tests/e2e: Add encrypted image tests #1988

Open
stevenhorsman opened this issue Aug 8, 2024 · 0 comments
We have encrypted image support in kata-containers now, so we should add some testing in peer pods to check it works correctly.

This is the acceptance criteria based on Kata, but it might be overblown to test all three cases and maybe one positive and one negative test (to ensure our test image is actually encrypted) is enough?

Acceptance Criteria

Scenario: Pull encrypted image on peer pod works
Given I have a version of kata deployed with a guest image that has an agent with guest_pull feature enabled and nydus-snapshotter installed and configured for guest-pulling
And A public encrypted container image i with a decryption key k that is configured in a KBS, so that image-rs on the guest can connect to it
When I try and create a peer pod from i
Then The pod is successfully created and runs

Scenario: Cannot pull encrypted image with no decryption key
Given I have a version of kata deployed with a guest image that has an agent with guest_pull feature enabled and nydus-snapshotter installed and configured for guest-pulling
And A public encrypted container image i with a decryption key k that is not configured in a KBS, so that image-rs on the guest can connect to it
When I try and create a peer pod from i
Then The pod is not created and errors (with a helpful message hopefully)

Scenario: Cannot pull encrypted image with wrong decryption key
Given I have a version of kata deployed with a guest image that has an agent with guest_pull feature enabled and nydus-snapshotter installed and configured for guest-pulling
And A public encrypted container image i with a decryption key k and a different key k' that is configured in a KBS, so that image-rs on the guest can connect to it
When I try and create a peer pod from i
Then The pod is not created and errors (with a helpful message hopefully)
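
One way to back the "ensure our test image is actually encrypted" concern with a static precondition, as an added example that is not part of the issue or the project's test code: parse the image manifest and report any layer that is not ocicrypt-encrypted. It assumes the ocicrypt conventions of a `+encrypted` media type suffix and `org.opencontainers.image.enc.keys.*` layer annotations; the function name `UnencryptedLayers` and the sample manifest are hypothetical and constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample manifest (not a real image): the first layer is
// encrypted, the second is a plain gzip layer that should be flagged.
const sampleManifest = `{"schemaVersion": 2, "layers": [
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip+encrypted",
  "digest": "sha256:constructed-encrypted-layer",
  "annotations": {"org.opencontainers.image.enc.keys.provider.attestation-agent": "constructed"}},
 {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
  "digest": "sha256:constructed-plain-layer"}]}`

type manifest struct {
	Layers []struct {
		MediaType   string            `json:"mediaType"`
		Digest      string            `json:"digest"`
		Annotations map[string]string `json:"annotations"`
	} `json:"layers"`
}

// UnencryptedLayers returns the digests of layers that lack either the
// "+encrypted" media type suffix or a wrapped-key annotation. An empty
// result means every layer looks encrypted.
func UnencryptedLayers(raw []byte) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, fmt.Errorf("parse manifest: %w", err)
	}
	if len(m.Layers) == 0 {
		// An image index has no layers; the caller must resolve a platform manifest first.
		return nil, fmt.Errorf("manifest has no layers")
	}
	var bad []string
	for _, l := range m.Layers {
		hasKey := false
		for k := range l.Annotations {
			hasKey = hasKey || strings.HasPrefix(k, "org.opencontainers.image.enc.keys.")
		}
		if !strings.HasSuffix(l.MediaType, "+encrypted") || !hasKey {
			bad = append(bad, l.Digest)
		}
	}
	return bad, nil
}

func main() { fmt.Println(UnencryptedLayers([]byte(sampleManifest))) }
```

A test fixture that passes this check can only start if decryption happened, so a successful pod start in the positive scenario is meaningful.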
