From bd12bfbc6fbe4ecfc2152467ea6785c9e5163763 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Fri, 27 Sep 2019 19:00:46 +0200
Subject: k8s: Validate controller manager address flag
This patch verifies whether the CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.3.7).
Issue-ID: SECCOM-235
Change-Id: Id3f4bcb9a506dae3c7c0a884ad6c704dfae2a6d8
Signed-off-by: Pawel Wieczorek
---
test/security/k8s/src/check/cmd/check/check.go | 3 +-
.../master/controllermanager/controllermanager.go | 12 ++++
.../controllermanager_suite_test.go | 13 +++++
.../controllermanager/controllermanager_test.go | 64 ++++++++++++++++++++++
.../k8s/src/check/validators/master/master.go | 7 +++
5 files changed, 98 insertions(+), 1 deletion(-)
create mode 100644 test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
create mode 100644 test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go
create mode 100644 test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index dd089b107..d7176170a 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -49,8 +49,9 @@ func main() {
}
master.CheckScheduler(schedulerParams)
- _, err = info.GetControllerManagerParams()
+ controllerManagerParams, err := info.GetControllerManagerParams()
if err != nil {
log.Fatal(err)
}
+ master.CheckControllerManager(controllerManagerParams)
}
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
new file mode 100644
index 000000000..85ab28564
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
@@ -0,0 +1,12 @@
+package controllermanager
+
+import (
+ "check/validators/master/args"
+ "check/validators/master/boolean"
+)
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+ return boolean.IsFlagAbsent("--address=", params) ||
+ args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
+}
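Review bot: An absent `--address` flag is accepted as compliant by the `boolean.IsFlagAbsent("--address=", params) ||` branch, which is only a true pass if the kube-controller-manager build under test defaults that flag to a loopback address; the CIS 1.3.7 audit text checks that the argument is explicitly set to 127.0.0.1, and on a build whose default is 0.0.0.0 (which I believe older releases used — please confirm against the target version) an absent flag would yield a false pass. If the absent case is deliberately accepted because of a known secure default, I would record that assumption in the doc comment, e.g. `// An absent flag is treated as compliant on the assumption that the default is loopback; verify against the deployed kube-controller-manager version.` The loopback match is also an exact string compare against `127.0.0.1`, so other loopback spellings (`localhost`, `::1`) are reported as non-compliant; that mirrors the scheduler validator, but is worth stating in the comment so the strictness is visibly intentional.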
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go
new file mode 100644
index 000000000..c5b9a027c
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_suite_test.go
@@ -0,0 +1,13 @@
+package controllermanager_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+func TestControllermanager(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Controllermanager Suite")
+}
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
new file mode 100644
index 000000000..d417b7d9f
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
@@ -0,0 +1,64 @@
+package controllermanager_test
+
+import (
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+
+ . "check/validators/master/controllermanager"
+)
+
+var _ = Describe("Controllermanager", func() {
+ var (
+ // kubeControllerManagerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeControllerManagerCISCompliant = []string{}
+
+ // kubeControllerManagerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeControllerManagerCasablanca = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
+ "--address=0.0.0.0",
+ "--root-ca-file=/etc/kubernetes/ssl/ca.pem",
+ "--service-account-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--allow-untagged-cloud",
+ "--cloud-provider=rancher",
+ "--horizontal-pod-autoscaler-use-rest-clients=false",
+ }
+
+ // kubeControllerManagerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+ kubeControllerManagerDublin = []string{
+ "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-controller-manager.yaml",
+ "--address=0.0.0.0",
+ "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
+ "--service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--terminated-pod-gc-threshold=1000",
+ "--profiling=false",
+ "--use-service-account-credentials=true",
+ "--node-monitor-grace-period=40s",
+ "--cloud-provider=",
+ "--service-cluster-ip-range=10.43.0.0/16",
+ "--configure-cloud-routes=false",
+ "--enable-hostpath-provisioner=false",
+ "--cluster-cidr=10.42.0.0/16",
+ "--allow-untagged-cloud=true",
+ "--pod-eviction-timeout=5m0s",
+ "--allocate-node-cidrs=true",
+ "--leader-elect=true",
+ "--v=2",
+ }
+ )
+
+ Describe("Address flag", func() {
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeControllerManagerCasablanca, false),
+ Entry("Is not absent nor set to loopback on Dublin cluster", kubeControllerManagerDublin, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ )
+ })
+})
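Review bot: The comment above the `kubeControllerManagerDublin` fixture still names `kubeControllerManagerCasablanca` (a copy-paste leftover from the previous fixture); it should read `// kubeControllerManagerDublin was obtained from virtual environment for testing`. The table also never exercises the positive loopback branch of the validator: every entry is either absent (`true`) or a non-loopback address (`false`), so a regression in the `args.HasSingleFlagArgument` call would go unnoticed. Adding `Entry("Is set to loopback on hardened cluster", []string{"--address=127.0.0.1"}, true),` would cover it, and a duplicate-flag case such as `[]string{"--address=127.0.0.1", "--address=0.0.0.0"}` expecting `false` would pin the "single" semantics the helper name implies.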
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
index bc019a67a..79d6612a6 100644
--- a/test/security/k8s/src/check/validators/master/master.go
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -4,6 +4,7 @@ import (
"log"
"check/validators/master/api"
+ "check/validators/master/controllermanager"
"check/validators/master/scheduler"
)
@@ -64,3 +65,9 @@ func CheckScheduler(params []string) {
log.Printf("IsProfilingDisabled: %t\n", scheduler.IsProfilingDisabled(params))
log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", scheduler.IsInsecureBindAddressAbsentOrLoopback(params))
}
+
+// CheckControllerManager validates controller manager complies with CIS guideliness.
+func CheckControllerManager(params []string) {
+ log.Println("==> Controller Manager:")
+ log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", controllermanager.IsInsecureBindAddressAbsentOrLoopback(params))
+}
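Review bot: The doc comment on `CheckControllerManager` misspells "guidelines" as "guideliness"; it should read `// CheckControllerManager validates controller manager complies with CIS guidelines.` The hunk begins inside `CheckScheduler`, whose start is outside this hunk, so only the new function is reviewed here.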
--
cgit 1.2.3-korg