confidential-containers · bpradipt · Aug 13, 2025 · Aug 21, 2025 · Aug 21, 2025
@@ -111,6 +111,7 @@ jobs:
           DOCKER_HOST="unix:///var/run/docker.sock"
           DOCKER_NETWORK_NAME="kind"
           CONTAINER_RUNTIME="${{ inputs.container_runtime }}"
+          DOCKER_API_VERSION="1.44"
           EOF
           # For debugging
           cat docker.properties

@@ -54,6 +54,39 @@ you should export an unanchored regular expression in the `RUN_TESTS` variable t
 $ RUN_TESTS=CreateSimplePod TEST_PROVISION=yes TEST_PODVM_IMAGE="path/to/podvm-base.qcow2" CLOUD_PROVIDER=libvirt make test-e2e
 ```
 
+## Running tests by category
+
+The E2E tests are organized into categories using the naming convention `Test<Category><Provider><TestCaseName>`. This allows you to run specific types of tests across all providers or for specific providers.
+
+### Test Categories
+
+- **Basic** (37 tests) - Core pod operations like creation, deletion, ConfigMaps, Secrets, Jobs, and Deployments
+- **Net** (14 tests) - Network functionality including external IP access, service communication, and mTLS
+- **Sec** (13 tests) - Security features such as authenticated images, device annotations, and access control
+- **Conf** (10 tests) - Confidential computing features including image decryption, attestation, and KBS integration
+- **Res** (32 tests) - Resource management including CPU/memory limits, annotations, and logging
+- **Img** (6 tests) - Image handling including large images and alternate images
+- **Store** (2 tests) - Storage functionality such as Persistent Volume Claims (PVC)
+
+### Category-based filtering examples
+
+```bash
+# Run all basic tests for libvirt provider
+$ RUN_TESTS='^TestBasic' CLOUD_PROVIDER=libvirt make test-e2e
+
+# Run all networking tests for azure provider
+$ RUN_TESTS='^TestNet' CLOUD_PROVIDER=azure make test-e2e
+
+# Run all confidential computing tests for libvirt provider
+$ RUN_TESTS='^TestConf' CLOUD_PROVIDER=libvirt make test-e2e
+
+# Run all security tests for aws provider
+$ RUN_TESTS='^TestSec' CLOUD_PROVIDER=aws make test-e2e
+
+# Run all resource management tests for azure provider
+$ RUN_TESTS='^TestRes' CLOUD_PROVIDER=azure make test-e2e
+```
+
 ## Attestation and KBS specific
 
 We need artifacts from the trustee repo when doing the attestation tests.

@@ -12,108 +12,108 @@ import (
 	_ "github.com/confidential-containers/cloud-api-adaptor/src/cloud-api-adaptor/test/provisioner/aws"
 )
 
-func TestAwsCreateSimplePod(t *testing.T) {
+func TestBasicAwsCreateSimplePod(t *testing.T) {
 	assert := NewAWSAssert()
 	DoTestCreateSimplePod(t, testEnv, assert)
 }
 
-func TestAwsCreatePodWithConfigMap(t *testing.T) {
+func TestBasicAwsCreatePodWithConfigMap(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePodWithConfigMap(t, testEnv, assert)
 }
 
-func TestAwsCreatePodWithSecret(t *testing.T) {
+func TestBasicAwsCreatePodWithSecret(t *testing.T) {
 	t.Skip("Test not passing")
 	assert := NewAWSAssert()
 
 	DoTestCreatePodWithSecret(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodContainerWithExternalIPAccess(t *testing.T) {
+func TestNetAwsCreatePeerPodContainerWithExternalIPAccess(t *testing.T) {
 	t.Skip("Test not passing")
