aboutsummaryrefslogtreecommitdiffstats
path: root/test/security/k8s/src
AgeCommit message (Collapse)AuthorFilesLines
2019-10-01k8s: Validate controller manager flags requiring specific valuesPawel Wieczorek3-1/+60
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.2 - 1.3.3 and 1.3.6). Issue-ID: SECCOM-235 Change-Id: I9c2921faf40ad9445e983f2b9bd0610e556cfe15 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-30k8s: Resolve Docker response formatting issuePawel Wieczorek2-0/+18
Checker collects information on cluster by Docker queries: $ docker ps ARGS... # Casablanca $ docker inspect ARGS... # Dublin Arrays of values are then filtered from those. They include: * opening bracket ('['), * closing bracket (']'), * new line. Additional characters affect check results if last flag (including "]\n") requires specific value. Issue-ID: SECCOM-235 Change-Id: I6838342b7e2ecdc44a47ffe02286266003e0b4d3 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Validate controller manager address flagPawel Wieczorek5-1/+98
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.3.7). Issue-ID: SECCOM-235 Change-Id: Id3f4bcb9a506dae3c7c0a884ad6c704dfae2a6d8 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Add controller manager information collectionPawel Wieczorek4-2/+27
Issue-ID: SECCOM-235 Change-Id: Ieceb6337f935e6a5a6b94248ccf072229116510a Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Validate scheduler flagsPawel Wieczorek5-1/+101
Issue-ID: SECCOM-235 Change-Id: I61df142e99a7f1da335471acab88e5a47d72df15 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Add scheduler information collectionPawel Wieczorek4-2/+27
Issue-ID: SECCOM-235 Change-Id: I7da645737440172d3cf11f33069daa2697f83056 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Extract common validators for DRY codePawel Wieczorek3-205/+232
Issue-ID: SECCOM-235 Change-Id: Ic5997b67d0512bea51c3b4a4c71805987fa6f011 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-27k8s: Extract common interface to simplify developmentPawel Wieczorek5-81/+142
Common command and service name extraction is intended to limit execution to small set of allowed processes. This patch also drops unnecessary use of "Kubernetes" name because this whole subproject concerns its clusters. Issue-ID: SECCOM-235 Change-Id: I8babfeb4f24cf3baa4d236ca622c21170ab6205e Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Change default cluster access method choice logicPawel Wieczorek1-1/+6
Previous way of choosing it led to impractical calls, e.g. $ ./check -rke # (works fine) $ ./check -ranchercli # "Not supported." $ ./check -ranchercli -rke=false # (works fine) Disabling default cluster access method is no longer necessary. Issue-ID: SECCOM-235 Change-Id: I2b4d5bff10c5470e567351abeac0431bed3b7938 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Declutter checker by dividing it into smaller packagesPawel Wieczorek5-52/+64
Issue-ID: SECCOM-235 Change-Id: I7d4efd08b8c0258f2f9c33772bf1b1b02cedebfa Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Call correct methods for API server auditing flags validationPawel Wieczorek1-3/+3
Issue-ID: SECCOM-235 Change-Id: Ia5d75628b1c5211f378c239f84e9689d45697a04 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Validate API server request timeoutPawel Wieczorek3-0/+39
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.38). Issue-ID: SECCOM-235 Change-Id: Ic1f175d577c79013ddb49e02b8de69137535c964 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Validate API server included authorization modePawel Wieczorek3-2/+19
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.32). It also fixes wrong documentation comment for similar validator (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00cb8a458871b091b16fe60fc0087b7972aa3b6b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-26k8s: Validate API server crypto ciphers in usePawel Wieczorek3-0/+31
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.30). It also covers its duplicate (1.1.39). Issue-ID: SECCOM-235 Change-Id: I0f3031c080cf225e7c2c03e65dd0bfc780326307 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server certificates and keysPawel Wieczorek3-0/+79
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.22, 1.1.25 - 1.1.26 and 1.1.28). Issue-ID: SECCOM-235 Change-Id: Ic61a796653dc868d20fe69c3ed508e7fa8ba52db Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server Certificate AuthoritiesPawel Wieczorek3-0/+55
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.21, 1.1.29 and 1.1.31). Issue-ID: SECCOM-235 Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server auditing flagsPawel Wieczorek3-0/+82
