4 . "check/validators/master"
6 . "github.com/onsi/ginkgo/extensions/table"
8 . "github.com/onsi/ginkgo"
9 . "github.com/onsi/gomega"
12 var _ = Describe("Api", func() {
14 // kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
15 kubeApiServerCISCompliant = []string{
16 "--anonymous-auth=false",
19 "--repair-malformed-updates=false",
20 "--service-account-lookup=true",
21 "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
22 "TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass," +
23 "PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
24 "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
25 "PodSecurityPolicy,NodeRestriction,EventRateLimit",
26 "--authorization-mode=Node,RBAC",
27 "--audit-log-path=/var/log/apiserver/audit.log",
28 "--audit-log-maxage=30",
29 "--audit-log-maxbackup=10",
30 "--audit-log-maxsize=100",
31 "--kubelet-certificate-authority=TrustedCA",
32 "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
33 "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
34 "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
35 "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
36 "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
37 "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
38 "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
39 "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
40 "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
41 "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
42 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
43 "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," +
44 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384," +
45 "TLS_RSA_WITH_AES_128_GCM_SHA256",
48 // kubeApiServerCasablanca was obtained from virtual environment for testing
49 // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
50 kubeApiServerCasablanca = []string{
51 "--storage-backend=etcd2",
52 "--storage-media-type=application/json",
53 "--service-cluster-ip-range=10.43.0.0/16",
54 "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
55 "--insecure-bind-address=0.0.0.0",
57 "--cloud-provider=rancher",
58 "--allow-privileged=true",
59 "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
60 "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
61 "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
62 "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
63 "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
64 "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
65 "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
66 "--runtime-config=batch/v2alpha1",
67 "--anonymous-auth=false",
68 "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
69 "--runtime-config=authentication.k8s.io/v1beta1=true",
70 "--external-hostname=kubernetes.kubernetes.rancher.internal",
71 "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
72 "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
73 "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
74 "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
75 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
76 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
77 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
80 // kubeApiServerCasablanca was obtained from virtual environment for testing
81 // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
82 kubeApiServerDublin = []string{
83 "--requestheader-group-headers=X-Remote-Group",
84 "--proxy-client-cert-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client.pem",
85 "--bind-address=0.0.0.0",
86 "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
87 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
88 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
89 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
91 "--etcd-cafile=/etc/kubernetes/ssl/kube-ca.pem",
92 "--etcd-servers=https://172.17.0.100:2379",
93 "--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem",
94 "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
95 "DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook," +
96 "ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel",
99 "--storage-backend=etcd3",
100 "--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem",
101 "--requestheader-client-ca-file=/etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem",
102 "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
103 "--service-node-port-range=30000-32767",
104 "--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem",
105 "--requestheader-username-headers=X-Remote-User",
106 "--repair-malformed-updates=false",
107 "--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem",
108 "--service-cluster-ip-range=10.43.0.0/16",
109 "--advertise-address=172.17.0.100",
111 "--requestheader-extra-headers-prefix=X-Remote-Extra-",
112 "--etcd-certfile=/etc/kubernetes/ssl/kube-node.pem",
113 "--anonymous-auth=false",
114 "--etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem",
115 "--etcd-prefix=/registry",
116 "--client-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
117 "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
118 "--requestheader-allowed-names=kube-apiserver-proxy-client",
119 "--service-account-lookup=true",
120 "--proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key.pem",
121 "--authorization-mode=Node,RBAC",
122 "--allow-privileged=true",
126 Describe("Boolean flags", func() {
127 DescribeTable("Accepting any token",
128 func(params []string, expected bool) {
129 Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
131 Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
132 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
133 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
134 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
137 DescribeTable("Anonymous requests",
138 func(params []string, expected bool) {
139 Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
141 Entry("Is not set on insecure cluster", []string{}, false),
142 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
143 Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
144 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
147 DescribeTable("Profiling",
148 func(params []string, expected bool) {
149 Expect(IsProfilingDisabled(params)).To(Equal(expected))
151 Entry("Is not set on insecure cluster", []string{}, false),
152 Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
153 Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
154 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
155 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
158 DescribeTable("HTTPS for kubelet",
159 func(params []string, expected bool) {
160 Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
162 Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
163 Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
164 Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
165 Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
168 DescribeTable("Repairing malformed updates",
169 func(params []string, expected bool) {
170 Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
172 Entry("Is not set on insecure cluster", []string{}, false),
173 Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
174 Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
