aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/k8s/src/check/validators/master/api_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'test/security/k8s/src/check/validators/master/api_test.go')
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go80
1 files changed, 79 insertions, 1 deletions
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index f7c6daa52..4e125663a 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -21,7 +21,8 @@ var _ = Describe("Api", func() {
"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
"TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass," +
"PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
- "ResourceQuota",
+ "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
+ "PodSecurityPolicy,NodeRestriction,EventRateLimit",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -227,5 +228,82 @@ var _ = Describe("Api", func() {
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("AlwaysPullImages admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsAlwaysPullImagesAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("DenyEscalatingExec admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsDenyEscalatingExecAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("SecurityContextDeny admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsSecurityContextDenyAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("PodSecurityPolicy admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsPodSecurityPolicyAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("ServiceAccount admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+
+ DescribeTable("NodeRestriction admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsNodeRestrictionAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+ )
+
+ DescribeTable("EventRateLimit admission control plugin",
+ func(params []string, expected bool) {
+ Expect(IsEventRateLimitAdmissionControlPluginIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
+ Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
+ Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
})
})