYPERVISOR: ${{ matrix.vmm }}
+      KBS: "true"
+      KBS_INGRESS: "nodeport"
+      KUBERNETES: "vanilla"
+      PULL_TYPE: "guest-pull"
+      AUTHENTICATED_IMAGE_USER: ${{ vars.AUTHENTICATED_IMAGE_USER }}
+      AUTHENTICATED_IMAGE_PASSWORD: ${{ secrets.AUTHENTICATED_IMAGE_PASSWORD }}
+      SNAPSHOTTER: ""
+      EXPERIMENTAL_FORCE_GUEST_PULL: ""
+      AUTO_GENERATE_POLICY: "yes"
+      K8S_TEST_HOST_TYPE: "all"
+      CONTAINER_ENGINE: "crio"
+      CONTAINER_RUNTIME: "crio"
+      CONTAINER_ENGINE_VERSION: "active"
+      GH_TOKEN: ${{ github.token }}
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ inputs.commit-hash }}
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Rebase atop of the latest target branch
+        run: |
+          ./tests/git-helper.sh "rebase-atop-of-the-latest-target-branch"
+        env:
+          TARGET_BRANCH: ${{ inputs.target-branch }}
+
+      - name: get-kata-tools-tarball
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4.3.0
+        with:
+          name: kata-tools-static-tarball-amd64${{ inputs.tarball-suffix }}
+          path: kata-tools-artifacts
+
+      - name: Install kata-tools
+        run: bash tests/integration/kubernetes/gha-run.sh install-kata-tools kata-tools-artifacts
+
+      - name: Deploy Kata
+        timeout-minutes: 20
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-kata
+
+      - name: Deploy CoCo KBS
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-coco-kbs
+
+      - name: Install `kbs-client`
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh install-kbs-client
+
+      - name: Deploy CSI driver
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh deploy-csi-driver
+
+      - name: Run tests
+        timeout-minutes: 80
+        run: bash tests/integration/kubernetes/gha-run.sh run-tests
+
+      - name: Report tests
+        if: always()
+        run: bash tests/integration/kubernetes/gha-run.sh report-tests
+
+      - name: Delete kata-deploy
+        if: always()
+        timeout-minutes: 15
+        run: bash tests/integration/kubernetes/gha-run.sh cleanup
+
+      - name: Delete CoCo KBS
+        if: always()
+        timeout-minutes: 10
+        run: bash tests/integration/kubernetes/gha-run.sh delete-coco-kbs
+
+      - name: Delete CSI driver
+        if: always()
+        timeout-minutes: 5
+        run: bash tests/integration/kubernetes/gha-run.sh delete-csi-driver
+
   # Generate jobs for testing CoCo on non-TEE environments with erofs-snapshotter
   run-k8s-tests-coco-nontee-with-erofs-snapshotter:
     name: run-k8s-tests-coco-nontee-with-erofs-snapshotter

src/tools/genpolicy/rules.rego

@@ -51,12 +51,33 @@ default WriteStreamRequest := false
 # them and inspect OPA logs for the root cause of a failure.
 default AllowRequestsFailingPolicy := false
 
-# Constants
+# Constants (containerd keys; CRI-O uses different keys, see *_CRIO below)
 S_NAME_KEY = "io.kubernetes.cri.sandbox-name"
 S_NAMESPACE_KEY = "io.kubernetes.cri.sandbox-namespace"
+S_NAME_KEY_CRIO = "io.kubernetes.cri-o.SandboxName"
+S_NAMESPACE_KEY_CRIO = "io.kubernetes.cri-o.Namespace"
+SANDBOX_ID_KEY = "io.kubernetes.cri.sandbox-id"
+SANDBOX_ID_KEY_CRIO = "io.kubernetes.cri-o.SandboxID"
+C_TYPE_KEY = "io.kubernetes.cri.container-type"
+C_TYPE_KEY_CRIO = "io.kubernetes.cri-o.ContainerType"
+CONTAINER_NAME_KEY = "io.kubernetes.cri.container-name"
+CONTAINER_NAME_KEY_CRIO = "io.kubernetes.cri-o.ContainerName"
+IMAGE_NAME_KEY = "io.kubernetes.cri.image-name"
+IMAGE_NAME_KEY_CRIO = "io.kubernetes.cri-o.ImageName"
+SANDBOX_LOG_DIR_KEY = "io.kubernetes.cri.sandbox-log-directory"
+SANDBOX_LOG_DIR_KEY_CRIO = "io.kubernetes.cri-o.LogPath"
 CDI_VFIO_ANNOTATION_PREFIX = "cdi.k8s.io/vfio"
 VFIO_PCI_ADDRESS_REGEX = "^[0-9a-fA-F]{4}:[0-9a-fA-F]{2}:[01][0-9a-fA-F]\\.[0-7]=[0-9a-fA-F]{2}/[0-9a-fA-F]{2}$"
 
