author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-01-23 12:13:44 +0100 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-01-29 17:17:40 +0100 |
commit | 2e956f6332428d91afd683884de7dcf43aec5988 (patch) | |
tree | b66c30376fb7cae6c982ea6324a22b864f553a58 /test/security/k8s/src | |
parent | e15544dfe000aa6d055b5d8bc0fadfc8f0ef5648 (diff) |
k8s: Drop support for Casablanca
Casablanca release reached End of Life (EOL) stage on July 8th 2019 [1].
This patch also fixes comments for test fixtures.
This whole test subtree will be deleted upon migrating Aquasec
kube-bench [2] for CIS Benchmark [3] integrated by Orange [4] to ONAP
xtesting [5].
[1] https://wiki.onap.org/display/DW/Long+Term+Roadmap
[2] https://github.com/aquasecurity/kube-bench
[3] https://www.cisecurity.org/benchmark/kubernetes/
[4] https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting
[5] https://git.onap.org/integration/xtesting/
Issue-ID: SECCOM-235
Change-Id: Ifc7d9c775c27d4cfafdd1932809288530cffceff
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s/src')
6 files changed, 5 insertions, 261 deletions
diff --git a/test/security/k8s/src/check/check.go b/test/security/k8s/src/check/check.go
index 728be18ff..91e9e5fd2 100644
--- a/test/security/k8s/src/check/check.go
+++ b/test/security/k8s/src/check/check.go
@@ -39,31 +39,3 @@ func (c Command) String() string {
 }
 return names[c]
 }
-
-// Service represents services run on Rancher-based cluster.
-type Service int
-
-const (
- // APIService represents API server service ("kubernetes/kubernetes").
- APIService Service = iota
- // SchedulerService represents scheduler service ("kubernetes/scheduler").
- SchedulerService
- // ControllerManagerService represents controller manager service ("kubernetes/controller-manager").
- ControllerManagerService
- // EtcdService represents etcd service ("kubernetes/etcd").
- EtcdService
-)
-
-func (s Service) String() string {
- names := [...]string{
- "kubernetes/kubernetes",
- "kubernetes/scheduler",
- "kubernetes/controller-manager",
- "kubernetes/etcd",
- }
-
- if s < APIService || s > EtcdService {
- return ""
- }
- return names[s]
-}
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index 98254aef9..42e9903e6 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -5,32 +5,23 @@ import (
 "log"
 "check"
- "check/rancher"
 "check/raw"
 "check/validators/master"
 )
 var (
- ranchercli = flag.Bool("ranchercli", false, "use rancher utility for accessing cluster nodes")
- rke = flag.Bool("rke", false, "use RKE cluster definition and ssh for accessing cluster nodes (default)")
+ rke = flag.Bool("rke", true, "use RKE cluster definition and ssh for accessing cluster nodes (default)")
 )
 func main() {
 flag.Parse()
- if *ranchercli && *rke {
+ if !(*rke) {
 log.Fatal("Not supported.")
 }
- // Use default cluster access method if none was declared explicitly.
- if !(*ranchercli || *rke) {
- *rke = true
- }
-
 var info check.Informer
 switch {
- case *ranchercli:
- info = &rancher.Rancher{}
 case *rke:
 info = &raw.Raw{}
 default:
diff --git a/test/security/k8s/src/check/rancher/rancher.go b/test/security/k8s/src/check/rancher/rancher.go
deleted file mode 100644
index 2cf2fbe69..000000000
--- a/test/security/k8s/src/check/rancher/rancher.go
+++ /dev/null
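Review bot: After this change `-rke` is a boolean whose only accepted value is its default, so `-rke=false` ends in `log.Fatal("Not supported.")` with no hint of what is unsupported; a message such as `log.Fatal("only RKE cluster access is supported; -rke=false is not a valid option")` would tell the operator what to fix. The usage string still ends in `(default)`, and because the flag's default is now `true` the flag package appends its own `(default true)` to the help output, so the suffix can go: `rke = flag.Bool("rke", true, "use RKE cluster definition and ssh for accessing cluster nodes")`. The `default:` arm kept at the end of the hunk looks unreachable once the `!(*rke)` check has exited; its body and the rest of `main` lie outside the hunk, so confirm that before removing it.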
@@ -1,124 +0,0 @@
-// Package rancher wraps Rancher commands necessary for K8s inspection.
-package rancher
-
-import (
- "bytes"
- "fmt"
- "os/exec"
-
- "check"
-)
-
-const (
- bin = "rancher"
- paramHost = "--host"
- cmdHosts = "hosts"
- cmdHostsParams = "--quiet"
- cmdDocker = "docker"
- cmdDockerCmdPs = "ps"
- cmdDockerCmdPsParams = "--no-trunc"
- cmdDockerCmdPsFilter = "--filter"
- cmdDockerCmdPsFilterArgs = "label=io.rancher.stack_service.name="
- cmdDockerCmdPsFormat = "--format"
- cmdDockerCmdPsFormatArgs = "{{.Command}}"
-)
-
-// Rancher implements Informer interface.
-type Rancher struct {
- check.Informer
-}
-
-// GetAPIParams returns parameters of running Kubernetes API server.
-// It queries default environment set in configuration file.
-func (r *Rancher) GetAPIParams() ([]string, error) {
- return getProcessParams(check.APIProcess, check.APIService)
-}
-
-// GetSchedulerParams returns parameters of running Kubernetes scheduler.
-// It queries default environment set in configuration file.
-func (r *Rancher) GetSchedulerParams() ([]string, error) {
- return getProcessParams(check.SchedulerProcess, check.SchedulerService)
-}
-
-// GetControllerManagerParams returns parameters of running Kubernetes scheduler.
-// It queries default environment set in configuration file.
-func (r *Rancher) GetControllerManagerParams() ([]string, error) {
- return getProcessParams(check.ControllerManagerProcess, check.ControllerManagerService)
-}
-
-// GetEtcdParams returns parameters of running etcd.
-// It queries only cluster nodes with "controlplane" role.
-func (r *Rancher) GetEtcdParams() ([]string, error) {
- return []string{}, check.ErrNotImplemented
-}
-
-func getProcessParams(process check.Command, service check.Service) ([]string, error) {
- hosts, err := listHosts()
- if err != nil {
- return []string{}, err
- }
-
- for _, host := range hosts {
- cmd, err := getPsCmdOutput(host, service)
- if err != nil {
- return []string{}, err
- }
-
- cmd = trimOutput(cmd) // TODO: improve `docker ps` query format.
- if len(cmd) > 0 {
- i := bytes.Index(cmd, []byte(process.String()))
- if i == -1 {
- return []string{}, fmt.Errorf("missing %s command", process)
- }
- return btos(cmd[i+len(process.String()):]), nil
- }
- }
- return []string{}, nil
-}
-
-// listHosts lists IDs of active hosts.
-// It queries default environment set in configuration file.
-func listHosts() ([]string, error) {
- cmd := exec.Command(bin, cmdHosts, cmdHostsParams)
- out, err := cmd.Output()
- if err != nil {
- return nil, err
- }
- return btos(out), nil
-}
-
-// getPsCmdOutput returns running Kubernetes service command with its parameters.
-// It queries default environment set in configuration file.
-func getPsCmdOutput(host string, service check.Service) ([]byte, error) {
- // Following is equivalent to:
- // $ rancher --host $HOST \
- // docker ps --no-trunc \
- // --filter "label=io.rancher.stack_service.name=$SERVICE" \
- // --format "{{.Command}}"
- cmd := exec.Command(bin, paramHost, host,
- cmdDocker, cmdDockerCmdPs, cmdDockerCmdPsParams,
- cmdDockerCmdPsFilter, cmdDockerCmdPsFilterArgs+service.String(),
- cmdDockerCmdPsFormat, cmdDockerCmdPsFormatArgs)
- out, err := cmd.Output()
- if err != nil {
- return nil, err
- }
- return out, nil
-}
-
-// trimOutput removes trailing new line and brackets from output.
-func trimOutput(b []byte) []byte {
- b = bytes.TrimSpace(b)
- b = bytes.TrimPrefix(b, []byte("["))
- b = bytes.TrimSuffix(b, []byte("]"))
- return b
-}
-
-// btos converts slice of bytes to slice of strings split by white space characters.
-func btos(in []byte) []string {
- var out []string
- for _, b := range bytes.Fields(in) {
- out = append(out, string(b))
- }
- return out
-}
diff --git a/test/security/k8s/src/check/validators/master/api/api_test.go b/test/security/k8s/src/check/validators/master/api/api_test.go
index 4ba5070a8..01fe9b1c6 100644
--- a/test/security/k8s/src/check/validators/master/api/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api/api_test.go
@@ -45,39 +45,7 @@ var _ = Describe("Api", func() {
 "TLS_RSA_WITH_AES_128_GCM_SHA256",
 }
- // kubeApiServerCasablanca was obtained from virtual environment for testing
- // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
- kubeApiServerCasablanca = []string{
- "--storage-backend=etcd2",
- "--storage-media-type=application/json",
- "--service-cluster-ip-range=10.43.0.0/16",
- "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
- "--insecure-bind-address=0.0.0.0",
- "--insecure-port=0",
- "--cloud-provider=rancher",
- "--allow-privileged=true",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
- "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
- "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
- "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
- "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
- "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
- "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
- "--runtime-config=batch/v2alpha1",
- "--anonymous-auth=false",
- "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
- "--runtime-config=authentication.k8s.io/v1beta1=true",
- "--external-hostname=kubernetes.kubernetes.rancher.internal",
- "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
- "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
- "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
- "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
- }
-
- // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // kubeApiServerDublin was obtained from virtual environment for testing
 // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
 kubeApiServerDublin = []string{
 "--requestheader-group-headers=X-Remote-Group",
@@ -130,7 +98,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -140,7 +107,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -150,7 +116,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -161,7 +126,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
 Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
 )
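Review bot: Deleting `kubeApiServerCasablanca` in the `@@ -45,39 +45,7 @@` hunk removes the one visible fixture that carries a wildcard `--insecure-bind-address=0.0.0.0`, and the later hunk at `@@ -304,7 +256,6 @@` then leaves `IsInsecureBindAddressAbsentOrLoopback` with a single failing entry, `--insecure-bind-address=1.2.3.4`. That validator guards the unauthenticated API port, so I would keep the wildcard case as a synthetic entry in that table: `Entry("Is set to wildcard on insecure cluster", []string{"--insecure-bind-address=0.0.0.0"}, false),`. The CIS-compliant and Dublin fixtures are defined largely outside these hunks, so confirm that neither already covers the wildcard address before adding it.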
@@ -171,7 +135,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -182,7 +145,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
- Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -195,7 +157,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -205,7 +166,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -215,7 +175,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -226,7 +185,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--kubelet-certificate-authority="}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -238,7 +196,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--client-ca-file="}, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -249,7 +206,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"-etcd-cafile="}, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -259,7 +215,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -271,7 +226,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -282,7 +236,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -293,7 +246,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
 })
@@ -304,7 +256,6 @@ var _ = Describe("Api", func() {
 Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
 },
 Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
- Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -316,7 +267,6 @@ var _ = Describe("Api", func() {
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
 Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -326,7 +276,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
 Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
 )
 })
@@ -339,7 +288,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false),
 Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -351,7 +299,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false),
 Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -363,7 +310,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false),
 Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -375,7 +321,6 @@ var _ = Describe("Api", func() {
 Entry("Is empty on insecure cluster", []string{"--request-timeout="}, false),
 Entry("Is too high on insecure cluster", []string{"--request-timeout=600"}, false),
 Entry("Should be set only if needed on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be set only if needed on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be set only if needed on Dublin cluster", kubeApiServerDublin, true),
 )
 })
@@ -388,7 +333,6 @@ var _ = Describe("Api", func() {
 Entry("Is not absent on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
 Entry("Is not absent on insecure deprecated cluster", []string{"--admission-control=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -398,7 +342,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -409,7 +352,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -420,7 +362,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -431,7 +372,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -443,7 +383,6 @@ var _ = Describe("Api", func() {
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -453,7 +392,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -464,7 +402,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
@@ -475,7 +412,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is explicitly disabled on insecure cluster", []string{"--disable-admission-plugins=Foo,Bar,NamespaceLifecycle,Baz,Quuz"}, false),
 Entry("Should not be disabled on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should not be disabled on Casablanca cluster", kubeApiServerCasablanca, true),
 Entry("Should not be disabled on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -485,7 +421,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not explicitly disabled on insecure cluster", []string{}, false),
 Entry("Is not absent on insecure cluster", []string{"--authorization-mode=Foo,Bar,AlwaysAllow,Baz,Quuz"}, false),
- Entry("Is not explicitly disabled on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -496,7 +431,6 @@ var _ = Describe("Api", func() {
 },
 Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
 Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
- Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
 )
@@ -510,7 +444,6 @@ var _ = Describe("Api", func() {
 Entry("Is absent on insecure cluster", []string{}, false),
 Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
 Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
- Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
 Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
 Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 )
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
index fcd337ac2..05e3cae7e 100644
--- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
@@ -21,19 +21,7 @@ var _ = Describe("Controllermanager", func() {
 "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
 }
- // kubeControllerManagerCasablanca was obtained from virtual environment for testing
- // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
- kubeControllerManagerCasablanca = []string{
- "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
- "--address=0.0.0.0",
- "--root-ca-file=/etc/kubernetes/ssl/ca.pem",
- "--service-account-private-key-file=/etc/kubernetes/ssl/key.pem",
- "--allow-untagged-cloud",
- "--cloud-provider=rancher",
- "--horizontal-pod-autoscaler-use-rest-clients=false",
- }
-
- // kubeControllerManagerCasablanca was obtained from virtual environment for testing
+ // kubeControllerManagerDublin was obtained from virtual environment for testing
 // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
 kubeControllerManagerDublin = []string{
 "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml",
@@ -64,7 +52,6 @@ var _ = Describe("Controllermanager", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
 Entry("Should be set to false on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 Entry("Should be set to false on Dublin cluster", kubeControllerManagerDublin, true),
 )
@@ -75,7 +62,6 @@ var _ = Describe("Controllermanager", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly disabled on insecure cluster", []string{"--use-service-account-credentials=false"}, false),
- Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
 Entry("Should be set to true on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 Entry("Should be set to true on Dublin cluster", kubeControllerManagerDublin, true),
 )
@@ -89,7 +75,6 @@ var _ = Describe("Controllermanager", func() {
 Entry("Is absent on insecure cluster", []string{""}, false),
 Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false),
 Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
- Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
 Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
 )
@@ -100,7 +85,6 @@ var _ = Describe("Controllermanager", func() {
 Entry("Is absent on insecure cluster", []string{""}, false),
 Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false),
 Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
- Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
 Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
 )
 })
@@ -111,7 +95,6 @@ var _ = Describe("Controllermanager", func() {
 Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
 },
 Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
- Entry("Is not absent nor set to loopback on Casablanca cluster", kubeControllerManagerCasablanca, false),
 Entry("Is not absent nor set to loopback on Dublin cluster", kubeControllerManagerDublin, false),
 Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 )
@@ -124,7 +107,6 @@ var _ = Describe("Controllermanager", func() {
 },
 Entry("Is absent on insecure cluster", []string{""}, false),
 Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false),
- Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false),
 Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
 )
@@ -137,7 +119,6 @@ var _ = Describe("Controllermanager", func() {
 },
 Entry("Is not enabled on insecure cluster", []string{"--feature-gates=Foo=Bar,Baz=Quuz"}, false),
 Entry("Is explicitly disabled on insecure cluster", []string{"--feature-gates=Foo=Bar,RotateKubeletServerCertificate=false,Baz=Quuz"}, false),
- Entry("Is not enabled on Casablanca cluster", kubeControllerManagerCasablanca, false),
 Entry("Is not enabled on Dublin cluster", kubeControllerManagerDublin, false),
 Entry("Should be enabled on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 )
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
index 4166a58d7..7fb13b820 100644
--- a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
@@ -16,14 +16,7 @@ var _ = Describe("Scheduler", func() {
 "--profiling=false",
 }
- // kubeSchedulerCasablanca was obtained from virtual environment for testing
- // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
- kubeSchedulerCasablanca = []string{
- "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
- "--address=0.0.0.0",
- }
-
- // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // kubeSchedulerDublin was obtained from virtual environment for testing
 // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
 kubeSchedulerDublin = []string{
 "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
@@ -41,7 +34,6 @@ var _ = Describe("Scheduler", func() {
 },
 Entry("Is not set on insecure cluster", []string{}, false),
 Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
 Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
 Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
 )
@@ -53,7 +45,6 @@ var _ = Describe("Scheduler", func() {
 Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
 },
 Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
- Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
 Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
 Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
 ) |