k8s: Add tests for API server validators

This patch also adds convenience target to the Makefile and updates documentation on relevant dependencies. Issue-ID: SECCOM-235 Change-Id: I57e00af3cd4c60af3128e3094607cc61bc1e5dbe Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
author: Pawel Wieczorek <p.wieczorek2@samsung.com> 2019-07-08 14:17:55 +0200
committer: Pawel Wieczorek <p.wieczorek2@samsung.com> 2019-07-08 14:18:22 +0200
commit: 056ef4c18a177e179ce288247f67cf23dad47c18 (patch)
tree: 0172fbdc05662c510494092ab8884a7d45b054eb /test/security/k8s
parent: 0231bdbc69fd7a594606d88124a1a789963a49e7 (diff)
4 files changed, 194 insertions, 1 deletions
diff --git a/test/security/k8s/Makefile b/test/security/k8s/Makefile
index aeb1d9077..05fbba047 100644
--- a/test/security/k8s/Makefile
+++ b/test/security/k8s/Makefile
@@ -13,8 +13,12 @@ $(BIN): export GOPATH = $(shell pwd)
 $(BIN):
 	go install $(PROJECT)/cmd/$(BIN)
 
+test: export GOPATH = $(shell pwd)
+test:
+	go test $(PROJECT)/...
+
 clean:
 	rm $(BIN_DIR)/$(BIN)
 	rmdir $(BIN_DIR)
 
-.PHONY: all run build clean $(BIN)
+.PHONY: all run build test clean $(BIN)
diff --git a/test/security/k8s/README b/test/security/k8s/README
index f69eb6ee8..4f14e37db 100644
--- a/test/security/k8s/README
+++ b/test/security/k8s/README
@@ -28,6 +28,13 @@ Run
 .. _`Rancher CLI`: https://rancher.com/docs/rancher/v1.6/en/cli
 .. _Docker: https://docs.docker.com/install
 
+Test
+----
+
+- Ginkgo_
+
+.. _Ginkgo: https://onsi.github.io/ginkgo/#getting-ginkgo
+
 Running
 =======
 
@@ -36,3 +43,12 @@ Calling::
   make run
 
 will build and run configuration check executable. It is the default target.
+
+Testing
+=======
+
+Calling::
+
+  make test
+
+will run tests.
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
new file mode 100644
index 000000000..95b68daca
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -0,0 +1,160 @@
+package master_test
+
+import (
+	. "check/validators/master"
+
+	. "github.com/onsi/ginkgo/extensions/table"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+var _ = Describe("Api", func() {
+	var (
+		// kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+		kubeApiServerCISCompliant = []string{
+			"--anonymous-auth=false",
+			"--insecure-port=0",
+			"--profiling=false",
+			"--repair-malformed-updates=false",
+			"--service-account-lookup=true",
+		}
+
+		// kubeApiServerCasablanca was obtained from virtual environment for testing
+		// (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+		kubeApiServerCasablanca = []string{
+			"--storage-backend=etcd2",
+			"--storage-media-type=application/json",
+			"--service-cluster-ip-range=10.43.0.0/16",
+			"--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
+			"--insecure-bind-address=0.0.0.0",
+			"--insecure-port=0",
+			"--cloud-provider=rancher",
+			"--allow-privileged=true",
+			"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+				"PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
+			"--client-ca-file=/etc/kubernetes/ssl/ca.pem",
+			"--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
+			"--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+			"--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
+			"--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
+			"--runtime-config=batch/v2alpha1",
+			"--anonymous-auth=false",
+			"--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
+			"--runtime-config=authentication.k8s.io/v1beta1=true",
+			"--external-hostname=kubernetes.kubernetes.rancher.internal",
+			"--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
+			"--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
+			"--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
+			"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+				"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
+				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+		}
+	)
+
+	Describe("Boolean flags", func() {
+		DescribeTable("Basic authentication file",
+			func(params []string, expected bool) {
+				Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
+			},
+			Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
+			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+		)
+
+		DescribeTable("Token authentication file",
+			func(params []string, expected bool) {
+				Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
+			},
+			Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
+			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+		)
+
+		DescribeTable("Accepting any token",
+			func(params []string, expected bool) {
+				Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
+			},
+			Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
+			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+		)
+
+		DescribeTable("Anonymous requests",
+			func(params []string, expected bool) {
+				Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
+		)
+
+		DescribeTable("HTTPS for kubelet",
+			func(params []string, expected bool) {
+				Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
+			},
+			Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
+			Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
+		)
+
+		DescribeTable("Bind address",
+			func(params []string, expected bool) {
+				Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+			},
+			Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
+			Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+
+		DescribeTable("Bind port",
+			func(params []string, expected bool) {
+				Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
+			Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
+		)
+
+		DescribeTable("Secure bind port",
+			func(params []string, expected bool) {
+				Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
+			},
+			Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
+			Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
+			Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+
+		DescribeTable("Profiling",
+			func(params []string, expected bool) {
+				Expect(IsProfilingDisabled(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+			Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+
+		DescribeTable("Repairing malformed updates",
+			func(params []string, expected bool) {
+				Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
+			Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+
+		DescribeTable("Service account lookup",
+			func(params []string, expected bool) {
+				Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
+			Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+	})
+})
diff --git a/test/security/k8s/src/check/validators/master/master_suite_test.go b/test/security/k8s/src/check/validators/master/master_suite_test.go
new file mode 100644
index 000000000..5c957d897
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/master_suite_test.go
@@ -0,0 +1,13 @@
+package master_test
+
+import (
+	"testing"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+)
+
+func TestMaster(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Master Suite")
+}
author	Pawel Wieczorek <p.wieczorek2@samsung.com>	2019-07-08 14:17:55 +0200
committer	Pawel Wieczorek <p.wieczorek2@samsung.com>	2019-07-08 14:18:22 +0200
commit	056ef4c18a177e179ce288247f67cf23dad47c18 (patch)
tree	0172fbdc05662c510494092ab8884a7d45b054eb /test/security/k8s
parent	0231bdbc69fd7a594606d88124a1a789963a49e7 (diff)