authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-25 16:37:24 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-26 19:02:01 +0200
commit4dbeacb893fce6c6c6dad99cd691362fda48ec91 (patch)
tree4119e4f4de56e883eb8ff291e44e29bc444c0f28 /test/security/k8s/src/check/validators/master/api.go
parent944993869240ba58beab8958a61dacf927706a68 (diff)
k8s: Validate API server included authorization mode
This patch adds a check for whether the CIS Kubernetes Benchmark v1.3.0 item on master node configuration (1.1.32) is satisfied. It also fixes the incorrect documentation comment on a similar validator (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00cb8a458871b091b16fe60fc0087b7972aa3b6b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api.go')
-rw-r--r--test/security/k8s/src/check/validators/master/api.go7
1 files changed, 6 insertions, 1 deletions
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ea0d9ece9..bc25d9922 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -262,12 +262,17 @@ func hasFlagArgumentIncluded(flag string, argument string, params []string) bool
return false
}
-// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from admission control plugins.
+// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from authorization modes.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
return isSingleFlagPresent("--authorization-mode=", params) &&
!hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
}
+// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes.
+func IsNodeAuthorizationModeIncluded(params []string) bool {
+ return hasFlagArgumentIncluded("--authorization-mode=", "Node", params)
+}
+
// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
func IsAuditLogPathSet(params []string) bool {
return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
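Review bot: IsNodeAuthorizationModeIncluded does not require a single `--authorization-mode=` flag, unlike IsAlwaysAllowAuthorizationModeExcluded directly above it, so the two validators for the same flag can disagree when the flag is repeated on the command line. If hasFlagArgumentIncluded accepts a match in any occurrence (its body is outside this hunk, so this is an assumption to confirm), the check could pass on an occurrence that the API server does not actually apply. Consider mirroring the sibling: `return isSingleFlagPresent("--authorization-mode=", params) && hasFlagArgumentIncluded("--authorization-mode=", "Node", params)`. It is also worth confirming that the helper compares whole comma-separated values rather than substrings, and naming the benchmark item in the doc comment, e.g. `// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes (CIS 1.1.32).`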