diff options
Diffstat (limited to 'test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go')
-rw-r--r-- | test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go | 40 |
1 files changed, 40 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go index 7fd8b5d53..fcd337ac2 100644 --- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go +++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go @@ -16,6 +16,9 @@ var _ = Describe("Controllermanager", func() { "--profiling=false", "--use-service-account-credentials=true", "--feature-gates=RotateKubeletServerCertificate=true", + "--terminated-pod-gc-threshold=10", + "--service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem", + "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem", } // kubeControllerManagerCasablanca was obtained from virtual environment for testing @@ -78,6 +81,30 @@ var _ = Describe("Controllermanager", func() { ) }) + Describe("File path flags", func() { + DescribeTable("Service account private key", + func(params []string, expected bool) { + Expect(IsServiceAccountPrivateKeyFileSet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{""}, false), + Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false), + Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), + Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true), + Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true), + ) + + DescribeTable("Root certificate authority", + func(params []string, expected bool) { + Expect(IsRootCertificateAuthoritySet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{""}, false), + Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false), + Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), + Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true), + Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true), + ) + }) + Describe("Address flag", func() { DescribeTable("Bind address", func(params []string, expected bool) { @@ -90,6 +117,19 @@ var _ = Describe("Controllermanager", func() { ) }) + Describe("Numeric flags", func() { + DescribeTable("Terminated pod garbage collector threshold", + func(params []string, expected bool) { + Expect(IsTerminatedPodGcThresholdValid(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{""}, false), + Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false), + Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false), + Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true), + Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true), + ) + }) + Describe("Argument list flags", func() { DescribeTable("RotateKubeletServerCertificate", func(params []string, expected bool) { |