Diffstat (limited to 'test/security')
-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 47 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api/api.go (renamed from test/security/k8s/src/check/validators/master/api.go) | 2 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api/api_suite_test.go (renamed from test/security/k8s/src/check/validators/master/master_suite_test.go) | 6 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api/api_test.go (renamed from test/security/k8s/src/check/validators/master/api_test.go) | 4 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/master.go | 57 |
5 files changed, 64 insertions, 52 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index b10b8cb1d..5a29fa9d5 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -38,50 +38,5 @@ func main() {
 log.Fatal(err)
 }
- log.Printf("IsBasicAuthFileAbsent: %t\n", master.IsBasicAuthFileAbsent(k8sParams))
- log.Printf("IsTokenAuthFileAbsent: %t\n", master.IsTokenAuthFileAbsent(k8sParams))
- log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", master.IsInsecureAllowAnyTokenAbsent(k8sParams))
-
- log.Printf("IsAnonymousAuthDisabled: %t\n", master.IsAnonymousAuthDisabled(k8sParams))
- log.Printf("IsInsecurePortUnbound: %t\n", master.IsInsecurePortUnbound(k8sParams))
- log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
- log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
- log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
-
- log.Printf("IsKubeletHTTPSAbsentOrEnabled: %t\n", master.IsKubeletHTTPSAbsentOrEnabled(k8sParams))
- log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
- log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams))
-
- log.Printf("IsAlwaysAdmitAdmissionControlPluginExcluded: %t\n", master.IsAlwaysAdmitAdmissionControlPluginExcluded(k8sParams))
-
- log.Printf("IsAlwaysPullImagesAdmissionControlPluginIncluded: %t\n", master.IsAlwaysPullImagesAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsDenyEscalatingExecAdmissionControlPluginIncluded: %t\n", master.IsDenyEscalatingExecAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsSecurityContextDenyAdmissionControlPluginIncluded: %t\n", master.IsSecurityContextDenyAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsPodSecurityPolicyAdmissionControlPluginIncluded: %t\n", master.IsPodSecurityPolicyAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsServiceAccountAdmissionControlPluginIncluded: %t\n", master.IsServiceAccountAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsNodeRestrictionAdmissionControlPluginIncluded: %t\n", master.IsNodeRestrictionAdmissionControlPluginIncluded(k8sParams))
- log.Printf("IsEventRateLimitAdmissionControlPluginIncluded: %t\n", master.IsEventRateLimitAdmissionControlPluginIncluded(k8sParams))
-
- log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
-
- log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
- log.Printf("IsNodeAuthorizationModeIncluded: %t\n", master.IsNodeAuthorizationModeIncluded(k8sParams))
-
- log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
- log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogMaxAgeValid(k8sParams))
- log.Printf("IsAuditLogMaxBackupValid: %t\n", master.IsAuditLogMaxBackupValid(k8sParams))
- log.Printf("IsAuditLogMaxSizeValid: %t\n", master.IsAuditLogMaxSizeValid(k8sParams))
-
- log.Printf("IsRequestTimeoutValid: %t\n", master.IsRequestTimeoutValid(k8sParams))
-
- log.Printf("IsKubeletCertificateAuthoritySet: %t\n", master.IsKubeletCertificateAuthoritySet(k8sParams))
- log.Printf("IsClientCertificateAuthoritySet: %t\n", master.IsClientCertificateAuthoritySet(k8sParams))
- log.Printf("IsEtcdCertificateAuthoritySet: %t\n", master.IsEtcdCertificateAuthoritySet(k8sParams))
-
- log.Printf("IsServiceAccountKeySet: %t\n", master.IsServiceAccountKeySet(k8sParams))
- log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", master.IsKubeletClientCertificateAndKeySet(k8sParams))
- log.Printf("IsEtcdCertificateAndKeySet: %t\n", master.IsEtcdCertificateAndKeySet(k8sParams))
- log.Printf("IsTLSCertificateAndKeySet: %t\n", master.IsTLSCertificateAndKeySet(k8sParams))
-
- log.Printf("IsStrongCryptoCipherInUse: %t\n", master.IsStrongCryptoCipherInUse(k8sParams))
+ master.Check(k8sParams)
 }
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api/api.go
index c2a99641e..1ca920e1a 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api/api.go
@@ -1,4 +1,4 @@
-package master
+package api
 import (
 "strconv"
diff --git a/test/security/k8s/src/check/validators/master/master_suite_test.go b/test/security/k8s/src/check/validators/master/api/api_suite_test.go
index 5c957d897..28066f963 100644
--- a/test/security/k8s/src/check/validators/master/master_suite_test.go
+++ b/test/security/k8s/src/check/validators/master/api/api_suite_test.go
@@ -1,4 +1,4 @@
-package master_test
+package api_test
 import (
 "testing"
@@ -7,7 +7,7 @@ import (
 . "github.com/onsi/gomega"
 )
-func TestMaster(t *testing.T) {
+func TestApi(t *testing.T) {
 RegisterFailHandler(Fail)
- RunSpecs(t, "Master Suite")
+ RunSpecs(t, "Api Suite")
 }
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api/api_test.go
index 0b2021538..4ba5070a8 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api/api_test.go
@@ -1,7 +1,7 @@
-package master_test
+package api_test
 import (
- . "check/validators/master"
+ . "check/validators/master/api"
 . "github.com/onsi/ginkgo/extensions/table"
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
new file mode 100644
index 000000000..e9dc66cc6
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -0,0 +1,57 @@
+package master
+
+import (
+ "log"
+
+ "check/validators/master/api"
+)
+
+// Check validates master node complies with CIS guideliness.
+func Check(k8sParams []string) {
+ log.Printf("IsBasicAuthFileAbsent: %t\n", api.IsBasicAuthFileAbsent(k8sParams))
+ log.Printf("IsTokenAuthFileAbsent: %t\n", api.IsTokenAuthFileAbsent(k8sParams))
+ log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", api.IsInsecureAllowAnyTokenAbsent(k8sParams))
+
+ log.Printf("IsAnonymousAuthDisabled: %t\n", api.IsAnonymousAuthDisabled(k8sParams))
+ log.Printf("IsInsecurePortUnbound: %t\n", api.IsInsecurePortUnbound(k8sParams))
+ log.Printf("IsProfilingDisabled: %t\n", api.IsProfilingDisabled(k8sParams))
+ log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", api.IsRepairMalformedUpdatesDisabled(k8sParams))
+ log.Printf("IsServiceAccountLookupEnabled: %t\n", api.IsServiceAccountLookupEnabled(k8sParams))
+
+ log.Printf("IsKubeletHTTPSAbsentOrEnabled: %t\n", api.IsKubeletHTTPSAbsentOrEnabled(k8sParams))
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", api.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
+ log.Printf("IsSecurePortAbsentOrValid: %t\n", api.IsSecurePortAbsentOrValid(k8sParams))
+
+ log.Printf("IsAlwaysAdmitAdmissionControlPluginExcluded: %t\n", api.IsAlwaysAdmitAdmissionControlPluginExcluded(k8sParams))
+
+ log.Printf("IsAlwaysPullImagesAdmissionControlPluginIncluded: %t\n", api.IsAlwaysPullImagesAdmissionControlPluginIncluded(k8sParams))
+ log.Printf("IsDenyEscalatingExecAdmissionControlPluginIncluded: %t\n", api.IsDenyEscalatingExecAdmissionControlPluginIncluded(k8sParams))
+ log.Printf("IsSecurityContextDenyAdmissionControlPluginIncluded: %t\n", api.IsSecurityContextDenyAdmissionControlPluginIncluded(k8sParams))
+ log.Printf("IsPodSecurityPolicyAdmissionControlPluginIncluded: %t\n", api.IsPodSecurityPolicyAdmissionControlPluginIncluded(k8sParams))
+ log.Printf("IsServiceAccountAdmissionControlPluginIncluded: %t\n", api.IsServiceAccountAdmissionControlPluginIncluded(k8sParams))
+ log.Printf("IsNodeRestrictionAdmissionControlPluginIncluded: %t\n", api.IsNodeRestrictionAdmissionControlPluginIncluded(k8sParams))
+ log.Printf("IsEventRateLimitAdmissionControlPluginIncluded: %t\n", api.IsEventRateLimitAdmissionControlPluginIncluded(k8sParams))
+
+ log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", api.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
+
+ log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", api.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+ log.Printf("IsNodeAuthorizationModeIncluded: %t\n", api.IsNodeAuthorizationModeIncluded(k8sParams))
+
+ log.Printf("IsAuditLogPathSet: %t\n", api.IsAuditLogPathSet(k8sParams))
+ log.Printf("IsAuditLogMaxAgeValid: %t\n", api.IsAuditLogMaxAgeValid(k8sParams))
+ log.Printf("IsAuditLogMaxBackupValid: %t\n", api.IsAuditLogMaxBackupValid(k8sParams))
+ log.Printf("IsAuditLogMaxSizeValid: %t\n", api.IsAuditLogMaxSizeValid(k8sParams))
+
+ log.Printf("IsRequestTimeoutValid: %t\n", api.IsRequestTimeoutValid(k8sParams))
+
+ log.Printf("IsKubeletCertificateAuthoritySet: %t\n", api.IsKubeletCertificateAuthoritySet(k8sParams))
+ log.Printf("IsClientCertificateAuthoritySet: %t\n", api.IsClientCertificateAuthoritySet(k8sParams))
+ log.Printf("IsEtcdCertificateAuthoritySet: %t\n", api.IsEtcdCertificateAuthoritySet(k8sParams))
+
+ log.Printf("IsServiceAccountKeySet: %t\n", api.IsServiceAccountKeySet(k8sParams))
+ log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", api.IsKubeletClientCertificateAndKeySet(k8sParams))
+ log.Printf("IsEtcdCertificateAndKeySet: %t\n", api.IsEtcdCertificateAndKeySet(k8sParams))
+ log.Printf("IsTLSCertificateAndKeySet: %t\n", api.IsTLSCertificateAndKeySet(k8sParams))
+
+ log.Printf("IsStrongCryptoCipherInUse: %t\n", api.IsStrongCryptoCipherInUse(k8sParams))
+}
|
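Review bot: Check only logs each validator's boolean and returns nothing, so a master node that fails every CIS check gives the caller the same outcome as a compliant one; the new call in check.go's main (`master.Check(k8sParams)`) has no way to turn a failed check into a non-zero exit. Consider returning whether all validators passed, driven from a table so that a validator cannot be logged yet left out of the verdict; a call that discards the result still compiles, so check.go keeps working unchanged. The validators appear to be `func([]string) bool`, judging by the `%t` verb and the argument they receive, which should be confirmed against api.go. The doc comment also has a typo (`guideliness` → `guidelines`), and the trailing `\n` in each format string is redundant because log.Printf appends a newline when one is missing.

```go
// Check logs the result of every API server validator and reports whether
// all of them passed, so the caller can fail the run on a non-compliant node.
func Check(k8sParams []string) bool {
	checks := []struct {
		name string
		run  func([]string) bool
	}{
		{"IsBasicAuthFileAbsent", api.IsBasicAuthFileAbsent},
		{"IsTokenAuthFileAbsent", api.IsTokenAuthFileAbsent},
		// … unchanged: one entry per remaining validator, in the current order …
	}

	ok := true
	for _, c := range checks {
		passed := c.run(k8sParams)
		log.Printf("%s: %t", c.name, passed)
		ok = ok && passed
	}
	return ok
}
```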