diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-19 16:06:13 +0200 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-19 18:34:12 +0200 |
commit | 4e74a1e24e15b3db2216fb269a58cfc08e598f63 (patch) | |
tree | 7ecd79d0f80a4c32c19ad1f9db4aee062748a14a | |
parent | 3e602597b036d29f77485f35c1f81a8cdb6f350b (diff) |
k8s: Validate API server certificates and keys
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.22, 1.1.25 -
1.1.26 and 1.1.28).
Issue-ID: SECCOM-235
Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 5 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 23 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api_test.go | 51 |
3 files changed, 79 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index d124b8708..028843734 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -74,4 +74,9 @@ func main() { log.Printf("IsKubeletCertificateAuthoritySet: %t\n", master.IsKubeletCertificateAuthoritySet(k8sParams)) log.Printf("IsClientCertificateAuthoritySet: %t\n", master.IsClientCertificateAuthoritySet(k8sParams)) log.Printf("IsEtcdCertificateAuthoritySet: %t\n", master.IsEtcdCertificateAuthoritySet(k8sParams)) + + log.Printf("IsServiceAccountKeySet: %t\n", master.IsServiceAccountKeySet(k8sParams)) + log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", master.IsKubeletClientCertificateAndKeySet(k8sParams)) + log.Printf("IsEtcdCertificateAndKeySet: %t\n", master.IsEtcdCertificateAndKeySet(k8sParams)) + log.Printf("IsTLSCertificateAndKeySet: %t\n", master.IsTLSCertificateAndKeySet(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index 4a70e5337..95a02d17d 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -278,6 +278,29 @@ func IsEtcdCertificateAuthoritySet(params []string) bool { return hasSingleFlagNonemptyArgument("--etcd-cafile", params) } +// IsServiceAccountKeySet validates there is single "--service-account-key-file" flag and has non-empty argument. +func IsServiceAccountKeySet(params []string) bool { + return hasSingleFlagNonemptyArgument("--service-account-key-file", params) +} + +// IsKubeletClientCertificateAndKeySet validates there are single "--kubelet-client-certificate" and "--kubelet-client-key" flags and have non-empty arguments. +func IsKubeletClientCertificateAndKeySet(params []string) bool { + return hasSingleFlagNonemptyArgument("--kubelet-client-certificate", params) && + hasSingleFlagNonemptyArgument("--kubelet-client-key", params) +} + +// IsEtcdCertificateAndKeySet validates there are single "--etcd-certfile" and "--etcd-keyfile" flags and have non-empty arguments. +func IsEtcdCertificateAndKeySet(params []string) bool { + return hasSingleFlagNonemptyArgument("--etcd-certfile", params) && + hasSingleFlagNonemptyArgument("--etcd-keyfile", params) +} + +// IsTLSCertificateAndKeySet validates there are single "--tls-cert-file" and "--tls-private-key-file" flags and have non-empty arguments. +func IsTLSCertificateAndKeySet(params []string) bool { + return hasSingleFlagNonemptyArgument("--tls-cert-file", params) && + hasSingleFlagNonemptyArgument("--tls-private-key-file", params) +} + // hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument. func hasSingleFlagNonemptyArgument(flag string, params []string) bool { found := filterFlags(params, flag) diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index f0db8b776..f9eb943b3 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -31,6 +31,13 @@ var _ = Describe("Api", func() { "--kubelet-certificate-authority=TrustedCA", "--client-ca-file=/etc/kubernetes/ssl/ca.pem", "--etcd-cafile=/etc/kubernetes/etcd/ca.pem", + "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem", + "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem", + "--kubelet-client-key=/etc/kubernetes/ssl/key.pem", + "--etcd-certfile=/etc/kubernetes/etcd/cert.pem", + "--etcd-keyfile=/etc/kubernetes/etcd/key.pem", + "--tls-cert-file=/etc/kubernetes/ssl/cert.pem", + "--tls-private-key-file=/etc/kubernetes/ssl/key.pem", } // kubeApiServerCasablanca was obtained from virtual environment for testing @@ -240,6 +247,50 @@ var _ = Describe("Api", func() { Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), ) + + DescribeTable("Service account key", + func(params []string, expected bool) { + Expect(IsServiceAccountKeySet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false), + Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), + ) + + DescribeTable("Kubelet client certificate and key", + func(params []string, expected bool) { + Expect(IsKubeletClientCertificateAndKeySet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false), + Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), + ) + + DescribeTable("Etcd certificate and key", + func(params []string, expected bool) { + Expect(IsEtcdCertificateAndKeySet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false), + Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), + ) + + DescribeTable("TLS certificate and key", + func(params []string, expected bool) { + Expect(IsTLSCertificateAndKeySet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false), + Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be present on Dublin cluster", kubeApiServerDublin, true), + ) }) Describe("Address and port flags", func() { |