aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/k8s/src/check/validators
AgeCommit message (Collapse)AuthorFilesLines
2019-09-19k8s: Validate API server certificates and keysPawel Wieczorek2-0/+74
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.22, 1.1.25 - 1.1.26 and 1.1.28). Issue-ID: SECCOM-235 Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server Certificate AuthoritiesPawel Wieczorek2-0/+51
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.21, 1.1.29 and 1.1.31). Issue-ID: SECCOM-235 Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server auditing flagsPawel Wieczorek2-0/+79
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.16 - 1.1.18). Issue-ID: SECCOM-235 Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server auditing is enabledPawel Wieczorek2-0/+31
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.15). Issue-ID: SECCOM-235 Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Group tests by flag typePawel Wieczorek1-53/+59
Issue-ID: SECCOM-235 Change-Id: I25ebd2930afec6eb259f0a678fffbf7727eb315b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server not excluded authorization modePawel Wieczorek2-0/+18
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00c9600fd0d351afb7141a5fa16f348eab67b12d Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server not excluded admission pluginsPawel Wieczorek2-0/+18
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.14). Issue-ID: SECCOM-235 Change-Id: I63c2f8a5b94bfd6c9963805aae85595e6b6ad6d7 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Validate API server included admission pluginsPawel Wieczorek2-1/+156
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.11 - 1.1.13, 1.1.24, 1.1.27, 1.1.33 and 1.1.36). Issue-ID: SECCOM-235 Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Validate API server excluded admission pluginsPawel Wieczorek2-0/+51
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.10). However, CIS Kubernetes Benchmark v1.3.0 mismatches official documentation: Kubernetes 1.10+ already provides safe defaults from security standpoint [1] (ONAP Casablanca uses 1.11). Deprecated admission control plugin flag has also been validated since it was still available in Kubernetes provided by Rancher [2]. [1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use [2] https://github.com/rancher/rancher/issues/15064 Issue-ID: SECCOM-235 Change-Id: I0e8fe9f885861f155cb8265df085fa93dbdff6d2 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add test cases for Dublin API serverPawel Wieczorek1-0/+56
Issue-ID: SECCOM-235 Change-Id: Ie6d43b9db767f191f883a2912916bc8abf9d3ad6 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Unify order of API server test casesPawel Wieczorek1-1/+1
So far CIS-compliant configuration has been validated first unless configuration used in ONAP release did not pass given benchmark. Issue-ID: SECCOM-235 Change-Id: Ibdb523ab7ab6b8285757719721f75aca57beeb82 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Add tests for API server validatorsPawel Wieczorek2-0/+173
This patch also adds convenience target to the Makefile and updates documentation on relevant dependencies. Issue-ID: SECCOM-235 Change-Id: I57e00af3cd4c60af3128e3094607cc61bc1e5dbe Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Relax kublet HTTPS connection requirementPawel Wieczorek1-5/+6
According to kube-apiserver documentation [1] and CIS guideline 1.1.4 option "--kubelet-https=" might be absent in API server configuration. It has secure configuration (being set to "true") by default. [1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ Issue-ID: SECCOM-235 Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Validate API server address and port flagsPawel Wieczorek1-2/+34
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.6 and 1.1.7). Issue-ID: SECCOM-235 Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Validate API server boolean flagsPawel Wieczorek1-0/+95
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8, 1.1.9, 1.1.20 and 1.1.23). Issue-ID: SECCOM-235 Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>