k8s: Validate controller manager flags requiring appropriate values
[integration.git] / test / security / k8s / src / check / validators / master / controllermanager / controllermanager_test.go
index 7fd8b5d..fcd337a 100644 (file)
@@ -16,6 +16,9 @@ var _ = Describe("Controllermanager", func() {
                        "--profiling=false",
                        "--use-service-account-credentials=true",
                        "--feature-gates=RotateKubeletServerCertificate=true",
+                       "--terminated-pod-gc-threshold=10",
+                       "--service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+                       "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
                }
 
                // kubeControllerManagerCasablanca was obtained from virtual environment for testing
@@ -78,6 +81,30 @@ var _ = Describe("Controllermanager", func() {
                )
        })
 
+       Describe("File path flags", func() {
+               DescribeTable("Service account private key",
+                       func(params []string, expected bool) {
+                               Expect(IsServiceAccountPrivateKeyFileSet(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{""}, false),
+                       Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false),
+                       Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+                       Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
+                       Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+               )
+
+               DescribeTable("Root certificate authority",
+                       func(params []string, expected bool) {
+                               Expect(IsRootCertificateAuthoritySet(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{""}, false),
+                       Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false),
+                       Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+                       Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
+                       Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+               )
+       })
+
        Describe("Address flag", func() {
                DescribeTable("Bind address",
                        func(params []string, expected bool) {
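Review bot: The "Is absent on insecure cluster" entries in both new tables pass `[]string{""}` — an argument list holding one empty argument — rather than an empty list, so neither table exercises the nil or empty-slice input the validators will receive for a process that has no flags at all. Add `Entry("Is absent when no flags are given", []string{}, false),` to the "Service account private key" and "Root certificate authority" tables; the "Terminated pod garbage collector threshold" table in the next hunk uses the same `[]string{""}` fixture and needs the same entry. Both validators are named `...Set`, which reads as a presence check, yet the tables never pin whether a flag that is present with a relative path, e.g. `--root-ca-file=kube-ca.pem`, counts as set; one such entry per table would make the intended contract explicit. The enclosing Describe block and the fixtures `kubeControllerManagerCISCompliant`, `kubeControllerManagerCasablanca` and `kubeControllerManagerDublin` are defined outside this hunk, so the expectations against them cannot be checked here.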
@@ -90,6 +117,19 @@ var _ = Describe("Controllermanager", func() {
                )
        })
 
+       Describe("Numeric flags", func() {
+               DescribeTable("Terminated pod garbage collector threshold",
+                       func(params []string, expected bool) {
+                               Expect(IsTerminatedPodGcThresholdValid(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{""}, false),
+                       Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false),
+                       Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false),
+                       Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+                       Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+               )
+       })
+
        Describe("Argument list flags", func() {
                DescribeTable("RotateKubeletServerCertificate",
                        func(params []string, expected bool) {
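Review bot: `IsTerminatedPodGcThresholdValid` is named as a validity check, but the table only covers the flag being absent, empty, or carrying the fixture value, so nothing pins the outcome for a non-numeric, negative or zero value — the cases that distinguish "valid" from merely "set". Add entries such as `Entry("Is not a number on misconfigured cluster", []string{"--terminated-pod-gc-threshold=many"}, false),` and `Entry("Is zero on misconfigured cluster", []string{"--terminated-pod-gc-threshold=0"}, false),`. kube-controller-manager treats a threshold `<= 0` as disabling the terminated-pod garbage collector, so whether such values are accepted is a decision the table should make explicit rather than leave to the implementation; if the validator is meant to accept `0`, keep the entry and flip its expectation so the boundary stays covered. The validator itself lives outside this hunk, so the exact rule it applies cannot be confirmed from here.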