authorPawel Wieczorek <p.wieczorek2@samsung.com>2019-07-05 14:34:34 +0200
committerPawel Wieczorek <p.wieczorek2@samsung.com>2019-07-08 12:29:52 +0200
commit0231bdbc69fd7a594606d88124a1a789963a49e7 (patch)
treefb3bca21e050877d5417a54962d68d5c0b094391 /test/security/k8s/src/check/validators
parent60fef55b8719c0fcb07c81da7e75f818f32bbfb5 (diff)
k8s: Relax kublet HTTPS connection requirement
According to kube-apiserver documentation [1] and CIS guideline 1.1.4 option "--kubelet-https=" might be absent in API server configuration. It has secure configuration (being set to "true") by default. [1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ Issue-ID: SECCOM-235 Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check/validators')
-rw-r--r--test/security/k8s/src/check/validators/master/api.go11
1 files changed, 6 insertions, 5 deletions
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ac84d8f1c..c91b77e30 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -40,11 +40,6 @@ func IsAnonymousAuthDisabled(params []string) bool {
return hasSingleFlagArgument("--anonymous-auth=", "false", params)
}
-// IsKubeletHTTPSConnected validates there is single "--kubelet-https" flag and it is set to "true".
-func IsKubeletHTTPSConnected(params []string) bool {
- return hasSingleFlagArgument("--kubelet-https=", "true", params)
-}
-
// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
func IsInsecurePortUnbound(params []string) bool {
return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
@@ -96,6 +91,12 @@ func splitKV(s, sep string) (string, string) {
return ret[0], ret[1]
}
+// IsKubeletHTTPSAbsentOrEnabled validates there is single "--kubelet-https" flag and it is set to "true".
+func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
+ return isFlagAbsent("--kubelet-https=", params) ||
+ hasSingleFlagArgument("--kubelet-https=", "true", params)
+}
+
// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
return isFlagAbsent("--insecure-bind-address=", params) ||
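Review bot: The doc comment on `IsKubeletHTTPSAbsentOrEnabled` still describes the old strict check (a single flag set to "true") and does not say that an absent flag now passes. Suggest `// IsKubeletHTTPSAbsentOrEnabled validates there is no "--kubelet-https" flag or there is a single one set to "true".`, in line with the neighbouring `IsInsecureBindAddressAbsentOrLoopback` comment. The absent case is only secure while the kube-apiserver default cited in the commit message stays "true", so the comment should name that assumption, giving a reader a reason to revisit the check if the default changes. `isFlagAbsent` and `hasSingleFlagArgument` are defined outside the hunk, so whether a repeated flag with conflicting values is rejected cannot be confirmed from here. A test with both `--kubelet-https=true` and `--kubelet-https=false` in `params` would pin that behaviour.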