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.16 - 1.1.18). Issue-ID: SECCOM-235 Change-Id: I27b63e37fc3203cf3574b9e1cdc43333041f2a36 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server auditing is enabledPawel Wieczorek3-0/+33
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.15). Issue-ID: SECCOM-235 Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Group tests by flag typePawel Wieczorek1-53/+59
Issue-ID: SECCOM-235 Change-Id: I25ebd2930afec6eb259f0a678fffbf7727eb315b Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server not excluded authorization modePawel Wieczorek3-0/+20
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.19). Issue-ID: SECCOM-235 Change-Id: I00c9600fd0d351afb7141a5fa16f348eab67b12d Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-19k8s: Validate API server not excluded admission pluginsPawel Wieczorek3-0/+20
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.14). Issue-ID: SECCOM-235 Change-Id: I63c2f8a5b94bfd6c9963805aae85595e6b6ad6d7 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Validate API server included admission pluginsPawel Wieczorek3-1/+164
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.11 - 1.1.13, 1.1.24, 1.1.27, 1.1.33 and 1.1.36). Issue-ID: SECCOM-235 Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-09-17k8s: Validate API server excluded admission pluginsPawel Wieczorek3-0/+53
This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.10). However, CIS Kubernetes Benchmark v1.3.0 mismatches official documentation: Kubernetes 1.10+ already provides safe defaults from security standpoint [1] (ONAP Casablanca uses 1.11). Deprecated admission control plugin flag has also been validated since it was still available in Kubernetes provided by Rancher [2]. [1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use [2] https://github.com/rancher/rancher/issues/15064 Issue-ID: SECCOM-235 Change-Id: I0e8fe9f885861f155cb8265df085fa93dbdff6d2 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add support for RKE-deployed clustersPawel Wieczorek3-1/+232
RKE is used as a Kubernetes cluster deployment method from ONAP Dublin release. RKE cluster definition is used to get access to necessary information. Issue-ID: SECCOM-235 Change-Id: I588598011ea746b5f7ba327a48f1cea605e56d31 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Add test cases for Dublin API serverPawel Wieczorek1-0/+56
Issue-ID: SECCOM-235 Change-Id: Ie6d43b9db767f191f883a2912916bc8abf9d3ad6 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-08-07k8s: Unify order of API server test casesPawel Wieczorek1-1/+1
So far CIS-compliant configuration has been validated first unless configuration used in ONAP release did not pass given benchmark. Issue-ID: SECCOM-235 Change-Id: Ibdb523ab7ab6b8285757719721f75aca57beeb82 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Add tests for API server validatorsPawel Wieczorek2-0/+173
This patch also adds convenience target to the Makefile and updates documentation on relevant dependencies. Issue-ID: SECCOM-235 Change-Id: I57e00af3cd4c60af3128e3094607cc61bc1e5dbe Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Relax kublet HTTPS connection requirementPawel Wieczorek2-6/+7
According to kube-apiserver documentation [1] and CIS guideline 1.1.4 option "--kubelet-https=" might be absent in API server configuration. It has secure configuration (being set to "true") by default. [1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/ Issue-ID: SECCOM-235 Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Validate API server address and port flagsPawel Wieczorek2-2/+37
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.6 and 1.1.7). Issue-ID: SECCOM-235 Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-07-08k8s: Validate API server boolean flagsPawel Wieczorek2-1/+107
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8, 1.1.9, 1.1.20 and 1.1.23). Issue-ID: SECCOM-235 Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-06-24k8s: Obtain relevant information from RancherPawel Wieczorek2-0/+95
This patch introduces Rancher queries using its CLI client. It depends on having utility binary located in PATH and providing configuration file prior first use. Issue-ID: SECCOM-235 Change-Id: Idb011e27b4801c5700b4482656463849736298da Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
2019-06-20k8s: Add basic structure for validation toolPawel Wieczorek1-0/+9
This patch introduces CLI utility for checking if Kubernetes cluster follows security recommendations. Provided Makefile simplifies setup process by setting appropriate environment variables for the build. Further information can be found in README. Provided symlink allows proper document rendering on VCS hosting site. Issue-ID: SECCOM-235 Change-Id: I4a1337c9834322ee4fd742a9ccb979b9bc505f75 Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>