From 65028666004a61afa0b7ea054da4744f3a2e298d Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Mon, 3 Jun 2019 17:03:42 +0200
Subject: k8s: Validate API server address and port flags
This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.6 and 1.1.7).
Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek
---
test/security/k8s/src/check/cmd/check/check.go | 3 ++
.../k8s/src/check/validators/master/api.go | 36 ++++++++++++++++++++--
2 files changed, 37 insertions(+), 2 deletions(-)
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index fd4c2aff9..81e96e66f 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -25,4 +25,7 @@ func main() {
log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
+
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
+ log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams))
}
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index bf275c1ca..ac84d8f1c 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -6,7 +6,9 @@ import (
)
const (
- disabledPort = 0
+ portDisabled = 0
+ portLowest = 1
+ portHighest = 65536
)
// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool {
// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
func IsInsecurePortUnbound(params []string) bool {
- return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+ return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
}
// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
@@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) {
ret := strings.SplitN(s, sep, 2)
return ret[0], ret[1]
}
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+ return isFlagAbsent("--insecure-bind-address=", params) ||
+ hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
+}
+
+// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
+func IsSecurePortAbsentOrValid(params []string) bool {
+ return isFlagAbsent("--secure-port=", params) ||
+ hasFlagValidPort("--secure-port=", params)
+}
+
+// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
+func hasFlagValidPort(flag string, params []string) bool {
+ found := filterFlags(params, flag)
+ if len(found) != 1 {
+ return false
+ }
+
+ _, value := splitKV(found[0], "=")
+ port, err := strconv.Atoi(value) // what about empty parameter?
+ if err != nil {
+ return false
+ }
+ if port < portLowest || port > portHighest {
+ return false
+ }
+ return true
+}
--
cgit 1.2.3-korg