6 "check/validators/master/args"
7 "check/validators/master/boolean"
// strongCryptoCiphers is the exact "--tls-cipher-suites" argument the master
// validator expects. All suites are AEAD (GCM / ChaCha20-Poly1305); the first six
// use ECDHE key exchange, while the last two (TLS_RSA_WITH_AES_*_GCM_*) use static
// RSA key exchange and therefore do not provide forward secrecy.
// NOTE(review): consider dropping the two TLS_RSA_* suites once all clients can
// negotiate the ECDHE ones. IsStrongCryptoCipherInUse hands this whole string to
// args.HasSingleFlagArgument as the expected value, so presumably a permutation or a
// stricter subset of the list is reported as non-compliant -- confirm against that helper.
strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
	"_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
	"_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
	"_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
// IsBasicAuthFileAbsent validates that no static basic-auth credential file is
// configured, i.e. no "--basic-auth-file=" flag appears in params (as judged by
// boolean.IsFlagAbsent). params are the API server command-line arguments.
func IsBasicAuthFileAbsent(params []string) bool {
	return boolean.IsFlagAbsent("--basic-auth-file=", params)
// IsTokenAuthFileAbsent validates that no static bearer-token file is configured,
// i.e. no "--token-auth-file=" flag appears in params (as judged by
// boolean.IsFlagAbsent). params are the API server command-line arguments.
func IsTokenAuthFileAbsent(params []string) bool {
	return boolean.IsFlagAbsent("--token-auth-file=", params)
// IsInsecureAllowAnyTokenAbsent validates that the "--insecure-allow-any-token"
// flag does not appear in params at all. The flag name is passed without a
// trailing "=" because a boolean flag may be given bare; presumably an explicit
// "--insecure-allow-any-token=false" is therefore also reported as present
// (failing the check) -- TODO confirm against boolean.IsFlagAbsent.
func IsInsecureAllowAnyTokenAbsent(params []string) bool {
	return boolean.IsFlagAbsent("--insecure-allow-any-token", params)
// IsAnonymousAuthDisabled validates there is a single "--anonymous-auth" flag in
// params and its argument is exactly "false". An absent flag fails the check: the
// caller must disable anonymous requests explicitly rather than rely on defaults.
func IsAnonymousAuthDisabled(params []string) bool {
	return args.HasSingleFlagArgument("--anonymous-auth=", "false", params)
// IsInsecurePortUnbound validates there is a single "--insecure-port" flag in
// params and it is set to portDisabled (0), i.e. the plaintext, unauthenticated
// listener is switched off. An absent flag fails the check.
// NOTE(review): because an explicit flag is required, this check cannot pass on
// API server builds that no longer accept "--insecure-port" at all -- confirm
// the target version before treating a miss as a finding.
func IsInsecurePortUnbound(params []string) bool {
	return args.HasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
// IsProfilingDisabled validates there is a single "--profiling" flag in params and
// it is set to "false", so the pprof endpoints are not exposed. An absent flag
// fails the check.
func IsProfilingDisabled(params []string) bool {
	return args.HasSingleFlagArgument("--profiling=", "false", params)
// IsRepairMalformedUpdatesDisabled validates there is a single
// "--repair-malformed-updates" flag in params and it is set to "false". An absent
// flag fails the check.
func IsRepairMalformedUpdatesDisabled(params []string) bool {
	return args.HasSingleFlagArgument("--repair-malformed-updates=", "false", params)
// IsServiceAccountLookupEnabled validates there is a single
// "--service-account-lookup" flag in params and it is set to "true", so a
// presented service-account token is checked against the live ServiceAccount
// object rather than accepted on signature alone. An absent flag fails the check.
func IsServiceAccountLookupEnabled(params []string) bool {
	return args.HasSingleFlagArgument("--service-account-lookup=", "true", params)
// IsStrongCryptoCipherInUse validates there is a single "--tls-cipher-suites=" flag
// in params whose argument equals strongCryptoCiphers. The comparison is against
// the full expected string, so presumably the same suites in a different order, or
// a stricter subset, do not pass -- TODO confirm against args.HasSingleFlagArgument.
