k8s: Validate API server Certificate Authorities

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.21, 1.1.29
and 1.1.31).

Issue-ID: SECCOM-235
Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

1 files changed, 15 insertions, 0 deletions

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ca517c1ec..4a70e5337 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -263,6 +263,21 @@ func IsAuditLogPathSet(params []string) bool {
 	return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
 }
 
+// IsKubeletCertificateAuthoritySet validates there is single "--kubelet-certificate-authority" flag and has non-empty argument.
+func IsKubeletCertificateAuthoritySet(params []string) bool {
+	return hasSingleFlagNonemptyArgument("--kubelet-certificate-authority", params)
+}
+
+// IsClientCertificateAuthoritySet validates there is single "--client-ca-file" flag and has non-empty argument.
+func IsClientCertificateAuthoritySet(params []string) bool {
+	return hasSingleFlagNonemptyArgument("--client-ca-file", params)
+}
+
+// IsEtcdCertificateAuthoritySet validates there is single "--etcd-cafile" flag and has non-empty argument.
+func IsEtcdCertificateAuthoritySet(params []string) bool {
+	return hasSingleFlagNonemptyArgument("--etcd-cafile", params)
+}
+
 // hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
 func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
 	found := filterFlags(params, flag)