package scheduler_test

import (
	. "github.com/onsi/ginkgo/extensions/table"

	. "github.com/onsi/ginkgo"
	. "github.com/onsi/gomega"

	. "check/validators/master/scheduler"
)

// Scheduler specs: table-driven checks of the kube-scheduler flag validators,
// run against flag lists that stand for known cluster configurations.
var _ = Describe("Scheduler", func() {
	// kubeSchedulerCISCompliant uses secure defaults or follows CIS guidelines
	// explicitly: profiling is switched off and no bind address is given.
	kubeSchedulerCISCompliant := []string{
		"--profiling=false",
	}

	// kubeSchedulerCasablanca was obtained from a virtual environment for testing
	// (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
	// It listens on every interface (0.0.0.0) and never mentions --profiling.
	kubeSchedulerCasablanca := []string{
		"--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
		"--address=0.0.0.0",
	}

	// kubeSchedulerDublin was obtained from a virtual environment for testing
	// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
	// Profiling is disabled here, but the address is still 0.0.0.0.
	kubeSchedulerDublin := []string{
		"--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
		"--address=0.0.0.0",
		"--profiling=false",
		"--leader-elect=true",
		"--v=2",
	}

	// expectProfilingDisabled compares the IsProfilingDisabled verdict for one
	// flag list with the value the table entry declares.
	expectProfilingDisabled := func(args []string, want bool) {
		Expect(IsProfilingDisabled(args)).To(Equal(want))
	}

	// expectBindAddressAbsentOrLoopback does the same for
	// IsInsecureBindAddressAbsentOrLoopback.
	expectBindAddressAbsentOrLoopback := func(args []string, want bool) {
		Expect(IsInsecureBindAddressAbsentOrLoopback(args)).To(Equal(want))
	}

	Describe("Boolean flag", func() {
		// Only an explicit --profiling=false counts as disabled; a missing flag
		// and --profiling=true are both expected to be reported as not disabled.
		DescribeTable("Profiling", expectProfilingDisabled,
			Entry("Is not set on insecure cluster", []string{}, false),
			Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
			Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
			Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
			Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
		)
	})

	Describe("Address flag", func() {
		// A routable address and the all-interfaces address must both be rejected;
		// a flag list with no --address at all must be accepted.
		// NOTE(review): no entry passes an explicit loopback value (for example
		// --address=127.0.0.1), so only the "absent" half of the accepted cases
		// is exercised by this table.
		DescribeTable("Bind address", expectBindAddressAbsentOrLoopback,
			Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
			Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
			Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
			Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
		)
	})
})