// An absent flag fails the check.
func IsStrongCryptoCipherInUse(params []string) bool {
	return args.HasSingleFlagArgument("--tls-cipher-suites=", strongCryptoCiphers, params)
// IsKubeletHTTPSAbsentOrEnabled validates that the "--kubelet-https" flag is either
// absent from params (server default) or present exactly once with the argument
// "true". A repeated flag, or any value other than "true", fails the check.
func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
	return boolean.IsFlagAbsent("--kubelet-https=", params) ||
		args.HasSingleFlagArgument("--kubelet-https=", "true", params)
// IsInsecureBindAddressAbsentOrLoopback validates that the "--insecure-bind-address"
// flag is either absent from params or present exactly once with the literal
// argument "127.0.0.1". Other loopback spellings ("localhost", "::1") are not
// recognised and fail the check, which is the conservative outcome for a
// plaintext listener.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
	return boolean.IsFlagAbsent("--insecure-bind-address=", params) ||
		args.HasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
// IsSecurePortAbsentOrValid validates that the "--secure-port" flag is either absent
// from params or present exactly once with a legal port value. What counts as a
// legal port is decided by args.HasSingleFlagValidPort (not visible here).
func IsSecurePortAbsentOrValid(params []string) bool {
	return boolean.IsFlagAbsent("--secure-port=", params) ||
		args.HasSingleFlagValidPort("--secure-port=", params)
// IsAlwaysAdmitAdmissionControlPluginExcluded validates that the AlwaysAdmit plugin
// is not listed in the enabled admission plugins. The current
// "--enable-admission-plugins=" flag takes precedence; the legacy
// "--admission-control=" flag is consulted only when the current one is not
// present exactly once. The result when neither flag is present is decided by
// code outside this view.
func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
	// Current flag: AlwaysAdmit must not appear in the enabled list.
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return !args.HasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysAdmit", params)
	// Legacy flag: same rule.
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return !args.HasFlagArgumentIncluded("--admission-control=", "AlwaysAdmit", params)
// IsAlwaysPullImagesAdmissionControlPluginIncluded validates that the AlwaysPullImages
// plugin is listed in the enabled admission plugins, checking the current
// "--enable-admission-plugins=" flag first and the legacy "--admission-control="
// flag only when the current one is not present exactly once. The result when
// neither flag is present is decided by code outside this view.
func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysPullImages", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "AlwaysPullImages", params)
// IsDenyEscalatingExecAdmissionControlPluginIncluded validates that the
// DenyEscalatingExec plugin is listed in the enabled admission plugins, checking
// the current "--enable-admission-plugins=" flag first and the legacy
// "--admission-control=" flag only when the current one is not present exactly
// once. The result when neither flag is present is decided by code outside this view.
// NOTE(review): upstream has deprecated this plugin in favour of pod security
// controls; confirm the target API server version still ships it before treating
// a miss as a finding.
func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "DenyEscalatingExec", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "DenyEscalatingExec", params)
// IsSecurityContextDenyAdmissionControlPluginIncluded validates that the
// SecurityContextDeny plugin is listed in the enabled admission plugins, checking
// the current "--enable-admission-plugins=" flag first and the legacy
// "--admission-control=" flag only when the current one is not present exactly
// once. The result when neither flag is present is decided by code outside this view.
func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "SecurityContextDeny", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "SecurityContextDeny", params)
// IsPodSecurityPolicyAdmissionControlPluginIncluded validates that the
// PodSecurityPolicy plugin is listed in the enabled admission plugins, checking
// the current "--enable-admission-plugins=" flag first and the legacy
// "--admission-control=" flag only when the current one is not present exactly
// once. The result when neither flag is present is decided by code outside this view.
// NOTE(review): enabling the plugin is necessary but not sufficient -- without at
// least one PodSecurityPolicy object and RBAC granting "use" on it, pod creation
// is blocked rather than constrained; that is outside what this flag check can see.
func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "PodSecurityPolicy", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "PodSecurityPolicy", params)
// IsServiceAccountAdmissionControlPluginIncluded validates that the ServiceAccount
// plugin is listed in the enabled admission plugins, checking the current
// "--enable-admission-plugins=" flag first and the legacy "--admission-control="
// flag only when the current one is not present exactly once. The result when
// neither flag is present is decided by code outside this view.
func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "ServiceAccount", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "ServiceAccount", params)
// IsNodeRestrictionAdmissionControlPluginIncluded validates that the NodeRestriction
// plugin is listed in the enabled admission plugins, checking the current
// "--enable-admission-plugins=" flag first and the legacy "--admission-control="
// flag only when the current one is not present exactly once. The result when
// neither flag is present is decided by code outside this view.
