Diffstat (limited to 'test/security/k8s/src/check/validators/master/api.go')
-rw-r--r--test/security/k8s/src/check/validators/master/api.go10
1 files changed, 10 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 95a02d17d..ea0d9ece9 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -13,6 +13,11 @@ const (
auditLogAge = 30
auditLogBackups = 10
auditLogSize = 100
+
+ strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
+ "_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
+ "_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
+ "_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
)
// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
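Review bot: The `strongCryptoCiphers` literal is split in the middle of suite names (`..._AES_128_GCM" + "_SHA256`), so a search for a full name such as `TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256` finds nothing in this file; break the concatenation after the commas instead. The constant also has no comment saying where the list comes from; a line such as `// strongCryptoCiphers is the --tls-cipher-suites value required by <benchmark reference>.` would let a reader check it against the source. The last two entries, `TLS_RSA_WITH_AES_256_GCM_SHA384` and `TLS_RSA_WITH_AES_128_GCM_SHA256`, use static RSA key exchange and give no forward secrecy, so if they are kept only to match the reference list the comment should say so. The `const (` block opens outside this hunk.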
@@ -64,6 +69,11 @@ func IsServiceAccountLookupEnabled(params []string) bool {
return hasSingleFlagArgument("--service-account-lookup=", "true", params)
}
+// IsStrongCryptoCipherInUse validates there is single "--tls-cipher-suites=" flag and it is set to strong crypto ciphers.
+func IsStrongCryptoCipherInUse(params []string) bool {
+ return hasSingleFlagArgument("--tls-cipher-suites=", strongCryptoCiphers, params)
+}
+
// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
func hasSingleFlagArgument(flag string, argument string, params []string) bool {
found := filterFlags(params, flag)
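Review bot: `IsStrongCryptoCipherInUse` passes the whole comma-joined `strongCryptoCiphers` string as the expected argument. Assuming `hasSingleFlagArgument` compares the flag value for equality (its body continues outside the hunk), an API server that lists the same suites in another order, or only a stricter subset such as the ECDHE suites, is reported as failing. If the intent is to accept any configuration restricted to the approved suites, split the flag value on commas and check each suite against the set. The sketch below does that with the `strings` package, which the file would need to import if it does not already, and it treats `params` as `--flag=value` strings, which should be confirmed against `filterFlags`.

```go
// IsStrongCryptoCipherInUse validates there is single "--tls-cipher-suites=" flag
// and that every suite it lists belongs to the strong crypto cipher set.
func IsStrongCryptoCipherInUse(params []string) bool {
	const flag = "--tls-cipher-suites="

	allowed := make(map[string]struct{})
	for _, suite := range strings.Split(strongCryptoCiphers, ",") {
		allowed[suite] = struct{}{}
	}

	var value string
	seen := 0
	for _, param := range params {
		if strings.HasPrefix(param, flag) {
			value = strings.TrimPrefix(param, flag)
			seen++
		}
	}
	// Reject a missing, repeated or empty flag: an empty value leaves the defaults in effect.
	if seen != 1 || value == "" {
		return false
	}

	for _, suite := range strings.Split(value, ",") {
		if _, ok := allowed[suite]; !ok {
			return false
		}
	}
	return true
}
```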