stevenhorsman
commented
1 week ago I'll put a hold on this as we expect it to fail with the 0.9.0-alpha1 release due to the required kata runtime changes not being in the 3.6.0 that the release uses.
Open stevenhorsman opened 1 week ago
stevenhorsman
commented
1 week ago I'll put a hold on this as we expect it to fail with the 0.9.0-alpha1 release due to the required kata runtime changes not being in the 3.6.0 that the release uses.
Add policy tests for two scenarios:
Scenario: Block exec command Given a peer pods set-up including the "latest" kata-containers
maincodebase and a pod created, which includes the annotationio.katacontainers.config.agent.policy:which is set to the base64 encodedallow-all-except-exec-process.regoWhen we runkubectl exec <pod_name> -- <command>Then The request is blocked with an error that includes:failed to exec in containerandExecProcessRequest is blocked by policyScenario: Fully permission policy Given a peer pods set-up including the "latest" kata-containers
maincodebase and a pod created, which includes the annotationio.katacontainers.config.agent.policy:which is set to the base64 encodedallow-all.regoWhen we runkubectl exec <pod_name> -- <command>Then The request is successful