--- /dev/null
+package master_test
+
+import (
+ . "check/validators/master"
+
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Api", func() {
+ var (
+ // kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeApiServerCISCompliant = []string{
+ "--anonymous-auth=false",
+ "--insecure-port=0",
+ "--profiling=false",
+ "--repair-malformed-updates=false",
+ "--service-account-lookup=true",
+ }
+
+ // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeApiServerCasablanca = []string{
+ "--storage-backend=etcd2",
+ "--storage-media-type=application/json",
+ "--service-cluster-ip-range=10.43.0.0/16",
+ "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
+ "--insecure-bind-address=0.0.0.0",
+ "--insecure-port=0",
+ "--cloud-provider=rancher",
+ "--allow-privileged=true",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
+ "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
+ "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
+ "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
+ "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
+ "--runtime-config=batch/v2alpha1",
+ "--anonymous-auth=false",
+ "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
+ "--runtime-config=authentication.k8s.io/v1beta1=true",
+ "--external-hostname=kubernetes.kubernetes.rancher.internal",
+ "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
+ "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
+ "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ }
+ )
+
+ Describe("Boolean flags", func() {
+ DescribeTable("Basic authentication file",
+ func(params []string, expected bool) {
+ Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Token authentication file",
+ func(params []string, expected bool) {
+ Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Accepting any token",
+ func(params []string, expected bool) {
+ Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Anonymous requests",
+ func(params []string, expected bool) {
+ Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("HTTPS for kubelet",
+ func(params []string, expected bool) {
+ Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
+ Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Bind port",
+ func(params []string, expected bool) {
+ Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
+ Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Secure bind port",
+ func(params []string, expected bool) {
+ Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
+ Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Profiling",
+ func(params []string, expected bool) {
+ Expect(IsProfilingDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Repairing malformed updates",
+ func(params []string, expected bool) {
+ Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Service account lookup",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ })
+})
Code Review / integration.git / commitdiff