aljaz/kata-containers
1
0
Fork 0
mirror of https://github.com/aljazceru/kata-containers.git synced 2025-12-17 14:24:27 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
patch-1
kata-containers/tests/integration/kubernetes/k8s-measured-rootfs.bats
Wainer dos Santos Moschetta 48bdca4c49 tests/k8s: add k8s-measured-rootfs.bats 
Implements the following test case:

  Scenario: Check incorrect hash fails
  **Given** I have a version of kata installed that has a kernel with the
  initramfs built and config with rootfs_verity.scheme=dm-verity
  rootfs_verity.hash=<incorrect hash of rootfs> set in the kernel_params
  **When** I try and create a container a basic pod
  **Then** The pod is doesn't run
  **And**  Ideally we'd get a helpful message to indicate why

Currently on CI only qemu-tdx is built with measured
rootfs support in the kernel, so the test is restriced to that
runtimeclass.

Fixes #7415
Signed-off-by: Wainer dos Santos Moschetta <wainersm@redhat.com>
2023-11-28 11:21:54 -03:00

52 lines
1.4 KiB
Bash
Raw Permalink Blame History

#!/usr/bin/env bats
#
# Copyright (c) 2023 Red Hat
#
# SPDX-License-Identifier: Apache-2.0
#
load "${BATS_TEST_DIRNAME}/lib.sh"
load "${BATS_TEST_DIRNAME}/tests_common.sh"
check_and_skip() {
# Currently the only kernel built with measured rootfs support is
# the kernel-tdx-experimental.
[ "${KATA_HYPERVISOR}" = "qemu-tdx" ] || \
skip "measured rootfs tests not implemented for hypervisor: $KATA_HYPERVISOR"
}
setup() {
check_and_skip
setup_common
}
teardown() {
check_and_skip
kubectl describe -f "${pod_config}" || true
kubectl delete -f "${pod_config}" || true
}
@test "Test cannnot launch pod with measured boot enabled and incorrect hash" {
pod_config="$(new_pod_config nginx "kata-${KATA_HYPERVISOR}")"
incorrect_hash="5180b1568c2ba972e4e06ee0a55976acae8329f2a5d1d2004395635e1ec4a76e"
# Despite the kernel being built with support, it is not currently enabled
# on configuration.toml. To avoid editing that file on the worker node,
# here it will be enabled via pod annotations.
set_metadata_annotation "$pod_config" \
"io.katacontainers.config.hypervisor.kernel_params" \
"rootfs_verity.scheme=dm-verity rootfs_verity.hash=$incorrect_hash"
# Run on a specific node so we know from where to inspect the logs
set_node "$pod_config" "$node"
# For debug sake
echo "Pod $pod_config file:"
cat $pod_config
assert_pod_fail "$pod_config"
assert_logs_contain "$node" kata "$node_start_time" \
'verity: .* metadata block .* is corrupted'
}
Reference in New Issue View Git Blame Copy Permalink