From d52717dc912d26b4dc17ae1563ab994a919f8152 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Mon, 30 Sep 2019 15:27:43 +0200
Subject: k8s: Validate controller manager flags requiring specific values

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.2 - 1.3.3 and 1.3.6).

Issue-ID: SECCOM-235
Change-Id: I9c2921faf40ad9445e983f2b9bd0610e556cfe15
Signed-off-by: Pawel Wieczorek
---
 .../master/controllermanager/controllermanager.go | 15 ++++++++
 .../controllermanager/controllermanager_test.go | 43 +++++++++++++++++++++-
 .../k8s/src/check/validators/master/master.go | 3 ++
 3 files changed, 60 insertions(+), 1 deletion(-)

diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
index 85ab28564..f1dd0fe49 100644
--- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
@@ -5,6 +5,21 @@ import (
 	"check/validators/master/boolean"
 )
 
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+	return args.HasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsUseServiceAccountCredentialsEnabled validates there is single "--use-service-account-credentials" flag and it is set to "true".
+func IsUseServiceAccountCredentialsEnabled(params []string) bool {
+	return args.HasSingleFlagArgument("--use-service-account-credentials=", "true", params)
+}
+
+// IsRotateKubeletServerCertificateIncluded validates RotateKubeletServerCertificate=true is included.
+func IsRotateKubeletServerCertificateIncluded(params []string) bool {
+	return args.HasFlagArgumentIncluded("--feature-gates=", "RotateKubeletServerCertificate=true", params)
+}
+
 // IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
 func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
 	return boolean.IsFlagAbsent("--address=", params) ||
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
index d417b7d9f..7fd8b5d53 100644
--- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
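Review bot: The three new doc comments do not say which CIS control each validator implements, although the commit message ties them to v1.3.0 sections 1.3.2, 1.3.3 and 1.3.6; I would record that on each function, e.g. `// IsProfilingDisabled validates there is a single "--profiling" flag and it is set to "false" (CIS 1.3.2).`, and likewise `(CIS 1.3.3)` and `(CIS 1.3.6)` on the other two, so a failing log line can be mapped back to the benchmark. The comment on IsRotateKubeletServerCertificateIncluded should also name the flag it inspects, `--feature-gates`, as the other two do. One caveat worth a comment rather than a code change: the helper is called with the `--feature-gates=` prefix, and `--feature-gates` is not a boolean flag, so if HasFlagArgumentIncluded matches on that prefix (its body is not in this patch) a cluster started with the space-separated form `--feature-gates RotateKubeletServerCertificate=true` would be reported as non-compliant; that fails closed, but the limitation is worth noting next to the call.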
@@ -12,7 +12,11 @@ import (
 var _ = Describe("Controllermanager", func() {
 	var (
 		// kubeControllerManagerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
-		kubeControllerManagerCISCompliant = []string{}
+		kubeControllerManagerCISCompliant = []string{
+			"--profiling=false",
+			"--use-service-account-credentials=true",
+			"--feature-gates=RotateKubeletServerCertificate=true",
+		}
 
 		// kubeControllerManagerCasablanca was obtained from virtual environment for testing
 		// (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
@@ -50,6 +54,30 @@ var _ = Describe("Controllermanager", func() {
 	}
 	)
 
+	Describe("Boolean flags", func() {
+		DescribeTable("Profiling",
+			func(params []string, expected bool) {
+				Expect(IsProfilingDisabled(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+			Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
+			Entry("Should be set to false on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+			Entry("Should be set to false on Dublin cluster", kubeControllerManagerDublin, true),
+		)
+
+		DescribeTable("Service account credentials use",
+			func(params []string, expected bool) {
+				Expect(IsUseServiceAccountCredentialsEnabled(params)).To(Equal(expected))
+			},
+			Entry("Is not set on insecure cluster", []string{}, false),
+			Entry("Is explicitly disabled on insecure cluster", []string{"--use-service-account-credentials=false"}, false),
+			Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
+			Entry("Should be set to true on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+			Entry("Should be set to true on Dublin cluster", kubeControllerManagerDublin, true),
+		)
+	})
+
 	Describe("Address flag", func() {
 		DescribeTable("Bind address",
 			func(params []string, expected bool) {
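Review bot: Neither new table in the second hunk exercises the "single flag" part of the contract that the validators' doc comments promise, so a regression in HasSingleFlagArgument that let a duplicated flag pass would go unnoticed here; a duplicated flag is exactly the case an operator would produce by appending `--profiling=false` to a command line that already says `--profiling=true`. I would add one entry per table, e.g. `Entry("Is set more than once on insecure cluster", []string{"--profiling=false", "--profiling=true"}, false),` and `Entry("Is set more than once on insecure cluster", []string{"--use-service-account-credentials=true", "--use-service-account-credentials=false"}, false),`. The enclosing Describe block starts before the first hunk and continues past the end of this one.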
@@ -61,4 +89,17 @@ var _ = Describe("Controllermanager", func() {
 			Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
 		)
 	})
+
+	Describe("Argument list flags", func() {
+		DescribeTable("RotateKubeletServerCertificate",
+			func(params []string, expected bool) {
+				Expect(IsRotateKubeletServerCertificateIncluded(params)).To(Equal(expected))
+			},
+			Entry("Is not enabled on insecure cluster", []string{"--feature-gates=Foo=Bar,Baz=Quuz"}, false),
+			Entry("Is explicitly disabled on insecure cluster", []string{"--feature-gates=Foo=Bar,RotateKubeletServerCertificate=false,Baz=Quuz"}, false),
+			Entry("Is not enabled on Casablanca cluster", kubeControllerManagerCasablanca, false),
+			Entry("Is not enabled on Dublin cluster", kubeControllerManagerDublin, false),
+			Entry("Should be enabled on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+		)
+	})
 })
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
index 79d6612a6..0f668f614 100644
--- a/test/security/k8s/src/check/validators/master/master.go
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -69,5 +69,8 @@ func CheckScheduler(params []string) {
 // CheckControllerManager validates controller manager complies with CIS guideliness.
 func CheckControllerManager(params []string) {
 	log.Println("==> Controller Manager:")
+	log.Printf("IsProfilingDisabled: %t\n", controllermanager.IsProfilingDisabled(params))
+	log.Printf("IsUseServiceAccountCredentialsEnabled: %t\n", controllermanager.IsUseServiceAccountCredentialsEnabled(params))
+	log.Printf("IsRotateKubeletServerCertificateIncluded: %t\n", controllermanager.IsRotateKubeletServerCertificateIncluded(params))
 	log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", controllermanager.IsInsecureBindAddressAbsentOrLoopback(params))
 }
-- 
cgit 1.2.3-korg
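Review bot: The RotateKubeletServerCertificate table pins no behaviour for the case where the gate is listed twice with conflicting values in one `--feature-gates` argument, or where `--feature-gates` itself is repeated, and the name HasFlagArgumentIncluded does not settle either; a later `RotateKubeletServerCertificate=false` is what an operator would reasonably expect to win. I would add entries such as `Entry("Is enabled and later disabled on insecure cluster", []string{"--feature-gates=RotateKubeletServerCertificate=true,RotateKubeletServerCertificate=false"}, false),` and one with the flag given twice, with the expected values set to whatever the helper is meant to implement, so that semantics is recorded in the suite rather than left to the helper's current behaviour. The enclosing Describe block starts before this hunk.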