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodContainerWithExternalIPAccess(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodWithJob(t *testing.T) {
+func TestBasicAwsCreatePeerPodWithJob(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodWithJob(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodAndCheckUserLogs(t *testing.T) {
+func TestResAwsCreatePeerPodAndCheckUserLogs(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodAndCheckUserLogs(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodAndCheckWorkDirLogs(t *testing.T) {
+func TestResAwsCreatePeerPodAndCheckWorkDirLogs(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodAndCheckWorkDirLogs(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodAndCheckEnvVariableLogsWithImageOnly(t *testing.T) {
+func TestResAwsCreatePeerPodAndCheckEnvVariableLogsWithImageOnly(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodAndCheckEnvVariableLogsWithImageOnly(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodAndCheckEnvVariableLogsWithDeploymentOnly(t *testing.T) {
+func TestResAwsCreatePeerPodAndCheckEnvVariableLogsWithDeploymentOnly(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodAndCheckEnvVariableLogsWithDeploymentOnly(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodAndCheckEnvVariableLogsWithImageAndDeployment(t *testing.T) {
+func TestResAwsCreatePeerPodAndCheckEnvVariableLogsWithImageAndDeployment(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodAndCheckEnvVariableLogsWithImageAndDeployment(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodWithLargeImage(t *testing.T) {
+func TestImgAwsCreatePeerPodWithLargeImage(t *testing.T) {
 	assert := NewAWSAssert()
 
 	DoTestCreatePeerPodWithLargeImage(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodWithPVC(t *testing.T) {
+func TestStoreAwsCreatePeerPodWithPVC(t *testing.T) {
 	t.Skip("To be implemented")
 }
 
-func TestAwsCreatePeerPodWithAuthenticatedImagewithValidCredentials(t *testing.T) {
+func TestSecAwsCreatePeerPodWithAuthenticatedImageValidCredentials(t *testing.T) {
 	t.Skip("To be implemented")
 }
 
-func TestAwsCreatePeerPodWithAuthenticatedImageWithInvalidCredentials(t *testing.T) {
+func TestSecAwsCreatePeerPodWithAuthenticatedImageInvalidCredentials(t *testing.T) {
 	t.Skip("To be implemented")
 }
 
-func TestAwsCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
+func TestSecAwsCreatePeerPodWithAuthenticatedImageWithoutCredentials(t *testing.T) {
 	t.Skip("To be implemented")
 }
 
-func TestAwsDeletePod(t *testing.T) {
+func TestBasicAwsDeletePod(t *testing.T) {
 	assert := NewAWSAssert()
 	DoTestDeleteSimplePod(t, testEnv, assert)
 }
 
-func TestAwsCreateNginxDeployment(t *testing.T) {
+func TestBasicAwsCreateNginxDeployment(t *testing.T) {
 	t.Skip("Test not passing")
 	assert := NewAWSAssert()
 	DoTestNginxDeployment(t, testEnv, assert)
 }
 
-func TestAwsCreatePeerPodContainerWithInvalidAlternateImage(t *testing.T) {
+func TestImgAwsCreatePeerPodContainerWithInvalidAlternateImage(t *testing.T) {
 	assert := NewAWSAssert()
 	nonExistingImageName := "ami-123456"
 	expectedErrorMessage := fmt.Sprintf("InvalidAMIID.NotFound: The image id '[%s]' does not exist: not found", nonExistingImageName)
