Scenario: Block exec command
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, which includes the annotation io.katacontainers.config.agent.policy: which is set to the base64 encoded allow-all-except-exec-process.rego
When we run kubectl exec <pod_name> -- <command>
Then The request is blocked with an error that includes: failed to exec in container and ExecProcessRequest is blocked by policy

Scenario: Fully permission policy
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, which includes the annotation io.katacontainers.config.agent.policy: which is set to the base64 encoded allow-all.rego
When we run kubectl exec <pod_name> -- <command>
Then The request is successful
I'll put a hold on this as we expect it to fail with the 0.9.0-alpha1 release due to the required kata runtime changes not being in the 3.6.0 that the release uses.
Add policy tests for two scenarios:
Scenario: Block exec command
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, which includes the annotation io.katacontainers.config.agent.policy: which is set to the base64 encoded allow-all-except-exec-process.rego
When we run kubectl exec <pod_name> -- <command>
Then The request is blocked with an error that includes: failed to exec in container and ExecProcessRequest is blocked by policy

Scenario: Fully permission policy
Given a peer pods set-up including the "latest" kata-containers main codebase and a pod created, which includes the annotation io.katacontainers.config.agent.policy: which is set to the base64 encoded allow-all.rego
When we run kubectl exec <pod_name> -- <command>
Then The request is successful
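
The two scenarios above, written out as shell helpers. This is an added example, not code from this PR or from the kata-containers project; the function names, the `kata-remote` runtime class and the `busybox` image are assumptions, and the policy file is whichever `.rego` file you pass in.

```shell
#!/bin/sh
# Added example: helper names, runtime class and image are assumptions.

# Base64-encode a Rego policy file onto a single line (no wrapping),
# which is the form the annotation value takes.
encode_policy() {
    base64 < "$1" | tr -d '\n'
}

# Print a pod manifest carrying the policy annotation.
# $1 = pod name, $2 = path to the .rego file
pod_manifest() {
    cat <<EOF
apiVersion: v1
kind: Pod
metadata:
  name: $1
  annotations:
    io.katacontainers.config.agent.policy: "$(encode_policy "$2")"
spec:
  runtimeClassName: kata-remote
  containers:
    - name: app
      image: busybox
      command: ["sleep", "3600"]
EOF
}

# Succeed only if the exec output carries both strings from the first scenario.
exec_blocked_by_policy() {
    case "$1" in *"failed to exec in container"*) ;; *) return 1 ;; esac
    case "$1" in *"ExecProcessRequest is blocked by policy"*) return 0 ;; esac
    return 1
}

# Run kubectl exec and classify the result as allowed, blocked or error,
# so an unrelated failure is never mistaken for a policy denial.
# $1 = pod name, remaining arguments = command to run in the pod
check_exec() {
    pod="$1"; shift
    if out="$(kubectl exec "$pod" -- "$@" 2>&1)"; then
        echo "allowed"
    elif exec_blocked_by_policy "$out"; then
        echo "blocked"
    else
        echo "error"; printf '%s\n' "$out" >&2
    fi
}
```

With `allow-all-except-exec-process.rego` applied, `check_exec <pod_name> <command>` should print `blocked`; with `allow-all.rego` it should print `allowed`.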