aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-19 16:06:13 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-19 18:34:12 +0200
commit4e74a1e24e15b3db2216fb269a58cfc08e598f63 (patch)
tree7ecd79d0f80a4c32c19ad1f9db4aee062748a14a
parent3e602597b036d29f77485f35c1f81a8cdb6f350b (diff)
k8s: Validate API server certificates and keys
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.22, 1.1.25 - 1.1.26 and 1.1.28). Issue-ID: SECCOM-235 Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
-rw-r--r--test/security/k8s/src/check/cmd/check/check.go5
-rw-r--r--test/security/k8s/src/check/validators/master/api.go23
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go51
3 files changed, 79 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index d124b8708..028843734 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -74,4 +74,9 @@ func main() {
log.Printf("IsKubeletCertificateAuthoritySet: %t\n", master.IsKubeletCertificateAuthoritySet(k8sParams))
log.Printf("IsClientCertificateAuthoritySet: %t\n", master.IsClientCertificateAuthoritySet(k8sParams))
log.Printf("IsEtcdCertificateAuthoritySet: %t\n", master.IsEtcdCertificateAuthoritySet(k8sParams))
+
+ log.Printf("IsServiceAccountKeySet: %t\n", master.IsServiceAccountKeySet(k8sParams))
+ log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", master.IsKubeletClientCertificateAndKeySet(k8sParams))
+ log.Printf("IsEtcdCertificateAndKeySet: %t\n", master.IsEtcdCertificateAndKeySet(k8sParams))
+ log.Printf("IsTLSCertificateAndKeySet: %t\n", master.IsTLSCertificateAndKeySet(k8sParams))
}
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 4a70e5337..95a02d17d 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -278,6 +278,29 @@ func IsEtcdCertificateAuthoritySet(params []string) bool {
return hasSingleFlagNonemptyArgument("--etcd-cafile", params)
}
+// IsServiceAccountKeySet validates there is single "--service-account-key-file" flag and has non-empty argument.
+func IsServiceAccountKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--service-account-key-file", params)
+}
+
+// IsKubeletClientCertificateAndKeySet validates there are single "--kubelet-client-certificate" and "--kubelet-client-key" flags and have non-empty arguments.
+func IsKubeletClientCertificateAndKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--kubelet-client-certificate", params) &&
+ hasSingleFlagNonemptyArgument("--kubelet-client-key", params)
+}
+
+// IsEtcdCertificateAndKeySet validates there are single "--etcd-certfile" and "--etcd-keyfile" flags and have non-empty arguments.
+func IsEtcdCertificateAndKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--etcd-certfile", params) &&
+ hasSingleFlagNonemptyArgument("--etcd-keyfile", params)
+}
+
+// IsTLSCertificateAndKeySet validates there are single "--tls-cert-file" and "--tls-private-key-file" flags and have non-empty arguments.
+func IsTLSCertificateAndKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--tls-cert-file", params) &&
+ hasSingleFlagNonemptyArgument("--tls-private-key-file", params)
+}
+
// hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
found := filterFlags(params, flag)
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index f0db8b776..f9eb943b3 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -31,6 +31,13 @@ var _ = Describe("Api", func() {
"--kubelet-certificate-authority=TrustedCA",
"--client-ca-file=/etc/kubernetes/ssl/ca.pem",
"--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
+ "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
+ "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
+ "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
+ "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
+ "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
+ "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -240,6 +247,50 @@ var _ = Describe("Api", func() {
Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("Service account key",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+
+ DescribeTable("Kubelet client certificate and key",
+ func(params []string, expected bool) {
+ Expect(IsKubeletClientCertificateAndKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+
+ DescribeTable("Etcd certificate and key",
+ func(params []string, expected bool) {
+ Expect(IsEtcdCertificateAndKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+
+ DescribeTable("TLS certificate and key",
+ func(params []string, expected bool) {
+ Expect(IsTLSCertificateAndKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
})
Describe("Address and port flags", func() {