+# Get annotation value from input OCI: accept either CRI (containerd) or CRI-O key.
+get_input_anno(i_oci, cri_key, crio_key) := v if {
+    v := i_oci.Annotations[cri_key]
+}
+get_input_anno(i_oci, cri_key, crio_key) := v if {
+    not i_oci.Annotations[cri_key]
+    v := i_oci.Annotations[crio_key]
+}
+
 CreateContainerRequest := {"ops": ops, "allowed": true} if {
     # Check if the input request should be rejected even before checking the
     # policy_data.containers information.
@@ -69,8 +90,8 @@ CreateContainerRequest := {"ops": ops, "allowed": true} if {
     # array of possible state operations
     ops_builder := []
 
-    # check sandbox name
-    sandbox_name = i_oci.Annotations[S_NAME_KEY]
+    # check sandbox name (containerd or CRI-O)
+    sandbox_name := get_input_anno(i_oci, S_NAME_KEY, S_NAME_KEY_CRIO)
     add_sandbox_name_to_state := state_allows("sandbox_name", sandbox_name)
     ops_builder1 := concat_op_if_not_null(ops_builder, add_sandbox_name_to_state)
 
@@ -85,9 +106,9 @@ CreateContainerRequest := {"ops": ops, "allowed": true} if {
 
     p_oci := p_container.OCI
 
-    # check namespace
+    # check namespace (containerd or CRI-O)
     p_namespace := p_oci.Annotations[S_NAMESPACE_KEY]
-    i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    i_namespace := get_input_anno(i_oci, S_NAMESPACE_KEY, S_NAMESPACE_KEY_CRIO)
     print("CreateContainerRequest: p_namespace =", p_namespace, "i_namespace =", i_namespace)
     add_namespace_to_state := allow_namespace(p_namespace, i_namespace)
     ops_builder2 := concat_op_if_not_null(ops_builder1, add_namespace_to_state)
@@ -249,9 +270,13 @@ allow_anno_key_value(i_key, i_value, p_container) if {
     print("allow_anno_key_value 1: i key =", i_key)
 
     startswith(i_key, "io.kubernetes.cri.")
-
     print("allow_anno_key_value 1: true")
 }
+allow_anno_key_value(i_key, i_value, p_container) if {
+    print("allow_anno_key_value 1b: i key =", i_key)
+    startswith(i_key, "io.kubernetes.cri-o.")
+    print("allow_anno_key_value 1b: true")
+}
 allow_anno_key_value(i_key, i_value, p_container) if {
     print("allow_anno_key_value 2: i key =", i_key)
 
@@ -272,17 +297,17 @@ allow_anno_key_value(i_key, i_value, p_container) if {
     print("allow_anno_key_value 3: true")
 }
 
-# Get the value of the S_NAME_KEY annotation and
-# correlate it with other annotations and process fields.
+# Get the value of the sandbox name/namespace annotations (containerd or CRI-O) and
+# correlate with other annotations and process fields.
 allow_by_anno(p_oci, i_oci, p_storages, i_storages) if {
     print("allow_by_anno 1: start")
 
     not p_oci.Annotations[S_NAME_KEY]
 
-    i_s_name := i_oci.Annotations[S_NAME_KEY]
+    i_s_name := get_input_anno(i_oci, S_NAME_KEY, S_NAME_KEY_CRIO)
     print("allow_by_anno 1: i_s_name =", i_s_name)
 
