k8s: Add test cases for Dublin API server
1 package master_test
2
3 import (
4         . "check/validators/master"
5
6         . "github.com/onsi/ginkgo/extensions/table"
7
8         . "github.com/onsi/ginkgo"
9         . "github.com/onsi/gomega"
10 )
11
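// Api exercises the kube-apiserver boolean-flag validators exported by
// check/validators/master. Every table feeds the validator under test the
// same three kinds of input: a hand-built insecure parameter list, the
// kubeApiServerCISCompliant baseline, and the parameter lists captured from
// the Casablanca and Dublin environments, so a regression in either real
// deployment surfaces as a failing table entry rather than a silent pass.
var _ = Describe("Api", func() {
	var (
		// kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
		// It lists only the flags the boolean-flag validators below inspect.
		kubeApiServerCISCompliant = []string{
			"--anonymous-auth=false",
			"--insecure-port=0",
			"--profiling=false",
			"--repair-malformed-updates=false",
			"--service-account-lookup=true",
		}

		// kubeApiServerCasablanca was obtained from virtual environment for testing
		// (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
		// It is reproduced verbatim, including the duplicated --runtime-config flag.
		// The insecure port is disabled, but the insecure listener is still bound to
		// 0.0.0.0 and --profiling, --repair-malformed-updates and
		// --service-account-lookup are not set at all, which is why the tables
		// below expect those checks to fail for this fixture.
		kubeApiServerCasablanca = []string{
			"--storage-backend=etcd2",
			"--storage-media-type=application/json",
			"--service-cluster-ip-range=10.43.0.0/16",
			"--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
			"--insecure-bind-address=0.0.0.0",
			"--insecure-port=0",
			"--cloud-provider=rancher",
			"--allow-privileged=true",
			"--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
				"PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
			"--client-ca-file=/etc/kubernetes/ssl/ca.pem",
			"--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
			"--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
			"--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
			"--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
			"--runtime-config=batch/v2alpha1",
			"--anonymous-auth=false",
			"--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
			"--runtime-config=authentication.k8s.io/v1beta1=true",
			"--external-hostname=kubernetes.kubernetes.rancher.internal",
			"--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
			"--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
			"--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
			"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
				"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
		}

		// kubeApiServerDublin was obtained from virtual environment for testing
		// (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
		// Unlike the Casablanca fixture it sets no --insecure-bind-address and
		// explicitly disables profiling and malformed-update repair while enabling
		// service-account lookup, so every table below expects it to pass.
		kubeApiServerDublin = []string{
			"--requestheader-group-headers=X-Remote-Group",
			"--proxy-client-cert-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client.pem",
			"--bind-address=0.0.0.0",
			"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
				"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
				"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
			"--cloud-provider=",
			"--etcd-cafile=/etc/kubernetes/ssl/kube-ca.pem",
			"--etcd-servers=https://172.17.0.100:2379",
			"--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem",
			"--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
				"DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook," +
				"ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel",
			"--insecure-port=0",
			"--secure-port=6443",
			"--storage-backend=etcd3",
			"--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem",
			"--requestheader-client-ca-file=/etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem",
			"--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
			"--service-node-port-range=30000-32767",
			"--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem",
			"--requestheader-username-headers=X-Remote-User",
			"--repair-malformed-updates=false",
			"--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem",
			"--service-cluster-ip-range=10.43.0.0/16",
			"--advertise-address=172.17.0.100",
			"--profiling=false",
			"--requestheader-extra-headers-prefix=X-Remote-Extra-",
			"--etcd-certfile=/etc/kubernetes/ssl/kube-node.pem",
			"--anonymous-auth=false",
			"--etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem",
			"--etcd-prefix=/registry",
			"--client-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
			"--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
			"--requestheader-allowed-names=kube-apiserver-proxy-client",
			"--service-account-lookup=true",
			"--proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key.pem",
			"--authorization-mode=Node,RBAC",
			"--allow-privileged=true",
		}
	)

	// Each table pairs one validator with a negative sample that names the
	// offending flag explicitly, followed by the fixtures that are expected to
	// satisfy the check. Entry titles state the condition being asserted so a
	// failure reads as a finding on the named cluster.
	Describe("Boolean flags", func() {
		DescribeTable("Basic authentication file",
			func(params []string, expected bool) {
				Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
			},
			Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Token authentication file",
			func(params []string, expected bool) {
				Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
			},
			Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Accepting any token",
			func(params []string, expected bool) {
				Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
			},
			Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
			Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Anonymous requests",
			func(params []string, expected bool) {
				Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
			},
			// An empty parameter list is the negative sample: the flag must be set
			// explicitly to false for the check to pass.
			Entry("Is not set on insecure cluster", []string{}, false),
			Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("HTTPS for kubelet",
			func(params []string, expected bool) {
				Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
			},
			Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
			Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Bind address",
			func(params []string, expected bool) {
				Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
			},
			Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
			// Casablanca binds the insecure listener to 0.0.0.0 (see the fixture above).
			Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
			Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Bind port",
			func(params []string, expected bool) {
				Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
			},
			Entry("Is not set on insecure cluster", []string{}, false),
			Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
			Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Secure bind port",
			func(params []string, expected bool) {
				Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
			},
			Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
			Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
			Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Profiling",
			func(params []string, expected bool) {
				Expect(IsProfilingDisabled(params)).To(Equal(expected))
			},
			Entry("Is not set on insecure cluster", []string{}, false),
			Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
			Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
			Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Repairing malformed updates",
			func(params []string, expected bool) {
				Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
			},
			Entry("Is not set on insecure cluster", []string{}, false),
			Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
			Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
			Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
		)

		DescribeTable("Service account lookup",
			func(params []string, expected bool) {
				Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
			},
			Entry("Is not set on insecure cluster", []string{}, false),
			Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
			Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
			Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
			Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),
		)
	})
})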