package api

import (
	"strconv"

	"check/validators/master/args"
	"check/validators/master/boolean"
)

const (
	// portDisabled is the "--insecure-port" value that turns the insecure listener off.
	portDisabled = 0

	// Recommended values for the audit log rotation flags checked by
	// IsAuditLogMaxAgeValid, IsAuditLogMaxBackupValid and IsAuditLogMaxSizeValid.
	// NOTE(review): units are presumably those of the kube-apiserver flags
	// (maxage in days, maxsize in megabytes) — confirm against the target version.
	auditLogAge     = 30
	auditLogBackups = 10
	auditLogSize    = 100

	// strongCryptoCiphers is the full "--tls-cipher-suites" list expected by
	// IsStrongCryptoCipherInUse. It is passed as one string, so an otherwise
	// equivalent list in a different order may be rejected (assuming
	// args.HasSingleFlagArgument compares literally — confirm).
	// NOTE(review): the list still contains the non-forward-secret TLS_RSA_* suites;
	// it looks like a benchmark-derived list rather than a minimal PFS-only one.
	strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
		"_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
		"_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
		"_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"

	// requestTimeout is the lower bound accepted by IsRequestTimeoutValid; the upper
	// bound is 2*requestTimeout. NOTE(review): presumably seconds — confirm in
	// args.HasSingleFlagValidTimeout.
	requestTimeout = 60
)

// IsBasicAuthFileAbsent validates that no "--basic-auth-file" flag is passed,
// i.e. static basic authentication is not configured on the API server.
func IsBasicAuthFileAbsent(params []string) bool {
	const flag = "--basic-auth-file="
	absent := boolean.IsFlagAbsent(flag, params)
	return absent
}

// IsTokenAuthFileAbsent validates that no "--token-auth-file" flag is passed,
// i.e. static token authentication is not configured on the API server.
func IsTokenAuthFileAbsent(params []string) bool {
	const flag = "--token-auth-file="
	absent := boolean.IsFlagAbsent(flag, params)
	return absent
}

// IsInsecureAllowAnyTokenAbsent validates that the "--insecure-allow-any-token"
// flag is not passed, so arbitrary bearer tokens are not accepted.
func IsInsecureAllowAnyTokenAbsent(params []string) bool {
	const flag = "--insecure-allow-any-token"
	absent := boolean.IsFlagAbsent(flag, params)
	return absent
}

// IsAnonymousAuthDisabled validates there is a single "--anonymous-auth" flag and
// its argument is "false". An absent flag does not pass this check.
func IsAnonymousAuthDisabled(params []string) bool {
	const (
		flag = "--anonymous-auth="
		want = "false"
	)
	return args.HasSingleFlagArgument(flag, want, params)
}

// IsInsecurePortUnbound validates there is a single "--insecure-port" flag and it
// is set to portDisabled ("0"), so no unauthenticated HTTP listener is opened.
// An absent flag does not pass this check.
func IsInsecurePortUnbound(params []string) bool {
	const flag = "--insecure-port="
	disabled := strconv.Itoa(portDisabled)
	return args.HasSingleFlagArgument(flag, disabled, params)
}

// IsProfilingDisabled validates there is a single "--profiling" flag and its
// argument is "false". An absent flag does not pass this check.
func IsProfilingDisabled(params []string) bool {
	const (
		flag = "--profiling="
		want = "false"
	)
	return args.HasSingleFlagArgument(flag, want, params)
}

// IsRepairMalformedUpdatesDisabled validates there is a single
// "--repair-malformed-updates" flag and its argument is "false".
// An absent flag does not pass this check.
func IsRepairMalformedUpdatesDisabled(params []string) bool {
	const (
		flag = "--repair-malformed-updates="
		want = "false"
	)
	return args.HasSingleFlagArgument(flag, want, params)
}

// IsServiceAccountLookupEnabled validates there is a single
// "--service-account-lookup" flag and its argument is "true".
// An absent flag does not pass this check.
func IsServiceAccountLookupEnabled(params []string) bool {
	const (
		flag = "--service-account-lookup="
		want = "true"
	)
	return args.HasSingleFlagArgument(flag, want, params)
}

// IsStrongCryptoCipherInUse validates there is a single "--tls-cipher-suites" flag
// and its argument is exactly strongCryptoCiphers. The whole list is compared as
// one string, so a reordered or partial list presumably fails — confirm in
// args.HasSingleFlagArgument.
func IsStrongCryptoCipherInUse(params []string) bool {
	const flag = "--tls-cipher-suites="
	want := strongCryptoCiphers
	return args.HasSingleFlagArgument(flag, want, params)
}

// IsKubeletHTTPSAbsentOrEnabled validates that "--kubelet-https" is either not
// passed at all or is passed as a single flag set to "true". Accepting the
// absent case relies on the apiserver default being HTTPS — confirm for the
// target version.
func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
	const flag = "--kubelet-https="
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagArgument(flag, "true", params)
}

// IsInsecureBindAddressAbsentOrLoopback validates that "--insecure-bind-address"
// is either not passed or is a single flag set to the IPv4 loopback literal
// "127.0.0.1". Other spellings of loopback (e.g. "::1", "localhost") are not
// accepted by this check.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
	const (
		flag     = "--insecure-bind-address="
		loopback = "127.0.0.1"
	)
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagArgument(flag, loopback, params)
}

// IsSecurePortAbsentOrValid validates that "--secure-port" is either not passed
// (the apiserver default applies) or is a single flag whose argument is a legal
// port as judged by args.HasSingleFlagValidPort.
func IsSecurePortAbsentOrValid(params []string) bool {
	const flag = "--secure-port="
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagValidPort(flag, params)
}

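// enabledAdmissionPlugin reports whether plugin is named in the enabled admission
// plugin list. "--enable-admission-plugins" is consulted first and, only when it
// is not present as a single flag, "--admission-control" (the older spelling —
// confirm for the target version). present is false when neither flag is found,
// and included is then false as well; callers decide what that means.
func enabledAdmissionPlugin(plugin string, params []string) (included, present bool) {
	flags := []string{"--enable-admission-plugins=", "--admission-control="}
	for _, flag := range flags {
		if boolean.IsSingleFlagPresent(flag, params) {
			return args.HasFlagArgumentIncluded(flag, plugin, params), true
		}
	}
	return false, false
}

// IsAlwaysAdmitAdmissionControlPluginExcluded validates AlwaysAdmit is excluded
// from admission control plugins. It fails when neither admission flag is set,
// because the plugin list is then not explicitly pinned.
func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
	included, present := enabledAdmissionPlugin("AlwaysAdmit", params)
	return present && !included
}

// IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is
// included in admission control plugins; false when neither admission flag is set.
func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("AlwaysPullImages", params)
	return included
}

// IsDenyEscalatingExecAdmissionControlPluginIncluded validates DenyEscalatingExec
// is included in admission control plugins; false when neither admission flag is set.
func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("DenyEscalatingExec", params)
	return included
}

// IsSecurityContextDenyAdmissionControlPluginIncluded validates SecurityContextDeny
// is included in admission control plugins; false when neither admission flag is set.
func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("SecurityContextDeny", params)
	return included
}

// IsPodSecurityPolicyAdmissionControlPluginIncluded validates PodSecurityPolicy is
// included in admission control plugins; false when neither admission flag is set.
func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("PodSecurityPolicy", params)
	return included
}

// IsServiceAccountAdmissionControlPluginIncluded validates ServiceAccount is
// included in admission control plugins; false when neither admission flag is set.
func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("ServiceAccount", params)
	return included
}

// IsNodeRestrictionAdmissionControlPluginIncluded validates NodeRestriction is
// included in admission control plugins; false when neither admission flag is set.
func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("NodeRestriction", params)
	return included
}

// IsEventRateLimitAdmissionControlPluginIncluded validates EventRateLimit is
// included in admission control plugins; false when neither admission flag is set.
func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
	included, _ := enabledAdmissionPlugin("EventRateLimit", params)
	return included
}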

// IsNamespaceLifecycleAdmissionControlPluginNotExcluded validates NamespaceLifecycle
// is not listed in "--disable-admission-plugins". When that flag is not passed as a
// single flag the check passes, since nothing has been disabled explicitly.
func IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params []string) bool {
	const flag = "--disable-admission-plugins="
	if !boolean.IsSingleFlagPresent(flag, params) {
		return true
	}
	disabled := args.HasFlagArgumentIncluded(flag, "NamespaceLifecycle", params)
	return !disabled
}

// IsAlwaysAllowAuthorizationModeExcluded validates that "--authorization-mode" is
// passed as a single flag and AlwaysAllow is not among its modes. An absent flag
// fails the check, so the authorization modes must be pinned explicitly.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
	const flag = "--authorization-mode="
	if !boolean.IsSingleFlagPresent(flag, params) {
		return false
	}
	return !args.HasFlagArgumentIncluded(flag, "AlwaysAllow", params)
}

// IsNodeAuthorizationModeIncluded validates Node is among the "--authorization-mode"
// modes. Unlike IsAlwaysAllowAuthorizationModeExcluded it does not first require
// the flag to be present exactly once — NOTE(review): confirm how
// args.HasFlagArgumentIncluded treats a repeated flag.
func IsNodeAuthorizationModeIncluded(params []string) bool {
	const (
		flag = "--authorization-mode="
		mode = "Node"
	)
	return args.HasFlagArgumentIncluded(flag, mode, params)
}

// IsAuditLogPathSet validates there is a single "--audit-log-path" flag with a
// non-empty argument, i.e. API audit logging is written somewhere.
func IsAuditLogPathSet(params []string) bool {
	const flag = "--audit-log-path="
	set := args.HasSingleFlagNonemptyArgument(flag, params)
	return set
}

// IsKubeletCertificateAuthoritySet validates there is a single
// "--kubelet-certificate-authority" flag with a non-empty argument, so the
// apiserver verifies kubelet serving certificates.
// NOTE(review): the flag is given here without the trailing "=" that most other
// checks in this file use — confirm args.HasSingleFlagNonemptyArgument matches
// both the "--flag=value" and the "--flag value" spellings.
func IsKubeletCertificateAuthoritySet(params []string) bool {
	const flag = "--kubelet-certificate-authority"
	set := args.HasSingleFlagNonemptyArgument(flag, params)
	return set
}

// IsClientCertificateAuthoritySet validates there is a single "--client-ca-file"
// flag with a non-empty argument, so client certificates can be verified.
func IsClientCertificateAuthoritySet(params []string) bool {
	const flag = "--client-ca-file"
	set := args.HasSingleFlagNonemptyArgument(flag, params)
	return set
}

// IsEtcdCertificateAuthoritySet validates there is a single "--etcd-cafile" flag
// with a non-empty argument, so the etcd server certificate is verified.
func IsEtcdCertificateAuthoritySet(params []string) bool {
	const flag = "--etcd-cafile"
	set := args.HasSingleFlagNonemptyArgument(flag, params)
	return set
}

// IsServiceAccountKeySet validates there is a single "--service-account-key-file"
// flag with a non-empty argument, so service account tokens are verified against
// a dedicated key rather than the TLS private key.
func IsServiceAccountKeySet(params []string) bool {
	const flag = "--service-account-key-file"
	set := args.HasSingleFlagNonemptyArgument(flag, params)
	return set
}

// IsKubeletClientCertificateAndKeySet validates that both
// "--kubelet-client-certificate" and "--kubelet-client-key" are present as single
// flags with non-empty arguments, so the apiserver authenticates to kubelets.
func IsKubeletClientCertificateAndKeySet(params []string) bool {
	required := []string{"--kubelet-client-certificate", "--kubelet-client-key"}
	for _, flag := range required {
		if !args.HasSingleFlagNonemptyArgument(flag, params) {
			return false
		}
	}
	return true
}

// IsEtcdCertificateAndKeySet validates that both "--etcd-certfile" and
// "--etcd-keyfile" are present as single flags with non-empty arguments, so the
// apiserver presents a client certificate to etcd.
func IsEtcdCertificateAndKeySet(params []string) bool {
	required := []string{"--etcd-certfile", "--etcd-keyfile"}
	for _, flag := range required {
		if !args.HasSingleFlagNonemptyArgument(flag, params) {
			return false
		}
	}
	return true
}

// IsTLSCertificateAndKeySet validates that both "--tls-cert-file" and
// "--tls-private-key-file" are present as single flags with non-empty arguments,
// so the apiserver serves with an explicitly provided certificate.
func IsTLSCertificateAndKeySet(params []string) bool {
	required := []string{"--tls-cert-file", "--tls-private-key-file"}
	for _, flag := range required {
		if !args.HasSingleFlagNonemptyArgument(flag, params) {
			return false
		}
	}
	return true
}

// IsAuditLogMaxAgeValid validates that "--audit-log-maxage" is set as a single
// flag and has the recommended value auditLogAge, as judged by
// args.HasSingleFlagRecommendedNumericArgument.
func IsAuditLogMaxAgeValid(params []string) bool {
	const flag = "--audit-log-maxage"
	return args.HasSingleFlagRecommendedNumericArgument(flag, auditLogAge, params)
}

// IsAuditLogMaxBackupValid validates that "--audit-log-maxbackup" (the number of
// retained audit log files) is set as a single flag and has the recommended value
// auditLogBackups, as judged by args.HasSingleFlagRecommendedNumericArgument.
func IsAuditLogMaxBackupValid(params []string) bool {
	const flag = "--audit-log-maxbackup"
	return args.HasSingleFlagRecommendedNumericArgument(flag, auditLogBackups, params)
}

// IsAuditLogMaxSizeValid validates that "--audit-log-maxsize" (the size at which
// an audit log file is rotated) is set as a single flag and has the recommended
// value auditLogSize, as judged by args.HasSingleFlagRecommendedNumericArgument.
func IsAuditLogMaxSizeValid(params []string) bool {
	const flag = "--audit-log-maxsize"
	return args.HasSingleFlagRecommendedNumericArgument(flag, auditLogSize, params)
}

// IsRequestTimeoutValid validates that "--request-timeout" is either not passed
// (the apiserver default applies) or is a single flag whose value lies within the
// range [requestTimeout, 2*requestTimeout] as judged by
// args.HasSingleFlagValidTimeout — NOTE(review): confirm whether the bounds are
// inclusive and which unit the helper expects.
func IsRequestTimeoutValid(params []string) bool {
	const flag = "--request-timeout"
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagValidTimeout(flag, requestTimeout, 2*requestTimeout, params)
}