tests: k8s: improve the Agent Policy tests #9398
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Don't add the "allow all" policy to all the test YAML files anymore. After this change, the k8s tests assume that all the Kata CI Guest rootfs image files either: - Don't support Agent Policy at all, or - Include an "allow all" default policy. This relience/assumption will be addressed in a future commit. Fixes: kata-containers#9395 Signed-off-by: Dan Mihai <[email protected]>
Check from: - k8s-exec-rejected.bats - k8s-policy-set-keys.bats if policy testing is enabled or not, to reduce the complexity of run_kubernetes_tests.sh. After these changes, there are no policy specific commands left in run_kubernetes_tests.sh. add_allow_all_policy_to_yaml() is moving out of run_kubernetes_tests.sh too, but it not used yet. It will be used in future commits. Fixes: kata-containers#9395 Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-empty-dirs.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-footloose.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-guest-pull-image.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-inotify.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-liveness-probes.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-measured-rootfs.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-optional-empty-secret.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-pod-quota.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-projected-volume.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-seccomp.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-security-context.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-sysctls.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-volume.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-nginx-connectivity.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
Use the "allow all" policy for k8s-sandbox-vcpus-allocation.bats, instead of relying on the Kata Guest image to use the same policy as its default. Signed-off-by: Dan Mihai <[email protected]>
danmihai1
force-pushed
the
danmihai1/policy-test-cleanup
branch
from
f75853e to
f800bd8
Compare
ChengyuZhu6
reviewed
Apr 3, 2024
Comment on lines
277
to
279
| ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \ | ||
| 'metadata.annotations."io.katacontainers.config.agent.policy"' \ | ||
| "${ALLOW_ALL_POLICY}" |
There was a problem hiding this comment.
@danmihai1 , I recommend to call set_metadata_annotation to apply annotation.
kata-containers/tests/integration/kubernetes/lib.sh
Lines 177 to 193 in c163d9f
There was a problem hiding this comment.
@ChengyuZhu6 thanks! I think that's a good idea but I think we should perform this additional cleanup in a separate PR. I explained my thoughts in #9405 .
Comment on lines
284
to
286
| ALLOW_ALL_POLICY="${ALLOW_ALL_POLICY}" yq write -i "${yaml_file}" \ | ||
| 'spec.template.metadata.annotations."io.katacontainers.config.agent.policy"' \ | ||
| "${ALLOW_ALL_POLICY}" |
|
/test |
GabyCT
approved these changes
Apr 4, 2024
sprt
approved these changes
Apr 8, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Don't blindly apply the "allow all" policy to all the test yaml files - even to files that don't need a policy (e.g., ConfigMap|LimitRange|Namespace|PersistentVolume|PersistentVolumeClaim|RuntimeClass|Secret|Service don't need policy)
Reduce the run_kubernetes_tests.sh complexity, by replacing all of its commands that are directly related to policy
Add the "allow all" policy just to test yaml files that need a policy (Pod|Deployment|Job|ReplicationController) and that are not being tested using a policy auto-generated by the genpolicy tool