k8s: Validate API server included authorization mode
[integration.git] / test / security / k8s / src / check / validators / master / api_test.go
index c0906bb..35860c6 100644 (file)
@@ -23,7 +23,7 @@ var _ = Describe("Api", func() {
                                "PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
                                "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
                                "PodSecurityPolicy,NodeRestriction,EventRateLimit",
-                       "--authorization-mode=RBAC",
+                       "--authorization-mode=Node,RBAC",
                        "--audit-log-path=/var/log/apiserver/audit.log",
                        "--audit-log-maxage=30",
                        "--audit-log-maxbackup=10",
@@ -478,6 +478,17 @@ var _ = Describe("Api", func() {
                        Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
                        Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
                )
+
+               DescribeTable("Node authorization mode",
+                       func(params []string, expected bool) {
+                               Expect(IsNodeAuthorizationModeIncluded(params)).To(Equal(expected))
+                       },
+                       Entry("Is not explicitly enabled on insecure cluster", []string{}, false),
+                       Entry("Is not present on insecure cluster", []string{"--authorization-mode=Foo,Bar"}, false),
+                       Entry("Is not explicitly enabled on Casablanca cluster", kubeApiServerCasablanca, false),
+                       Entry("Should present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+                       Entry("Should present on Dublin cluster", kubeApiServerDublin, true),
+               )
        })
 
        Describe("Flags requiring strict equality", func() {
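Review bot: The new "Node authorization mode" table has no entry that separates an exact mode token from a substring match, so a validator that only looks for the text "Node" somewhere in the flag value would pass all five entries. Consider adding a negative entry with a constructed value such as `Entry("Is not matched by a longer mode name", []string{"--authorization-mode=NodeFoo,RBAC"}, false)` and a positive one where Node is not first, e.g. `Entry("Is found in any position", []string{"--authorization-mode=RBAC,Node"}, true)`. The two "Should present on ..." descriptions should read "Should be present on ...", in line with the "Should be absent" wording of the table just above. `IsNodeAuthorizationModeIncluded` is not part of this hunk, so whether it already splits the value on commas cannot be confirmed from here.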