-    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    i_s_namespace := get_input_anno(i_oci, S_NAMESPACE_KEY, S_NAMESPACE_KEY_CRIO)
     print("allow_by_anno 1: i_s_namespace =", i_s_namespace)
 
     allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
@@ -293,12 +318,12 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) if {
     print("allow_by_anno 2: start")
 
     p_s_name := p_oci.Annotations[S_NAME_KEY]
-    i_s_name := i_oci.Annotations[S_NAME_KEY]
+    i_s_name := get_input_anno(i_oci, S_NAME_KEY, S_NAME_KEY_CRIO)
     print("allow_by_anno 2: i_s_name =", i_s_name, "p_s_name =", p_s_name)
 
     allow_sandbox_name(p_s_name, i_s_name)
 
-    i_s_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    i_s_namespace := get_input_anno(i_oci, S_NAMESPACE_KEY, S_NAMESPACE_KEY_CRIO)
     print("allow_by_anno 2: i_s_namespace =", i_s_namespace)
 
     allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, i_s_name, i_s_namespace)
@@ -309,7 +334,7 @@ allow_by_anno(p_oci, i_oci, p_storages, i_storages) if {
 allow_by_sandbox_name(p_oci, i_oci, p_storages, i_storages, s_name, s_namespace) if {
     print("allow_by_sandbox_name: start")
 
-    i_namespace := i_oci.Annotations[S_NAMESPACE_KEY]
+    i_namespace := get_input_anno(i_oci, S_NAMESPACE_KEY, S_NAMESPACE_KEY_CRIO)
 
     allow_by_container_types(p_oci, i_oci, s_name, i_namespace)
     allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages)
@@ -325,18 +350,14 @@ allow_sandbox_name(p_s_name, i_s_name) if {
     print("allow_sandbox_name: true")
 }
 
-# Check that the "io.kubernetes.cri.container-type" and
-# "io.katacontainers.pkg.oci.container_type" annotations designate the
-# expected type - either a "sandbox" or a "container". Then, validate
-# other annotations based on the actual "sandbox" or "container" value
-# from the input container.
+# Check that the container-type annotation (containerd or CRI-O) and
+# "io.katacontainers.pkg.oci.container_type" designate the expected type -
+# either "sandbox" or "container". Then validate other annotations accordingly.
 allow_by_container_types(p_oci, i_oci, s_name, s_namespace) if {
-    print("allow_by_container_types: checking io.kubernetes.cri.container-type")
+    print("allow_by_container_types: checking container-type")
 
-    c_type := "io.kubernetes.cri.container-type"
-
-    p_cri_type := p_oci.Annotations[c_type]
-    i_cri_type := i_oci.Annotations[c_type]
+    p_cri_type := p_oci.Annotations[C_TYPE_KEY]
+    i_cri_type := get_input_anno(i_oci, C_TYPE_KEY, C_TYPE_KEY_CRIO)
     print("allow_by_container_types: p_cri_type =", p_cri_type, "i_cri_type =", i_cri_type)
     p_cri_type == i_cri_type
 
@@ -375,44 +396,54 @@ allow_by_container_type(i_cri_type, p_oci, i_oci, s_name, s_namespace) if {
     print("allow_by_container_type 2: true")
 }
 
-# "io.kubernetes.cri.container-name" annotation
+# Container name: sandbox has none; container must match (containerd or CRI-O key).
 allow_sandbox_container_name(p_oci, i_oci) if {
     print("allow_sandbox_container_name: start")
-
-    container_annotation_missing(p_oci, i_oci, "io.kubernetes.cri.container-name")
-
+    container_annotation_missing_cri_crio(p_oci, i_oci, CONTAINER_NAME_KEY, CONTAINER_NAME_KEY_CRIO)
     print("allow_sandbox_container_name: true")
 }
 
 allow_container_name(p_oci, i_oci) if {
     print("allow_container_name: start")
-
-    allow_container_annotation(p_oci, i_oci, "io.kubernetes.cri.container-name")
-
+    allow_container_annotation_cri_crio(p_oci, i_oci, CONTAINER_NAME_KEY, CONTAINER_NAME_KEY_CRIO)
     print("allow_container_name: true")
 }
 
 container_annotation_missing(p_oci, i_oci, key) if {
     print("container_annotation_missing:", key)
-
     not p_oci.Annotations[key]
     not i_oci.Annotations[key]
-
     print("container_annotation_missing: true")
 }
 
