#!/usr/bin/env bats
# Copyright (c) 2022 IBM Corporation
#
# SPDX-License-Identifier: Apache-2.0
#
load "${BATS_TEST_DIRNAME}/tests_common.sh"

# Image tags are published per architecture: x86_64 tags carry no suffix,
# every other host appends "-$(uname -m)" to the tag.
tag_suffix=""
case "$(uname -m)" in
  x86_64) ;;
  *) tag_suffix="-$(uname -m)" ;;
esac

# Images used on the tests.
## Cosign
image_cosigned="quay.io/kata-containers/confidential-containers:cosign-signed${tag_suffix}"
# No ${tag_suffix} here — presumably this tag only exists for x86_64; confirm
# before running the cosign negative test on another architecture.
image_cosigned_other="quay.io/kata-containers/confidential-containers:cosign-signed-key2"
## Simple Signing
image_simple_signed="quay.io/kata-containers/confidential-containers:signed${tag_suffix}"
image_signed_protected_other="quay.io/kata-containers/confidential-containers:other_signed${tag_suffix}"
image_unsigned_protected="quay.io/kata-containers/confidential-containers:unsigned${tag_suffix}"
image_unsigned_unprotected="quay.io/prometheus/busybox:latest"
## Authenticated Image
image_authenticated="quay.io/kata-containers/confidential-containers-auth:test"

# Allow to configure the runtimeClassName on pod configuration.
RUNTIMECLASS="${RUNTIMECLASS:-kata}"

# Prefix shared by every test name so the suite can be selected by filter.
test_tag="[cc][agent][kubernetes][containerd]"
# bats per-test hook: all fixture preparation lives in tests_common.sh.
setup() { setup_common; }
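@test "$test_tag Test can launch pod with measured boot enabled" {
  # Positive case: with dm-verity protecting the guest rootfs, an unmodified
  # rootfs must still boot and run a pod. pod_config stays global because the
  # helpers (create_test_pod/teardown) may read it — confirm in tests_common.sh.
  switch_measured_rootfs_verity_scheme dm-verity
  pod_config="$(new_pod_config "$image_unsigned_unprotected")"
  # Quoted so a config path containing whitespace is printed intact.
  echo "$pod_config"
  create_test_pod
}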
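@test "$test_tag Test cannnot launch pod with measured boot enabled and rootfs modified" {
  # Negative case: writing the signature files into the guest rootfs changes
  # the measured blocks, so dm-verity must refuse to boot the pod.
  switch_measured_rootfs_verity_scheme dm-verity
  setup_signature_files
  pod_config="$(new_pod_config "$image_unsigned_unprotected")"
  # Quoted so a config path containing whitespace is printed intact.
  echo "$pod_config"
  assert_pod_fail "$pod_config"
}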
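@test "$test_tag Test cannot pull an unencrypted unsigned image from a protected registry" {
  # Negative case: the registry is covered by the signature policy, so an
  # unsigned image must be rejected before the pod starts.
  setup_signature_files
  # Declare and assign separately: 'local x=$(cmd)' reports local's status (0)
  # even when new_pod_config fails, which would let this negative test carry on
  # with an empty config and fail for the wrong reason.
  local container_config
  container_config="$(new_pod_config "$image_unsigned_protected")"
  echo "$container_config"
  assert_pod_fail "$container_config"
  assert_logs_contain "kata" 'Validate image failed: The signatures do not satisfied! Reject reason: \[Match reference failed.\]'
}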
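@test "$test_tag Test can pull an unencrypted image inside the guest" {
  # The image must be pulled by the guest agent, so the host-side shared
  # sandbox directory must not contain the container's rootfs.
  create_test_pod
  echo "Check the image was not pulled in the host"
  # (The unused 'pod_id' lookup via kubectl that used to sit here was dropped.)
  retrieve_sandbox_id
  # retrieve_sandbox_id is expected to populate sandbox_id; fail clearly instead
  # of searching a bogus path when it is empty.
  [ -n "${sandbox_id:-}" ]
  local shared_dir="/run/kata-containers/shared/sandboxes/${sandbox_id}/shared"
  [ -d "$shared_dir" ]
  # Collect matches NUL-delimited so a path with whitespace is one entry, not
  # several; rootfs is left global as in the original.
  rootfs=()
  local path
  while IFS= read -r -d '' path; do
    rootfs+=("$path")
  done < <(find "$shared_dir" -name rootfs -print0)
  # Exactly one rootfs is expected on the host side (presumably the sandbox's
  # own); a second one would mean the image was pulled on the host.
  [ "${#rootfs[@]}" -eq 1 ]
}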
@test "$test_tag Test can pull a unencrypted signed image from a protected registry" {
  # Positive counterpart of the protected-registry rejection tests: with the
  # signature policy installed, the default (signed) image must be admitted.
  # No pod_config is set here, so create_test_pod falls back to its own default
  # — presumably the signed image; confirm in tests_common.sh.
  setup_signature_files
  create_test_pod
}
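@test "$test_tag Test can pull an unencrypted unsigned image from an unprotected registry" {
  # Positive case: the policy only constrains protected registries, so an
  # unsigned image from an uncovered registry is still pulled.
  setup_signature_files
  pod_config="$(new_pod_config "$image_unsigned_unprotected")"
  # Quoted so a config path containing whitespace is printed intact.
  echo "$pod_config"
  create_test_pod
}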
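@test "$test_tag Test unencrypted signed image with unknown signature is rejected" {
  # Negative case: the image is signed, but with a key that is not in the
  # configured public keys, so verification must fail.
  setup_signature_files
  # Declare and assign separately: 'local x=$(cmd)' reports local's status (0)
  # even when new_pod_config fails, which would let this negative test carry on
  # with an empty config and fail for the wrong reason.
  local container_config
  container_config="$(new_pod_config "$image_signed_protected_other")"
  echo "$container_config"
  assert_pod_fail "$container_config"
  assert_logs_contain "kata" 'Validate image failed: The signatures do not satisfied! Reject reason: \[signature verify failed! There is no pubkey can verify the signature!\]'
}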
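@test "$test_tag Test unencrypted image signed with cosign" {
  # Positive case: a cosign-signed image verifies against the configured
  # cosign public key.
  setup_cosign_signatures_files
  pod_config="$(new_pod_config "$image_cosigned")"
  # Quoted so a config path containing whitespace is printed intact.
  echo "$pod_config"
  create_test_pod
}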
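@test "$test_tag Test unencrypted image with unknown cosign signature" {
  # Negative case: the image is cosign-signed with a key other than the
  # configured one, so the verifier must reject it.
  setup_cosign_signatures_files
  # Declare and assign separately: 'local x=$(cmd)' reports local's status (0)
  # even when new_pod_config fails, which would let this negative test carry on
  # with an empty config and fail for the wrong reason.
  local container_config
  container_config="$(new_pod_config "$image_cosigned_other")"
  echo "$container_config"
  assert_pod_fail "$container_config"
  assert_logs_contain "kata" 'Validate image failed: \[PublicKeyVerifier { key: ECDSA_P256_SHA256_ASN1'
}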
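@test "$test_tag Test pull an unencrypted unsigned image from an authenticated registry with correct credentials" {
  # Positive case: with a valid pull secret, and the same credentials made
  # available to the guest through the configured KBC, an image from a
  # private registry can be pulled.
  local registry="quay.io/kata-containers/confidential-containers-auth"
  kubectl delete secret cococred --ignore-not-found
  # REGISTRY_CREDENTIAL_ENCODED is base64("user:password"); abort early rather
  # than creating a pull secret with empty credentials.
  : "${REGISTRY_CREDENTIAL_ENCODED:?base64-encoded user:password is required}"
  local decoded
  decoded="$(base64 -d <<<"$REGISTRY_CREDENTIAL_ENCODED")"
  # Split on the first ':' only — 'cut -f2' dropped everything after a second
  # ':' in the password. Left as globals, as the original assigned them.
  AUTH_USER_NAME="${decoded%%:*}"
  AUTH_USER_PASSWD="${decoded#*:}"
  # The password travels in kubectl's argv and is visible in process listings
  # while the command runs. TODO: create the secret from a dockerconfigjson
  # file written with mktemp (--from-file) to keep it out of argv.
  kubectl create secret docker-registry cococred --docker-server="https://${registry}" \
    --docker-username="$AUTH_USER_NAME" --docker-password="$AUTH_USER_PASSWD"
  if [ "${AA_KBC}" = "offline_fs_kbc" ]; then
    setup_credentials_files "$registry"
  elif [ "${AA_KBC}" = "cc_kbc" ]; then
    # CC KBC is specified as: cc_kbc::http://host_ip:port/, and 60000 is the default port used
    # by the service, as well as the one configured in the Kata Containers rootfs.
    CC_KBS_IP=${CC_KBS_IP:-"$(hostname -I | awk '{print $1}')"}
    CC_KBS_PORT=${CC_KBS_PORT:-"60000"}
    add_kernel_params "agent.aa_kbc_params=cc_kbc::http://${CC_KBS_IP}:${CC_KBS_PORT}/"
  fi
  pod_config="$(new_pod_config "${image_authenticated}")"
  # Quoted so a config path containing whitespace is printed intact.
  echo "$pod_config"
  create_test_pod
  # This cleanup is skipped when an earlier step fails; the next test's
  # --ignore-not-found delete covers that, and teardown_common presumably does
  # too — confirm in tests_common.sh.
  kubectl delete secret cococred --ignore-not-found
}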
@test "$test_tag Test cannot pull an image from an authenticated registry with incorrect credentials" {
  # Negative case: a bogus account must make containerd's pull fail at the
  # token exchange. Skipped under cc_kbc, where the credentials live in
  # verdictd and changing them would require restarting that service.
  if [[ "${AA_KBC}" == "cc_kbc" ]]; then
    skip "As the test requires changing verdictd configuration and restarting its service"
  fi
  local registry="quay.io/kata-containers/confidential-containers-auth"
  kubectl delete secret cococred --ignore-not-found
  # Deliberately invalid credentials; the base64 value below appears to encode
  # the same user:password pair for the guest-side credential file.
  local secret_args=(
    --docker-server="https://${registry}"
    --docker-username="Arandomquaytestaccountthatdoesntexist"
    --docker-password="password"
  )
  kubectl create secret docker-registry cococred "${secret_args[@]}"
  REGISTRY_CREDENTIAL_ENCODED="QXJhbmRvbXF1YXl0ZXN0YWNjb3VudHRoYXRkb2VzbnRleGlzdDpwYXNzd29yZAo=" setup_credentials_files "$registry"
  pod_config="$(new_pod_config "${image_authenticated}")"
  printf 'Pod config: %s\n' "${pod_config}"
  assert_pod_fail "${pod_config}"
  assert_logs_contain "containerd" 'failed to fetch oauth token'
  kubectl delete secret cococred --ignore-not-found
}
@test "$test_tag Test cannot pull an image from an authenticated registry without credentials" {
  # Negative case: no pull secret and no guest credentials at all, so the
  # registry must answer the manifest request with 401 and the pod must fail.
  pod_config="$(new_pod_config "${image_authenticated}")"
  printf 'Pod config: %s\n' "${pod_config}"
  assert_pod_fail "${pod_config}"
  assert_logs_contain "containerd" 'failed to resolve reference \\"quay.io/kata-containers/confidential-containers-auth:test\\": pulling from host quay.io failed with status code \[manifests test\]: 401 UNAUTHORIZED'
}
# bats per-test hook: all fixture cleanup lives in tests_common.sh.
teardown() { teardown_common; }