authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-25 16:37:24 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-26 19:02:01 +0200
commit4dbeacb893fce6c6c6dad99cd691362fda48ec91 (patch)
tree4119e4f4de56e883eb8ff291e44e29bc444c0f28
parent944993869240ba58beab8958a61dacf927706a68 (diff)
k8s: Validate API server included authorization mode
This patch verifies that CIS Kubernetes Benchmark v1.3.0 section 1.1.32 (master node configuration) is satisfied. It also fixes a wrong documentation comment on a similar validator (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00cb8a458871b091b16fe60fc0087b7972aa3b6b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
-rw-r--r--test/security/k8s/src/check/cmd/check/check.go1
-rw-r--r--test/security/k8s/src/check/validators/master/api.go7
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go13
3 files changed, 19 insertions, 2 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index f348cd01a..0447d5bb0 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -65,6 +65,7 @@ func main() {
log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+ log.Printf("IsNodeAuthorizationModeIncluded: %t\n", master.IsNodeAuthorizationModeIncluded(k8sParams))
log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
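Review bot: The last context line of this hunk labels its output "IsAuditLogMaxAgeValid" but calls master.IsAuditLogPathSet, so the audit-log-path result is reported twice under two different names and the max-age check is never actually logged; the new IsNodeAuthorizationModeIncluded line is added right above this pre-existing copy-paste slip without touching it. If a master.IsAuditLogMaxAgeValid validator exists, the line should read `log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogMaxAgeValid(k8sParams))`; if it does not, the misleading line should be dropped rather than left reporting the wrong check. The added line itself follows the pattern of its neighbours. main() continues outside the hunk.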
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ea0d9ece9..bc25d9922 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -262,12 +262,17 @@ func hasFlagArgumentIncluded(flag string, argument string, params []string) bool
return false
}
-// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from admission control plugins.
+// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from authorization modes.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
return isSingleFlagPresent("--authorization-mode=", params) &&
!hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
}
+// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes.
+func IsNodeAuthorizationModeIncluded(params []string) bool {
+ return hasFlagArgumentIncluded("--authorization-mode=", "Node", params)
+}
+
// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
func IsAuditLogPathSet(params []string) bool {
return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
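Review bot: IsNodeAuthorizationModeIncluded does not guard with isSingleFlagPresent the way IsAlwaysAllowAuthorizationModeExcluded directly above it does, so a command line that carries --authorization-mode= more than once could satisfy the check through one occurrence even though a different occurrence is the one that takes effect. For consistency with the sibling validator, `return isSingleFlagPresent("--authorization-mode=", params) && hasFlagArgumentIncluded("--authorization-mode=", "Node", params)` makes the result unambiguous. Whether hasFlagArgumentIncluded matches whole comma-separated tokens or plain substrings cannot be seen here, since only its closing lines are in the hunk; if it is a substring match, the new function's doc comment should say so, since "Node" is a prefix of other Kubernetes component names. The corrected doc comment on IsAlwaysAllowAuthorizationModeExcluded now describes what the function checks.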
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index c0906bb74..35860c6b1 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -23,7 +23,7 @@ var _ = Describe("Api", func() {
"PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
"PodSecurityPolicy,NodeRestriction,EventRateLimit",
- "--authorization-mode=RBAC",
+ "--authorization-mode=Node,RBAC",
"--audit-log-path=/var/log/apiserver/audit.log",
"--audit-log-maxage=30",
"--audit-log-maxbackup=10",
@@ -478,6 +478,17 @@ var _ = Describe("Api", func() {
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("Node authorization mode",
+ func(params []string, expected bool) {
+ Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
+ Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
+ Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
+ )
})
Describe("Flags requiring strict equality", func() {
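Review bot: The two positive entries in the new "Node authorization mode" table are worded "Should present", while the entries visible just above read "Should be absent"; `Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true)` and the matching Dublin entry keep the descriptions grammatical and consistent with the rest of the table. The only hand-written negative case, `--authorization-mode=Foo,Bar`, never exercises a value where Node is not the first element or where the flag is repeated, so the table cannot tell token matching from substring matching in hasFlagArgumentIncluded; an entry such as `Entry("Is present when not first", []string{"--authorization-mode=RBAC,Node"}, true)` plus one with a duplicated flag would pin that behaviour down. The first hunk changes the kubeApiServerCISCompliant fixture to Node,RBAC, which presumably feeds the other tables in this file as well; the enclosing Describe block continues outside the hunk.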