+# Both policy and input lack the annotation (input checked for both CRI and CRI-O keys).
+container_annotation_missing_cri_crio(p_oci, i_oci, cri_key, crio_key) if {
+    print("container_annotation_missing_cri_crio:", cri_key)
+    not p_oci.Annotations[cri_key]
+    not i_oci.Annotations[cri_key]
+    not i_oci.Annotations[crio_key]
+    print("container_annotation_missing_cri_crio: true")
+}
+
 allow_container_annotation(p_oci, i_oci, key) if {
     print("allow_container_annotation: key =", key)
-
     p_value := p_oci.Annotations[key]
     i_value := i_oci.Annotations[key]
     print("allow_container_annotation: p_value =", p_value, "i_value =", i_value)
-
     p_value == i_value
-
     print("allow_container_annotation: true")
 }
 
+# Policy uses CRI key; input may have CRI or CRI-O key.
+allow_container_annotation_cri_crio(p_oci, i_oci, cri_key, crio_key) if {
+    print("allow_container_annotation_cri_crio: cri_key =", cri_key)
+    p_value := p_oci.Annotations[cri_key]
+    i_value := get_input_anno(i_oci, cri_key, crio_key)
+    print("allow_container_annotation_cri_crio: p_value =", p_value, "i_value =", i_value)
+    p_value == i_value
+    print("allow_container_annotation_cri_crio: true")
+}
+
 # "nerdctl/network-namespace" annotation
 allow_sandbox_net_namespace(p_oci, i_oci) if {
     print("allow_sandbox_net_namespace: start")
@@ -439,18 +470,16 @@ allow_net_namespace(p_oci, i_oci) if {
     print("allow_net_namespace: true")
 }
 
-# "io.kubernetes.cri.sandbox-log-directory" annotation
+# Sandbox log directory (containerd or CRI-O: cri-o uses LogPath)
 allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) if {
     print("allow_sandbox_log_directory: start")
 
-    key := "io.kubernetes.cri.sandbox-log-directory"
-
-    p_dir := p_oci.Annotations[key]
+    p_dir := p_oci.Annotations[SANDBOX_LOG_DIR_KEY]
     regex1 := replace(p_dir, "$(sandbox-name)", s_name)
     regex2 := replace(regex1, "$(sandbox-namespace)", s_namespace)
     print("allow_sandbox_log_directory: regex2 =", regex2)
 
-    i_dir := i_oci.Annotations[key]
+    i_dir := get_input_anno(i_oci, SANDBOX_LOG_DIR_KEY, SANDBOX_LOG_DIR_KEY_CRIO)
     print("allow_sandbox_log_directory: i_dir =", i_dir)
 
     regex.match(regex2, i_dir)
@@ -460,12 +489,9 @@ allow_sandbox_log_directory(p_oci, i_oci, s_name, s_namespace) if {
 
 allow_log_directory(p_oci, i_oci) if {
     print("allow_log_directory: start")
-
-    key := "io.kubernetes.cri.sandbox-log-directory"
-
-    not p_oci.Annotations[key]
-    not i_oci.Annotations[key]
-
+    not p_oci.Annotations[SANDBOX_LOG_DIR_KEY]
+    not i_oci.Annotations[SANDBOX_LOG_DIR_KEY]
+    not i_oci.Annotations[SANDBOX_LOG_DIR_KEY_CRIO]
     print("allow_log_directory: true")
 }
 
@@ -776,22 +802,25 @@ allow_linux_sysctl(p_linux, i_linux) if {
     print("allow_linux_sysctl 2: true")
 }
 
-# Check the consistency of the input "io.katacontainers.pkg.oci.bundle_path"
-# and io.kubernetes.cri.sandbox-id" values with other fields.
+# Check sandbox_id and derive bundle_id from guest root path (CRI-agnostic: works for containerd and CRI-O).
+# Bundle path on the host is runtime-specific; root path in the guest is stable, so we extract bundle_id from it.
 allow_by_bundle_or_sandbox_id(p_oci, i_oci, p_storages, i_storages) if {
     print("allow_by_bundle_or_sandbox_id: start")
 
