From 65028666004a61afa0b7ea054da4744f3a2e298d Mon Sep 17 00:00:00 2001 From: Pawel Wieczorek Date: Mon, 3 Jun 2019 17:03:42 +0200 Subject: k8s: Validate API server address and port flags This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.6 and 1.1.7). Issue-ID: SECCOM-235 Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e Signed-off-by: Pawel Wieczorek --- test/security/k8s/src/check/cmd/check/check.go | 3 ++ .../k8s/src/check/validators/master/api.go | 36 ++++++++++++++++++++-- 2 files changed, 37 insertions(+), 2 deletions(-) diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index fd4c2aff9..81e96e66f 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -25,4 +25,7 @@ func main() { log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams)) log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams)) log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams)) + + log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams)) + log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index bf275c1ca..ac84d8f1c 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -6,7 +6,9 @@ import ( ) const ( - disabledPort = 0 + portDisabled = 0 + portLowest = 1 + portHighest = 65536 ) // IsBasicAuthFileAbsent validates there is no basic authentication file specified. @@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool { // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled). func IsInsecurePortUnbound(params []string) bool { - return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params) + return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params) } // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false". @@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) { ret := strings.SplitN(s, sep, 2) return ret[0], ret[1] } + +// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address. +func IsInsecureBindAddressAbsentOrLoopback(params []string) bool { + return isFlagAbsent("--insecure-bind-address=", params) || + hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params) +} + +// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value. +func IsSecurePortAbsentOrValid(params []string) bool { + return isFlagAbsent("--secure-port=", params) || + hasFlagValidPort("--secure-port=", params) +} + +// hasFlagValidPort checks whether selected flag has valid port as an argument in given command. +func hasFlagValidPort(flag string, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + port, err := strconv.Atoi(value) // what about empty parameter? + if err != nil { + return false + } + if port < portLowest || port > portHighest { + return false + } + return true +} -- cgit 1.2.3-korg