14 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
15 func IsBasicAuthFileAbsent(params []string) bool {
16 return isFlagAbsent("--basic-auth-file=", params)
19 // IsTokenAuthFileAbsent validates there is no token based authentication file specified.
20 func IsTokenAuthFileAbsent(params []string) bool {
21 return isFlagAbsent("--token-auth-file=", params)
24 // IsInsecureAllowAnyTokenAbsent validates insecure tokens are not accepted.
25 func IsInsecureAllowAnyTokenAbsent(params []string) bool {
26 return isFlagAbsent("--insecure-allow-any-token", params)
29 // isFlagAbsent checks absence of selected flag in parameters.
// Presence is decided by filterFlags, which matches flag as a literal prefix of
// each element of params.
// NOTE(review): for an audit this is the fail-open direction. A spelling the
// prefix does not cover (for example a flag and its value passed as two separate
// elements, when flag ends in "=") is presumably reported as absent. The lines
// after the filterFlags call are not shown in this listing; confirm.
30 func isFlagAbsent(flag string, params []string) bool {
31 found := filterFlags(params, flag)
38 // IsAnonymousAuthDisabled validates there is single "--anonymous-auth" flag and it is set to "false".
39 func IsAnonymousAuthDisabled(params []string) bool {
40 return hasSingleFlagArgument("--anonymous-auth=", "false", params)
43 // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
44 func IsInsecurePortUnbound(params []string) bool {
45 return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
48 // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
49 func IsProfilingDisabled(params []string) bool {
50 return hasSingleFlagArgument("--profiling=", "false", params)
53 // IsRepairMalformedUpdatesDisabled validates there is single "--repair-malformed-updates" flag and it is set to "false".
54 func IsRepairMalformedUpdatesDisabled(params []string) bool {
55 return hasSingleFlagArgument("--repair-malformed-updates=", "false", params)
58 // IsServiceAccountLookupEnabled validates there is single "--service-account-lookup" flag and it is set to "true".
59 func IsServiceAccountLookupEnabled(params []string) bool {
60 return hasSingleFlagArgument("--service-account-lookup=", "true", params)
63 // hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
// The value is what splitKV returns after the "=" of the first match, and it is
// compared to argument with != (exact, case-sensitive string comparison).
// NOTE(review): other spellings the audited binary may accept for the same
// setting (e.g. a boolean written "False" or "0") do not equal argument, so the
// check reports failure for them. That errs on the strict side; confirm it is intended.
// NOTE(review): found[0] is indexed below; the length guard presumably sits in
// lines not shown in this listing. Confirm.
64 func hasSingleFlagArgument(flag string, argument string, params []string) bool {
65 found := filterFlags(params, flag)
70 _, value := splitKV(found[0], "=")
71 if value != argument {
77 // filterFlags returns all occurrences of selected flag.
// Matching is a literal, case-sensitive prefix test (strings.HasPrefix) on each
// element of strs; matching elements are collected in input order.
// NOTE(review): most callers in this file pass a pattern ending in "=", so only
// the "--flag=value" form is recognised. If strs is a raw argument vector, a flag
// written as two elements ("--flag", "value") is not matched. Confirm how the
// input is tokenised, or normalise both forms before matching.
78 func filterFlags(strs []string, flag string) []string {
80 for _, str := range strs {
81 if strings.HasPrefix(str, flag) {
82 filtered = append(filtered, str)
88 // splitKV splits key and value (after first occurrence of separator).
89 func splitKV(s, sep string) (string, string) {
90 ret := strings.SplitN(s, sep, 2)
94 // IsKubeletHTTPSAbsentOrEnabled validates the "--kubelet-https" flag is either absent or used once and set to "true".
95 func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
96 return isFlagAbsent("--kubelet-https=", params) ||
97 hasSingleFlagArgument("--kubelet-https=", "true", params)
100 // IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
// Only the literal value "127.0.0.1" is accepted as loopback; any other spelling
// (for example "::1" or "localhost") fails the check, which errs on the strict side.
101 func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
102 return isFlagAbsent("--insecure-bind-address=", params) ||
103 hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
106 // IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
107 func IsSecurePortAbsentOrValid(params []string) bool {
108 return isFlagAbsent("--secure-port=", params) ||
109 hasFlagValidPort("--secure-port=", params)
112 // hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
// The value taken from the first match is parsed with strconv.Atoi and compared
// against portLowest and portHighest, which are defined outside this listing.
// NOTE(review): confirm portLowest is at least 1; older API server releases
// documented --secure-port=0 as "do not serve HTTPS at all".
// NOTE(review): found[0] is indexed below; the length guard presumably sits in
// lines not shown in this listing. Confirm.
113 func hasFlagValidPort(flag string, params []string) bool {
114 found := filterFlags(params, flag)
119 _, value := splitKV(found[0], "=")
120 port, err := strconv.Atoi(value) // strconv.Atoi("") returns an error, so an empty value is rejected provided err is checked (the check is not visible in this listing)
124 if port < portLowest || port > portHighest {
130 // IsAlwaysAdmitAdmissionControlPluginExcluded validates AlwaysAdmit is excluded from admission control plugins.
// "--enable-admission-plugins=" is consulted first; "--admission-control=" is
// only examined when the former is not present exactly once.
// NOTE(review): the result when neither flag is present exactly once is in lines
// not shown here. Because this is an exclusion check, confirm that a repeated
// flag (which isSingleFlagPresent rejects) cannot fall through to a passing result
// while one of its occurrences lists AlwaysAdmit.
131 func IsAlwaysAdmitAdmissionControlPluginExcluded(params []string) bool {
132 if isSingleFlagPresent("--enable-admission-plugins=", params) {
133 return !hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysAdmit", params)
135 if isSingleFlagPresent("--admission-control=", params) {
136 return !hasFlagArgumentIncluded("--admission-control=", "AlwaysAdmit", params)
141 // IsAlwaysPullImagesAdmissionControlPluginIncluded validates AlwaysPullImages is included in admission control plugins.
142 func IsAlwaysPullImagesAdmissionControlPluginIncluded(params []string) bool {
143 if isSingleFlagPresent("--enable-admission-plugins=", params) {
144 return hasFlagArgumentIncluded("--enable-admission-plugins=", "AlwaysPullImages", params)
146 if isSingleFlagPresent("--admission-control=", params) {
147 return hasFlagArgumentIncluded("--admission-control=", "AlwaysPullImages", params)
152 // IsDenyEscalatingExecAdmissionControlPluginIncluded validates DenyEscalatingExec is included in admission control plugins.
153 func IsDenyEscalatingExecAdmissionControlPluginIncluded(params []string) bool {
154 if isSingleFlagPresent("--enable-admission-plugins=", params) {
155 return hasFlagArgumentIncluded("--enable-admission-plugins=", "DenyEscalatingExec", params)
157 if isSingleFlagPresent("--admission-control=", params) {
158 return hasFlagArgumentIncluded("--admission-control=", "DenyEscalatingExec", params)
163 // IsSecurityContextDenyAdmissionControlPluginIncluded validates SecurityContextDeny is included in admission control plugins.
164 func IsSecurityContextDenyAdmissionControlPluginIncluded(params []string) bool {
165 if isSingleFlagPresent("--enable-admission-plugins=", params) {
166 return hasFlagArgumentIncluded("--enable-admission-plugins=", "SecurityContextDeny", params)
168 if isSingleFlagPresent("--admission-control=", params) {
169 return hasFlagArgumentIncluded("--admission-control=", "SecurityContextDeny", params)
174 // IsPodSecurityPolicyAdmissionControlPluginIncluded validates PodSecurityPolicy is included in admission control plugins.
// "--enable-admission-plugins=" is consulted first; "--admission-control=" is
// only examined when the former is not present exactly once.
// NOTE(review): PodSecurityPolicy was removed in Kubernetes v1.25, so this check
// is only meaningful for older clusters. Confirm which versions the audit
// targets and gate the check accordingly.
175 func IsPodSecurityPolicyAdmissionControlPluginIncluded(params []string) bool {
176 if isSingleFlagPresent("--enable-admission-plugins=", params) {
177 return hasFlagArgumentIncluded("--enable-admission-plugins=", "PodSecurityPolicy", params)
179 if isSingleFlagPresent("--admission-control=", params) {
180 return hasFlagArgumentIncluded("--admission-control=", "PodSecurityPolicy", params)
185 // IsServiceAccountAdmissionControlPluginIncluded validates ServiceAccount is included in admission control plugins.
186 func IsServiceAccountAdmissionControlPluginIncluded(params []string) bool {
187 if isSingleFlagPresent("--enable-admission-plugins=", params) {
188 return hasFlagArgumentIncluded("--enable-admission-plugins=", "ServiceAccount", params)
190 if isSingleFlagPresent("--admission-control=", params) {
191 return hasFlagArgumentIncluded("--admission-control=", "ServiceAccount", params)
196 // IsNodeRestrictionAdmissionControlPluginIncluded validates NodeRestriction is included in admission control plugins.
197 func IsNodeRestrictionAdmissionControlPluginIncluded(params []string) bool {
198 if isSingleFlagPresent("--enable-admission-plugins=", params) {
199 return hasFlagArgumentIncluded("--enable-admission-plugins=", "NodeRestriction", params)
201 if isSingleFlagPresent("--admission-control=", params) {
202 return hasFlagArgumentIncluded("--admission-control=", "NodeRestriction", params)
207 // IsEventRateLimitAdmissionControlPluginIncluded validates EventRateLimit is included in admission control plugins.
208 func IsEventRateLimitAdmissionControlPluginIncluded(params []string) bool {
209 if isSingleFlagPresent("--enable-admission-plugins=", params) {
210 return hasFlagArgumentIncluded("--enable-admission-plugins=", "EventRateLimit", params)
212 if isSingleFlagPresent("--admission-control=", params) {
213 return hasFlagArgumentIncluded("--admission-control=", "EventRateLimit", params)
218 // IsNamespaceLifecycleAdmissionControlPluginNotExcluded validates NamespaceLifecycle is not listed in "--disable-admission-plugins".
// When the flag is present exactly once, the check passes only if
// NamespaceLifecycle is not among its values.
// NOTE(review): the result when the flag is absent or repeated is in lines not
// shown in this listing. Confirm.
219 func IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params []string) bool {
220 if isSingleFlagPresent("--disable-admission-plugins=", params) {
221 return !hasFlagArgumentIncluded("--disable-admission-plugins=", "NamespaceLifecycle", params)
226 // isSingleFlagPresent checks presence of selected flag and whether it was used once.
227 func isSingleFlagPresent(flag string, params []string) bool {
228 found := filterFlags(params, flag)
235 // hasFlagArgumentIncluded checks whether selected flag includes requested argument.
236 func hasFlagArgumentIncluded(flag string, argument string, params []string) bool {
237 found := filterFlags(params, flag)
242 _, values := splitKV(found[0], "=")
243 for _, v := range strings.Split(values, ",") {