k8s: Validate API server boolean flags

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.1 - 1.1.5, 1.1.8,
1.1.9, 1.1.20 and 1.1.23).

Issue-ID: SECCOM-235
Change-Id: Ib964b5111b616a891c3963ef9695af660810e8ba
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index e48088a..fd4c2af 100644 (file)
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -5,6 +5,7 @@ import (
        "log"
 
        "check/rancher"
+       "check/validators/master"
 )
 
 func main() {
@@ -13,5 +14,15 @@ func main() {
        if err != nil {
                log.Fatal(err)
        }
-       log.Printf("%s\n", k8sParams)
+
+       log.Printf("IsBasicAuthFileAbsent: %t\n", master.IsBasicAuthFileAbsent(k8sParams))
+       log.Printf("IsTokenAuthFileAbsent: %t\n", master.IsTokenAuthFileAbsent(k8sParams))
+       log.Printf("IsInsecureAllowAnyTokenAbsent: %t\n", master.IsInsecureAllowAnyTokenAbsent(k8sParams))
+
+       log.Printf("IsAnonymousAuthDisabled: %t\n", master.IsAnonymousAuthDisabled(k8sParams))
+       log.Printf("IsKubeletHTTPSConnected: %t\n", master.IsKubeletHTTPSConnected(k8sParams))
+       log.Printf("IsInsecurePortUnbound: %t\n", master.IsInsecurePortUnbound(k8sParams))
+       log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
+       log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
+       log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
 }

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
new file mode 100644 (file)
index 0000000..bf275c1
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -0,0 +1,95 @@
+package master
+
+import (
+       "strconv"
+       "strings"
+)
+
+const (
+       disabledPort = 0
+)
+
+// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
+func IsBasicAuthFileAbsent(params []string) bool {
+       return isFlagAbsent("--basic-auth-file=", params)
+}
+
+// IsTokenAuthFileAbsent validates there is no token based authentication file specified.
+func IsTokenAuthFileAbsent(params []string) bool {
+       return isFlagAbsent("--token-auth-file=", params)
+}
+
+// IsInsecureAllowAnyTokenAbsent validates insecure tokens are not accepted.
+func IsInsecureAllowAnyTokenAbsent(params []string) bool {
+       return isFlagAbsent("--insecure-allow-any-token", params)
+}
+
+// isFlagAbsent checks absence of selected flag in parameters.
+func isFlagAbsent(flag string, params []string) bool {
+       found := filterFlags(params, flag)
+       if len(found) != 0 {
+               return false
+       }
+       return true
+}
+
+// IsAnonymousAuthDisabled validates there is single "--anonymous-auth" flag and it is set to "false".
+func IsAnonymousAuthDisabled(params []string) bool {
+       return hasSingleFlagArgument("--anonymous-auth=", "false", params)
+}
+
+// IsKubeletHTTPSConnected validates there is single "--kubelet-https" flag and it is set to "true".
+func IsKubeletHTTPSConnected(params []string) bool {
+       return hasSingleFlagArgument("--kubelet-https=", "true", params)
+}
+
+// IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
+func IsInsecurePortUnbound(params []string) bool {
+       return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+}
+
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+       return hasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsRepairMalformedUpdatesDisabled validates there is single "--repair-malformed-updates" flag and it is set to "false".
+func IsRepairMalformedUpdatesDisabled(params []string) bool {
+       return hasSingleFlagArgument("--repair-malformed-updates=", "false", params)
+}
+
+// IsServiceAccountLookupEnabled validates there is single "--service-account-lookup" flag and it is set to "true".
+func IsServiceAccountLookupEnabled(params []string) bool {
+       return hasSingleFlagArgument("--service-account-lookup=", "true", params)
+}
+
+// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
+func hasSingleFlagArgument(flag string, argument string, params []string) bool {
+       found := filterFlags(params, flag)
+       if len(found) != 1 {
+               return false
+       }
+
+       _, value := splitKV(found[0], "=")
+       if value != argument {
+               return false
+       }
+       return true
+}
+
+// filterFlags returns all occurrences of selected flag.
+func filterFlags(strs []string, flag string) []string {
+       var filtered []string
+       for _, str := range strs {
+               if strings.HasPrefix(str, flag) {
+                       filtered = append(filtered, str)
+               }
+       }
+       return filtered
+}
+
+// splitKV splits key and value (after first occurrence of separator).
+func splitKV(s, sep string) (string, string) {
+       ret := strings.SplitN(s, sep, 2)
+       return ret[0], ret[1]
+}