4 . "check/validators/master"
6 . "github.com/onsi/ginkgo/extensions/table"
8 . "github.com/onsi/ginkgo"
9 . "github.com/onsi/gomega"
12 var _ = Describe("Api", func() {
14 // kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
15 kubeApiServerCISCompliant = []string{
16 "--anonymous-auth=false",
19 "--repair-malformed-updates=false",
20 "--service-account-lookup=true",
23 // kubeApiServerCasablanca was obtained from virtual environment for testing
24 // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
25 kubeApiServerCasablanca = []string{
26 "--storage-backend=etcd2",
27 "--storage-media-type=application/json",
28 "--service-cluster-ip-range=10.43.0.0/16",
29 "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
30 "--insecure-bind-address=0.0.0.0",
32 "--cloud-provider=rancher",
33 "--allow-privileged=true",
34 "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
35 "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
36 "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
37 "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
38 "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
39 "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
40 "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
41 "--runtime-config=batch/v2alpha1",
42 "--anonymous-auth=false",
43 "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
44 "--runtime-config=authentication.k8s.io/v1beta1=true",
45 "--external-hostname=kubernetes.kubernetes.rancher.internal",
46 "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
47 "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
48 "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
49 "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
50 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
51 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
52 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
55 // kubeApiServerDublin was obtained from virtual environment for testing
56 // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
57 kubeApiServerDublin = []string{
58 "--requestheader-group-headers=X-Remote-Group",
59 "--proxy-client-cert-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client.pem",
60 "--bind-address=0.0.0.0",
61 "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
62 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
63 "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
64 "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
66 "--etcd-cafile=/etc/kubernetes/ssl/kube-ca.pem",
67 "--etcd-servers=https://172.17.0.100:2379",
68 "--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem",
69 "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," +
70 "DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook," +
71 "ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel",
74 "--storage-backend=etcd3",
75 "--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem",
76 "--requestheader-client-ca-file=/etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem",
77 "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
78 "--service-node-port-range=30000-32767",
79 "--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem",
80 "--requestheader-username-headers=X-Remote-User",
81 "--repair-malformed-updates=false",
82 "--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem",
83 "--service-cluster-ip-range=10.43.0.0/16",
84 "--advertise-address=172.17.0.100",
86 "--requestheader-extra-headers-prefix=X-Remote-Extra-",
87 "--etcd-certfile=/etc/kubernetes/ssl/kube-node.pem",
88 "--anonymous-auth=false",
89 "--etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem",
90 "--etcd-prefix=/registry",
91 "--client-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
92 "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname",
93 "--requestheader-allowed-names=kube-apiserver-proxy-client",
94 "--service-account-lookup=true",
95 "--proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key.pem",
96 "--authorization-mode=Node,RBAC",
97 "--allow-privileged=true",
101 Describe("Boolean flags", func() {
102 DescribeTable("Basic authentication file",
103 func(params []string, expected bool) {
104 Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
106 Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
107 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
108 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
109 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
112 DescribeTable("Token authentication file",
113 func(params []string, expected bool) {
114 Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
116 Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
117 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
118 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
119 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
122 DescribeTable("Accepting any token",
123 func(params []string, expected bool) {
124 Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
126 Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
127 Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
128 Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
129 Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
132 DescribeTable("Anonymous requests",
133 func(params []string, expected bool) {
134 Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
136 Entry("Is not set on insecure cluster", []string{}, false),
137 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
138 Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
139 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
142 DescribeTable("HTTPS for kubelet",
143 func(params []string, expected bool) {
144 Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
146 Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
147 Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
148 Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
149 Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true),
152 DescribeTable("Bind address",
153 func(params []string, expected bool) {
154 Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
156 Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
157 Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
158 Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
159 Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true),
162 DescribeTable("Bind port",
163 func(params []string, expected bool) {
164 Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
166 Entry("Is not set on insecure cluster", []string{}, false),
167 Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
168 Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
169 Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
170 Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true),
173 DescribeTable("Secure bind port",
174 func(params []string, expected bool) {
175 Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
177 Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
178 Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
179 Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
180 Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true),
183 DescribeTable("Profiling",
184 func(params []string, expected bool) {
185 Expect(IsProfilingDisabled(params)).To(Equal(expected))
187 Entry("Is not set on insecure cluster", []string{}, false),
188 Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
189 Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
190 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
191 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
194 DescribeTable("Repairing malformed updates",
195 func(params []string, expected bool) {
196 Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
198 Entry("Is not set on insecure cluster", []string{}, false),
199 Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
200 Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
201 Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
202 Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true),
205 DescribeTable("Service account lookup",
206 func(params []string, expected bool) {
207 Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
209 Entry("Is not set on insecure cluster", []string{}, false),
210 Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
211 Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
212 Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
213 Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true),