path: root/test/security/k8s/src/check/validators/master/api/api_test.go
diff options
authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-26 12:31:56 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-09-26 19:02:01 +0200
commit48d0f8c98b3511875768085af12c21389a465ab4 (patch)
treee39365815575066c00866862a106b25a9fa21fb1 /test/security/k8s/src/check/validators/master/api/api_test.go
parent5ece777e31795d3cbcfcc475d4e396386442b55e (diff)
k8s: Declutter checker by dividing it into smaller packages
Issue-ID: SECCOM-235 Change-Id: I7d4efd08b8c0258f2f9c33772bf1b1b02cedebfa Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api/api_test.go')
1 files changed, 518 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api/api_test.go b/test/security/k8s/src/check/validators/master/api/api_test.go
new file mode 100644
index 000000000..4ba5070a8
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/api/api_test.go
@@ -0,0 +1,518 @@
+package api_test
+import (
+ . "check/validators/master/api"
+ . "github.com/onsi/ginkgo/extensions/table"
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+var _ = Describe("Api", func() {
+ var (
+ // kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeApiServerCISCompliant = []string{
+ "--anonymous-auth=false",
+ "--insecure-port=0",
+ "--profiling=false",
+ "--repair-malformed-updates=false",
+ "--service-account-lookup=true",
+ "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass," +
+ "PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
+ "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
+ "PodSecurityPolicy,NodeRestriction,EventRateLimit",
+ "--authorization-mode=Node,RBAC",
+ "--audit-log-path=/var/log/apiserver/audit.log",
+ "--audit-log-maxage=30",
+ "--audit-log-maxbackup=10",
+ "--audit-log-maxsize=100",
+ "--kubelet-certificate-authority=TrustedCA",
+ "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
+ "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
+ "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
+ "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
+ "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
+ "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
+ "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
+ "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ }
+ // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeApiServerCasablanca = []string{
+ "--storage-backend=etcd2",
+ "--storage-media-type=application/json",
+ "--service-cluster-ip-range=",
+ "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
+ "--insecure-bind-address=",
+ "--insecure-port=0",
+ "--cloud-provider=rancher",
+ "--allow-privileged=true",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
+ "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
+ "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
+ "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
+ "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
+ "--runtime-config=batch/v2alpha1",
+ "--anonymous-auth=false",
+ "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
+ "--runtime-config=authentication.k8s.io/v1beta1=true",
+ "--external-hostname=kubernetes.kubernetes.rancher.internal",
+ "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
+ "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
+ "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ }
+ // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeApiServerDublin = []string{
+ "--requestheader-group-headers=X-Remote-Group",
+ "--proxy-client-cert-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client.pem",
+ "--bind-address=",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "--cloud-provider=",
+ "--etcd-cafile=/etc/kubernetes/ssl/kube-ca.pem",
+ "--etcd-servers=",
+ "--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem",
+ "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook," +
+ "ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel",
+ "--insecure-port=0",
+ "--secure-port=6443",
+ "--storage-backend=etcd3",
+ "--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem",
+ "--requestheader-client-ca-file=/etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem",
+ "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--service-node-port-range=30000-32767",
+ "--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem",
+ "--requestheader-username-headers=X-Remote-User",
+ "--repair-malformed-updates=false",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem",
+ "--service-cluster-ip-range=",
+ "--advertise-address=",
+ "--profiling=false",
+ "--requestheader-extra-headers-prefix=X-Remote-Extra-",
+ "--etcd-certfile=/etc/kubernetes/ssl/kube-node.pem",
+ "--anonymous-auth=false",
+ "--etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem",
+ "--etcd-prefix=/registry",
+ "--client-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
+ "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+ "--requestheader-allowed-names=kube-apiserver-proxy-client",
+ "--service-account-lookup=true",
+ "--proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key.pem",
+ "--authorization-mode=Node,RBAC",
+ "--allow-privileged=true",
+ }
+ )
+ Describe("Boolean flags", func() {
+ DescribeTable("Accepting any token",
+ func(params []string, expected bool) {
+ Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Anonymous requests",
+ func(params []string, expected bool) {
+ Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Profiling",
+ func(params []string, expected bool) {
+ Expect(IsProfilingDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("HTTPS for kubelet",
+ func(params []string, expected bool) {
+ Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
+ Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Repairing malformed updates",
+ func(params []string, expected bool) {
+ Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Service account lookup",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
+ )
+ })
+ Describe("File path flags", func() {
+ DescribeTable("Basic authentication file",
+ func(params []string, expected bool) {
+ Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Token authentication file",
+ func(params []string, expected bool) {
+ Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Audit log path",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogPathSet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("Kubelet certificate authority",
+ func(params []string, expected bool) {
+ Expect(IsKubeletCertificateAuthoritySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--kubelet-certificate-authority="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("Client certificate authority",
+ func(params []string, expected bool) {
+ Expect(IsClientCertificateAuthoritySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--client-ca-file="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Etcd certificate authority",
+ func(params []string, expected bool) {
+ Expect(IsEtcdCertificateAuthoritySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"-etcd-cafile="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Service account key",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Kubelet client certificate and key",
+ func(params []string, expected bool) {
+ Expect(IsKubeletClientCertificateAndKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Etcd certificate and key",
+ func(params []string, expected bool) {
+ Expect(IsEtcdCertificateAndKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("TLS certificate and key",
+ func(params []string, expected bool) {
+ Expect(IsTLSCertificateAndKeySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ })
+ Describe("Address and port flags", func() {
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address="}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Bind port",
+ func(params []string, expected bool) {
+ Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
+ Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Secure bind port",
+ func(params []string, expected bool) {
+ Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
+ Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
+ )
+ })
+ Describe("Numeric flags", func() {
+ DescribeTable("Audit log age",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogMaxAgeValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false),
+ Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("Audit log backups",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogMaxBackupValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false),
+ Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("Audit log size",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogMaxSizeValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false),
+ Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("Request timeout",
+ func(params []string, expected bool) {
+ Expect(IsRequestTimeoutValid(params)).To(Equal(expected))
+ },
+ Entry("Is empty on insecure cluster", []string{"--request-timeout="}, false),
+ Entry("Is too high on insecure cluster", []string{"--request-timeout=600"}, false),
+ Entry("Should be set only if needed on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set only if needed on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be set only if needed on Dublin cluster", kubeApiServerDublin, true),
+ )
+ })
+ Describe("Argument list flags", func() {
+ DescribeTable("AlwaysAdmit admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsAlwaysAdmitAdmissionControlPluginExcluded(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
+ Entry("Is not absent on insecure deprecated cluster", []string{"--admission-control=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("AlwaysPullImages admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsAlwaysPullImagesAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("DenyEscalatingExec admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsDenyEscalatingExecAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("SecurityContextDeny admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsSecurityContextDenyAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("PodSecurityPolicy admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsPodSecurityPolicyAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("ServiceAccount admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("NodeRestriction admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsNodeRestrictionAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("EventRateLimit admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsEventRateLimitAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ DescribeTable("NamespaceLifecycle admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--disable-admission-plugins=Foo,Bar,NamespaceLifecycle,Baz,Quuz"}, false),
+ Entry("Should not be disabled on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should not be disabled on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should not be disabled on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("AlwaysAllow authorization mode",
+ func(params []string, expected bool) {
+ Expect(IsAlwaysAllowAuthorizationModeExcluded(params)).To(Equal(expected))
+ },
+ Entry("Is not explicitly disabled on insecure cluster", []string{}, false),
+ Entry("Is not absent on insecure cluster", []string{"--authorization-mode=Foo,Bar,AlwaysAllow,Baz,Quuz"}, false),
+ Entry("Is not explicitly disabled on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+ )
+ DescribeTable("Node authorization mode",
+ func(params []string, expected bool) {
+ Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
+ Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
+ Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
+ )
+ })
+ Describe("Flags requiring strict equality", func() {
+ DescribeTable("Strong Cryptographic Ciphers",
+ func(params []string, expected bool) {
+ Expect(IsStrongCryptoCipherInUse(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
+ Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
+ Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ })