diff options
| author |   Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-05-29 20:17:44 +0200 |
|---|---|---|
| committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-07-08 12:29:52 +0200 |
| commit | 28bd2f7044d0b120d202a9ef1a2ef8294f153bad (patch) | |
| tree | 11be846e73ad2c2342274bd682c5187aa51bd5d9 /test/security/k8s | |
| parent | ff3ebac2a21a4f9d8213ec255656d199cb6f4fe9 (diff) | |
k8s: Validate API server boolean flags
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8,
1.1.9, 1.1.20 and 1.1.23).
Issue-ID: SECCOM-235
Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security/k8s')
| -rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 13 | ||||
| -rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 95 |
2 files changed, 107 insertions, 1 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index e48088a9e..fd4c2aff9 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -5,6 +5,7 @@ import ( "log" "check/rancher" + "check/validators/master" ) func main() { @@ -13,5 +14,15 @@ func main() { if err != nil { log.Fatal(err) } - log.Printf("%s\n", k8sParams) + + log.Printf("IsBasicAuthFileAbsent: %t\n", master.IsBasicAuthFileAbsent(k8sParams)) + log.Printf("IsTokenAuthFileAbsent: %t\n", master.IsTokenAuthFileAbsent(k8sParams)) + log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", master.IsInsecureAllowAnyTokenAbsent(k8sParams)) + + log.Printf("IsAnonymousAuthDisabled: %t\n", master.IsAnonymousAuthDisabled(k8sParams)) + log.Printf("IsKubeletHTTPSConnected: %t\n", master.IsKubeletHTTPSConnected(k8sParams)) + log.Printf("IsInsecurePortUnbound: %t\n", master.IsInsecurePortUnbound(k8sParams)) + log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams)) + log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams)) + log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go new file mode 100644 index 000000000..bf275c1ca --- /dev/null +++ b/test/security/k8s/src/check/validators/master/api.go @@ -0,0 +1,95 @@ +package master + +import ( + "strconv" + "strings" +) + +const ( + disabledPort = 0 +) + +// IsBasicAuthFileAbsent validates there is no basic authentication file specified. +func IsBasicAuthFileAbsent(params []string) bool { + return isFlagAbsent("--basic-auth-file=", params) +} + +// IsTokenAuthFileAbsent validates there is no token based authentication file specified. +func IsTokenAuthFileAbsent(params []string) bool { + return isFlagAbsent("--token-auth-file=", params) +} + +// IsInsecureAllowAnyTokenAbsent validates insecure tokens are not accepted. +func IsInsecureAllowAnyTokenAbsent(params []string) bool { + return isFlagAbsent("--insecure-allow-any-token", params) +} + +// isFlagAbsent checks absence of selected flag in parameters. +func isFlagAbsent(flag string, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 0 { + return false + } + return true +} + +// IsAnonymousAuthDisabled validates there is single "--anonymous-auth" flag and it is set to "false". +func IsAnonymousAuthDisabled(params []string) bool { + return hasSingleFlagArgument("--anonymous-auth=", "false", params) +} + +// IsKubeletHTTPSConnected validates there is single "--kubelet-https" flag and it is set to "true". +func IsKubeletHTTPSConnected(params []string) bool { + return hasSingleFlagArgument("--kubelet-https=", "true", params) +} + +// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled). +func IsInsecurePortUnbound(params []string) bool { + return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params) +} + +// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false". +func IsProfilingDisabled(params []string) bool { + return hasSingleFlagArgument("--profiling=", "false", params) +} + +// IsRepairMalformedUpdatesDisabled validates there is single "--repair-malformed-updates" flag and it is set to "false". +func IsRepairMalformedUpdatesDisabled(params []string) bool { + return hasSingleFlagArgument("--repair-malformed-updates=", "false", params) +} + +// IsServiceAccountLookupEnabled validates there is single "--service-account-lookup" flag and it is set to "true". +func IsServiceAccountLookupEnabled(params []string) bool { + return hasSingleFlagArgument("--service-account-lookup=", "true", params) +} + +// hasSingleFlagArgument checks whether selected flag was used once and has requested argument. +func hasSingleFlagArgument(flag string, argument string, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + if value != argument { + return false + } + return true +} + +// filterFlags returns all occurrences of selected flag. +func filterFlags(strs []string, flag string) []string { + var filtered []string + for _, str := range strs { + if strings.HasPrefix(str, flag) { + filtered = append(filtered, str) + } + } + return filtered +} + +// splitKV splits key and value (after first occurrence of separator). +func splitKV(s, sep string) (string, string) { + ret := strings.SplitN(s, sep, 2) + return ret[0], ret[1] +} |