From 944993869240ba58beab8958a61dacf927706a68 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek <p.wieczorek2@samsung.com>
Date: Fri, 20 Sep 2019 11:42:58 +0200
Subject: k8s: Validate API server crypto ciphers in use

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.30).

It also covers its duplicate (1.1.39).

Issue-ID: SECCOM-235
Change-Id: I0f3031c080cf225e7c2c03e65dd0bfc780326307
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
---
 test/security/k8s/src/check/cmd/check/check.go        |  2 ++
 test/security/k8s/src/check/validators/master/api.go  | 10 ++++++++++
 .../k8s/src/check/validators/master/api_test.go       | 19 +++++++++++++++++++
 3 files changed, 31 insertions(+)

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index 028843734..f348cd01a 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -79,4 +79,6 @@ func main() {
 	log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", master.IsKubeletClientCertificateAndKeySet(k8sParams))
 	log.Printf("IsEtcdCertificateAndKeySet: %t\n", master.IsEtcdCertificateAndKeySet(k8sParams))
 	log.Printf("IsTLSCertificateAndKeySet: %t\n", master.IsTLSCertificateAndKeySet(k8sParams))
+
+	log.Printf("IsStrongCryptoCipherInUse: %t\n", master.IsStrongCryptoCipherInUse(k8sParams))
 }
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 95a02d17d..ea0d9ece9 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -13,6 +13,11 @@ const (
 	auditLogAge     = 30
 	auditLogBackups = 10
 	auditLogSize    = 100
+
+	strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
+		"_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
+		"_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
+		"_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -64,6 +69,11 @@ func IsServiceAccountLookupEnabled(params []string) bool {
 	return hasSingleFlagArgument("--service-account-lookup=", "true", params)
 }
 
+// IsStrongCryptoCipherInUse validates there is single "--tls-cipher-suites=" flag and it is set to strong crypto ciphers.
+func IsStrongCryptoCipherInUse(params []string) bool {
+	return hasSingleFlagArgument("--tls-cipher-suites=", strongCryptoCiphers, params)
+}
+
 // hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
 func hasSingleFlagArgument(flag string, argument string, params []string) bool {
 	found := filterFlags(params, flag)
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index f9eb943b3..c0906bb74 100644
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -38,6 +38,11 @@ var _ = Describe("Api", func() {
 			"--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
 			"--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
 			"--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+			"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+				"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+				"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," +
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384," +
+				"TLS_RSA_WITH_AES_128_GCM_SHA256",
 		}
 
 		// kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -474,4 +479,18 @@ var _ = Describe("Api", func() {
 			Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
 		)
 	})
+
+	Describe("Flags requiring strict equality", func() {
+		DescribeTable("Strong Cryptographic Ciphers",
+			func(params []string, expected bool) {
+				Expect(IsStrongCryptoCipherInUse(params)).To(Equal(expected))
+			},
+			Entry("Is absent on insecure cluster", []string{}, false),
+			Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
+			Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
+			Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
+			Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
+			Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+		)
+	})
 })
-- 
cgit 1.2.3-korg