aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
diff options
context:
space:
mode:
Diffstat (limited to 'test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go')
-rw-r--r--test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go61
1 files changed, 61 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
new file mode 100644
index 000000000..4166a58d7
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
@@ -0,0 +1,61 @@
+package scheduler_test
+
+import (
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ . "check/validators/master/scheduler"
+)
+
+var _ = Describe("Scheduler", func() {
+ var (
+ // kubeSchedulerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeSchedulerCISCompliant = []string{
+ "--profiling=false",
+ }
+
+ // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeSchedulerCasablanca = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
+ "--address=0.0.0.0",
+ }
+
+ // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeSchedulerDublin = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
+ "--address=0.0.0.0",
+ "--profiling=false",
+ "--leader-elect=true",
+ "--v=2",
+ }
+ )
+
+ Describe("Boolean flag", func() {
+ DescribeTable("Profiling",
+ func(params []string, expected bool) {
+ Expect(IsProfilingDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
+ )
+ })
+
+ Describe("Address flag", func() {
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
+ Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+ )
+ })
+})