aboutsummaryrefslogtreecommitdiffstats
path: root/test/security
diff options
context:
space:
mode:
Diffstat (limited to 'test/security')
-rw-r--r--test/security/k8s/src/check/cmd/check/check.go1
-rw-r--r--test/security/k8s/src/check/validators/master/api.go7
-rw-r--r--test/security/k8s/src/check/validators/master/api_test.go13
3 files changed, 19 insertions, 2 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index f348cd01a..0447d5bb0 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -65,6 +65,7 @@ func main() {
log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+ log.Printf("IsNodeAuthorizationModeIncluded: %t\n", master.IsNodeAuthorizationModeIncluded(k8sParams))
log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ea0d9ece9..bc25d9922 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -262,12 +262,17 @@ func hasFlagArgumentIncluded(flag string, argument string, params []string) bool
return false
}
-// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from admission control plugins.
+// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from authorization modes.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
return isSingleFlagPresent("--authorization-mode=", params) &&
!hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
}
+// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes.
+func IsNodeAuthorizationModeIncluded(params []string) bool {
+ return hasFlagArgumentIncluded("--authorization-mode=", "Node", params)
+}
+
// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
func IsAuditLogPathSet(params []string) bool {
return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index c0906bb74..35860c6b1 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -23,7 +23,7 @@ var _ = Describe("Api", func() {
"PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
"PodSecurityPolicy,NodeRestriction,EventRateLimit",
- "--authorization-mode=RBAC",
+ "--authorization-mode=Node,RBAC",
"--audit-log-path=/var/log/apiserver/audit.log",
"--audit-log-maxage=30",
"--audit-log-maxbackup=10",
@@ -478,6 +478,17 @@ var _ = Describe("Api", func() {
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("Node authorization mode",
+ func(params []string, expected bool) {
+ Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected))
+ },
+ Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
+ Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
+ Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
+ )
})
Describe("Flags requiring strict equality", func() {