diff options
-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 2 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 26 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api_test.go | 11 |
3 files changed, 39 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index 0447d5bb0..fb63ae632 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -72,6 +72,8 @@ func main() { log.Printf("IsAuditLogMaxBackupValid: %t\n", master.IsAuditLogPathSet(k8sParams)) log.Printf("IsAuditLogMaxSizeValid: %t\n", master.IsAuditLogPathSet(k8sParams)) + log.Printf("IsRequestTimeoutValid: %t\n", master.IsRequestTimeoutValid(k8sParams)) + log.Printf("IsKubeletCertificateAuthoritySet: %t\n", master.IsKubeletCertificateAuthoritySet(k8sParams)) log.Printf("IsClientCertificateAuthoritySet: %t\n", master.IsClientCertificateAuthoritySet(k8sParams)) log.Printf("IsEtcdCertificateAuthoritySet: %t\n", master.IsEtcdCertificateAuthoritySet(k8sParams)) diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index bc25d9922..c2a99641e 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -18,6 +18,8 @@ const ( "_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" + "_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" + "_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256" + + requestTimeout = 60 ) // IsBasicAuthFileAbsent validates there is no basic authentication file specified. @@ -363,3 +365,27 @@ func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, pa } return true } + +// IsRequestTimeoutValid validates request timeout is set and it has recommended value. +func IsRequestTimeoutValid(params []string) bool { + return isFlagAbsent("--request-timeout", params) || + hasSingleFlagValidTimeout("--request-timeout", requestTimeout, 2*requestTimeout, params) +} + +// hasSingleFlagValidTimeout checks whether selected flag has valid timeout as an argument in given command. +func hasSingleFlagValidTimeout(flag string, min int, max int, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + timeout, err := strconv.Atoi(value) // what about empty parameter? + if err != nil { + return false + } + if timeout < min || timeout > max { + return false + } + return true +} diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index 35860c6b1..0b2021538 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -367,6 +367,17 @@ var _ = Describe("Api", func() { Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true), ) + + DescribeTable("Request timeout", + func(params []string, expected bool) { + Expect(IsRequestTimeoutValid(params)).To(Equal(expected)) + }, + Entry("Is empty on insecure cluster", []string{"--request-timeout="}, false), + Entry("Is too high on insecure cluster", []string{"--request-timeout=600"}, false), + Entry("Should be set only if needed on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be set only if needed on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be set only if needed on Dublin cluster", kubeApiServerDublin, true), + ) }) Describe("Argument list flags", func() { |