-    bundle_path := i_oci.Annotations["io.katacontainers.pkg.oci.bundle_path"]
-    bundle_id := replace(bundle_path, "/run/containerd/io.containerd.runtime.v2.task/k8s.io/", "")
-
-    key := "io.kubernetes.cri.sandbox-id"
-
-    p_regex := p_oci.Annotations[key]
-    sandbox_id := i_oci.Annotations[key]
-
+    p_regex := p_oci.Annotations[SANDBOX_ID_KEY]
+    sandbox_id := get_input_anno(i_oci, SANDBOX_ID_KEY, SANDBOX_ID_KEY_CRIO)
     print("allow_by_bundle_or_sandbox_id: sandbox_id =", sandbox_id, "regex =", p_regex)
     regex.match(p_regex, sandbox_id)
 
+    # Derive bundle_id from guest root path (e.g. /run/kata-containers/<bundle_id>/rootfs).
+    # Match 64-char hex (real runtimes) or any single path segment (e.g. test data: bundle-id, gpu-container, dummy).
+    i_root := i_oci.Root.Path
+    p_root_pattern1 := p_oci.Root.Path
+    p_root_pattern2 := replace(p_root_pattern1, "$(root_path)", policy_data.common.root_path)
+    p_root_pattern3 := replace(p_root_pattern2, "$(bundle-id)", "([0-9a-f]{64}|[^/]+)")
+    print("allow_by_bundle_or_sandbox_id: i_root =", i_root, "regex =", p_root_pattern3)
+    bundle_id := regex.find_all_string_submatch_n(p_root_pattern3, i_root, 1)[0][1]
+
     allow_root_path(p_oci, i_oci, bundle_id)
 
     # Match each input mount with a Policy mount.

tests/common.bash

@@ -810,16 +810,17 @@ function install_nydus_snapshotter() {
 	rm -f "${tarball_name}"
 }
 
-# version: the CRI-O version to be installe
+# version: the CRI-O version to be installed (major.minor, e.g. 1.35)
+# Repo: https://github.com/cri-o/packaging (OpenSUSE Build Service, not pkgs.k8s.io)
 function install_crio() {
 	local version=${1}
 
 	sudo mkdir -p /etc/apt/keyrings
 	sudo mkdir -p /etc/apt/sources.list.d
 
-	curl -fsSL https://pkgs.k8s.io/addons:/cri-o:/stable:/v${version}/deb/Release.key | \
+	curl -fsSL https://download.opensuse.org/repositories/isv:/cri-o:/stable:/v${version}/deb/Release.key | \
 		sudo gpg --dearmor -o /etc/apt/keyrings/cri-o-apt-keyring.gpg
-	echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://pkgs.k8s.io/addons:/cri-o:/stable:/v${version}/deb/ /" | \
+	echo "deb [signed-by=/etc/apt/keyrings/cri-o-apt-keyring.gpg] https://download.opensuse.org/repositories/isv:/cri-o:/stable:/v${version}/deb/ /" | \
 		sudo tee /etc/apt/sources.list.d/cri-o.list
 
 	sudo apt update

tests/gha-run-k8s-common.sh

@@ -397,13 +397,19 @@ EOF
 
 	# Deploy k8s using kubeadm with CreateContainerRequest (CRI) timeout set to 600s,
 	# mainly for CoCo (Confidential Containers) tests (attestation, policy, image pull, VM start).
+	local cri_socket
+	case "${CONTAINER_ENGINE:-containerd}" in
+		crio) cri_socket="/var/run/crio/crio.sock" ;;
+		containerd) cri_socket="/run/containerd/containerd.sock" ;;
+		*) cri_socket="/run/containerd/containerd.sock" ;;
+	esac
 	local kubeadm_config
 	kubeadm_config="$(mktemp --tmpdir kubeadm-config.XXXXXX.yaml)"
 	cat <<EOF | tee "${kubeadm_config}"
 apiVersion: kubeadm.k8s.io/v1beta3
 kind: InitConfiguration
 nodeRegistration:
-  criSocket: "/run/containerd/containerd.sock"
+  criSocket: "${cri_socket}"
 ---
 apiVersion: kubeadm.k8s.io/v1beta3
 kind: ClusterConfiguration
@@ -427,8 +433,29 @@ EOF
 	kubectl taint nodes --all node-role.kubernetes.io/control-plane-
 }
 
