diff options
Diffstat (limited to 'test/security')
-rw-r--r-- | test/security/k8s/src/check/cmd/check/check.go | 1 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api.go | 7 | ||||
-rw-r--r-- | test/security/k8s/src/check/validators/master/api_test.go | 13 |
3 files changed, 19 insertions, 2 deletions
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index f348cd01a..0447d5bb0 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -65,6 +65,7 @@ func main() { log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams)) log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams)) + log.Printf("IsNodeAuthorizationModeIncluded: %t\n", master.IsNodeAuthorizationModeIncluded(k8sParams)) log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams)) log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams)) diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index ea0d9ece9..bc25d9922 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -262,12 +262,17 @@ func hasFlagArgumentIncluded(flag string, argument string, params []string) bool return false } -// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from admission control plugins. +// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from authorization modes. func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool { return isSingleFlagPresent("--authorization-mode=", params) && !hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params) } +// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes. +func IsNodeAuthorizationModeIncluded(params []string) bool { + return hasFlagArgumentIncluded("--authorization-mode=", "Node", params) +} + // IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument. func IsAuditLogPathSet(params []string) bool { return hasSingleFlagNonemptyArgument("--audit-log-path=", params) diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index c0906bb74..35860c6b1 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -23,7 +23,7 @@ var _ = Describe("Api", func() { "PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," + "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," + "PodSecurityPolicy,NodeRestriction,EventRateLimit", - "--authorization-mode=RBAC", + "--authorization-mode=Node,RBAC", "--audit-log-path=/var/log/apiserver/audit.log", "--audit-log-maxage=30", "--audit-log-maxbackup=10", @@ -478,6 +478,17 @@ var _ = Describe("Api", func() { Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) + + DescribeTable("Node authorization mode", + func(params []string, expected bool) { + Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected)) + }, + Entry("Is not explicitly enabled on insecure cluster", []string{}, false), + Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false), + Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should present on Dublin cluster", kubeApiServerDublin, true), + ) }) Describe("Flags requiring strict equality", func() { |