175 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
176 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
179 DescribeTable("Service account lookup",
180 func(params []string, expected bool) {
181 Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
183 Entry("Is not set on insecure cluster", []string{}, false),
184 Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
185 Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
186 Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
187 Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
191 Describe("File path flags", func() {
192 DescribeTable("Basic authentication file",
193 func(params []string, expected bool) {
194 Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
196 Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
197 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
198 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
199 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
202 DescribeTable("Token authentication file",
203 func(params []string, expected bool) {
204 Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
206 Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
207 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
208 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
209 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
212 DescribeTable("Audit log path",
213 func(params []string, expected bool) {
214 Expect(IsAuditLogPathSet(params)).To(Equal(expected))
216 Entry("Is absent on insecure cluster", []string{}, false),
217 Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
218 Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
219 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
220 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
223 DescribeTable("Kubelet certificate authority",
224 func(params []string, expected bool) {
225 Expect(IsKubeletCertificateAuthoritySet(params)).To(Equal(expected))
227 Entry("Is absent on insecure cluster", []string{}, false),
228 Entry("Is empty on insecure cluster", []string{"--kubelet-certificate-authority="}, false),
229 Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
230 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
231 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
234 DescribeTable("Client certificate authority",
235 func(params []string, expected bool) {
236 Expect(IsClientCertificateAuthoritySet(params)).To(Equal(expected))
238 Entry("Is absent on insecure cluster", []string{}, false),
239 Entry("Is empty on insecure cluster", []string{"--client-ca-file="}, false),
240 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
241 Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
242 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
245 DescribeTable("Etcd certificate authority",
246 func(params []string, expected bool) {
247 Expect(IsEtcdCertificateAuthoritySet(params)).To(Equal(expected))
249 Entry("Is absent on insecure cluster", []string{}, false),
250 Entry("Is empty on insecure cluster", []string{"-etcd-cafile="}, false),
251 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
252 Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
253 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
256 DescribeTable("Service account key",
257 func(params []string, expected bool) {
258 Expect(IsServiceAccountKeySet(params)).To(Equal(expected))
260 Entry("Is absent on insecure cluster", []string{}, false),
261 Entry("Is empty on insecure cluster", []string{"--service-account-key-file="}, false),
262 Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
263 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
264 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
267 DescribeTable("Kubelet client certificate and key",
268 func(params []string, expected bool) {
269 Expect(IsKubeletClientCertificateAndKeySet(params)).To(Equal(expected))
271 Entry("Is absent on insecure cluster", []string{}, false),
272 Entry("Is empty on insecure cluster", []string{"--kubelet-client-certificate= --kubelet-client-key="}, false),
273 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
274 Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
275 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
278 DescribeTable("Etcd certificate and key",
279 func(params []string, expected bool) {
280 Expect(IsEtcdCertificateAndKeySet(params)).To(Equal(expected))
282 Entry("Is absent on insecure cluster", []string{}, false),
283 Entry("Is empty on insecure cluster", []string{"--etcd-certfile= --etcd-keyfile="}, false),
284 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
285 Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
286 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
289 DescribeTable("TLS certificate and key",
290 func(params []string, expected bool) {
291 Expect(IsTLSCertificateAndKeySet(params)).To(Equal(expected))
293 Entry("Is absent on insecure cluster", []string{}, false),
294 Entry("Is empty on insecure cluster", []string{"--tls-cert-file= --tls-private-key-file="}, false),
295 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
296 Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
297 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
301 Describe("Address and port flags", func() {
302 DescribeTable("Bind address",
303 func(params []string, expected bool) {
304 Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
306 Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
307 Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
308 Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
309 Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
312 DescribeTable("Bind port",
313 func(params []string, expected bool) {
314 Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
316 Entry("Is not set on insecure cluster", []string{}, false),
317 Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
318 Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
319 Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
320 Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
323 DescribeTable("Secure bind port",
324 func(params []string, expected bool) {
325 Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
327 Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
328 Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
329 Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
330 Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
334 Describe("Numeric flags", func() {
335 DescribeTable("Audit log age",
336 func(params []string, expected bool) {
337 Expect(IsAuditLogMaxAgeValid(params)).To(Equal(expected))
339 Entry("Is absent on insecure cluster", []string{}, false),
340 Entry("Is empty on insecure cluster", []string{"--audit-log-maxage="}, false),
341 Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxage=5"}, false),
342 Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
343 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
344 Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
347 DescribeTable("Audit log backups",
348 func(params []string, expected bool) {
349 Expect(IsAuditLogMaxBackupValid(params)).To(Equal(expected))
351 Entry("Is absent on insecure cluster", []string{}, false),
