diff options
| author |   Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-20 11:42:58 +0200 |
|---|---|---|
| committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-26 19:02:01 +0200 |
| commit | 944993869240ba58beab8958a61dacf927706a68 (patch) | |
| tree | 276b0d78dccc223ab80296b3f220669bd10ef92d | |
| parent | fbbdbece6e69adeba811496af511e278881bdc79 (diff) | |
k8s: Validate API server crypto ciphers in use
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.30).
It also covers its duplicate (1.1.39).
Issue-ID: SECCOM-235
Change-Id: I0f3031c080cf225e7c2c03e65dd0bfc780326307
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
| -rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 2 | ||||
| -rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 10 | ||||
| -rw-r--r-- | test/security/k8s/src/check/validators/master/api_test.go | 19 |
3 files changed, 31 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index 028843734..f348cd01a 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -79,4 +79,6 @@ func main() { log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", master.IsKubeletClientCertificateAndKeySet(k8sParams)) log.Printf("IsEtcdCertificateAndKeySet: %t\n", master.IsEtcdCertificateAndKeySet(k8sParams)) log.Printf("IsTLSCertificateAndKeySet: %t\n", master.IsTLSCertificateAndKeySet(k8sParams)) + + log.Printf("IsStrongCryptoCipherInUse: %t\n", master.IsStrongCryptoCipherInUse(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index 95a02d17d..ea0d9ece9 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -13,6 +13,11 @@ const ( auditLogAge = 30 auditLogBackups = 10 auditLogSize = 100 + + strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" + + "_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" + + "_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" + + "_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" ) // IsBasicAuthFileAbsent validates there is no basic authentication file specified. @@ -64,6 +69,11 @@ func IsServiceAccountLookupEnabled(params []string) bool { return hasSingleFlagArgument("--service-account-lookup=", "true", params) } +// IsStrongCryptoCipherInUse validates there is single "--tls-cipher-suites=" flag and it is set to strong crypto ciphers. +func IsStrongCryptoCipherInUse(params []string) bool { + return hasSingleFlagArgument("--tls-cipher-suites=", strongCryptoCiphers, params) +} + // hasSingleFlagArgument checks whether selected flag was used once and has requested argument. func hasSingleFlagArgument(flag string, argument string, params []string) bool { found := filterFlags(params, flag) diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index f9eb943b3..c0906bb74 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -38,6 +38,11 @@ var _ = Describe("Api", func() { "--etcd-keyfile=/etc/kubernetes/etcd/key.pem", "--tls-cert-file=/etc/kubernetes/ssl/cert.pem", "--tls-private-key-file=/etc/kubernetes/ssl/key.pem", + "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," + + "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," + + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384," + + "TLS_RSA_WITH_AES_128_GCM_SHA256", } // kubeApiServerCasablanca was obtained from virtual environment for testing @@ -474,4 +479,18 @@ var _ = Describe("Api", func() { Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) }) + + Describe("Flags requiring strict equality", func() { + DescribeTable("Strong Cryptographic Ciphers", + func(params []string, expected bool) { + Expect(IsStrongCryptoCipherInUse(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false), + Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false), + Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false), + Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + }) }) |