diff options
author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2019-09-30 15:27:43 +0200 |
---|---|---|
committer | Daniel Rose <dr695h@att.com> | 2019-10-01 13:22:20 +0000 |
commit | d52717dc912d26b4dc17ae1563ab994a919f8152 (patch) | |
tree | a5fb2f8302a1e93858ffa754274dc75d8a783814 /test/security | |
parent | f8229d0f2249302879225f03a77b54be6cf43e82 (diff) |
k8s: Validate controller manager flags requiring specific values
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.3.2 - 1.3.3
and 1.3.6).
Issue-ID: SECCOM-235
Change-Id: I9c2921faf40ad9445e983f2b9bd0610e556cfe15
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security')
3 files changed, 60 insertions, 1 deletions
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go index 85ab28564..f1dd0fe49 100644 --- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go +++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go @@ -5,6 +5,21 @@ import ( "check/validators/master/boolean" ) +// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false". +func IsProfilingDisabled(params []string) bool { + return args.HasSingleFlagArgument("--profiling=", "false", params) +} + +// IsUseServiceAccountCredentialsEnabled validates there is single "--use-service-account-credentials" flag and it is set to "true". +func IsUseServiceAccountCredentialsEnabled(params []string) bool { + return args.HasSingleFlagArgument("--use-service-account-credentials=", "true", params) +} + +// IsRotateKubeletServerCertificateIncluded validates RotateKubeletServerCertificate=true is included. +func IsRotateKubeletServerCertificateIncluded(params []string) bool { + return args.HasFlagArgumentIncluded("--feature-gates=", "RotateKubeletServerCertificate=true", params) +} + // IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address. func IsInsecureBindAddressAbsentOrLoopback(params []string) bool { return boolean.IsFlagAbsent("--address=", params) || diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go index d417b7d9f..7fd8b5d53 100644 --- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go +++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go @@ -12,7 +12,11 @@ import ( var _ = Describe("Controllermanager", func() { var ( // kubeControllerManagerCISCompliant uses secure defaults or follows CIS guidelines explicitly. - kubeControllerManagerCISCompliant = []string{} + kubeControllerManagerCISCompliant = []string{ + "--profiling=false", + "--use-service-account-credentials=true", + "--feature-gates=RotateKubeletServerCertificate=true", + } // kubeControllerManagerCasablanca was obtained from virtual environment for testing // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882). @@ -50,6 +54,30 @@ var _ = Describe("Controllermanager", func() { } ) + Describe("Boolean flags", func() { + DescribeTable("Profiling", + func(params []string, expected bool) { + Expect(IsProfilingDisabled(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false), + Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false), + Entry("Should be set to false on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), + Entry("Should be set to false on Dublin cluster", kubeControllerManagerDublin, true), + ) + + DescribeTable("Service account credentials use", + func(params []string, expected bool) { + Expect(IsUseServiceAccountCredentialsEnabled(params)).To(Equal(expected)) + }, + Entry("Is not set on insecure cluster", []string{}, false), + Entry("Is explicitly disabled on insecure cluster", []string{"--use-service-account-credentials=false"}, false), + Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false), + Entry("Should be set to true on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), + Entry("Should be set to true on Dublin cluster", kubeControllerManagerDublin, true), + ) + }) + Describe("Address flag", func() { DescribeTable("Bind address", func(params []string, expected bool) { @@ -61,4 +89,17 @@ var _ = Describe("Controllermanager", func() { Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), ) }) + + Describe("Argument list flags", func() { + DescribeTable("RotateKubeletServerCertificate", + func(params []string, expected bool) { + Expect(IsRotateKubeletServerCertificateIncluded(params)).To(Equal(expected)) + }, + Entry("Is not enabled on insecure cluster", []string{"--feature-gates=Foo=Bar,Baz=Quuz"}, false), + Entry("Is explicitly disabled on insecure cluster", []string{"--feature-gates=Foo=Bar,RotateKubeletServerCertificate=false,Baz=Quuz"}, false), + Entry("Is not enabled on Casablanca cluster", kubeControllerManagerCasablanca, false), + Entry("Is not enabled on Dublin cluster", kubeControllerManagerDublin, false), + Entry("Should be enabled on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), + ) + }) }) diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go index 79d6612a6..0f668f614 100644 --- a/test/security/k8s/src/check/validators/master/master.go +++ b/test/security/k8s/src/check/validators/master/master.go @@ -69,5 +69,8 @@ func CheckScheduler(params []string) { // CheckControllerManager validates controller manager complies with CIS guideliness. func CheckControllerManager(params []string) { log.Println("==> Controller Manager:") + log.Printf("IsProfilingDisabled: %t\n", controllermanager.IsProfilingDisabled(params)) + log.Printf("IsUseServiceAccountCredentialsEnabled: %t\n", controllermanager.IsUseServiceAccountCredentialsEnabled(params)) + log.Printf("IsRotateKubeletServerCertificateIncluded: %t\n", controllermanager.IsRotateKubeletServerCertificateIncluded(params)) log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", controllermanager.IsInsecureBindAddressAbsentOrLoopback(params)) } |