k8s: Relax kublet HTTPS connection requirement 11/91011/1
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Fri, 5 Jul 2019 12:34:34 +0000 (14:34 +0200)
committerPawel Wieczorek <p.wieczorek2@samsung.com>
Mon, 8 Jul 2019 10:29:52 +0000 (12:29 +0200)
According to kube-apiserver documentation [1] and CIS guideline 1.1.4
option "--kubelet-https=" might be absent in API server configuration.

When absent, the option defaults to the secure setting ("true").

[1] https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

Issue-ID: SECCOM-235
Change-Id: I604cdcace03f65185aab6a0b34d48cfec94277ab
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
test/security/k8s/src/check/cmd/check/check.go
test/security/k8s/src/check/validators/master/api.go

index 81e96e6..c4dd398 100644 (file)
@@ -20,12 +20,12 @@ func main() {
        log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", master.IsInsecureAllowAnyTokenAbsent(k8sParams))
 
        log.Printf("IsAnonymousAuthDisabled: %t\n", master.IsAnonymousAuthDisabled(k8sParams))
-       log.Printf("IsKubeletHTTPSConnected: %t\n", master.IsKubeletHTTPSConnected(k8sParams))
        log.Printf("IsInsecurePortUnbound: %t\n", master.IsInsecurePortUnbound(k8sParams))
        log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
        log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
        log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
 
+       log.Printf("IsKubeletHTTPSAbsentOrEnabled: %t\n", master.IsKubeletHTTPSAbsentOrEnabled(k8sParams))
        log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
        log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams))
 }
index ac84d8f..c91b77e 100644 (file)
@@ -40,11 +40,6 @@ func IsAnonymousAuthDisabled(params []string) bool {
        return hasSingleFlagArgument("--anonymous-auth=", "false", params)
 }
 
-// IsKubeletHTTPSConnected validates there is single "--kubelet-https" flag and it is set to "true".
-func IsKubeletHTTPSConnected(params []string) bool {
-       return hasSingleFlagArgument("--kubelet-https=", "true", params)
-}
-
 // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
 func IsInsecurePortUnbound(params []string) bool {
        return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
@@ -96,6 +91,12 @@ func splitKV(s, sep string) (string, string) {
        return ret[0], ret[1]
 }
 
+// IsKubeletHTTPSAbsentOrEnabled validates there is single "--kubelet-https" flag and it is set to "true".
+func IsKubeletHTTPSAbsentOrEnabled(params []string) bool {
+       return isFlagAbsent("--kubelet-https=", params) ||
+               hasSingleFlagArgument("--kubelet-https=", "true", params)
+}
+
 // IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
 func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
        return isFlagAbsent("--insecure-bind-address=", params) ||
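Review bot: The doc comment on IsKubeletHTTPSAbsentOrEnabled was carried over from the removed IsKubeletHTTPSConnected and still says a single flag set to "true" is required, while the body now also passes when the flag is absent. Suggest `// IsKubeletHTTPSAbsentOrEnabled validates there is no "--kubelet-https" flag or it is set to "true".`, matching the wording of the IsInsecureBindAddressAbsentOrLoopback comment just below. Because this is an audit check, the comment should also say why absence passes: per the commit message, the API server defaults this option to "true". The changed-file list names only check.go and api.go, so no test for the absent-flag case or for `--kubelet-https=false` appears to be part of this commit; if the other validators have tests, this one should get both cases.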