aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-17 18:45:41 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-19 15:14:01 +0200
commit6c95c5ca28dd3f48a58dc11cc9c17fd8b4934881 (patch)
tree15d8e107c46c828b1e7b9332c2cdd3c506dd75d5
parent1ef8cebe0663ec14d00cd62884fe55060c0b04a2 (diff)
k8s: Validate API server auditing is enabled
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.15). Issue-ID: SECCOM-235 Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
-rw-r--r--test/security/k8s/src/check/cmd/check/check.go2
-rw-r--r--test/security/k8s/src/check/validators/master/api.go19
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go12
3 files changed, 33 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index c9b34aa42..23465d66a 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -65,4 +65,6 @@ func main() {
log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+
+ log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
}
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 47a2a8e01..a316bbc00 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -253,3 +253,22 @@ func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
return isSingleFlagPresent("--authorization-mode=", params) &&
!hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
}
+
+// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
+func IsAuditLogPathSet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
+}
+
+// hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
+func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
+ found := filterFlags(params, flag)
+ if len(found) != 1 {
+ return false
+ }
+
+ _, value := splitKV(found[0], "=")
+ if value == "" {
+ return false
+ }
+ return true
+}
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index 01f1824b0..ba72c33df 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -24,6 +24,7 @@ var _ = Describe("Api", func() {
"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
"PodSecurityPolicy,NodeRestriction,EventRateLimit",
"--authorization-mode=RBAC",
+ "--audit-log-path=/var/log/apiserver/audit.log",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -189,6 +190,17 @@ var _ = Describe("Api", func() {
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("Audit log path",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogPathSet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
})
Describe("Address and port flags", func() {