From bd12bfbc6fbe4ecfc2152467ea6785c9e5163763 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 27 Sep 2019 19:00:46 +0200
Subject: k8s: Validate controller manager address flag

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.3.7).

Issue-ID: SECCOM-235
Change-Id: Id3f4bcb9a506dae3c7c0a884ad6c704dfae2a6d8
Signed-off-by: Pawel Wieczorek
---
 test/security/k8s/src/check/cmd/check/check.go | 3 +-
 .../master/controllermanager/controllermanager.go | 12 ++++
 .../controllermanager_suite_test.go | 13 +++++
 .../controllermanager/controllermanager_test.go | 64 ++++++++++++++++++++++
 .../k8s/src/check/validators/master/master.go | 7 +++
 5 files changed, 98 insertions(+), 1 deletion(-)
 create mode 100644 test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
 create mode 100644 test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go
 create mode 100644 test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index dd089b107..d7176170a 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -49,8 +49,9 @@ func main() {
 }
 master.CheckScheduler(schedulerParams)
 
- _, err = info.GetControllerManagerParams()
+ controllerManagerParams, err := info.GetControllerManagerParams()
 if err != nil {
 log.Fatal(err)
 }
+ master.CheckControllerManager(controllerManagerParams)
 }
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
new file mode 100644
index 000000000..85ab28564
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
@@ -0,0 +1,12 @@
+package controllermanager
+
+import (
+ "check/validators/master/args"
+ "check/validators/master/boolean"
+)
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+ return boolean.IsFlagAbsent("--address=", params) ||
+ args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
+}
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go
new file mode 100644
index 000000000..c5b9a027c
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go
@@ -0,0 +1,13 @@
+package controllermanager_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+func TestControllermanager(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Controllermanager Suite")
+}
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
new file mode 100644
index 000000000..d417b7d9f
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
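Review bot: The boolean.IsFlagAbsent branch of IsInsecureBindAddressAbsentOrLoopback treats a missing `--address` flag as compliant, yet CIS 1.3.7 asks for the argument to be set to 127.0.0.1, and as far as I recall kube-controller-manager's upstream default for `--address` is 0.0.0.0, so an unset flag would still leave the insecure port listening on all interfaces. Either drop the absent branch or document why the empty fixture is accepted as compliant, since the result is otherwise a false pass. The doc comment also promises more than the code checks: only the literal `127.0.0.1` is accepted, so `localhost` or `::1` are reported as non-compliant; suggest `// IsInsecureBindAddressAbsentOrLoopback reports whether --address is absent or set exactly to 127.0.0.1 (CIS 1.3.7); other loopback spellings are treated as non-compliant.`. How a repeated `--address` flag is handled depends on args.HasSingleFlagArgument, which is outside this patch.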
@@ -0,0 +1,64 @@
+package controllermanager_test
+
+import (
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ . "check/validators/master/controllermanager"
+)
+
+var _ = Describe("Controllermanager", func() {
+ var (
+ // kubeControllerManagerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeControllerManagerCISCompliant = []string{}
+
+ // kubeControllerManagerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeControllerManagerCasablanca = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
+ "--address=0.0.0.0",
+ "--root-ca-file=/etc/kubernetes/ssl/ca.pem",
+ "--service-account-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--allow-untagged-cloud",
+ "--cloud-provider=rancher",
+ "--horizontal-pod-autoscaler-use-rest-clients=false",
+ }
+
+ // kubeControllerManagerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeControllerManagerDublin = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml",
+ "--address=0.0.0.0",
+ "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
+ "--service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--terminated-pod-gc-threshold=1000",
+ "--profiling=false",
+ "--use-service-account-credentials=true",
+ "--node-monitor-grace-period=40s",
+ "--cloud-provider=",
+ "--service-cluster-ip-range=10.43.0.0/16",
+ "--configure-cloud-routes=false",
+ "--enable-hostpath-provisioner=false",
+ "--cluster-cidr=10.42.0.0/16",
+ "--allow-untagged-cloud=true",
+ "--pod-eviction-timeout=5m0s",
+ "--allocate-node-cidrs=true",
+ "--leader-elect=true",
+ "--v=2",
+ }
+ )
+
+ Describe("Address flag", func() {
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeControllerManagerCasablanca, false),
+ Entry("Is not absent nor set to loopback on Dublin cluster", kubeControllerManagerDublin, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ )
+ })
+})
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
index bc019a67a..79d6612a6 100644
--- a/test/security/k8s/src/check/validators/master/master.go
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -4,6 +4,7 @@ import (
 "log"
 
 "check/validators/master/api"
+ "check/validators/master/controllermanager"
 "check/validators/master/scheduler"
 )
 
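Review bot: The comment above kubeControllerManagerDublin still reads `// kubeControllerManagerCasablanca was obtained from virtual environment for testing`, a copy-paste leftover that should name kubeControllerManagerDublin so the two fixtures are not confused. The table also never exercises the loopback branch: every entry is either an absent flag or a non-loopback address, so a regression in the `127.0.0.1` comparison would pass unnoticed; add `Entry("Is set to loopback on hardened cluster", []string{"--address=127.0.0.1"}, true),` next to the existing entries. An entry with the flag given twice, such as `[]string{"--address=127.0.0.1", "--address=0.0.0.0"}`, would likewise pin whatever behaviour args.HasSingleFlagArgument is meant to have for repeated flags.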
@@ -64,3 +65,9 @@ func CheckScheduler(params []string) {
 log.Printf("IsProfilingDisabled: %t\n", scheduler.IsProfilingDisabled(params))
 log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", scheduler.IsInsecureBindAddressAbsentOrLoopback(params))
 }
+
+// CheckControllerManager validates controller manager complies with CIS guideliness.
+func CheckControllerManager(params []string) {
+ log.Println("==> Controller Manager:")
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", controllermanager.IsInsecureBindAddressAbsentOrLoopback(params))
+}
--
cgit 1.2.3-korg
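Review bot: The doc comment on CheckControllerManager misspells its last word, `guideliness`; suggest `// CheckControllerManager validates controller manager complies with CIS guidelines.`. Like CheckScheduler, the function only logs the boolean and returns nothing, so judging from the check.go hunk the caller apparently cannot tell a failed control from a passed one without parsing log output; returning the result (or collecting it into an exit status in cmd/check) would let the tool serve as a gate, though that applies equally to the existing validators and may be deliberate.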