author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-19 16:06:13 +0200 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-19 18:34:12 +0200 |
commit | 4e74a1e24e15b3db2216fb269a58cfc08e598f63 (patch) | |
tree | 7ecd79d0f80a4c32c19ad1f9db4aee062748a14a /test/security/k8s/src/check/validators/master/api.go | |
parent | 3e602597b036d29f77485f35c1f81a8cdb6f350b (diff) |
k8s: Validate API server certificates and keys
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.22, 1.1.25 -
1.1.26 and 1.1.28).
Issue-ID: SECCOM-235
Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api.go')
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 4a70e5337..95a02d17d 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -278,6 +278,29 @@ func IsEtcdCertificateAuthoritySet(params []string) bool {
 return hasSingleFlagNonemptyArgument("--etcd-cafile", params)
 }
 
+// IsServiceAccountKeySet validates there is single "--service-account-key-file" flag and has non-empty argument.
+func IsServiceAccountKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--service-account-key-file", params)
+}
+
+// IsKubeletClientCertificateAndKeySet validates there are single "--kubelet-client-certificate" and "--kubelet-client-key" flags and have non-empty arguments.
+func IsKubeletClientCertificateAndKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--kubelet-client-certificate", params) &&
+ hasSingleFlagNonemptyArgument("--kubelet-client-key", params)
+}
+
+// IsEtcdCertificateAndKeySet validates there are single "--etcd-certfile" and "--etcd-keyfile" flags and have non-empty arguments.
+func IsEtcdCertificateAndKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--etcd-certfile", params) &&
+ hasSingleFlagNonemptyArgument("--etcd-keyfile", params)
+}
+
+// IsTLSCertificateAndKeySet validates there are single "--tls-cert-file" and "--tls-private-key-file" flags and have non-empty arguments.
+func IsTLSCertificateAndKeySet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--tls-cert-file", params) &&
+ hasSingleFlagNonemptyArgument("--tls-private-key-file", params)
+}
+
 // hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
 func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
 found := filterFlags(params, flag) |
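Review bot: The doc comments on the four new validators say "validates", but as far as the hunk shows, each one only checks that the flag appears once in `params` with a non-empty argument. Whether the path exists, is readable, or whether the key belongs to the certificate is not examined. A passing result can therefore be read as more assurance than it gives, so state the limit in the comment, e.g. `// IsTLSCertificateAndKeySet reports whether "--tls-cert-file" and "--tls-private-key-file" are each passed exactly once with a non-empty argument; the referenced files are not inspected.` The same wording fits IsServiceAccountKeySet, IsKubeletClientCertificateAndKeySet and IsEtcdCertificateAndKeySet, and naming the CIS benchmark item each function covers would make the mapping to the commit message auditable. hasSingleFlagNonemptyArgument continues past the end of the hunk, so its behaviour here is inferred from its comment.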