kata-containers/tests
Alex Lyn c225cba0e6 tests: Correct unexpected capability for policy failure test
The test case designed to verify policy failures due to an "unexpected
capability" was misconfigured. It was using "CAP_SYS_CHROOT" as the
unexpected capability to be added.

This configuration was flawed for two main reasons:
1. Incorrect Syntax: Kubernetes Pod specs expect capability names without
   the "CAP_" prefix (e.g., "SYS_CHROOT", not "CAP_SYS_CHROOT").
   This made the test case's premise incorrect from a K8s API perspective.
2. Part of Default Set: "SYS_CHROOT" is already included in the
   `default_caps` list for a standard container. Therefore, adding it would
   not trigger a policy violation, defeating the purpose of the
   "unexpected capability" test.

Furthermore, a related issue was observed where a malformed capability
like "CAP_CAP_SYS_CHROOT" was being generated, causing parsing failures
in the `oci-spec-rs` library. This was a symptom of incorrect string
manipulation when handling capabilities.

This commit corrects the test by selecting "SYS_NICE" as the unexpected
capability. "SYS_NICE" is a more suitable choice because:
- It is a valid Linux capability.
- It is relatively harmless.
- It is **not** part of the default capability set defined in
  `genpolicy-settings.json`.

By using "SYS_NICE", the test now accurately simulates a scenario where
a Pod requests a legitimate but non-default capability, which the policy
(generated from a baseline Pod without this capability) should correctly
reject. This change fixes the test's logic and also resolves the
downstream `oci-spec-rs` parsing error by ensuring only valid capability
names are processed.

Signed-off-by: Alex Lyn <alex.lyn@antgroup.com>
2025-11-11 14:06:30 +08:00
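
The following is an added example, not code from this commit, from genpolicy or from `oci-spec-rs`. It models the two problems the commit message describes: blind prefixing that produces "CAP_CAP_SYS_CHROOT", and a requested capability that only counts as unexpected when it falls outside the defaults. The capability lists and all function names are assumptions made for the illustration; the real default set is `default_caps` in `genpolicy-settings.json`.

```rust
use std::collections::BTreeSet;

// Constructed subset of Linux capability names in OCI form (illustration only).
const KNOWN_CAPS: &[&str] = &[
    "CAP_CHOWN", "CAP_KILL", "CAP_NET_RAW", "CAP_SYS_CHROOT", "CAP_SYS_NICE", "CAP_SYS_ADMIN",
];
// Assumed default set for this example, not the project's actual list.
const DEFAULT_CAPS: &[&str] = &["CAP_CHOWN", "CAP_KILL", "CAP_NET_RAW", "CAP_SYS_CHROOT"];

/// Blind prefixing: the kind of string handling that yields "CAP_CAP_...".
fn naive_prefix(name: &str) -> String {
    format!("CAP_{}", name)
}

/// Convert a Pod-spec name to OCI form, adding "CAP_" only when it is absent,
/// then reject anything that is not a known capability.
fn to_oci_cap(name: &str) -> Result<String, String> {
    let upper = name.trim().to_ascii_uppercase();
    let oci = if upper.starts_with("CAP_") { upper } else { format!("CAP_{}", upper) };
    if KNOWN_CAPS.iter().any(|c| *c == oci.as_str()) {
        Ok(oci)
    } else {
        Err(format!("invalid capability name: {}", name))
    }
}

/// Capabilities a Pod requests that the baseline (defaults plus the baseline
/// Pod's own `add` list) does not allow. Non-empty means a policy failure.
fn unexpected_caps(baseline_add: &[&str], requested_add: &[&str]) -> Result<Vec<String>, String> {
    let mut allowed: BTreeSet<String> = DEFAULT_CAPS.iter().map(|c| c.to_string()).collect();
    for cap in baseline_add {
        allowed.insert(to_oci_cap(cap)?);
    }
    let mut extra = Vec::new();
    for cap in requested_add {
        let oci = to_oci_cap(cap)?;
        if !allowed.contains(&oci) {
            extra.push(oci);
        }
    }
    Ok(extra)
}

fn main() {
    // Constructed inputs: a non-default capability, a default one, a malformed one.
    println!("{:?}", unexpected_caps(&[], &["SYS_NICE"]));
    println!("{:?}", unexpected_caps(&[], &["SYS_CHROOT"]));
    println!("{:?}", to_oci_cap(&naive_prefix("CAP_SYS_CHROOT")));
}
```
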

Kata Containers Tests

This directory contains the various types of tests for the Kata Containers repository.

Test Content

We provide several tests to ensure Kata Containers runs in different scenarios and with different container managers.

  1. Integration tests to ensure compatibility with:
  2. Stability tests
  3. Metrics
  4. Functional

GitHub Actions

Kata Containers uses GitHub Actions in the Kata Containers repository.