gerrit.onap Code Review - integration.git/commit

author	Pawel Wieczorek <p.wieczorek2@samsung.com>
	Mon, 16 Sep 2019 15:51:39 +0000 (17:51 +0200)
committer	Pawel Wieczorek <p.wieczorek2@samsung.com>
	Tue, 17 Sep 2019 13:51:37 +0000 (15:51 +0200)
commit	aeaa5a1f5e57f63dd203db43fb6992ab1728c504
tree	99eff91cebb8792defa77cee62d5e562b67c2018	tree \| snapshot
parent	0dc16f1f0c60625a1637ee1ec106a4df543dab92	commit \| diff

k8s: Validate API server excluded admission plugins

This patch verifies if CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied (1.1.10).

However, CIS Kubernetes Benchmark v1.3.0 mismatches official
documentation: Kubernetes 1.10+ already provides safe defaults from
security standpoint [1] (ONAP Casablanca uses 1.11).

Deprecated admission control plugin flag has also been validated since
it was still available in Kubernetes provided by Rancher [2].

[1] https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#is-there-a-recommended-set-of-admission-controllers-to-use
[2] https://github.com/rancher/rancher/issues/15064

Issue-ID: SECCOM-235
Change-Id: I0e8fe9f885861f155cb8265df085fa93dbdff6d2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

Integration framework, automated tools, code and scripts, best practice guidance related to cross-project Continuous System Integration Testing (CSIT), and delivery of ONAP.

RSS Atom

test/security/k8s/src/check/cmd/check/check.go		diff \| blob \| history
test/security/k8s/src/check/validators/master/api.go		diff \| blob \| history
test/security/k8s/src/check/validators/master/api_test.go		diff \| blob \| history