diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-06-03 17:03:42 +0200 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-07-08 12:29:52 +0200 |
commit | 65028666004a61afa0b7ea054da4744f3a2e298d (patch) | |
tree | ce02bb02880af76ef2fc7d719c7b7d3a4eb2929b | |
parent | 28bd2f7044d0b120d202a9ef1a2ef8294f153bad (diff) |
k8s: Validate API server address and port flags
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.6 and 1.1.7).
Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 3 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 36 |
2 files changed, 37 insertions, 2 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index fd4c2aff9..81e96e66f 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -25,4 +25,7 @@ func main() { log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams)) log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams)) log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams)) + + log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams)) + log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index bf275c1ca..ac84d8f1c 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -6,7 +6,9 @@ import ( ) const ( - disabledPort = 0 + portDisabled = 0 + portLowest = 1 + portHighest = 65536 ) // IsBasicAuthFileAbsent validates there is no basic authentication file specified. @@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool { // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled). func IsInsecurePortUnbound(params []string) bool { - return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params) + return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params) } // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false". @@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) { ret := strings.SplitN(s, sep, 2) return ret[0], ret[1] } + +// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address. +func IsInsecureBindAddressAbsentOrLoopback(params []string) bool { + return isFlagAbsent("--insecure-bind-address=", params) || + hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params) +} + +// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value. +func IsSecurePortAbsentOrValid(params []string) bool { + return isFlagAbsent("--secure-port=", params) || + hasFlagValidPort("--secure-port=", params) +} + +// hasFlagValidPort checks whether selected flag has valid port as an argument in given command. +func hasFlagValidPort(flag string, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + port, err := strconv.Atoi(value) // what about empty parameter? + if err != nil { + return false + } + if port < portLowest || port > portHighest { + return false + } + return true +} |