k8s: Validate API server address and port flags

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.6 and 1.1.7).

Issue-ID: SECCOM-235
Change-Id: I5f215a6642b177e85d7e1c70860ba0c7e558ec4e
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index fd4c2af..81e96e6 100644 (file)
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -25,4 +25,7 @@ func main() {
        log.Printf("IsProfilingDisabled: %t\n", master.IsProfilingDisabled(k8sParams))
        log.Printf("IsRepairMalformedUpdatesDisabled: %t\n", master.IsRepairMalformedUpdatesDisabled(k8sParams))
        log.Printf("IsServiceAccountLookupEnabled: %t\n", master.IsServiceAccountLookupEnabled(k8sParams))
+
+       log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", master.IsInsecureBindAddressAbsentOrLoopback(k8sParams))
+       log.Printf("IsSecurePortAbsentOrValid: %t\n", master.IsSecurePortAbsentOrValid(k8sParams))
 }

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index bf275c1..ac84d8f 100644 (file)
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -6,7 +6,9 @@ import (
 )
 
 const (
-       disabledPort = 0
+       portDisabled = 0
+       portLowest   = 1
+       portHighest  = 65536
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
@@ -45,7 +47,7 @@ func IsKubeletHTTPSConnected(params []string) bool {
 
 // IsInsecurePortUnbound validates there is single "--insecure-port" flag and it is set to "0" (disabled).
 func IsInsecurePortUnbound(params []string) bool {
-       return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(disabledPort), params)
+       return hasSingleFlagArgument("--insecure-port=", strconv.Itoa(portDisabled), params)
 }
 
 // IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
@@ -93,3 +95,33 @@ func splitKV(s, sep string) (string, string) {
        ret := strings.SplitN(s, sep, 2)
        return ret[0], ret[1]
 }
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+       return isFlagAbsent("--insecure-bind-address=", params) ||
+               hasSingleFlagArgument("--insecure-bind-address=", "127.0.0.1", params)
+}
+
+// IsSecurePortAbsentOrValid validates there is no secure port set explicitly or it has legal value.
+func IsSecurePortAbsentOrValid(params []string) bool {
+       return isFlagAbsent("--secure-port=", params) ||
+               hasFlagValidPort("--secure-port=", params)
+}
+
+// hasFlagValidPort checks whether selected flag has valid port as an argument in given command.
+func hasFlagValidPort(flag string, params []string) bool {
+       found := filterFlags(params, flag)
+       if len(found) != 1 {
+               return false
+       }
+
+       _, value := splitKV(found[0], "=")
+       port, err := strconv.Atoi(value) // what about empty parameter?
+       if err != nil {
+               return false
+       }
+       if port < portLowest || port > portHighest {
+               return false
+       }
+       return true
+}