From 744f732b177c2449ab3ac2ee0ed8fa316122f393 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 27 Sep 2019 16:26:39 +0200
Subject: k8s: Validate scheduler flags
Issue-ID: SECCOM-235
Change-Id: I61df142e99a7f1da335471acab88e5a47d72df15
Signed-off-by: Pawel Wieczorek
---
 test/security/k8s/src/check/cmd/check/check.go | 3 +-
 .../k8s/src/check/validators/master/master.go | 8 +++
 .../check/validators/master/scheduler/scheduler.go | 17 ++++++
 .../master/scheduler/scheduler_suite_test.go | 13 +++++
 .../validators/master/scheduler/scheduler_test.go | 61 ++++++++++++++++++++++
 5 files changed, 101 insertions(+), 1 deletion(-)
 create mode 100644 test/security/k8s/src/check/validators/master/scheduler/scheduler.go
 create mode 100644 test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
 create mode 100644 test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index e60912801..2d25100f3 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -43,8 +43,9 @@ func main() {
 }
 master.CheckAPI(apiParams)
- _, err = info.GetSchedulerParams()
+ schedulerParams, err := info.GetSchedulerParams()
 if err != nil {
 log.Fatal(err)
 }
+ master.CheckScheduler(schedulerParams)
 }
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
index ff3b79648..bc019a67a 100644
--- a/test/security/k8s/src/check/validators/master/master.go
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -4,6 +4,7 @@ import (
 "log"
 "check/validators/master/api"
+ "check/validators/master/scheduler"
 )
 // CheckAPI validates API server complies with CIS guideliness.
@@ -56,3 +57,10 @@ func CheckAPI(params []string) {
 log.Printf("IsStrongCryptoCipherInUse: %t\n", api.IsStrongCryptoCipherInUse(params))
 }
+
+// CheckScheduler validates scheduler complies with CIS guideliness.
+func CheckScheduler(params []string) {
+ log.Println("==> Scheduler:")
+ log.Printf("IsProfilingDisabled: %t\n", scheduler.IsProfilingDisabled(params))
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", scheduler.IsInsecureBindAddressAbsentOrLoopback(params))
+}
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler.go
new file mode 100644
index 000000000..14a0fa22e
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler.go
@@ -0,0 +1,17 @@
+package scheduler
+
+import (
+ "check/validators/master/args"
+ "check/validators/master/boolean"
+)
+
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+ return args.HasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+ return boolean.IsFlagAbsent("--address=", params) ||
+ args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
+}
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
new file mode 100644
index 000000000..8f8320808
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
@@ -0,0 +1,13 @@
+package scheduler_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+func TestScheduler(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Scheduler Suite")
+}
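Review bot: The doc comment on CheckScheduler carries the "guideliness" typo over from CheckAPI and does not say what the function actually does, which is log two booleans; suggest `// CheckScheduler logs whether the kube-scheduler flags in params satisfy the CIS benchmark checks for profiling and for the insecure bind address.` As with CheckAPI, the result is only written to the log and nothing is returned, so main() has no way to set a non-zero exit status when a check is false; if the tool is meant to be informational, saying so in the comment avoids the surprise, otherwise returning the aggregate result would let a pipeline gate on it. The enclosing CheckAPI function begins outside this hunk.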
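Review bot: IsInsecureBindAddressAbsentOrLoopback reports a missing `--address` flag as compliant, but to my knowledge the kube-scheduler default for `--address` is 0.0.0.0 (the CIS control exists because of that default), so an absent flag means the insecure port is listening on every interface and the check should return false. The fix is one line, `return args.HasSingleFlagArgument("--address=", "127.0.0.1", params)`, after which the name should drop the "AbsentOr" part since the function would no longer accept absence. The check also only looks at `--address=`; later scheduler versions deprecate it in favour of `--bind-address`, and `--port=0` disables the insecure endpoint altogether, so both configurations would be misreported — at minimum the doc comment should state that only the legacy `--address` flag is examined. The behaviour of args.HasSingleFlagArgument and boolean.IsFlagAbsent is not visible in this change, so whether the space-separated `--address 127.0.0.1` form is recognised cannot be confirmed here.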
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
new file mode 100644
index 000000000..4166a58d7
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
@@ -0,0 +1,61 @@
+package scheduler_test
+
+import (
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ . "check/validators/master/scheduler"
+)
+
+var _ = Describe("Scheduler", func() {
+ var (
+ // kubeSchedulerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeSchedulerCISCompliant = []string{
+ "--profiling=false",
+ }
+
+ // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeSchedulerCasablanca = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
+ "--address=0.0.0.0",
+ }
+
+ // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeSchedulerDublin = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
+ "--address=0.0.0.0",
+ "--profiling=false",
+ "--leader-elect=true",
+ "--v=2",
+ }
+ )
+
+ Describe("Boolean flag", func() {
+ DescribeTable("Profiling",
+ func(params []string, expected bool) {
+ Expect(IsProfilingDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
+ )
+ })
+
+ Describe("Address flag", func() {
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
+ Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+ )
+ })
+})
--
cgit 1.2.3-korg
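Review bot: The comment above kubeSchedulerDublin is a copy of the Casablanca one and names the wrong variable; it should read `// kubeSchedulerDublin was obtained from virtual environment for testing`. The "Bind address" table never passes an explicit `--address=127.0.0.1`, so the loopback branch of IsInsecureBindAddressAbsentOrLoopback is not exercised at all — add `Entry("Is set to loopback on CIS-compliant cluster", []string{"--address=127.0.0.1"}, true)`, and, if HasSingleFlagArgument rejects duplicates as its name suggests, a case like `[]string{"--address=127.0.0.1", "--address=0.0.0.0"}` expecting false. kubeSchedulerCISCompliant omits `--address` and is expected to pass, which bakes in the assumption that the scheduler's default bind address is loopback; that does not match the kube-scheduler default of 0.0.0.0 as I know it, so the vector should be confirmed against the actual binary before being treated as the CIS-compliant reference.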