diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-07-05 14:34:34 +0200 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-07-08 12:29:52 +0200 |
commit | 0231bdbc69fd7a594606d88124a1a789963a49e7 (patch) | |
tree | fb3bca21e050877d5417a54962d68d5c0b094391 /test/security/k8s/src/check | |
parent | 60fef55b8719c0fcb07c81da7e75f818f32bbfb5 (diff) |
k8s: Relax kublet HTTPS connection requirement
According to kube-apiserver documentation [1] and CIS guideline 1.1.4
option "--kubelet-https=" might be absent in API server configuration.
It has secure configuration (being set to "true") by default.
[1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/
Issue-ID: SECCOM-235
Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src/check')
-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 2 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 11 |
2 files changed, 7 insertions, 6 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index 81e96e66f..c4dd39870 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -20,12 +20,12 @@ func main() { log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", master.IsInsecureAllowAnyTokenAbsent(k8sParams)) log.Printf("IsAnonymousAuthDisabled: %t\n", master.IsAnonymousAuthDisabled(k8sParams)) - log.Printf("IsKubeletHTTPSConnected: %t\n", master.IsKubeletHTTPSConnected(k8sParams)) log.Printf("IsInsecurePortUnbound: %t\n", master.IsInsecurePortUnbound(k8sParams)) log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams)) log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams)) log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams)) + log.Printf("IsKubeletHTTPSAbsentOrEnabled: %t\n", master.IsKubeletHTTPSAbsentOrEnabled(k8sParams)) log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams)) log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index ac84d8f1c..c91b77e30 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -40,11 +40,6 @@ func IsAnonymousAuthDisabled(params []string) bool { return hasSingleFlagArgument("--anonymous-auth=", "false", params) } -// IsKubeletHTTPSConnected validates there is single "--kubelet-https" flag and it is set to "true". -func IsKubeletHTTPSConnected(params []string) bool { - return hasSingleFlagArgument("--kubelet-https=", "true", params) -} - // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled). func IsInsecurePortUnbound(params []string) bool { return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params) @@ -96,6 +91,12 @@ func splitKV(s, sep string) (string, string) { return ret[0], ret[1] } +// IsKubeletHTTPSAbsentOrEnabled validates there is single "--kubelet-https" flag and it is set to "true". +func IsKubeletHTTPSAbsentOrEnabled(params []string) bool { + return isFlagAbsent("--kubelet-https=", params) || + hasSingleFlagArgument("--kubelet-https=", "true", params) +} + // IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address. func IsInsecureBindAddressAbsentOrLoopback(params []string) bool { return isFlagAbsent("--insecure-bind-address=", params) || |