1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
|
package master
import (
"strconv"
"strings"
)
const (
portDisabled = 0
portLowest = 1
portHighest = 65536
)
// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
func IsBasicAuthFileAbsent(params []string) bool {
return isFlagAbsent("--basic-auth-file=", params)
}
// IsTokenAuthFileAbsent validates there is no token based authentication file specified.
func IsTokenAuthFileAbsent(params []string) bool {
return isFlagAbsent("--token-auth-file=", params)
}
// IsInsecureAllowAnyTokenAbsent validates insecure tokens are not accepted.
func IsInsecureAllowAnyTokenAbsent(params []string) bool {
return isFlagAbsent("--insecure-allow-any-token", params)
}
// isFlagAbsent checks absence of selected flag in parameters.
func isFlagAbsent(flag string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 0 {
return false
}
return true
}
// IsAnonymousAuthDisabled validates there is single "--anonymous-auth" flag and it is set to "false".
func IsAnonymousAuthDisabled(params []string) bool {
return hasSingleFlagArgument("--anonymous-auth=", "false", params)
}
// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
func IsInsecurePortUnbound(params []string) bool {
return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
}
// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
func IsProfilingDisabled(params []string) bool {
return hasSingleFlagArgument("--profiling=", "false", params)
}
// IsRepairMalformedUpdatesDisabled validates there is single "--repair-malformed-updates" flag and it is set to "false".
func IsRepairMalformedUpdatesDisabled(params []string) bool {
return hasSingleFlagArgument("--repair-malformed-updates=", "false", params)
}
// IsServiceAccountLookupEnabled validates there is single "--service-account-lookup" flag and it is set to "true".
func IsServiceAccountLookupEnabled(params []string) bool {
return hasSingleFlagArgument("--service-account-lookup=", "true", params)
}
// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
func hasSingleFlagArgument(flag string, argument string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 1 {
return false
}
_, value := splitKV(found[0], "=")
if value != argument {
return false
}
return true
}
// filterFlags returns all occurrences of selected flag.
func filterFlags(strs []string, flag string) []string {
var filtered []string
for _, str := range strs {
if strings.HasPrefix(str, flag) {
filtered = append(filtered, str)
}
}
return filtered
}
// splitKV splits key and value (after first occurrence of separator).
func splitKV(s, sep string) (string, string) {
ret := strings.SplitN(s, sep, 2)
return ret[0], ret[1]
}
// IsKubeletHTTPSAbsentOrEnabled validates there is single "--kubelet-https" flag and it is set to "true".
func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
return isFlagAbsent("--kubelet-https=", params) ||
hasSingleFlagArgument("--kubelet-https=", "true", params)
}
// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
return isFlagAbsent("--insecure-bind-address=", params) ||
hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
}
// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
func IsSecurePortAbsentOrValid(params []string) bool {
return isFlagAbsent("--secure-port=", params) ||
hasFlagValidPort("--secure-port=", params)
}
// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
func hasFlagValidPort(flag string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 1 {
return false
}
_, value := splitKV(found[0], "=")
port, err := strconv.Atoi(value) // what about empty parameter?
if err != nil {
return false
}
if port < portLowest || port > portHighest {
return false
}
return true
}
// IsAlwaysAdmitAdmissionControlPluginExcluded validates AlwaysAdmit is excluded from admission control plugins.
func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
if isSingleFlagPresent("--enable-admission-plugins=", params) {
return !hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysAdmit", params)
}
if isSingleFlagPresent("--admission-control=", params) {
return !hasFlagArgumentIncluded("--admission-control=", "AlwaysAdmit", params)
}
return false
}
// isSingleFlagPresent checks presence of selected flag and whether it was used once.
func isSingleFlagPresent(flag string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 1 {
return false
}
return true
}
// hasFlagArgumentIncluded checks whether selected flag includes requested argument.
func hasFlagArgumentIncluded(flag string, argument string, params []string) bool {
found := filterFlags(params, flag)
if len(found) != 1 {
return false
}
_, values := splitKV(found[0], "=")
for _, v := range strings.Split(values, ",") {
if v == argument {
return true
}
}
return false
}
|
