From e5766d0eaa2441cbd1d52c8082442a689b752874 Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Thu, 3 Oct 2019 18:34:38 +0200
Subject: k8s: Validate controller manager flags requiring appropriate values

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections regarding master node configuration are satisfied (1.3.1 and 1.3.4 - 1.3.5).

Issue-ID: SECCOM-235
Change-Id: I418034ea98423142f4875b97a8e6a22e8b4cd112
Signed-off-by: Pawel Wieczorek
---
 .../master/controllermanager/controllermanager.go | 15 ++++++++
 .../controllermanager/controllermanager_test.go | 40 ++++++++++++++++++++++
 .../k8s/src/check/validators/master/master.go | 3 ++
 3 files changed, 58 insertions(+)
(limited to 'test/security')

diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
index f1dd0fe49..4629ad86f 100644
--- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager.go
@@ -25,3 +25,18 @@ func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
 return boolean.IsFlagAbsent("--address=", params) ||
 args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
 }
+
+// IsTerminatedPodGcThresholdValid validates terminated pod garbage collector threshold is set and it has non-empty argument.
+func IsTerminatedPodGcThresholdValid(params []string) bool {
+ return args.HasSingleFlagNonemptyArgument("--terminated-pod-gc-threshold", params)
+}
+
+// IsServiceAccountPrivateKeyFileSet validates service account private key is set and it has non-empty argument.
+func IsServiceAccountPrivateKeyFileSet(params []string) bool {
+ return args.HasSingleFlagNonemptyArgument("--service-account-private-key-file", params)
+}
+
+// IsRootCertificateAuthoritySet validates root certificate authority is set and it has non-empty argument.
+func IsRootCertificateAuthoritySet(params []string) bool {
+ return args.HasSingleFlagNonemptyArgument("--root-ca-file", params)
+}
diff --git a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
index 7fd8b5d53..fcd337ac2 100644
--- a/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
+++ b/test/security/k8s/src/check/validators/master/controllermanager/controllermanager_test.go
@@ -16,6 +16,9 @@ var _ = Describe("Controllermanager", func() {
 "--profiling=false",
 "--use-service-account-credentials=true",
 "--feature-gates=RotateKubeletServerCertificate=true",
+ "--terminated-pod-gc-threshold=10",
+ "--service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
 }
 
 // kubeControllerManagerCasablanca was obtained from virtual environment for testing
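Review bot: `IsTerminatedPodGcThresholdValid` only asserts that `--terminated-pod-gc-threshold` is present once with a non-empty argument, so a value such as `--terminated-pod-gc-threshold=abc` or a negative number passes as "valid", although the commit message ties this check to CIS 1.3.1, which asks for an appropriate value rather than mere presence. If the `args` package exposes the flag's argument (not visible from this hunk), parse it with `strconv.ParseUint(value, 10, 32)` and return false on error; otherwise rename the function to `IsTerminatedPodGcThresholdSet` so its name matches the two sibling validators and what it actually checks. Whichever way you decide, the "Numeric flags" table in the test file's third hunk should gain an entry with a non-numeric value to pin that decision. The doc comment would then read `// IsTerminatedPodGcThresholdValid reports whether --terminated-pod-gc-threshold is set exactly once to a non-negative integer.`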
@@ -78,6 +81,30 @@ var _ = Describe("Controllermanager", func() {
 )
 })
 
+ Describe("File path flags", func() {
+ DescribeTable("Service account private key",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountPrivateKeyFileSet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{""}, false),
+ Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false),
+ Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
+ Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+ )
+
+ DescribeTable("Root certificate authority",
+ func(params []string, expected bool) {
+ Expect(IsRootCertificateAuthoritySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{""}, false),
+ Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false),
+ Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
+ Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+ )
+ })
+
 Describe("Address flag", func() {
 DescribeTable("Bind address",
 func(params []string, expected bool) {
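Review bot: Both new tables use `[]string{""}` for the "Is absent" case, which is a one-element list holding an empty string rather than an empty argument list; `[]string{}` (or `nil`) is the faithful "absent" input and exercises the helper's empty-input path, and the existing entry is still worth keeping because an empty element is what a stray empty argv entry looks like. The existing tables appear to follow the same `[]string{""}` convention (the Bind address table continues outside this hunk), so change them together if you change it at all. Neither table covers a duplicated flag, which `args.HasSingleFlagNonemptyArgument` presumably rejects given its name; an entry such as `Entry("Is duplicated on misconfigured cluster", []string{"--root-ca-file=first.pem", "--root-ca-file=second.pem"}, false)` would pin that (constructed sample paths). The enclosing `Describe("Controllermanager", ...)` closure starts and ends outside this hunk.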
@@ -90,6 +117,19 @@ var _ = Describe("Controllermanager", func() {
 )
 })
 
+ Describe("Numeric flags", func() {
+ DescribeTable("Terminated pod garbage collector threshold",
+ func(params []string, expected bool) {
+ Expect(IsTerminatedPodGcThresholdValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{""}, false),
+ Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false),
+ Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false),
+ Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+ )
+ })
+
 Describe("Argument list flags", func() {
 DescribeTable("RotateKubeletServerCertificate",
 func(params []string, expected bool) {
diff --git a/test/security/k8s/src/check/validators/master/master.go b/test/security/k8s/src/check/validators/master/master.go
index 0f668f614..11c1b5052 100644
--- a/test/security/k8s/src/check/validators/master/master.go
+++ b/test/security/k8s/src/check/validators/master/master.go
@@ -70,7 +70,10 @@ func CheckScheduler(params []string) {
 func CheckControllerManager(params []string) {
 log.Println("==> Controller Manager:")
 log.Printf("IsProfilingDisabled: %t\n", controllermanager.IsProfilingDisabled(params))
+ log.Printf("IsTerminatedPodGcThresholdValid: %t\n", controllermanager.IsTerminatedPodGcThresholdValid(params))
 log.Printf("IsUseServiceAccountCredentialsEnabled: %t\n", controllermanager.IsUseServiceAccountCredentialsEnabled(params))
 log.Printf("IsRotateKubeletServerCertificateIncluded: %t\n", controllermanager.IsRotateKubeletServerCertificateIncluded(params))
+ log.Printf("IsServiceAccountPrivateKeyFileSet: %t\n", controllermanager.IsServiceAccountPrivateKeyFileSet(params))
+ log.Printf("IsRootCertificateAuthoritySet: %t\n", controllermanager.IsRootCertificateAuthoritySet(params))
 log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", controllermanager.IsInsecureBindAddressAbsentOrLoopback(params))
 }
-- cgit 1.2.3-korg
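Review bot: The three new log lines in `CheckControllerManager` print bare booleans with no reference to the benchmark item they verify, so whoever reads the report has to map function names back to the CIS document by hand, even though the commit message names 1.3.1 and 1.3.4-1.3.5 for exactly these flags. Prefixing each line with its item, e.g. `log.Printf("1.3.1 IsTerminatedPodGcThresholdValid: %t\n", controllermanager.IsTerminatedPodGcThresholdValid(params))`, would make the output self-describing; alternatively order the lines by benchmark section, since the threshold check was inserted after the profiling line and the two file checks after the RotateKubeletServerCertificate line, which (if I recall the 1.3.x numbering correctly) no longer follows the benchmark's order. Separately, `log.Printf` already appends a newline when the format does not end with one, so the trailing `\n` copied from the surrounding lines is redundant, though harmless.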