// NodeRestriction is only effective together with the Node authorizer; see
// IsNodeAuthorizationModeIncluded for that half of the check.
func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "NodeRestriction", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "NodeRestriction", params)
// IsEventRateLimitAdmissionControlPluginIncluded validates that the EventRateLimit
// plugin is listed in the enabled admission plugins, checking the current
// "--enable-admission-plugins=" flag first and the legacy "--admission-control="
// flag only when the current one is not present exactly once. The result when
// neither flag is present is decided by code outside this view. The plugin's
// limits come from an admission configuration file, which this check does not inspect.
func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--enable-admission-plugins=", params) {
		return args.HasFlagArgumentIncluded("--enable-admission-plugins=", "EventRateLimit", params)
	if boolean.IsSingleFlagPresent("--admission-control=", params) {
		return args.HasFlagArgumentIncluded("--admission-control=", "EventRateLimit", params)
// IsNamespaceLifecycleAdmissionControlPluginNotExcluded validates that the
// NamespaceLifecycle plugin has NOT been disabled: when a single
// "--disable-admission-plugins=" flag is present, NamespaceLifecycle must not appear
// in it. The result when that flag is absent is decided by code outside this view.
// NOTE(review): only the disable list is inspected here; a legacy
// "--admission-control=" list that simply omits NamespaceLifecycle would not be
// caught by the visible branch -- confirm whether the remainder of the function
// handles that case.
func IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params []string) bool {
	if boolean.IsSingleFlagPresent("--disable-admission-plugins=", params) {
		return !args.HasFlagArgumentIncluded("--disable-admission-plugins=", "NamespaceLifecycle", params)
// IsAlwaysAllowAuthorizationModeExcluded validates that "--authorization-mode=" is
// present exactly once in params and that AlwaysAllow is not among its modes.
// An absent flag deliberately fails the check: the server must opt in to a
// restrictive authorizer explicitly rather than fall back to its built-in default.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
	return boolean.IsSingleFlagPresent("--authorization-mode=", params) &&
		!args.HasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
// IsNodeAuthorizationModeIncluded validates that Node is among the modes given to
// "--authorization-mode=" in params. Unlike IsAlwaysAllowAuthorizationModeExcluded
// there is no single-flag guard here, so a repeated "--authorization-mode" flag is
// not rejected by this check -- NOTE(review): consider aligning with the sibling
// check so both fail closed on a duplicated flag.
func IsNodeAuthorizationModeIncluded(params []string) bool {
	return args.HasFlagArgumentIncluded("--authorization-mode=", "Node", params)
// IsAuditLogPathSet validates there is a single "--audit-log-path" flag in params
// with a non-empty argument, i.e. the API server audit log is written somewhere.
// The path itself is not validated (existence, permissions, or "-" for stdout).
func IsAuditLogPathSet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--audit-log-path=", params)
// IsKubeletCertificateAuthoritySet validates there is a single
// "--kubelet-certificate-authority" flag in params with a non-empty argument, so the
// API server verifies kubelet serving certificates instead of connecting blindly.
// The flag name is passed without a trailing "=" (IsAuditLogPathSet passes one);
// presumably args.HasSingleFlagNonemptyArgument treats both spellings alike -- TODO confirm.
func IsKubeletCertificateAuthoritySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--kubelet-certificate-authority", params)
// IsClientCertificateAuthoritySet validates there is a single "--client-ca-file"
// flag in params with a non-empty argument, enabling client-certificate
// authentication against that CA. The flag name is passed without a trailing "="
// (IsAuditLogPathSet passes one); presumably args.HasSingleFlagNonemptyArgument
// treats both spellings alike -- TODO confirm.
func IsClientCertificateAuthoritySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--client-ca-file", params)
// IsEtcdCertificateAuthoritySet validates there is a single "--etcd-cafile" flag in
// params with a non-empty argument, so the etcd server certificate is verified.
