1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
|
package master
import (
"strconv"
"strings"
)
const (
portDisabled = 0
portLowest = 1
portHighest = 65536
)
// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
func IsBasicAuthFileAbsent(params []string) bool {
return isFlagAbsent("--basic-auth-file=", params)
}
// IsTokenAuthFileAbsent validates there is no token based authentication file specified.
func IsTokenAuthFileAbsent(params []string) bool {
return isFlagAbsent("--token-auth-file=", params)
}
// IsInsecureAllowAnyTokenAbsent validates insecure tokens are not accepted.
func IsInsecureAllowAnyTokenAbsent(params []string) bool {
return isFlagAbsent("--insecure-allow-any-token", params)
}
// isFlagAbsent checks absence of selected flag in parameters.
func isFlagAbsent(flag string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 0 {
return false
}
return true
}
// IsAnonymousAuthDisabled validates there is single "--anonymous-auth" flag and it is set to "false".
func IsAnonymousAuthDisabled(params []string) bool {
return hasSingleFlagArgument("--anonymous-auth=", "false", params)
}
// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
func IsInsecurePortUnbound(params []string) bool {
return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
}
// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
func IsProfilingDisabled(params []string) bool {
return hasSingleFlagArgument("--profiling=", "false", params)
}
// IsRepairMalformedUpdatesDisabled validates there is single "--repair-malformed-updates" flag and it is set to "false".
func IsRepairMalformedUpdatesDisabled(params []string) bool {
return hasSingleFlagArgument("--repair-malformed-updates=", "false", params)
}
// IsServiceAccountLookupEnabled validates there is single "--service-account-lookup" flag and it is set to "true".
func IsServiceAccountLookupEnabled(params []string) bool {
return hasSingleFlagArgument("--service-account-lookup=", "true", params)
}
// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
func hasSingleFlagArgument(flag string, argument string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 1 {
return false
}
_, value := splitKV(found[0], "=")
if value != argument {
return false
}
return true
}
// filterFlags returns all occurrences of selected flag.
func filterFlags(strs []string, flag string) []string {
var filtered []string
for _, str := range strs {
if strings.HasPrefix(str, flag) {
filtered = append(filtered, str)
}
}
return filtered
}
// splitKV splits key and value (after first occurrence of separator).
func splitKV(s, sep string) (string, string) {
ret := strings.SplitN(s, sep, 2)
return ret[0], ret[1]
}
// IsKubeletHTTPSAbsentOrEnabled validates there is single "--kubelet-https" flag and it is set to "true".
func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
return isFlagAbsent("--kubelet-https=", params) ||
hasSingleFlagArgument("--kubelet-https=", "true", params)
}
// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
return isFlagAbsent("--insecure-bind-address=", params) ||
hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
}
// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
func IsSecurePortAbsentOrValid(params []string) bool {
return isFlagAbsent("--secure-port=", params) ||
hasFlagValidPort("--secure-port=", params)
}
// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
func hasFlagValidPort(flag string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 1 {
return false
}
_, value := splitKV(found[0], "=")
port, err := strconv.Atoi(value) // what about empty parameter?
if err != nil {
return false
}
if port < portLowest || port > portHighest {
return false
}
return true
}
|
