From 4dbeacb893fce6c6c6dad99cd691362fda48ec91 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Wed, 25 Sep 2019 16:37:24 +0200
Subject: k8s: Validate API server included authorization mode

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.32). It also fixes wrong documentation comment for similar validator (1.1.19).

Issue-ID: SECCOM-235
Change-Id: I00cb8a458871b091b16fe60fc0087b7972aa3b6b
Signed-off-by: Pawel Wieczorek
---
 test/security/k8s/src/check/cmd/check/check.go | 1 +
 test/security/k8s/src/check/validators/master/api.go | 7 ++++++-
 test/security/k8s/src/check/validators/master/api_test.go | 13 ++++++++++++-
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index f348cd01a..0447d5bb0 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -65,6 +65,7 @@ func main() {
 	log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
 	log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
+	log.Printf("IsNodeAuthorizationModeIncluded: %t\n", master.IsNodeAuthorizationModeIncluded(k8sParams))
 	log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams))
 	log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ea0d9ece9..bc25d9922 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
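Review bot: The context line directly below the added call labels its output `IsAuditLogMaxAgeValid` but evaluates `master.IsAuditLogPathSet(k8sParams)`, so that log entry reports the audit-log-path result under the max-age name. This predates the patch, but the change already edits this run of log.Printf calls, so it is the natural place to correct it by calling the matching validator from the master package; I cannot see from this hunk whether one named IsAuditLogMaxAgeValid exists, so confirm the name before changing the call. The new line itself follows the surrounding pattern. main's body continues outside the hunk.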
@@ -262,12 +262,17 @@ func hasFlagArgumentIncluded(flag string, argument string, params []string) bool
 	return false
 }
-// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from admission control plugins.
+// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from authorization modes.
 func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
 	return isSingleFlagPresent("--authorization-mode=", params) && !hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
 }
+// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes.
+func IsNodeAuthorizationModeIncluded(params []string) bool {
+	return hasFlagArgumentIncluded("--authorization-mode=", "Node", params)
+}
+
 // IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
 func IsAuditLogPathSet(params []string) bool {
 	return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index c0906bb74..35860c6b1 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -23,7 +23,7 @@ var _ = Describe("Api", func() {
 		"PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
 		"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
 		"PodSecurityPolicy,NodeRestriction,EventRateLimit",
-	"--authorization-mode=RBAC",
+	"--authorization-mode=Node,RBAC",
 	"--audit-log-path=/var/log/apiserver/audit.log",
 	"--audit-log-maxage=30",
 	"--audit-log-maxbackup=10",
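Review bot: IsNodeAuthorizationModeIncluded in the api.go hunk checks only `hasFlagArgumentIncluded`, whereas its sibling IsAlwaysAllowAuthorizationModeExcluded a few lines above first requires `isSingleFlagPresent("--authorization-mode=", params)`. Without that guard a params list carrying `--authorization-mode=` more than once, one occurrence with Node and another without, can still be reported as compliant; how the API server resolves a repeated flag is outside what this validator can observe, and I cannot see from the hunk how hasFlagArgumentIncluded treats repeats, so requiring exactly one occurrence as the sibling does is the safer contract. For consistency and to close that gap, `return isSingleFlagPresent("--authorization-mode=", params) && hasFlagArgumentIncluded("--authorization-mode=", "Node", params)`. The doc comment could also name the benchmark item the commit message cites, e.g. `// IsNodeAuthorizationModeIncluded validates Node is included in authorization modes (CIS 1.1.32).`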
@@ -478,6 +478,17 @@ var _ = Describe("Api", func() {
 			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
 			Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 		)
+
+		DescribeTable("Node authorization mode",
+			func(params []string, expected bool) {
+				Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected))
+			},
+			Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
+			Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
+			Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+			Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
+		)
 	})
 	Describe("Flags requiring strict equality", func() {
-- 
cgit 1.2.3-korg
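Review bot: The new table in the api_test.go hunk has no entry for a repeated `--authorization-mode=` flag, which is the one input where IsNodeAuthorizationModeIncluded and the single-flag-guarded IsAlwaysAllowAuthorizationModeExcluded can disagree; an entry with a constructed params list such as `[]string{"--authorization-mode=Node,RBAC", "--authorization-mode=RBAC"}` would pin the intended result once the validator's contract for repeats is decided. The two positive entries read "Should present" while the neighbouring table uses "Should be absent"; `Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true)` and `Entry("Should be present on Dublin cluster", kubeApiServerDublin, true)` keep the wording parallel. The enclosing Describe("Api") block starts and ends outside the hunk.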