Diffstat (limited to 'test/security/k8s/src/check')
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go56
1 files changed, 56 insertions, 0 deletions
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index ed93a5d13..bee199519 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -51,6 +51,51 @@ var _ = Describe("Api", func() {
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
}
+
+ // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeApiServerDublin = []string{
+ "--requestheader-group-headers=X-Remote-Group",
+ "--proxy-client-cert-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client.pem",
+ "--bind-address=0.0.0.0",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ "--cloud-provider=",
+ "--etcd-cafile=/etc/kubernetes/ssl/kube-ca.pem",
+ "--etcd-servers=https://172.17.0.100:2379",
+ "--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem",
+ "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook," +
+ "ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel",
+ "--insecure-port=0",
+ "--secure-port=6443",
+ "--storage-backend=etcd3",
+ "--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem",
+ "--requestheader-client-ca-file=/etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem",
+ "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--service-node-port-range=30000-32767",
+ "--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem",
+ "--requestheader-username-headers=X-Remote-User",
+ "--repair-malformed-updates=false",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem",
+ "--service-cluster-ip-range=10.43.0.0/16",
+ "--advertise-address=172.17.0.100",
+ "--profiling=false",
+ "--requestheader-extra-headers-prefix=X-Remote-Extra-",
+ "--etcd-certfile=/etc/kubernetes/ssl/kube-node.pem",
+ "--anonymous-auth=false",
+ "--etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem",
+ "--etcd-prefix=/registry",
+ "--client-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
+ "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
+ "--requestheader-allowed-names=kube-apiserver-proxy-client",
+ "--service-account-lookup=true",
+ "--proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key.pem",
+ "--authorization-mode=Node,RBAC",
+ "--allow-privileged=true",
+ }
)
Describe("Boolean flags", func() {
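Review bot: The comment above the new fixture names the wrong variable: it says `kubeApiServerCasablanca was obtained from virtual environment for testing` while the declaration that follows is `kubeApiServerDublin`, which reads like a copy of the Casablanca comment. The Change-Id it cites presumably belongs to the change that introduced the Casablanca fixture, not this one, so it is likely stale as well; unless the Dublin flags really came from that change, the line should read `// kubeApiServerDublin was obtained from virtual environment for testing` with the Change-Id reference updated or dropped. It would also help a reader to state in that comment which Dublin-specific settings differ from Casablanca (the fixture carries `--profiling=false`, `--repair-malformed-updates=false` and `--service-account-lookup=true`, which is why the Dublin entries in the later tables expect true where the Casablanca ones expect false). The enclosing `var (` block starts outside the hunk.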
@@ -61,6 +106,7 @@ var _ = Describe("Api", func() {
Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Token authentication file",
@@ -70,6 +116,7 @@ var _ = Describe("Api", func() {
Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Accepting any token",
@@ -79,6 +126,7 @@ var _ = Describe("Api", func() {
Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Anonymous requests",
@@ -88,6 +136,7 @@ var _ = Describe("Api", func() {
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("HTTPS for kubelet",
@@ -97,6 +146,7 @@ var _ = Describe("Api", func() {
Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Bind address",
@@ -106,6 +156,7 @@ var _ = Describe("Api", func() {
Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Bind port",
@@ -116,6 +167,7 @@ var _ = Describe("Api", func() {
Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Secure bind port",
@@ -125,6 +177,7 @@ var _ = Describe("Api", func() {
Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Profiling",
@@ -135,6 +188,7 @@ var _ = Describe("Api", func() {
Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Repairing malformed updates",
@@ -145,6 +199,7 @@ var _ = Describe("Api", func() {
Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
)
DescribeTable("Service account lookup",
@@ -155,6 +210,7 @@ var _ = Describe("Api", func() {
Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
)
})
})