From 2e956f6332428d91afd683884de7dcf43aec5988 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Thu, 23 Jan 2020 12:13:44 +0100
Subject: k8s: Drop support for Casablanca
Casablanca release reached End of Life (EOL) stage on July 8th 2019 [1].
This patch also fixes comments for test fixtures.
This whole test subtree will be deleted upon migrating Aquasec
kube-bench [2] for CIS Benchmark [3] integrated by Orange [4] to ONAP
xtesting [5].
[1] https://wiki.onap.org/display/DW/Long+Term+Roadmap
[2] https://github.com/aquasecurity/kube-bench
[3] https://www.cisecurity.org/benchmark/kubernetes/
[4] https://gitlab.com/Orange-OpenSource/lfn/onap/integration/xtesting
[5] https://git.onap.org/integration/xtesting/
Issue-ID: SECCOM-235
Change-Id: Ifc7d9c775c27d4cfafdd1932809288530cffceff
Signed-off-by: Pawel Wieczorek
---
.../src/check/validators/master/api/api_test.go | 69 +---------------------
.../controllermanager/controllermanager_test.go | 21 +------
.../validators/master/scheduler/scheduler_test.go | 11 +---
3 files changed, 3 insertions(+), 98 deletions(-)
(limited to 'test/security/k8s/src/check/validators/master')
diff --git a/test/security/k8s/src/check/validators/master/api/api_test.go b/test/security/k8s/src/check/validators/master/api/api_test.go
index 4ba5070a8..01fe9b1c6 100644
--- a/test/security/k8s/src/check/validators/master/api/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api/api_test.go
@@ -45,39 +45,7 @@ var _ = Describe("Api", func() {
"TLS_RSA_WITH_AES_128_GCM_SHA256",
}
- // kubeApiServerCasablanca was obtained from virtual environment for testing
- // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
- kubeApiServerCasablanca = []string{
- "--storage-backend=etcd2",
- "--storage-media-type=application/json",
- "--service-cluster-ip-range=10.43.0.0/16",
- "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
- "--insecure-bind-address=0.0.0.0",
- "--insecure-port=0",
- "--cloud-provider=rancher",
- "--allow-privileged=true",
- "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
- "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
- "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
- "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
- "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
- "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
- "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
- "--runtime-config=batch/v2alpha1",
- "--anonymous-auth=false",
- "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
- "--runtime-config=authentication.k8s.io/v1beta1=true",
- "--external-hostname=kubernetes.kubernetes.rancher.internal",
- "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
- "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
- "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
- "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
- "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
- "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
- "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
- }
-
- // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // kubeApiServerDublin was obtained from virtual environment for testing
// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
kubeApiServerDublin = []string{
"--requestheader-group-headers=X-Remote-Group",
@@ -130,7 +98,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
@@ -140,7 +107,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
)
@@ -150,7 +116,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
)
@@ -161,7 +126,6 @@ var _ = Describe("Api", func() {
},
Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
)
@@ -171,7 +135,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
)
@@ -182,7 +145,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
- Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
)
@@ -195,7 +157,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
@@ -205,7 +166,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
@@ -215,7 +175,6 @@ var _ = Describe("Api", func() {
},
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -226,7 +185,6 @@ var _ = Describe("Api", func() {
},
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--kubelet-certificate-authority="}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -238,7 +196,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--client-ca-file="}, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -249,7 +206,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"-etcd-cafile="}, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -259,7 +215,6 @@ var _ = Describe("Api", func() {
},
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -271,7 +226,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -282,7 +236,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -293,7 +246,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
})
@@ -304,7 +256,6 @@ var _ = Describe("Api", func() {
Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
},
Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
- Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
)
@@ -316,7 +267,6 @@ var _ = Describe("Api", func() {
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
)
@@ -326,7 +276,6 @@ var _ = Describe("Api", func() {
},
Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
)
})
@@ -339,7 +288,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false),
Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -351,7 +299,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false),
Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -363,7 +310,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false),
Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false),
- Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -375,7 +321,6 @@ var _ = Describe("Api", func() {
Entry("Is empty on insecure cluster", []string{"--request-timeout="}, false),
Entry("Is too high on insecure cluster", []string{"--request-timeout=600"}, false),
Entry("Should be set only if needed on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be set only if needed on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be set only if needed on Dublin cluster", kubeApiServerDublin, true),
)
})
@@ -388,7 +333,6 @@ var _ = Describe("Api", func() {
Entry("Is not absent on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
Entry("Is not absent on insecure deprecated cluster", []string{"--admission-control=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
