diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-07-08 14:17:55 +0200 |
---|---|---|
committer | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-07-08 14:18:22 +0200 |
commit | 056ef4c18a177e179ce288247f67cf23dad47c18 (patch) | |
tree | 0172fbdc05662c510494092ab8884a7d45b054eb /test/security | |
parent | 0231bdbc69fd7a594606d88124a1a789963a49e7 (diff) |
k8s: Add tests for API server validators
This patch also adds convenience target to the Makefile and updates
documentation on relevant dependencies.
Issue-ID: SECCOM-235
Change-Id: I57e00af3cd4c60af3128e3094607cc61bc1e5dbe
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security')
-rw-r--r-- | test/security/k8s/Makefile | 6 | ||||
-rw-r--r-- | test/security/k8s/README | 16 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api_test.go | 160 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/master_suite_test.go | 13 |
4 files changed, 194 insertions, 1 deletions
diff --git a/test/security/k8s/Makefile b/test/security/k8s/Makefile index aeb1d9077..05fbba047 100644 --- a/test/security/k8s/Makefile +++ b/test/security/k8s/Makefile @@ -13,8 +13,12 @@ $(BIN): export GOPATH = $(shell pwd) $(BIN): go install $(PROJECT)/cmd/$(BIN) +test: export GOPATH = $(shell pwd) +test: + go test $(PROJECT)/... + clean: rm $(BIN_DIR)/$(BIN) rmdir $(BIN_DIR) -.PHONY: all run build clean $(BIN) +.PHONY: all run build test clean $(BIN) diff --git a/test/security/k8s/README b/test/security/k8s/README index f69eb6ee8..4f14e37db 100644 --- a/test/security/k8s/README +++ b/test/security/k8s/README @@ -28,6 +28,13 @@ Run .. _`Rancher CLI`: https://rancher.com/docs/rancher/v1.6/en/cli .. _Docker: https://docs.docker.com/install +Test +---- + +- Ginkgo_ + +.. _Ginkgo: https://onsi.github.io/ginkgo/#getting-ginkgo + Running ======= @@ -36,3 +43,12 @@ Calling:: make run will build and run configuration check executable. It is the default target. + +Testing +======= + +Calling:: + + make test + +will run tests. diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go new file mode 100644 index 000000000..95b68daca --- /dev/null +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -0,0 +1,160 @@ +package master_test + +import ( + . "check/validators/master" + + . "github.com/onsi/ginkgo/extensions/table" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" +) + +var _ = Describe("Api", func() { + var ( + // kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly. + kubeApiServerCISCompliant = []string{ + "--anonymous-auth=false", + "--insecure-port=0", + "--profiling=false", + "--repair-malformed-updates=false", + "--service-account-lookup=true", + } + + // kubeApiServerCasablanca was obtained from virtual environment for testing + // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882). + kubeApiServerCasablanca = []string{ + "--storage-backend=etcd2", + "--storage-media-type=application/json", + "--service-cluster-ip-range=10.43.0.0/16", + "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379", + "--insecure-bind-address=0.0.0.0", + "--insecure-port=0", + "--cloud-provider=rancher", + "--allow-privileged=true", + "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," + + "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota", + "--client-ca-file=/etc/kubernetes/ssl/ca.pem", + "--tls-cert-file=/etc/kubernetes/ssl/cert.pem", + "--tls-private-key-file=/etc/kubernetes/ssl/key.pem", + "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem", + "--kubelet-client-key=/etc/kubernetes/ssl/key.pem", + "--runtime-config=batch/v2alpha1", + "--anonymous-auth=false", + "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig", + "--runtime-config=authentication.k8s.io/v1beta1=true", + "--external-hostname=kubernetes.kubernetes.rancher.internal", + "--etcd-cafile=/etc/kubernetes/etcd/ca.pem", + "--etcd-certfile=/etc/kubernetes/etcd/cert.pem", + "--etcd-keyfile=/etc/kubernetes/etcd/key.pem", + "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," + + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + } + ) + + Describe("Boolean flags", func() { + DescribeTable("Basic authentication file", + func(params []string, expected bool) { + Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected)) + }, + Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false), + Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), + ) + + DescribeTable("Token authentication file", + func(params []string, expected bool) { + Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected)) + }, + Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false), + Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), + ) + + DescribeTable("Accepting any token", + func(params []string, expected bool) { + Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected)) + }, + Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false), + Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), + ) + + DescribeTable("Anonymous requests", + func(params []string, expected bool) { + Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true), + ) + + DescribeTable("HTTPS for kubelet", + func(params []string, expected bool) { + Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected)) + }, + Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false), + Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true), + ) + + DescribeTable("Bind address", + func(params []string, expected bool) { + Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected)) + }, + Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false), + Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + + DescribeTable("Bind port", + func(params []string, expected bool) { + Expect(IsInsecurePortUnbound(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false), + Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true), + ) + + DescribeTable("Secure bind port", + func(params []string, expected bool) { + Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected)) + }, + Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false), + Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + + DescribeTable("Profiling", + func(params []string, expected bool) { + Expect(IsProfilingDisabled(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false), + Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + + DescribeTable("Repairing malformed updates", + func(params []string, expected bool) { + Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false), + Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + + DescribeTable("Service account lookup", + func(params []string, expected bool) { + Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false), + Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) + }) +}) diff --git a/test/security/k8s/src/check/validators/master/master_suite_test.go b/test/security/k8s/src/check/validators/master/master_suite_test.go new file mode 100644 index 000000000..5c957d897 --- /dev/null +++ b/test/security/k8s/src/check/validators/master/master_suite_test.go @@ -0,0 +1,13 @@ +package master_test + +import ( + "testing" + + . "github.com/onsi/ginkgo" + . "github.com/onsi/gomega" +) + +func TestMaster(t *testing.T) { + RegisterFailHandler(Fail) + RunSpecs(t, "Master Suite") +} |