-# container_engine: containerd (only containerd is supported for now, support for crio is welcome)
-# container_engine_version: major.minor (and then we'll install the latest patch release matching that major.minor)
+# Try to install CRI-O for the given k8s-matching version (major.minor); if the repo/package
+# is not available yet (k8s released before CRI-O), try previous minor (x.y-1).
+function try_install_crio_for_k8s() {
+	local version="${1}"
+	local major minor
+	major="${version%%.*}"
+	minor="${version##*.}"
+
+	if install_crio "${version}"; then
+		return 0
+	fi
+	if [[ "${minor}" -gt 0 ]]; then
+		minor=$((minor - 1))
+		echo "CRI-O v${version} not available yet, trying v${major}.${minor}"
+		install_crio "${major}.${minor}"
+	else
+		echo "CRI-O v${version} failed and no fallback (minor would be < 0)" >&2
+		return 1
+	fi
+}
+
+# container_engine: containerd or crio
+# container_engine_version: for containerd: major.minor or lts/active; for crio: major.minor (e.g. 1.31) or active
 function deploy_vanilla_k8s() {
 	container_engine="${1}"
 	container_engine_version="${2}"
@@ -436,10 +463,18 @@ function deploy_vanilla_k8s() {
 	[[ -z "${container_engine}" ]] && die "container_engine is required"
 	[[ -z "${container_engine_version}" ]] && die "container_engine_version is required"
 
+	# Export so do_deploy_k8s can pick the right CRI socket
+	export CONTAINER_ENGINE="${container_engine}"
+
 	# Resolve lts/active to the actual version from versions.yaml (e.g. v1.7, v2.1)
-	case "${container_engine_version}" in
+		case "${container_engine_version}" in
 		lts|active)
-			container_engine_version=$(get_from_kata_deps ".externals.containerd.${container_engine_version}")
+			if [[ "${container_engine}" == "containerd" ]]; then
+				container_engine_version=$(get_from_kata_deps ".externals.containerd.${container_engine_version}")
+			else
+				# CRI-O version matches k8s: use latest k8s stable major.minor (e.g. 1.31)
+				container_engine_version=$(curl -Ls https://dl.k8s.io/release/stable.txt | sed -e 's/^v//' | cut -d. -f-2)
+			fi
 			;;
 		*) ;;
 	esac
@@ -454,6 +489,11 @@ function deploy_vanilla_k8s() {
 			sudo mkdir -p /etc/containerd
 			containerd config default | sed -e 's/SystemdCgroup = false/SystemdCgroup = true/' | sudo tee /etc/containerd/config.toml
 			;;
+		crio)
+			# CRI-O version is major.minor (e.g. 1.31) for download.opensuse.org/isv:cri-o:stable
+			# If k8s was released before CRI-O, try previous minor (x.y-1)
+			try_install_crio_for_k8s "${container_engine_version}"
+			;;
 		*) die "${container_engine} is not a container engine supported by this script" ;;
 	esac
 	sudo systemctl daemon-reload && sudo systemctl restart "${container_engine}"

tests/integration/kubernetes/k8s-guest-pull-image-authenticated.bats

@@ -10,14 +10,15 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
 export KBS="${KBS:-false}"
 export SNAPSHOTTER="${SNAPSHOTTER:-}"
 export EXPERIMENTAL_FORCE_GUEST_PULL="${EXPERIMENTAL_FORCE_GUEST_PULL:-}"
+export PULL_TYPE="${PULL_TYPE:-}"
 
 setup() {
     if ! is_confidential_runtime_class; then
         skip "Test not supported for ${KATA_HYPERVISOR}."
     fi
 
-    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ]; then
-        skip "Either SNAPSHOTTER=nydus or EXPERIMENTAL_FORCE_GUEST_PULL must be set for this test"
+    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ] && [ "${PULL_TYPE}" != "guest-pull" ]; then
+        skip "Either SNAPSHOTTER=nydus, EXPERIMENTAL_FORCE_GUEST_PULL, or PULL_TYPE=guest-pull must be set for this test"
     fi
 
     setup_common || die "setup_common failed"
@@ -174,8 +175,8 @@ teardown() {
         skip "Test not supported for ${KATA_HYPERVISOR}."
     fi
 