 	DoTestCreatePeerPodContainerWithInvalidAlternateImage(t, testEnv, assert, nonExistingImageName, expectedErrorMessage)
 }
 
-func TestAwsPodWithInitContainer(t *testing.T) {
+func TestBasicAwsPodWithInitContainer(t *testing.T) {
 	assert := NewAWSAssert()
 	DoTestPodWithInitContainer(t, testEnv, assert)
 }
@@ -20,57 +20,57 @@ import (
 	"sigs.k8s.io/e2e-framework/pkg/envconf"
 )
 
-func TestDeletePodAzure(t *testing.T) {
+func TestBasicAzureDeletePod(t *testing.T) {
 	t.Parallel()
 	DoTestDeleteSimplePod(t, testEnv, assert)
 }
 
-func TestCreateSimplePodAzure(t *testing.T) {
+func TestBasicAzureCreateSimplePod(t *testing.T) {
 	t.Parallel()
 	DoTestCreateSimplePod(t, testEnv, assert)
 }
 
-func TestCreatePodWithConfigMapAzure(t *testing.T) {
+func TestBasicAzureCreatePodWithConfigMap(t *testing.T) {
 	t.Parallel()
 	DoTestCreatePodWithConfigMap(t, testEnv, assert)
 }
 
-func TestCreatePodWithSecretAzure(t *testing.T) {
+func TestBasicAzureCreatePodWithSecret(t *testing.T) {
 	t.Parallel()
 	DoTestCreatePodWithSecret(t, testEnv, assert)
 }
 
-func TestCreateNginxDeploymentAzure(t *testing.T) {
+func TestBasicAzureCreateNginxDeployment(t *testing.T) {
 	t.Parallel()
 	DoTestNginxDeployment(t, testEnv, assert)
 }
 
-func TestPodToServiceCommunicationAzure(t *testing.T) {
+func TestNetAzurePodToServiceCommunication(t *testing.T) {
 	t.Parallel()
 	DoTestPodToServiceCommunication(t, testEnv, assert)
 }
 
-func TestPodsMTLSCommunicationAzure(t *testing.T) {
+func TestNetAzurePodsMTLSCommunication(t *testing.T) {
 	t.Parallel()
 	DoTestPodsMTLSCommunication(t, testEnv, assert)
 }
 
-func TestPodVMwithAnnotationsInstanceTypeAzure(t *testing.T) {
+func TestResAzurePodVMwithAnnotationsInstanceType(t *testing.T) {
 	SkipTestOnCI(t)
 	t.Parallel()
 	instanceSize := "Standard_DC2as_v5"
 	DoTestPodVMwithAnnotationsInstanceType(t, testEnv, assert, instanceSize)
 }
 
-func TestPodVMwithAnnotationsInvalidInstanceTypeAzure(t *testing.T) {
+func TestResAzurePodVMwithAnnotationsInvalidInstanceType(t *testing.T) {
 	t.Parallel()
 	// Using an instance type that's not configured in the AZURE_INSTANCE_SIZE
 	instanceSize := "Standard_D8as_v5"
 	DoTestPodVMwithAnnotationsInvalidInstanceType(t, testEnv, assert, instanceSize)
 }
 
 // Test with device annotation
-func TestPodWithCrioDeviceAnnotationAzure(t *testing.T) {
+func TestSecAzurePodWithCrioDeviceAnnotation(t *testing.T) {
 	if !isTestOnCrio() {
 		t.Skip("Skipping test as it is not running on CRI-O")
 	}
@@ -79,7 +79,7 @@ func TestPodWithCrioDeviceAnnotationAzure(t *testing.T) {
 }
 
 // Negative test with device annotation
-func TestPodWithIncorrectDeviceAnnotationAzure(t *testing.T) {
+func TestSecAzurePodWithIncorrectDeviceAnnotation(t *testing.T) {
 	if !isTestOnCrio() {
 		t.Skip("Skipping test as it is not running on CRI-O")
 	}
@@ -88,14 +88,14 @@ func TestPodWithIncorrectDeviceAnnotationAzure(t *testing.T) {
 }
 
 // Test with init container
-func TestPodWithInitContainerAzure(t *testing.T) {
+func TestBasicAzurePodWithInitContainer(t *testing.T) {
 	t.Parallel()
 	DoTestPodWithInitContainer(t, testEnv, assert)
 }
 
 // Test to check the presence if pod can access files from internet
 // Use DoTestPodWithSpecificCommands and provide the commands to be executed in the pod