352 Entry("Is empty on insecure cluster", []string{"--audit-log-maxbackup="}, false),
353 Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxbackup=2"}, false),
354 Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
355 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
356 Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
359 DescribeTable("Audit log size",
360 func(params []string, expected bool) {
361 Expect(IsAuditLogMaxSizeValid(params)).To(Equal(expected))
363 Entry("Is absent on insecure cluster", []string{}, false),
364 Entry("Is empty on insecure cluster", []string{"--audit-log-maxsize="}, false),
365 Entry("Is insufficient on insecure cluster", []string{"--audit-log-maxsize=5"}, false),
366 Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
367 Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
368 Entry("Should be set appropriately on CIS-compliant cluster", kubeApiServerCISCompliant, true),
372 Describe("Argument list flags", func() {
373 DescribeTable("AlwaysAdmit admission control plugin",
374 func(params []string, expected bool) {
375 Expect(IsAlwaysAdmitAdmissionControlPluginExcluded(params)).To(Equal(expected))
377 Entry("Is not absent on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
378 Entry("Is not absent on insecure deprecated cluster", []string{"--admission-control=Foo,Bar,AlwaysAdmit,Baz,Quuz"}, false),
379 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
380 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
381 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
384 DescribeTable("AlwaysPullImages admission control plugin",
385 func(params []string, expected bool) {
386 Expect(IsAlwaysPullImagesAdmissionControlPluginIncluded(params)).To(Equal(expected))
388 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
389 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
390 Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
391 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
392 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
395 DescribeTable("DenyEscalatingExec admission control plugin",
396 func(params []string, expected bool) {
397 Expect(IsDenyEscalatingExecAdmissionControlPluginIncluded(params)).To(Equal(expected))
399 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
400 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
401 Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
402 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
403 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
406 DescribeTable("SecurityContextDeny admission control plugin",
407 func(params []string, expected bool) {
408 Expect(IsSecurityContextDenyAdmissionControlPluginIncluded(params)).To(Equal(expected))
410 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
411 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
412 Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
413 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
414 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
417 DescribeTable("PodSecurityPolicy admission control plugin",
418 func(params []string, expected bool) {
419 Expect(IsPodSecurityPolicyAdmissionControlPluginIncluded(params)).To(Equal(expected))
421 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
422 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
423 Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
424 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
425 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
428 DescribeTable("ServiceAccount admission control plugin",
429 func(params []string, expected bool) {
430 Expect(IsServiceAccountAdmissionControlPluginIncluded(params)).To(Equal(expected))
432 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
433 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
434 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
435 Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
436 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
439 DescribeTable("NodeRestriction admission control plugin",
440 func(params []string, expected bool) {
441 Expect(IsNodeRestrictionAdmissionControlPluginIncluded(params)).To(Equal(expected))
443 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
444 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
445 Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
446 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
447 Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
450 DescribeTable("EventRateLimit admission control plugin",
451 func(params []string, expected bool) {
452 Expect(IsEventRateLimitAdmissionControlPluginIncluded(params)).To(Equal(expected))
454 Entry("Is not present on insecure cluster", []string{"--enable-admission-plugins=Foo,Bar"}, false),
455 Entry("Is not present on insecure deprecated cluster", []string{"--admission-control=Foo,Bar"}, false),
456 Entry("Is not present on Casablanca cluster", kubeApiServerCasablanca, false),
457 Entry("Is not present on Dublin cluster", kubeApiServerDublin, false),
458 Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
461 DescribeTable("NamespaceLifecycle admission control plugin",
462 func(params []string, expected bool) {
463 Expect(IsNamespaceLifecycleAdmissionControlPluginNotExcluded(params)).To(Equal(expected))
465 Entry("Is explicitly disabled on insecure cluster", []string{"--disable-admission-plugins=Foo,Bar,NamespaceLifecycle,Baz,Quuz"}, false),
466 Entry("Should not be disabled on CIS-compliant cluster", kubeApiServerCISCompliant, true),
467 Entry("Should not be disabled on Casablanca cluster", kubeApiServerCasablanca, true),
468 Entry("Should not be disabled on Dublin cluster", kubeApiServerDublin, true),
471 DescribeTable("AlwaysAllow authorization mode",
472 func(params []string, expected bool) {
473 Expect(IsAlwaysAllowAuthorizationModeExcluded(params)).To(Equal(expected))
475 Entry("Is not explicitly disabled on insecure cluster", []string{}, false),
476 Entry("Is not absent on insecure cluster", []string{"--authorization-mode=Foo,Bar,AlwaysAllow,Baz,Quuz"}, false),
477 Entry("Is not explicitly disabled on Casablanca cluster", kubeApiServerCasablanca, false),
478 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
479 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
482 DescribeTable("Node authorization mode",
483 func(params []string, expected bool) {
484 Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected))
486 Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
487 Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
488 Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
489 Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
490 Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
494 Describe("Flags requiring strict equality", func() {
495 DescribeTable("Strong Cryptographic Ciphers",
496 func(params []string, expected bool) {
497 Expect(IsStrongCryptoCipherInUse(params)).To(Equal(expected))
499 Entry("Is absent on insecure cluster", []string{}, false),
500 Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
501 Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
502 Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
503 Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
504 Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),