From 65028666004a61afa0b7ea054da4744f3a2e298d Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek <p.wieczorek2@samsung.com>
Date: Mon, 3 Jun 2019 17:03:42 +0200
Subject: k8s: Validate API server address and port flags

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.6 and 1.1.7).

Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
---
 .../k8s/src/check/validators/master/api.go         | 36 ++++++++++++++++++++--
 1 file changed, 34 insertions(+), 2 deletions(-)

(limited to 'test/security/k8s/src/check/validators')

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index bf275c1ca..ac84d8f1c 100644
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -6,7 +6,9 @@ import (
 )
 
 const (
-	disabledPort = 0
+	portDisabled = 0
+	portLowest   = 1
+	portHighest  = 65536
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool {
 
 // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
 func IsInsecurePortUnbound(params []string) bool {
-	return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+	return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
 }
 
 // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
@@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) {
 	ret := strings.SplitN(s, sep, 2)
 	return ret[0], ret[1]
 }
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+	return isFlagAbsent("--insecure-bind-address=", params) ||
+		hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
+}
+
+// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
+func IsSecurePortAbsentOrValid(params []string) bool {
+	return isFlagAbsent("--secure-port=", params) ||
+		hasFlagValidPort("--secure-port=", params)
+}
+
+// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
+func hasFlagValidPort(flag string, params []string) bool {
+	found := filterFlags(params, flag)
+	if len(found) != 1 {
+		return false
+	}
+
+	_, value := splitKV(found[0], "=")
+	port, err := strconv.Atoi(value) // what about empty parameter?
+	if err != nil {
+		return false
+	}
+	if port < portLowest || port > portHighest {
+		return false
+	}
+	return true
+}
-- 
cgit 1.2.3-korg