From 28bd2f7044d0b120d202a9ef1a2ef8294f153bad Mon Sep 17 00:00:00 2001
From: Pawel Wieczorek
Date: Wed, 29 May 2019 20:17:44 +0200
Subject: k8s: Validate API server boolean flags
This patch verifies whether the CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8,
1.1.9, 1.1.20 and 1.1.23).
Issue-ID: SECCOM-235
Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba
Signed-off-by: Pawel Wieczorek
---
test/security/k8s/src/check/cmd/check/check.go | 13 ++-
.../k8s/src/check/validators/master/api.go | 95 ++++++++++++++++++++++
2 files changed, 107 insertions(+), 1 deletion(-)
create mode 100644 test/security/k8s/src/check/validators/master/api.go
diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index e48088a9e..fd4c2aff9 100644
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -5,6 +5,7 @@ import (
"log"
"check/rancher"
+ "check/validators/master"
)
func main() {
@@ -13,5 +14,15 @@ func main() {
if err != nil {
log.Fatal(err)
}
- log.Printf("%s\n", k8sParams)
+
+ log.Printf("IsBasicAuthFileAbsent: %t\n", master.IsBasicAuthFileAbsent(k8sParams))
+ log.Printf("IsTokenAuthFileAbsent: %t\n", master.IsTokenAuthFileAbsent(k8sParams))
+ log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", master.IsInsecureAllowAnyTokenAbsent(k8sParams))
+
+ log.Printf("IsAnonymousAuthDisabled: %t\n", master.IsAnonymousAuthDisabled(k8sParams))
+ log.Printf("IsKubeletHTTPSConnected: %t\n", master.IsKubeletHTTPSConnected(k8sParams))
+ log.Printf("IsInsecurePortUnbound: %t\n", master.IsInsecurePortUnbound(k8sParams))
+ log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
+ log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
+ log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
}
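Review bot: Each validator's result is only written to the log, so the tool exits 0 regardless of how many checks fail and a caller or CI job cannot tell a compliant master from a non-compliant one without scraping output. Collecting the results and exiting non-zero when any is false keeps the same log lines and makes the outcome machine-readable; a sketch follows (it needs `"os"` added to the import block). The trailing `\n` in each `log.Printf` is redundant, since the log package appends a newline itself. main begins before this hunk.
```go
	// … unchanged: k8sParams retrieval and error handling …
	checks := []struct {
		name string
		ok   bool
	}{
		{"IsBasicAuthFileAbsent", master.IsBasicAuthFileAbsent(k8sParams)},
		{"IsTokenAuthFileAbsent", master.IsTokenAuthFileAbsent(k8sParams)},
		// … remaining validators, in the same order as the log lines …
	}
	failed := false
	for _, c := range checks {
		log.Printf("%s: %t", c.name, c.ok)
		failed = failed || !c.ok
	}
	if failed {
		os.Exit(1)
	}
```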
diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
new file mode 100644
index 000000000..bf275c1ca
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -0,0 +1,95 @@
+package master
+
+import (
+ "strconv"
+ "strings"
+)
+
+const (
+ disabledPort = 0
+)
+
+// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
+func IsBasicAuthFileAbsent(params []string) bool {
+ return isFlagAbsent("--basic-auth-file=", params)
+}
+
+// IsTokenAuthFileAbsent validates there is no token based authentication file specified.
+func IsTokenAuthFileAbsent(params []string) bool {
+ return isFlagAbsent("--token-auth-file=", params)
+}
+
+// IsInsecureAllowAnyTokenAbsent validates insecure tokens are not accepted.
+func IsInsecureAllowAnyTokenAbsent(params []string) bool {
+ return isFlagAbsent("--insecure-allow-any-token", params)
+}
+
+// isFlagAbsent checks absence of selected flag in parameters.
+func isFlagAbsent(flag string, params []string) bool {
+ found := filterFlags(params, flag)
+ if len(found) != 0 {
+ return false
+ }
+ return true
+}
+
+// IsAnonymousAuthDisabled validates there is single "--anonymous-auth" flag and it is set to "false".
+func IsAnonymousAuthDisabled(params []string) bool {
+ return hasSingleFlagArgument("--anonymous-auth=", "false", params)
+}
+
+// IsKubeletHTTPSConnected validates there is single "--kubelet-https" flag and it is set to "true".
+func IsKubeletHTTPSConnected(params []string) bool {
+ return hasSingleFlagArgument("--kubelet-https=", "true", params)
+}
+
+// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
+func IsInsecurePortUnbound(params []string) bool {
+ return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+}
+
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+ return hasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsRepairMalformedUpdatesDisabled validates there is single "--repair-malformed-updates" flag and it is set to "false".
+func IsRepairMalformedUpdatesDisabled(params []string) bool {
+ return hasSingleFlagArgument("--repair-malformed-updates=", "false", params)
+}
+
+// IsServiceAccountLookupEnabled validates there is single "--service-account-lookup" flag and it is set to "true".
+func IsServiceAccountLookupEnabled(params []string) bool {
+ return hasSingleFlagArgument("--service-account-lookup=", "true", params)
+}
+
+// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
+func hasSingleFlagArgument(flag string, argument string, params []string) bool {
+ found := filterFlags(params, flag)
+ if len(found) != 1 {
+ return false
+ }
+
+ _, value := splitKV(found[0], "=")
+ if value != argument {
+ return false
+ }
+ return true
+}
+
+// filterFlags returns all occurrences of selected flag.
+func filterFlags(strs []string, flag string) []string {
+ var filtered []string
+ for _, str := range strs {
+ if strings.HasPrefix(str, flag) {
+ filtered = append(filtered, str)
+ }
+ }
+ return filtered
+}
+
+// splitKV splits key and value (after first occurrence of separator).
+func splitKV(s, sep string) (string, string) {
+ ret := strings.SplitN(s, sep, 2)
+ return ret[0], ret[1]
+}
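Review bot: hasSingleFlagArgument compares the flag's value with the expected string byte-for-byte (`if value != argument`), so a server started with `--anonymous-auth=False` or `--profiling=0` — spellings that strconv.ParseBool accepts and that, as far as I can tell, the API server's flag parsing accepts too — is reported as non-compliant, and `--insecure-port=00` is likewise rejected although it parses as 0. Parsing both sides before comparing removes these false alarms; a compact way is sketched below, reusing the strconv import the file already has. splitKV indexes `ret[1]` unconditionally and panics on input without the separator; the current callers always pass a prefix ending in "=", but the helper is general, so `if len(ret) < 2 { return ret[0], "" }` is a cheap guard. Note also that an absent `--kubelet-https` or `--service-account-lookup` fails these checks even though, if the server's defaults for those flags are true as upstream documents, the configuration is compliant — worth a comment on those two validators if the strictness is intended.
```go
// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
// Values are compared after parsing as int or bool, so spellings the API server itself
// accepts (e.g. "False", "0") are not reported as mismatches.
func hasSingleFlagArgument(flag string, argument string, params []string) bool {
	found := filterFlags(params, flag)
	if len(found) != 1 {
		return false
	}

	_, value := splitKV(found[0], "=")
	return sameArgument(value, argument)
}

// sameArgument reports whether got denotes the same value as want: integers are
// compared as integers, booleans as booleans, anything else as exact strings.
func sameArgument(got, want string) bool {
	if w, err := strconv.Atoi(want); err == nil {
		g, err := strconv.Atoi(got)
		return err == nil && g == w
	}
	if w, err := strconv.ParseBool(want); err == nil {
		g, err := strconv.ParseBool(got)
		return err == nil && g == w
	}
	return got == want
}

// … unchanged: filterFlags …

// splitKV splits key and value (after first occurrence of separator).
func splitKV(s, sep string) (string, string) {
	ret := strings.SplitN(s, sep, 2)
	if len(ret) < 2 {
		return ret[0], ""
	}
	return ret[0], ret[1]
}
```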
--