diff options
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api_test.go')
-rw-r--r-- | test/security/k8s/src/check/validators/master/api_test.go | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index 01f1824b0..ba72c33df 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -24,6 +24,7 @@ var _ = Describe("Api", func() { "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," + "PodSecurityPolicy,NodeRestriction,EventRateLimit", "--authorization-mode=RBAC", + "--audit-log-path=/var/log/apiserver/audit.log", } // kubeApiServerCasablanca was obtained from virtual environment for testing @@ -189,6 +190,17 @@ var _ = Describe("Api", func() { Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) + + DescribeTable("Audit log path", + func(params []string, expected bool) { + Expect(IsAuditLogPathSet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false), + Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), + Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) }) Describe("Address and port flags", func() { |