From efd65f9839f7379b590452ed31ab8605102904c3 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Tue, 17 Sep 2019 15:47:24 +0200
Subject: k8s: Validate API server included admission plugins

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.1.11 - 1.1.13, 1.1.24, 1.1.27, 1.1.33 and 1.1.36).

Issue-ID: SECCOM-235
Change-Id: I920bfd42014b8458126be251648f5bf3dcd84c16
Signed-off-by: Pawel Wieczorek
---
 .../k8s/src/check/validators/master/api.go | 77 ++++++++++++++++++++++
 1 file changed, 77 insertions(+)

(limited to 'test/security/k8s/src/check/validators/master/api.go')

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index 58064ef10..0bed71189 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -138,6 +138,83 @@ func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
 return false
 }
 
+// IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is included in admission control plugins.
+func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysPullImages", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "AlwaysPullImages", params)
+ }
+ return false
+}
+
+// IsDenyEscalatingExecAdmissionControlPluginIncluded validates DenyEscalatingExec is included in admission control plugins.
+func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "DenyEscalatingExec", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "DenyEscalatingExec", params)
+ }
+ return false
+}
+
+// IsSecurityContextDenyAdmissionControlPluginIncluded validates SecurityContextDeny is included in admission control plugins.
+func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "SecurityContextDeny", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "SecurityContextDeny", params)
+ }
+ return false
+}
+
+// IsPodSecurityPolicyAdmissionControlPluginIncluded validates PodSecurityPolicy is included in admission control plugins.
+func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "PodSecurityPolicy", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "PodSecurityPolicy", params)
+ }
+ return false
+}
+
+// IsServiceAccountAdmissionControlPluginIncluded validates ServiceAccount is included in admission control plugins.
+func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "ServiceAccount", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "ServiceAccount", params)
+ }
+ return false
+}
+
+// IsNodeRestrictionAdmissionControlPluginIncluded validates NodeRestriction is included in admission control plugins.
+func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "NodeRestriction", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "NodeRestriction", params)
+ }
+ return false
+}
+
+// IsEventRateLimitAdmissionControlPluginIncluded validates EventRateLimit is included in admission control plugins.
+func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
+ if isSingleFlagPresent("--enable-admission-plugins=", params) {
+ return hasFlagArgumentIncluded("--enable-admission-plugins=", "EventRateLimit", params)
+ }
+ if isSingleFlagPresent("--admission-control=", params) {
+ return hasFlagArgumentIncluded("--admission-control=", "EventRateLimit", params)
+ }
+ return false
+}
+
 // isSingleFlagPresent checks presence of selected flag and whether it was used once.
 func isSingleFlagPresent(flag string, params []string) bool {
 found := filterFlags(params, flag)
-- 
cgit 1.2.3-korg
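Review bot: The seven added functions, from IsAlwaysPullImagesAdmissionControlPluginIncluded through IsEventRateLimitAdmissionControlPluginIncluded, are identical apart from the plugin name, so the flag-selection rule (prefer `--enable-admission-plugins=`, fall back to the deprecated `--admission-control=`, otherwise false) is copied seven times and any later correction — for instance also consulting `--disable-admission-plugins=` before reporting a plugin as enabled — would have to be made in seven places. Factor the rule into one unexported helper that takes the plugin name and keep the exported names as one-line wrappers, as sketched below. Returning false when neither flag is present is the conservative outcome for an "included" check, but it will also report plugins that kube-apiserver enables by default as missing; that is presumably intended for a CIS audit, and a sentence in each doc comment such as `// Returns false when neither admission flag is set, even if the plugin is enabled by default.` would make it explicit. The isSingleFlagPresent definition at the end of the hunk continues outside it.

```go
// isAdmissionControlPluginIncluded reports whether plugin is listed in the
// admission plugins enabled by params. --enable-admission-plugins= takes
// precedence; the deprecated --admission-control= is consulted only when the
// former is absent. Returns false when neither flag is set.
func isAdmissionControlPluginIncluded(plugin string, params []string) bool {
	if isSingleFlagPresent("--enable-admission-plugins=", params) {
		return hasFlagArgumentIncluded("--enable-admission-plugins=", plugin, params)
	}
	if isSingleFlagPresent("--admission-control=", params) {
		return hasFlagArgumentIncluded("--admission-control=", plugin, params)
	}
	return false
}

// IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is included in admission control plugins.
func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
	return isAdmissionControlPluginIncluded("AlwaysPullImages", params)
}

// … unchanged in shape: the remaining six exported wrappers delegate the same way with their plugin name …
```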