// strongCryptoCiphers is the exact value IsStrongCryptoCipherInUse expects for
// "--tls-cipher-suites=". hasSingleFlagArgument compares it with plain string
// equality, so the operator's list must match this spelling and order verbatim;
// a reordered list or a subset is reported as not strong.
// NOTE(review): the last two suites (TLS_RSA_WITH_AES_*) use static RSA key
// exchange and provide no forward secrecy, unlike the ECDHE suites before them.
// Confirm the list is meant to mirror the benchmark being enforced rather than
// a strictly forward-secret policy.
strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
	"_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
	"_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
	"_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
// IsBasicAuthFileAbsent reports whether no parameter starting with
// "--basic-auth-file=" is present in params, i.e. static basic-auth
// credentials are not configured. The lookup is delegated to isFlagAbsent.
func IsBasicAuthFileAbsent(params []string) bool {
	const flag = "--basic-auth-file="
	return isFlagAbsent(flag, params)
}
// IsTokenAuthFileAbsent reports whether no parameter starting with
// "--token-auth-file=" is present in params, i.e. static token authentication
// is not configured. The lookup is delegated to isFlagAbsent.
func IsTokenAuthFileAbsent(params []string) bool {
	const flag = "--token-auth-file="
	return isFlagAbsent(flag, params)
}
// IsInsecureAllowAnyTokenAbsent reports whether "--insecure-allow-any-token" is
// not among params. The flag is matched by prefix without a trailing "=", so both
// the bare form and a "--insecure-allow-any-token=..." form count as present.
func IsInsecureAllowAnyTokenAbsent(params []string) bool {
	const flag = "--insecure-allow-any-token"
	return isFlagAbsent(flag, params)
}
40 // isFlagAbsent checks absence of selected flag in parameters.
41 func isFlagAbsent(flag string, params []string) bool {
42 found := filterFlags(params, flag)
// IsAnonymousAuthDisabled reports whether "--anonymous-auth=" occurs exactly once
// in params with the value "false". A missing or repeated flag is not treated as
// disabled (see hasSingleFlagArgument).
func IsAnonymousAuthDisabled(params []string) bool {
	const (
		flag = "--anonymous-auth="
		want = "false"
	)
	return hasSingleFlagArgument(flag, want, params)
}
// IsInsecurePortUnbound reports whether "--insecure-port=" occurs exactly once in
// params and is set to the decimal form of portDisabled, which turns the
// unauthenticated listener off. A missing flag is not treated as unbound.
func IsInsecurePortUnbound(params []string) bool {
	disabled := strconv.Itoa(portDisabled)
	return hasSingleFlagArgument("--insecure-port=", disabled, params)
}
// IsProfilingDisabled reports whether "--profiling=" occurs exactly once in params
// with the value "false". A missing or repeated flag is not treated as disabled.
func IsProfilingDisabled(params []string) bool {
	const (
		flag = "--profiling="
		want = "false"
	)
	return hasSingleFlagArgument(flag, want, params)
}
// IsRepairMalformedUpdatesDisabled reports whether "--repair-malformed-updates="
// occurs exactly once in params with the value "false". A missing or repeated
// flag is not treated as disabled.
func IsRepairMalformedUpdatesDisabled(params []string) bool {
	const (
		flag = "--repair-malformed-updates="
		want = "false"
	)
	return hasSingleFlagArgument(flag, want, params)
}
// IsServiceAccountLookupEnabled reports whether "--service-account-lookup="
// occurs exactly once in params with the value "true". A missing or repeated
// flag is not treated as enabled.
func IsServiceAccountLookupEnabled(params []string) bool {
	const (
		flag = "--service-account-lookup="
		want = "true"
	)
	return hasSingleFlagArgument(flag, want, params)
}
// IsStrongCryptoCipherInUse reports whether "--tls-cipher-suites=" occurs exactly
// once in params and its value equals strongCryptoCiphers byte for byte.
// hasSingleFlagArgument uses plain string equality, so the same suites in a
// different order, or a subset of them, are reported as not strong.
func IsStrongCryptoCipherInUse(params []string) bool {
	const flag = "--tls-cipher-suites="
	return hasSingleFlagArgument(flag, strongCryptoCiphers, params)
}
79 // hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
80 func hasSingleFlagArgument(flag string, argument string, params []string) bool {
81 found := filterFlags(params, flag)
86 _, value := splitKV(found[0], "=")
87 if value != argument {
93 // filterFlags returns all occurrences of selected flag.
94 func filterFlags(strs []string, flag string) []string {
96 for _, str := range strs {
97 if strings.HasPrefix(str, flag) {
98 filtered = append(filtered, str)
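// splitKV splits s into the key before the first occurrence of sep and the
// value after it.
//
// When sep does not occur in s (for example a bare "--flag" passed without
// "=value") the whole string is returned as the key and the value is empty.
// The previous implementation indexed the second element unconditionally and
// panicked in that case, which let a single malformed command line abort the
// whole check run.
func splitKV(s, sep string) (string, string) {
	parts := strings.SplitN(s, sep, 2)
	switch len(parts) {
	case 0:
		// Only reachable for s == "" with sep == "": SplitN returns no elements.
		return "", ""
	case 1:
		return parts[0], ""
	default:
		return parts[0], parts[1]
	}
}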
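// IsKubeletHTTPSAbsentOrEnabled reports whether "--kubelet-https=" is either
// absent from params (so the server's default applies) or present exactly once
// with the value "true". Any other value, or a repeated flag, is reported as
// not enabled.
func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
	const flag = "--kubelet-https="
	return isFlagAbsent(flag, params) ||
		hasSingleFlagArgument(flag, "true", params)
}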
// IsInsecureBindAddressAbsentOrLoopback reports whether "--insecure-bind-address="
// is absent from params or present exactly once with the value "127.0.0.1".
// Only that literal spelling is accepted; other loopback forms such as "::1" or
// "localhost" are reported as not loopback.
func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
	const (
		flag     = "--insecure-bind-address="
		loopback = "127.0.0.1"
	)
	if isFlagAbsent(flag, params) {
		return true
	}
	return hasSingleFlagArgument(flag, loopback, params)
}
// IsSecurePortAbsentOrValid reports whether "--secure-port=" is absent from params
// (the default port applies) or, when present, carries a port accepted by
// hasFlagValidPort.
func IsSecurePortAbsentOrValid(params []string) bool {
	const flag = "--secure-port="
	if isFlagAbsent(flag, params) {
		return true
	}
	return hasFlagValidPort(flag, params)
}
128 // hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
129 func hasFlagValidPort(flag string, params []string) bool {
130 found := filterFlags(params, flag)
135 _, value := splitKV(found[0], "=")
136 port, err := strconv.Atoi(value) // what about empty parameter?
140 if port < portLowest || port > portHighest {
146 // IsAlwaysAdmitAdmissionControlPluginExcluded validates AlwaysAdmit is excluded from admission control plugins.
147 func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
148 if isSingleFlagPresent("--enable-admission-plugins=", params) {
149 return !hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysAdmit", params)
151 if isSingleFlagPresent("--admission-control=", params) {
152 return !hasFlagArgumentIncluded("--admission-control=", "AlwaysAdmit", params)
157 // IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is included in admission control plugins.
158 func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
159 if isSingleFlagPresent("--enable-admission-plugins=", params) {
160 return hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysPullImages", params)
162 if isSingleFlagPresent("--admission-control=", params) {
163 return hasFlagArgumentIncluded("--admission-control=", "AlwaysPullImages", params)
168 // IsDenyEscalatingExecAdmissionControlPluginIncluded validates DenyEscalatingExec is included in admission control plugins.
169 func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
170 if isSingleFlagPresent("--enable-admission-plugins=", params) {
171 return hasFlagArgumentIncluded("--enable-admission-plugins=", "DenyEscalatingExec", params)
173 if isSingleFlagPresent("--admission-control=", params) {
174 return hasFlagArgumentIncluded("--admission-control=", "DenyEscalatingExec", params)
179 // IsSecurityContextDenyAdmissionControlPluginIncluded validates SecurityContextDeny is included in admission control plugins.
180 func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
181 if isSingleFlagPresent("--enable-admission-plugins=", params) {
182 return hasFlagArgumentIncluded("--enable-admission-plugins=", "SecurityContextDeny", params)
184 if isSingleFlagPresent("--admission-control=", params) {
185 return hasFlagArgumentIncluded("--admission-control=", "SecurityContextDeny", params)
190 // IsPodSecurityPolicyAdmissionControlPluginIncluded validates PodSecurityPolicy is included in admission control plugins.
191 func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
192 if isSingleFlagPresent("--enable-admission-plugins=", params) {
193 return hasFlagArgumentIncluded("--enable-admission-plugins=", "PodSecurityPolicy", params)
195 if isSingleFlagPresent("--admission-control=", params) {
196 return hasFlagArgumentIncluded("--admission-control=", "PodSecurityPolicy", params)
201 // IsServiceAccountAdmissionControlPluginIncluded validates ServiceAccount is included in admission control plugins.
202 func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
203 if isSingleFlagPresent("--enable-admission-plugins=", params) {
204 return hasFlagArgumentIncluded("--enable-admission-plugins=", "ServiceAccount", params)
206 if isSingleFlagPresent("--admission-control=", params) {
207 return hasFlagArgumentIncluded("--admission-control=", "ServiceAccount", params)
212 // IsNodeRestrictionAdmissionControlPluginIncluded validates NodeRestriction is included in admission control plugins.
213 func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
214 if isSingleFlagPresent("--enable-admission-plugins=", params) {
215 return hasFlagArgumentIncluded("--enable-admission-plugins=", "NodeRestriction", params)
217 if isSingleFlagPresent("--admission-control=", params) {
218 return hasFlagArgumentIncluded("--admission-control=", "NodeRestriction", params)
223 // IsEventRateLimitAdmissionControlPluginIncluded validates EventRateLimit is included in admission control plugins.
224 func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
225 if isSingleFlagPresent("--enable-admission-plugins=", params) {
226 return hasFlagArgumentIncluded("--enable-admission-plugins=", "EventRateLimit", params)
228 if isSingleFlagPresent("--admission-control=", params) {
229 return hasFlagArgumentIncluded("--admission-control=", "EventRateLimit", params)
234 // IsNamespaceLifecycleAdmissionControlPluginNotExcluded validates NamespaceLifecycle is excluded from admission control plugins.
235 func IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params []string) bool {
236 if isSingleFlagPresent("--disable-admission-plugins=", params) {
237 return !hasFlagArgumentIncluded("--disable-admission-plugins=", "NamespaceLifecycle", params)
242 // isSingleFlagPresent checks presence of selected flag and whether it was used once.
243 func isSingleFlagPresent(flag string, params []string) bool {
244 found := filterFlags(params, flag)
251 // hasFlagArgumentIncluded checks whether selected flag includes requested argument.
252 func hasFlagArgumentIncluded(flag string, argument string, params []string) bool {
253 found := filterFlags(params, flag)
258 _, values := splitKV(found[0], "=")
259 for _, v := range strings.Split(values, ",") {
// IsAlwaysAllowAuthorizationModeExcluded reports whether "--authorization-mode="
// is present exactly once in params and its comma-separated value does not
// contain "AlwaysAllow". A missing flag is reported as not excluded, because the
// mode list cannot be verified in that case.
func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
	const flag = "--authorization-mode="
	if !isSingleFlagPresent(flag, params) {
		return false
	}
	return !hasFlagArgumentIncluded(flag, "AlwaysAllow", params)
}
// IsNodeAuthorizationModeIncluded reports whether the comma-separated value of
// "--authorization-mode=" in params contains "Node". Unlike
// IsAlwaysAllowAuthorizationModeExcluded it does not first require the flag to
// occur exactly once; that is left to hasFlagArgumentIncluded.
func IsNodeAuthorizationModeIncluded(params []string) bool {
	const (
		flag = "--authorization-mode="
		mode = "Node"
	)
	return hasFlagArgumentIncluded(flag, mode, params)
}
// IsAuditLogPathSet reports whether "--audit-log-path=" occurs exactly once in
// params with a non-empty value, i.e. API audit logging is written somewhere.
func IsAuditLogPathSet(params []string) bool {
	const flag = "--audit-log-path="
	return hasSingleFlagNonemptyArgument(flag, params)
}
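// IsKubeletCertificateAuthoritySet reports whether "--kubelet-certificate-authority="
// occurs exactly once in params with a non-empty value.
//
// The flag prefix carries the trailing "=" like the other checks in this file:
// a bare "--kubelet-certificate-authority" without "=value" is then reported as
// not set instead of reaching splitKV with no separator to split on.
func IsKubeletCertificateAuthoritySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--kubelet-certificate-authority=", params)
}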
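// IsClientCertificateAuthoritySet reports whether "--client-ca-file=" occurs
// exactly once in params with a non-empty value.
//
// The flag prefix carries the trailing "=" like the other checks in this file:
// a bare "--client-ca-file" without "=value" is then reported as not set
// instead of reaching splitKV with no separator to split on.
func IsClientCertificateAuthoritySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--client-ca-file=", params)
}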
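// IsEtcdCertificateAuthoritySet reports whether "--etcd-cafile=" occurs exactly
// once in params with a non-empty value.
//
// The flag prefix carries the trailing "=" like the other checks in this file:
// a bare "--etcd-cafile" without "=value" is then reported as not set instead
// of reaching splitKV with no separator to split on.
func IsEtcdCertificateAuthoritySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--etcd-cafile=", params)
}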
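// IsServiceAccountKeySet reports whether "--service-account-key-file=" occurs
// exactly once in params with a non-empty value.
//
// The flag prefix carries the trailing "=" like the other checks in this file:
// a bare "--service-account-key-file" without "=value" is then reported as not
// set instead of reaching splitKV with no separator to split on.
func IsServiceAccountKeySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--service-account-key-file=", params)
}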
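// IsKubeletClientCertificateAndKeySet reports whether both
// "--kubelet-client-certificate=" and "--kubelet-client-key=" occur exactly once
// in params with non-empty values, i.e. the API server presents a client
// certificate to kubelets.
//
// Both prefixes carry the trailing "=" like the other checks in this file, so a
// bare flag without "=value" is reported as not set instead of reaching splitKV
// with no separator to split on.
func IsKubeletClientCertificateAndKeySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--kubelet-client-certificate=", params) &&
		hasSingleFlagNonemptyArgument("--kubelet-client-key=", params)
}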
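// IsEtcdCertificateAndKeySet reports whether both "--etcd-certfile=" and
// "--etcd-keyfile=" occur exactly once in params with non-empty values, i.e. the
// API server authenticates to etcd with a client certificate.
//
// Both prefixes carry the trailing "=" like the other checks in this file, so a
// bare flag without "=value" is reported as not set instead of reaching splitKV
// with no separator to split on.
func IsEtcdCertificateAndKeySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--etcd-certfile=", params) &&
		hasSingleFlagNonemptyArgument("--etcd-keyfile=", params)
}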
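// IsTLSCertificateAndKeySet reports whether both "--tls-cert-file=" and
// "--tls-private-key-file=" occur exactly once in params with non-empty values,
// i.e. the API server's serving certificate is configured explicitly.
//
// Both prefixes carry the trailing "=" like the other checks in this file, so a
// bare flag without "=value" is reported as not set instead of reaching splitKV
// with no separator to split on.
func IsTLSCertificateAndKeySet(params []string) bool {
	return hasSingleFlagNonemptyArgument("--tls-cert-file=", params) &&
		hasSingleFlagNonemptyArgument("--tls-private-key-file=", params)
}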
321 // hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
322 func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
323 found := filterFlags(params, flag)
328 _, value := splitKV(found[0], "=")
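// IsAuditLogMaxAgeValid reports whether "--audit-log-maxage=" occurs exactly once
// in params with an integer value of at least auditLogAge (see
// hasSingleFlagRecommendedNumericArgument). An absent flag is reported as invalid.
//
// The flag prefix carries the trailing "=" like the other checks in this file,
// so a bare "--audit-log-maxage" without "=value" is reported as invalid instead
// of reaching splitKV with no separator to split on.
func IsAuditLogMaxAgeValid(params []string) bool {
	return hasSingleFlagRecommendedNumericArgument("--audit-log-maxage=", auditLogAge, params)
}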
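// IsAuditLogMaxBackupValid reports whether "--audit-log-maxbackup=" occurs exactly
// once in params with an integer value of at least auditLogBackups (see
// hasSingleFlagRecommendedNumericArgument). An absent flag is reported as invalid.
//
// The flag prefix carries the trailing "=" like the other checks in this file,
// so a bare "--audit-log-maxbackup" without "=value" is reported as invalid
// instead of reaching splitKV with no separator to split on.
func IsAuditLogMaxBackupValid(params []string) bool {
	return hasSingleFlagRecommendedNumericArgument("--audit-log-maxbackup=", auditLogBackups, params)
}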
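// IsAuditLogMaxSizeValid reports whether "--audit-log-maxsize=" occurs exactly
// once in params with an integer value of at least auditLogSize (see
// hasSingleFlagRecommendedNumericArgument). An absent flag is reported as invalid.
//
// The flag prefix carries the trailing "=" like the other checks in this file,
// so a bare "--audit-log-maxsize" without "=value" is reported as invalid
// instead of reaching splitKV with no separator to split on.
func IsAuditLogMaxSizeValid(params []string) bool {
	return hasSingleFlagRecommendedNumericArgument("--audit-log-maxsize=", auditLogSize, params)
}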
350 // hasSingleFlagRecommendedNumericArgument checks whether selected flag was used once and has
351 // an argument that is greater or equal than the recommended value for given command.
352 func hasSingleFlagRecommendedNumericArgument(flag string, recommendation int, params []string) bool {
353 found := filterFlags(params, flag)
358 _, value := splitKV(found[0], "=")
359 arg, err := strconv.Atoi(value) // what about empty parameter?
363 if arg < recommendation {
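// IsRequestTimeoutValid reports whether "--request-timeout=" is either absent from
// params (so the server's default applies) or present exactly once with an
// integer value between requestTimeout and 2*requestTimeout inclusive (see
// hasSingleFlagValidTimeout).
//
// The flag prefix carries the trailing "=" like the other checks in this file,
// so a bare "--request-timeout" without "=value" is reported as invalid instead
// of reaching splitKV with no separator to split on.
//
// NOTE(review): hasSingleFlagValidTimeout parses the value with strconv.Atoi, so
// a value carrying a unit suffix (e.g. "60s") does not parse — confirm the format
// this flag is expected to take before relying on the check.
func IsRequestTimeoutValid(params []string) bool {
	const flag = "--request-timeout="
	return isFlagAbsent(flag, params) ||
		hasSingleFlagValidTimeout(flag, requestTimeout, 2*requestTimeout, params)
}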
375 // hasSingleFlagValidTimeout checks whether selected flag has valid timeout as an argument in given command.
376 func hasSingleFlagValidTimeout(flag string, min int, max int, params []string) bool {
377 found := filterFlags(params, flag)
382 _, value := splitKV(found[0], "=")
383 timeout, err := strconv.Atoi(value) // what about empty parameter?
387 if timeout < min || timeout > max {