@@ -398,7 +342,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -409,7 +352,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -420,7 +362,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -431,7 +372,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -443,7 +383,6 @@ var _ = Describe("Api", func() {
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -453,7 +392,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -464,7 +402,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
- Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
@@ -475,7 +412,6 @@ var _ = Describe("Api", func() {
},
Entry("Is explicitly disabled on insecure cluster", []string{"--disable-admission-plugins=Foo,Bar,NamespaceLifecycle,Baz,Quuz"}, false),
Entry("Should not be disabled on CIS-compliant cluster", kubeApiServerCISCompliant, true),
- Entry("Should not be disabled on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should not be disabled on Dublin cluster", kubeApiServerDublin, true),
)
@@ -485,7 +421,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not explicitly disabled on insecure cluster", []string{}, false),
Entry("Is not absent on insecure cluster", []string{"--authorization-mode=Foo,Bar,AlwaysAllow,Baz,Quuz"}, false),
- Entry("Is not explicitly disabled on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
@@ -496,7 +431,6 @@ var _ = Describe("Api", func() {
},
Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
- Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
)
@@ -510,7 +444,6 @@ var _ = Describe("Api", func() {
Entry("Is absent on insecure cluster", []string{}, false),
Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
- Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),
)
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
index fcd337ac2..05e3cae7e 100644
--- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
@@ -21,19 +21,7 @@ var _ = Describe("Controllermanager", func() {
"--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
}
- // kubeControllerManagerCasablanca was obtained from virtual environment for testing
- // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
- kubeControllerManagerCasablanca = []string{
- "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
- "--address=0.0.0.0",
- "--root-ca-file=/etc/kubernetes/ssl/ca.pem",
- "--service-account-private-key-file=/etc/kubernetes/ssl/key.pem",
- "--allow-untagged-cloud",
- "--cloud-provider=rancher",
- "--horizontal-pod-autoscaler-use-rest-clients=false",
- }
-
- // kubeControllerManagerCasablanca was obtained from virtual environment for testing
+ // kubeControllerManagerDublin was obtained from virtual environment for testing
// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
kubeControllerManagerDublin = []string{
"--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml",
@@ -64,7 +52,6 @@ var _ = Describe("Controllermanager", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
Entry("Should be set to false on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
Entry("Should be set to false on Dublin cluster", kubeControllerManagerDublin, true),
)
@@ -75,7 +62,6 @@ var _ = Describe("Controllermanager", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly disabled on insecure cluster", []string{"--use-service-account-credentials=false"}, false),
- Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
Entry("Should be set to true on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
Entry("Should be set to true on Dublin cluster", kubeControllerManagerDublin, true),
)
@@ -89,7 +75,6 @@ var _ = Describe("Controllermanager", func() {
Entry("Is absent on insecure cluster", []string{""}, false),
Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false),
Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
- Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
)
@@ -100,7 +85,6 @@ var _ = Describe("Controllermanager", func() {
Entry("Is absent on insecure cluster", []string{""}, false),
Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false),
Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
- Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
)
})
@@ -111,7 +95,6 @@ var _ = Describe("Controllermanager", func() {
Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
},
Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
- Entry("Is not absent nor set to loopback on Casablanca cluster", kubeControllerManagerCasablanca, false),
Entry("Is not absent nor set to loopback on Dublin cluster", kubeControllerManagerDublin, false),
Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
)
@@ -124,7 +107,6 @@ var _ = Describe("Controllermanager", func() {
},
Entry("Is absent on insecure cluster", []string{""}, false),
Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false),
- Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false),
Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
)
@@ -137,7 +119,6 @@ var _ = Describe("Controllermanager", func() {
},
Entry("Is not enabled on insecure cluster", []string{"--feature-gates=Foo=Bar,Baz=Quuz"}, false),
Entry("Is explicitly disabled on insecure cluster", []string{"--feature-gates=Foo=Bar,RotateKubeletServerCertificate=false,Baz=Quuz"}, false),
- Entry("Is not enabled on Casablanca cluster", kubeControllerManagerCasablanca, false),
Entry("Is not enabled on Dublin cluster", kubeControllerManagerDublin, false),
Entry("Should be enabled on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
)
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
index 4166a58d7..7fb13b820 100644
--- a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
@@ -16,14 +16,7 @@ var _ = Describe("Scheduler", func() {
"--profiling=false",
}
- // kubeSchedulerCasablanca was obtained from virtual environment for testing
- // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
- kubeSchedulerCasablanca = []string{
- "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
- "--address=0.0.0.0",
- }
-
- // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // kubeSchedulerDublin was obtained from virtual environment for testing
// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
kubeSchedulerDublin = []string{
"--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
@@ -41,7 +34,6 @@ var _ = Describe("Scheduler", func() {
},
Entry("Is not set on insecure cluster", []string{}, false),
Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
- Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
)
@@ -53,7 +45,6 @@ var _ = Describe("Scheduler", func() {
Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
},
Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
- Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
)
--
cgit 1.2.3-korg