authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-17 15:47:24 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-17 15:51:37 +0200
commitefd65f9839f7379b590452ed31ab8605102904c3 (patch)
tree214aff8602ffc81bb086d64b90c2c448573a247b /test/security/k8s/src/check/validators/master/api.go
parentaeaa5a1f5e57f63dd203db43fb6992ab1728c504 (diff)
k8s: Validate API server included admission plugins
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.11 - 1.1.13, 1.1.24, 1.1.27, 1.1.33 and 1.1.36). Issue-ID: SECCOM-235 Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api.go')
-rw-r--r--test/security/k8s/src/check/validators/master/api.go77
1 files changed, 77 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 58064ef10..0bed71189 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -138,6 +138,83 @@ func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
return false
}
+// IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is included in admission control plugins.
+func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysPullImages", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "AlwaysPullImages", params)
+ }
+ return false
+}
+
+// IsDenyEscalatingExecAdmissionControlPluginIncluded validates DenyEscalatingExec is included in admission control plugins.
+func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "DenyEscalatingExec", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "DenyEscalatingExec", params)
+ }
+ return false
+}
+
+// IsSecurityContextDenyAdmissionControlPluginIncluded validates SecurityContextDeny is included in admission control plugins.
+func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "SecurityContextDeny", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "SecurityContextDeny", params)
+ }
+ return false
+}
+
+// IsPodSecurityPolicyAdmissionControlPluginIncluded validates PodSecurityPolicy is included in admission control plugins.
+func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "PodSecurityPolicy", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "PodSecurityPolicy", params)
+ }
+ return false
+}
+
+// IsServiceAccountAdmissionControlPluginIncluded validates ServiceAccount is included in admission control plugins.
+func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "ServiceAccount", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "ServiceAccount", params)
+ }
+ return false
+}
+
+// IsNodeRestrictionAdmissionControlPluginIncluded validates NodeRestriction is included in admission control plugins.
+func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "NodeRestriction", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "NodeRestriction", params)
+ }
+ return false
+}
+
+// IsEventRateLimitAdmissionControlPluginIncluded validates EventRateLimit is included in admission control plugins.
+func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "EventRateLimit", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "EventRateLimit", params)
+ }
+ return false
+}
+
// isSingleFlagPresent checks presence of selected flag and whether it was used once.
func isSingleFlagPresent(flag string, params []string) bool {
found := filterFlags(params, flag)
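Review bot: The seven new functions from IsAlwaysPullImagesAdmissionControlPluginIncluded through IsEventRateLimitAdmissionControlPluginIncluded share one body that differs only in the plugin name, so any later change to the flag-precedence logic (`--enable-admission-plugins=` checked before `--admission-control=`) has to be repeated seven times. A private helper taking the plugin name, with each exported function reduced to a one-line delegate, keeps the public interface and the benchmark-facing names while removing the duplication. All of them also return false when neither flag is present on the command line; if the API server version under test enables some of these plugins by default, that is reported as "not included", which may or may not be what the benchmark intends, so the helper's comment should state that an absent flag is treated as not included. Whether a plugin that is also named in a disable flag should still count is not addressed here; if the check needs that, the helper is the single place to add it.
```go
// isAdmissionControlPluginIncluded reports whether plugin is listed in the
// admission plugin flag found on the command line. --enable-admission-plugins=
// is consulted first, then --admission-control=; when neither flag is present
// exactly once the plugin is treated as not included.
func isAdmissionControlPluginIncluded(plugin string, params []string) bool {
	for _, flag := range []string{"--enable-admission-plugins=", "--admission-control="} {
		if isSingleFlagPresent(flag, params) {
			return hasFlagArgumentIncluded(flag, plugin, params)
		}
	}
	return false
}

// IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is included in admission control plugins.
func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
	return isAdmissionControlPluginIncluded("AlwaysPullImages", params)
}

// … unchanged: the remaining six Is*AdmissionControlPluginIncluded functions, each delegating the same way with its own plugin name …
```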