-func TestPodToDownloadExternalFileAzure(t *testing.T) {
+func TestNetAzurePodToDownloadExternalFile(t *testing.T) {
 	t.Parallel()
 	// Create TestCommand struct with the command to download index.html
 	command1 := TestCommand{
@@ -125,13 +125,13 @@ func TestPodToDownloadExternalFileAzure(t *testing.T) {
 }
 
 // Method to check external IP access using ping
-func TestCreatePeerPodContainerWithExternalIPAccessAzure(t *testing.T) {
+func TestNetAzureCreatePeerPodContainerWithExternalIPAccess(t *testing.T) {
 	SkipTestOnCI(t)
 	t.Parallel()
 	DoTestCreatePeerPodContainerWithExternalIPAccess(t, testEnv, assert)
 }
 
-func TestKbsKeyRelease(t *testing.T) {
+func TestConfAzureKbsKeyRelease(t *testing.T) {
 	if !isTestWithKbs() {
 		t.Skip("Skipping kbs related test as kbs is not deployed")
 	}
@@ -146,7 +146,7 @@ func TestKbsKeyRelease(t *testing.T) {
 	DoTestKbsKeyRelease(t, testEnv, assert, kbsEndpoint, resourcePath, testSecret)
 }
 
-func TestRemoteAttestation(t *testing.T) {
+func TestConfAzureRemoteAttestation(t *testing.T) {
 	t.Parallel()
 	var kbsEndpoint string
 	if ep := os.Getenv("KBS_ENDPOINT"); ep != "" {
@@ -163,7 +163,7 @@ func TestRemoteAttestation(t *testing.T) {
 	DoTestRemoteAttestation(t, testEnv, assert, kbsEndpoint)
 }
 
-func TestTrusteeOperatorKeyReleaseForSpecificKey(t *testing.T) {
+func TestConfAzureTrusteeOperatorKeyReleaseForSpecificKey(t *testing.T) {
 	if !isTestWithTrusteeOperator() {
 		t.Skip("Skipping kbs related test as Trustee Operator is not deployed")
 	}
@@ -175,7 +175,7 @@ func TestTrusteeOperatorKeyReleaseForSpecificKey(t *testing.T) {
 	DoTestKbsKeyRelease(t, testEnv, assert, kbsEndpoint, "default/kbsres1/key1", "res1val1")
 }
 
-func TestAzureImageDecryption(t *testing.T) {
+func TestConfAzureImageDecryption(t *testing.T) {
 	if !isTestWithKbs() {
 		t.Skip("Skipping kbs related test as kbs is not deployed")
 	}
@@ -187,7 +187,7 @@ func TestAzureImageDecryption(t *testing.T) {
 // This test is to verify that the initdata is measured correctly. The digest algorith in the initdata fixture
 // is sha384. The initdata spec requires the digest to be truncated/padded to the TEE's requirement. In this case,
 // the az tpm attester requires the digest to be sha256 and is hence truncated
-func TestInitDataMeasurement(t *testing.T) {
+func TestConfAzureInitDataMeasurement(t *testing.T) {
 	kbsEndpoint := "http://some.endpoint"
 	annotation, err := buildInitdataAnnotation(kbsEndpoint, testInitdata)
 	if err != nil {

@@ -11,7 +11,7 @@ import (
 	"testing"
 	"time"
 
-	"github.com/docker/docker/api/types"
+	"github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/client"
 )
 
@@ -26,13 +26,13 @@ func (c DockerAssert) DefaultTimeout() time.Duration {
 }
 
 func (l DockerAssert) HasPodVM(t *testing.T, id string) {
-	conn, err := client.NewClientWithOpts(client.FromEnv)
+	conn, err := client.NewClientWithOpts(client.FromEnv, client.WithAPIVersionNegotiation())
 	if err != nil {
 		t.Fatal(err)
 	}
 
 	// Check if the container is running
-	containers, err := conn.ContainerList(context.Background(), types.ContainerListOptions{})
+	containers, err := conn.ContainerList(context.Background(), container.ListOptions{})
 	if err != nil {
 		t.Fatal(err)
 	}