aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/k8s/src/check/validators/master/api_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api_test.go')
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go12
1 files changed, 12 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index 01f1824b0..ba72c33df 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -24,6 +24,7 @@ var _ = Describe("Api", func() {
"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
"PodSecurityPolicy,NodeRestriction,EventRateLimit",
"--authorization-mode=RBAC",
+ "--audit-log-path=/var/log/apiserver/audit.log",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -189,6 +190,17 @@ var _ = Describe("Api", func() {
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("Audit log path",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogPathSet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
})
Describe("Address and port flags", func() {