From 744f732b177c2449ab3ac2ee0ed8fa316122f393 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 27 Sep 2019 16:26:39 +0200
Subject: k8s: Validate scheduler flags
Issue-ID: SECCOM-235
Change-Id: I61df142e99a7f1da335471acab88e5a47d72df15
Signed-off-by: Pawel Wieczorek
---
test/security/k8s/src/check/cmd/check/check.go | 3 +-
.../k8s/src/check/validators/master/master.go | 8 +++
.../check/validators/master/scheduler/scheduler.go | 17 ++++++
.../master/scheduler/scheduler_suite_test.go | 13 +++++
.../validators/master/scheduler/scheduler_test.go | 61 ++++++++++++++++++++++
5 files changed, 101 insertions(+), 1 deletion(-)
create mode 100644 test/security/k8s/src/check/validators/master/scheduler/scheduler.go
create mode 100644 test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
create mode 100644 test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index e60912801..2d25100f3 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -43,8 +43,9 @@ func main() {
}
master.CheckAPI(apiParams)
- _, err = info.GetSchedulerParams()
+ schedulerParams, err := info.GetSchedulerParams()
if err != nil {
log.Fatal(err)
}
+ master.CheckScheduler(schedulerParams)
}
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
index ff3b79648..bc019a67a 100644
--- a/test/security/k8s/src/check/validators/master/master.go
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -4,6 +4,7 @@ import (
"log"
"check/validators/master/api"
+ "check/validators/master/scheduler"
)
// CheckAPI validates API server complies with CIS guideliness.
@@ -56,3 +57,10 @@ func CheckAPI(params []string) {
log.Printf("IsStrongCryptoCipherInUse: %t\n", api.IsStrongCryptoCipherInUse(params))
}
+
+// CheckScheduler validates scheduler complies with CIS guideliness.
+func CheckScheduler(params []string) {
+ log.Println("==> Scheduler:")
+ log.Printf("IsProfilingDisabled: %t\n", scheduler.IsProfilingDisabled(params))
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", scheduler.IsInsecureBindAddressAbsentOrLoopback(params))
+}
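Review bot: The doc comment on CheckScheduler misspells "guidelines" as `guideliness` (the CheckAPI comment shown as context in the previous hunk carries the same typo); suggest `// CheckScheduler validates that the scheduler complies with CIS guidelines.`. The function only logs each validator's result, so a non-compliant flag never affects the process exit status; if that report-only behaviour is intended, it is worth stating in the comment, e.g. `// Results are logged only; the caller decides how to act on them.`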
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler.go
new file mode 100644
index 000000000..14a0fa22e
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler.go
@@ -0,0 +1,17 @@
+package scheduler
+
+import (
+ "check/validators/master/args"
+ "check/validators/master/boolean"
+)
+
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+ return args.HasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+ return boolean.IsFlagAbsent("--address=", params) ||
+ args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
+}
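Review bot: IsInsecureBindAddressAbsentOrLoopback accepts only the literal `127.0.0.1`, so a scheduler started with `--address=::1` or `--address=localhost` is reported as non-compliant although those are loopback addresses too; this follows the CIS wording, which names 127.0.0.1 explicitly, but the function name and comment promise more than the check does. Suggest `// IsInsecureBindAddressAbsentOrLoopback validates that "--address" is absent or set exactly once to "127.0.0.1"; other loopback spellings (::1, localhost) are not accepted.` Both helpers pass the `--flag=` prefix only, so presumably the space-separated form `--profiling false` would not be recognised — whether args.HasSingleFlagArgument also handles that form is not visible here and is worth a sentence in the comment either way.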
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
new file mode 100644
index 000000000..8f8320808
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
@@ -0,0 +1,13 @@
+package scheduler_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+func TestScheduler(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Scheduler Suite")
+}
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
new file mode 100644
index 000000000..4166a58d7
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
@@ -0,0 +1,61 @@
+package scheduler_test
+
+import (
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ . "check/validators/master/scheduler"
+)
+
+var _ = Describe("Scheduler", func() {
+ var (
+ // kubeSchedulerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeSchedulerCISCompliant = []string{
+ "--profiling=false",
+ }
+
+ // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeSchedulerCasablanca = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
+ "--address=0.0.0.0",
+ }
+
+ // kubeSchedulerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeSchedulerDublin = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
+ "--address=0.0.0.0",
+ "--profiling=false",
+ "--leader-elect=true",
+ "--v=2",
+ }
+ )
+
+ Describe("Boolean flag", func() {
+ DescribeTable("Profiling",
+ func(params []string, expected bool) {
+ Expect(IsProfilingDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+ Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
+ )
+ })
+
+ Describe("Address flag", func() {
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
+ Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+ )
+ })
+})
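Review bot: The "Bind address" table never exercises the loopback branch with a positive case — the only `true` entry uses kubeSchedulerCISCompliant, which carries no `--address` flag at all, so a regression in the `127.0.0.1` comparison inside IsInsecureBindAddressAbsentOrLoopback would go unnoticed. Add `Entry("Should be set to loopback on secure cluster", []string{"--address=127.0.0.1"}, true),` to that table and, assuming HasSingleFlagArgument rejects repeated flags as its name suggests, `Entry("Is set twice on insecure cluster", []string{"--profiling=false", "--profiling=true"}, false),` to the "Profiling" table. The comment above kubeSchedulerDublin is a copy of the Casablanca one and should read `// kubeSchedulerDublin was obtained from virtual environment for testing`.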
--