-    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ]; then
-        skip "Either SNAPSHOTTER=nydus or EXPERIMENTAL_FORCE_GUEST_PULL must be set for this test"
+    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ] && [ "${PULL_TYPE}" != "guest-pull" ]; then
+        skip "Either SNAPSHOTTER=nydus, EXPERIMENTAL_FORCE_GUEST_PULL, or PULL_TYPE=guest-pull must be set for this test"
     fi
 
     confidential_teardown_common "${node}" "${node_start_time:-}"

tests/integration/kubernetes/k8s-guest-pull-image-signature.bats

@@ -11,14 +11,15 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
 export KBS="${KBS:-false}"
 export SNAPSHOTTER="${SNAPSHOTTER:-}"
 export EXPERIMENTAL_FORCE_GUEST_PULL="${EXPERIMENTAL_FORCE_GUEST_PULL:-}"
+export PULL_TYPE="${PULL_TYPE:-}"
 
 setup() {
     if ! is_confidential_runtime_class; then
         skip "Test not supported for ${KATA_HYPERVISOR}."
     fi
 
-    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ]; then
-        skip "Either SNAPSHOTTER=nydus or EXPERIMENTAL_FORCE_GUEST_PULL must be set for this test"
+    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ] && [ "${PULL_TYPE}" != "guest-pull" ]; then
+        skip "Either SNAPSHOTTER=nydus, EXPERIMENTAL_FORCE_GUEST_PULL, or PULL_TYPE=guest-pull must be set for this test"
     fi
 
     tag_suffix=""
@@ -243,8 +244,8 @@ teardown() {
         skip "Test not supported for ${KATA_HYPERVISOR}."
     fi
 
-    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ]; then
-        skip "Either SNAPSHOTTER=nydus or EXPERIMENTAL_FORCE_GUEST_PULL must be set for this test"
+    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ] && [ "${PULL_TYPE}" != "guest-pull" ]; then
+        skip "Either SNAPSHOTTER=nydus, EXPERIMENTAL_FORCE_GUEST_PULL, or PULL_TYPE=guest-pull must be set for this test"
     fi
 
     teardown_common "${node}" "${node_start_time:-}"

tests/integration/kubernetes/k8s-guest-pull-image.bats

@@ -10,14 +10,15 @@ load "${BATS_TEST_DIRNAME}/confidential_common.sh"
 
 export SNAPSHOTTER="${SNAPSHOTTER:-}"
 export EXPERIMENTAL_FORCE_GUEST_PULL="${EXPERIMENTAL_FORCE_GUEST_PULL:-}"
+export PULL_TYPE="${PULL_TYPE:-}"
 
 setup() {
     if ! is_confidential_runtime_class; then
         skip "Test not supported for ${KATA_HYPERVISOR}."
     fi
 
-    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ]; then
-        skip "Either SNAPSHOTTER=nydus or EXPERIMENTAL_FORCE_GUEST_PULL must be set for this test"
+    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ] && [ "${PULL_TYPE}" != "guest-pull" ]; then
+        skip "Either SNAPSHOTTER=nydus, EXPERIMENTAL_FORCE_GUEST_PULL, or PULL_TYPE=guest-pull must be set for this test"
     fi
 
     setup_common || die "setup_common failed"
@@ -228,8 +229,8 @@ teardown() {
         skip "Test not supported for ${KATA_HYPERVISOR}."
     fi
 
-    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ]; then
-        skip "Either SNAPSHOTTER=nydus or EXPERIMENTAL_FORCE_GUEST_PULL must be set for this test"
+    if [ "${SNAPSHOTTER}" != "nydus" ] && [ -z "${EXPERIMENTAL_FORCE_GUEST_PULL}" ] && [ "${PULL_TYPE}" != "guest-pull" ]; then
+        skip "Either SNAPSHOTTER=nydus, EXPERIMENTAL_FORCE_GUEST_PULL, or PULL_TYPE=guest-pull must be set for this test"
     fi
 
     teardown_common "${node}" "${node_start_time:-}"