// The flag name is passed without a trailing "=" (IsAuditLogPathSet passes one);
// presumably args.HasSingleFlagNonemptyArgument treats both spellings alike -- TODO confirm.
func IsEtcdCertificateAuthoritySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--etcd-cafile", params)
// IsServiceAccountKeySet validates there is a single "--service-account-key-file"
// flag in params with a non-empty argument, i.e. service-account tokens are
// verified with an explicitly configured key rather than the TLS private key.
// The flag name is passed without a trailing "=" (IsAuditLogPathSet passes one);
// presumably args.HasSingleFlagNonemptyArgument treats both spellings alike -- TODO confirm.
func IsServiceAccountKeySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--service-account-key-file", params)
// IsKubeletClientCertificateAndKeySet validates that both "--kubelet-client-certificate"
// and "--kubelet-client-key" appear exactly once in params with non-empty arguments,
// so the API server authenticates itself to kubelets with a client certificate.
// Both must be set; either one alone fails the check.
func IsKubeletClientCertificateAndKeySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--kubelet-client-certificate", params) &&
		args.HasSingleFlagNonemptyArgument("--kubelet-client-key", params)
// IsEtcdCertificateAndKeySet validates that both "--etcd-certfile" and
// "--etcd-keyfile" appear exactly once in params with non-empty arguments, so the
// API server presents a client certificate to etcd. Both must be set; either one
// alone fails the check.
func IsEtcdCertificateAndKeySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--etcd-certfile", params) &&
		args.HasSingleFlagNonemptyArgument("--etcd-keyfile", params)
// IsTLSCertificateAndKeySet validates that both "--tls-cert-file" and
// "--tls-private-key-file" appear exactly once in params with non-empty arguments,
// so the secure listener uses an operator-supplied certificate rather than a
// self-signed one generated at startup. Both must be set; either one alone fails
// the check.
func IsTLSCertificateAndKeySet(params []string) bool {
	return args.HasSingleFlagNonemptyArgument("--tls-cert-file", params) &&
		args.HasSingleFlagNonemptyArgument("--tls-private-key-file", params)
// IsAuditLogMaxAgeValid validates there is a single "--audit-log-maxage" flag in
// params whose numeric argument satisfies the recommended value auditLogAge
// (declared outside this view). Whether "satisfies" means equal or at-least is
// decided by args.HasSingleFlagRecommendedNumericArgument.
func IsAuditLogMaxAgeValid(params []string) bool {
	return args.HasSingleFlagRecommendedNumericArgument("--audit-log-maxage", auditLogAge, params)
// IsAuditLogMaxBackupValid validates there is a single "--audit-log-maxbackup" flag
// in params whose numeric argument satisfies the recommended number of retained
// audit log files, auditLogBackups (declared outside this view). Whether
// "satisfies" means equal or at-least is decided by
// args.HasSingleFlagRecommendedNumericArgument.
func IsAuditLogMaxBackupValid(params []string) bool {
	return args.HasSingleFlagRecommendedNumericArgument("--audit-log-maxbackup", auditLogBackups, params)
// IsAuditLogMaxSizeValid validates there is a single "--audit-log-maxsize" flag in
// params whose numeric argument satisfies the recommended audit log size before
// rotation, auditLogSize (declared outside this view). Whether "satisfies" means
// equal or at-least is decided by args.HasSingleFlagRecommendedNumericArgument.
func IsAuditLogMaxSizeValid(params []string) bool {
	return args.HasSingleFlagRecommendedNumericArgument("--audit-log-maxsize", auditLogSize, params)
// IsRequestTimeoutValid validates that the "--request-timeout" flag is either absent
// from params (server default applies) or present exactly once with a timeout that
// args.HasSingleFlagValidTimeout accepts between requestTimeout and 2*requestTimeout
// (both declared outside this view). Units and inclusiveness of the bounds are
// decided by that helper, not here.
func IsRequestTimeoutValid(params []string) bool {
	return boolean.IsFlagAbsent("--request-timeout", params) ||
		args.HasSingleFlagValidTimeout("--request-timeout", requestTimeout, 2*requestTimeout, params)