k8s: Extract common validators for DRY code
1 package api
2
3 import (
4         "strconv"
5
6         "check/validators/master/args"
7         "check/validators/master/boolean"
8 )
9
const (
	// portDisabled is the "--insecure-port" value that switches the
	// unauthenticated listener off; IsInsecurePortUnbound renders it with
	// strconv.Itoa before comparing it against the flag argument.
	portDisabled = 0

	// Recommended values for the audit log rotation flags
	// ("--audit-log-maxage", "--audit-log-maxbackup", "--audit-log-maxsize").
	// Whether "recommended" means equal-to or at-least is decided by
	// args.HasSingleFlagRecommendedNumericArgument, not here.
	auditLogAge     = 30
	auditLogBackups = 10
	auditLogSize    = 100

	// strongCryptoCiphers is the full "--tls-cipher-suites" argument expected by
	// IsStrongCryptoCipherInUse, as one comma-separated string.
	// NOTE(review): presumably compared verbatim by args.HasSingleFlagArgument,
	// so the same suites in a different order would not match — confirm.
	strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
		"_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
		"_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
		"_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"

	// requestTimeout is passed to args.HasSingleFlagValidTimeout by
	// IsRequestTimeoutValid together with 2*requestTimeout, presumably as the
	// lower and upper bound of the accepted range. The unit is defined by that
	// helper — TODO confirm (seconds?).
	requestTimeout = 60
)
24
// IsBasicAuthFileAbsent validates that no static basic-auth credential file is
// configured through "--basic-auth-file".
func IsBasicAuthFileAbsent(params []string) bool {
	const flag = "--basic-auth-file="
	return boolean.IsFlagAbsent(flag, params)
}
29
// IsTokenAuthFileAbsent validates that no static token file is configured
// through "--token-auth-file".
func IsTokenAuthFileAbsent(params []string) bool {
	absent := boolean.IsFlagAbsent("--token-auth-file=", params)
	return absent
}
34
// IsInsecureAllowAnyTokenAbsent validates "--insecure-allow-any-token" is not
// set. The flag is matched without a trailing "=", presumably because it is a
// bare switch rather than a key=value argument.
func IsInsecureAllowAnyTokenAbsent(params []string) bool {
	const flag = "--insecure-allow-any-token"
	return boolean.IsFlagAbsent(flag, params)
}
39
// IsAnonymousAuthDisabled validates "--anonymous-auth" occurs as a single flag
// and its argument is "false".
func IsAnonymousAuthDisabled(params []string) bool {
	const (
		flag  = "--anonymous-auth="
		value = "false"
	)
	return args.HasSingleFlagArgument(flag, value, params)
}
44
// IsInsecurePortUnbound validates "--insecure-port" occurs as a single flag and
// is set to portDisabled ("0"), i.e. the unauthenticated listener is off.
func IsInsecurePortUnbound(params []string) bool {
	want := strconv.Itoa(portDisabled)
	return args.HasSingleFlagArgument("--insecure-port=", want, params)
}
49
// IsProfilingDisabled validates "--profiling" occurs as a single flag and its
// argument is "false".
func IsProfilingDisabled(params []string) bool {
	const flag = "--profiling="
	return args.HasSingleFlagArgument(flag, "false", params)
}
54
// IsRepairMalformedUpdatesDisabled validates "--repair-malformed-updates"
// occurs as a single flag and its argument is "false".
func IsRepairMalformedUpdatesDisabled(params []string) bool {
	const (
		flag  = "--repair-malformed-updates="
		value = "false"
	)
	return args.HasSingleFlagArgument(flag, value, params)
}
59
// IsServiceAccountLookupEnabled validates "--service-account-lookup" occurs as
// a single flag and its argument is "true".
func IsServiceAccountLookupEnabled(params []string) bool {
	enabled := args.HasSingleFlagArgument("--service-account-lookup=", "true", params)
	return enabled
}
64
// IsStrongCryptoCipherInUse validates "--tls-cipher-suites" occurs as a single
// flag and its argument equals strongCryptoCiphers. The comparison is delegated
// to args.HasSingleFlagArgument and is presumably a verbatim string match, so
// the suites must be listed in the same order as in the constant.
func IsStrongCryptoCipherInUse(params []string) bool {
	const flag = "--tls-cipher-suites="
	return args.HasSingleFlagArgument(flag, strongCryptoCiphers, params)
}
69
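// IsKubeletHTTPSAbsentOrEnabled validates "--kubelet-https" is either absent
// (leaving the upstream default in place) or occurs as a single flag set to
// "true". The previous comment described only the second half of the check.
func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
	const flag = "--kubelet-https="
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagArgument(flag, "true", params)
}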
75
// IsInsecureBindAddressAbsentOrLoopback validates "--insecure-bind-address" is
// either absent or occurs as a single flag bound to the IPv4 loopback address
// "127.0.0.1". Other loopback spellings (for example "::1") are not accepted
// by this check.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
	const flag = "--insecure-bind-address="
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagArgument(flag, "127.0.0.1", params)
}
81
// IsSecurePortAbsentOrValid validates "--secure-port" is either absent
// (upstream default) or occurs as a single flag whose value
// args.HasSingleFlagValidPort accepts.
func IsSecurePortAbsentOrValid(params []string) bool {
	const flag = "--secure-port="
	absent := boolean.IsFlagAbsent(flag, params)
	return absent || args.HasSingleFlagValidPort(flag, params)
}
87
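// admissionControlPlugin is the common body of the admission plugin validators
// below. It looks for the flag that enumerates enabled admission plugins — the
// newer "--enable-admission-plugins" first, the legacy "--admission-control"
// only when the newer one is not present as a single flag — and reports:
//
//   - found:    whether either flag was present (per boolean.IsSingleFlagPresent);
//   - included: whether that flag's argument names plugin
//     (per args.HasFlagArgumentIncluded); always false when found is false.
//
// Validators that assert a plugin is *excluded* must require found, otherwise a
// configuration with no plugin list at all would pass.
func admissionControlPlugin(plugin string, params []string) (found, included bool) {
	for _, flag := range []string{"--enable-admission-plugins=", "--admission-control="} {
		if boolean.IsSingleFlagPresent(flag, params) {
			return true, args.HasFlagArgumentIncluded(flag, plugin, params)
		}
	}
	return false, false
}

// admissionControlPluginIncluded reports whether a plugin list flag is present
// and names plugin; a missing plugin list yields false.
func admissionControlPluginIncluded(plugin string, params []string) bool {
	_, included := admissionControlPlugin(plugin, params)
	return included
}

// IsAlwaysAdmitAdmissionControlPluginExcluded validates AlwaysAdmit is excluded
// from admission control plugins. A missing plugin list fails the check rather
// than passing it, so the absence of configuration is never taken as safe.
func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
	found, included := admissionControlPlugin("AlwaysAdmit", params)
	return found && !included
}

// IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is
// included in admission control plugins.
func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("AlwaysPullImages", params)
}

// IsDenyEscalatingExecAdmissionControlPluginIncluded validates DenyEscalatingExec
// is included in admission control plugins.
func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("DenyEscalatingExec", params)
}

// IsSecurityContextDenyAdmissionControlPluginIncluded validates SecurityContextDeny
// is included in admission control plugins.
func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("SecurityContextDeny", params)
}

// IsPodSecurityPolicyAdmissionControlPluginIncluded validates PodSecurityPolicy is
// included in admission control plugins.
func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("PodSecurityPolicy", params)
}

// IsServiceAccountAdmissionControlPluginIncluded validates ServiceAccount is
// included in admission control plugins.
func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("ServiceAccount", params)
}

// IsNodeRestrictionAdmissionControlPluginIncluded validates NodeRestriction is
// included in admission control plugins.
func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("NodeRestriction", params)
}

// IsEventRateLimitAdmissionControlPluginIncluded validates EventRateLimit is
// included in admission control plugins.
func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
	return admissionControlPluginIncluded("EventRateLimit", params)
}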
175
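// IsNamespaceLifecycleAdmissionControlPluginNotExcluded validates NamespaceLifecycle
// is NOT listed in "--disable-admission-plugins" (the previous comment said the
// opposite). An absent disable list passes, since nothing is then explicitly
// disabled.
// NOTE(review): when the flag occurs more than once, boolean.IsSingleFlagPresent
// presumably reports false and the check passes without inspecting either
// occurrence — confirm that is intended.
func IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params []string) bool {
	const flag = "--disable-admission-plugins="
	if !boolean.IsSingleFlagPresent(flag, params) {
		return true
	}
	return !args.HasFlagArgumentIncluded(flag, "NamespaceLifecycle", params)
}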
183
// IsAlwaysAllowAuthorizationModeExcluded validates "--authorization-mode" is
// present as a single flag and does not list AlwaysAllow. Absence of the flag
// fails the check rather than passing it, so an unconfigured authorizer is
// never treated as safe.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
	const flag = "--authorization-mode="
	if !boolean.IsSingleFlagPresent(flag, params) {
		return false
	}
	return !args.HasFlagArgumentIncluded(flag, "AlwaysAllow", params)
}
189
// IsNodeAuthorizationModeIncluded validates Node is listed in
// "--authorization-mode". Unlike IsAlwaysAllowAuthorizationModeExcluded there
// is no single-flag guard here; the result for an absent or repeated flag is
// whatever args.HasFlagArgumentIncluded returns in that case.
func IsNodeAuthorizationModeIncluded(params []string) bool {
	const (
		flag = "--authorization-mode="
		mode = "Node"
	)
	return args.HasFlagArgumentIncluded(flag, mode, params)
}
194
// IsAuditLogPathSet validates "--audit-log-path" occurs as a single flag with a
// non-empty argument.
func IsAuditLogPathSet(params []string) bool {
	const flag = "--audit-log-path="
	return args.HasSingleFlagNonemptyArgument(flag, params)
}
199
// IsKubeletCertificateAuthoritySet validates "--kubelet-certificate-authority"
// occurs as a single flag with a non-empty argument.
// NOTE(review): the flag is given without a trailing "=", unlike
// IsAuditLogPathSet — confirm args.HasSingleFlagNonemptyArgument handles both.
func IsKubeletCertificateAuthoritySet(params []string) bool {
	set := args.HasSingleFlagNonemptyArgument("--kubelet-certificate-authority", params)
	return set
}
204
// IsClientCertificateAuthoritySet validates "--client-ca-file" occurs as a
// single flag with a non-empty argument.
// NOTE(review): flag given without a trailing "=", unlike IsAuditLogPathSet —
// confirm the helper's matching tolerates both forms.
func IsClientCertificateAuthoritySet(params []string) bool {
	const flag = "--client-ca-file"
	return args.HasSingleFlagNonemptyArgument(flag, params)
}
209
// IsEtcdCertificateAuthoritySet validates "--etcd-cafile" occurs as a single
// flag with a non-empty argument.
func IsEtcdCertificateAuthoritySet(params []string) bool {
	const flag = "--etcd-cafile"
	set := args.HasSingleFlagNonemptyArgument(flag, params)
	return set
}
214
// IsServiceAccountKeySet validates "--service-account-key-file" occurs as a
// single flag with a non-empty argument.
func IsServiceAccountKeySet(params []string) bool {
	const flag = "--service-account-key-file"
	return args.HasSingleFlagNonemptyArgument(flag, params)
}
219
// IsKubeletClientCertificateAndKeySet validates both "--kubelet-client-certificate"
// and "--kubelet-client-key" occur as single flags with non-empty arguments.
func IsKubeletClientCertificateAndKeySet(params []string) bool {
	if !args.HasSingleFlagNonemptyArgument("--kubelet-client-certificate", params) {
		return false
	}
	return args.HasSingleFlagNonemptyArgument("--kubelet-client-key", params)
}
225
// IsEtcdCertificateAndKeySet validates both "--etcd-certfile" and
// "--etcd-keyfile" occur as single flags with non-empty arguments.
func IsEtcdCertificateAndKeySet(params []string) bool {
	for _, flag := range []string{"--etcd-certfile", "--etcd-keyfile"} {
		if !args.HasSingleFlagNonemptyArgument(flag, params) {
			return false
		}
	}
	return true
}
231
// IsTLSCertificateAndKeySet validates both "--tls-cert-file" and
// "--tls-private-key-file" occur as single flags with non-empty arguments.
func IsTLSCertificateAndKeySet(params []string) bool {
	certSet := args.HasSingleFlagNonemptyArgument("--tls-cert-file", params)
	if !certSet {
		return false
	}
	return args.HasSingleFlagNonemptyArgument("--tls-private-key-file", params)
}
237
// IsAuditLogMaxAgeValid validates "--audit-log-maxage" occurs as a single flag
// whose numeric argument args.HasSingleFlagRecommendedNumericArgument accepts
// for the recommended value auditLogAge (equal-to or at-least is the helper's
// decision).
func IsAuditLogMaxAgeValid(params []string) bool {
	const flag = "--audit-log-maxage"
	return args.HasSingleFlagRecommendedNumericArgument(flag, auditLogAge, params)
}
242
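// IsAuditLogMaxBackupValid validates "--audit-log-maxbackup" occurs as a single
// flag whose numeric argument args.HasSingleFlagRecommendedNumericArgument
// accepts for the recommended value auditLogBackups. (The previous comment was
// copied from the max-age validator and described the wrong flag.)
func IsAuditLogMaxBackupValid(params []string) bool {
	const flag = "--audit-log-maxbackup"
	return args.HasSingleFlagRecommendedNumericArgument(flag, auditLogBackups, params)
}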
247
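// IsAuditLogMaxSizeValid validates "--audit-log-maxsize" occurs as a single
// flag whose numeric argument args.HasSingleFlagRecommendedNumericArgument
// accepts for the recommended value auditLogSize. (The previous comment was
// copied from the max-age validator and described the wrong flag.)
func IsAuditLogMaxSizeValid(params []string) bool {
	const flag = "--audit-log-maxsize"
	return args.HasSingleFlagRecommendedNumericArgument(flag, auditLogSize, params)
}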
252
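// IsRequestTimeoutValid validates "--request-timeout" is either absent
// (upstream default) or occurs as a single flag whose value
// args.HasSingleFlagValidTimeout accepts given the bounds requestTimeout and
// 2*requestTimeout. The previous comment claimed the flag had to be set, which
// the absent-branch below contradicts.
// NOTE(review): the flag name is passed without a trailing "=", unlike most
// validators in this file — confirm the helpers match "--request-timeout=VALUE".
func IsRequestTimeoutValid(params []string) bool {
	const flag = "--request-timeout"
	if boolean.IsFlagAbsent(flag, params) {
		return true
	}
	return args.HasSingleFlagValidTimeout(flag, requestTimeout, 2*requestTimeout, params)
}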