k8s: Validate scheduler flags 41/96341/1
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Fri, 27 Sep 2019 14:26:39 +0000 (16:26 +0200)
committerPawel Wieczorek <p.wieczorek2@samsung.com>
Fri, 27 Sep 2019 16:06:10 +0000 (18:06 +0200)
Issue-ID: SECCOM-235
Change-Id: I61df142e99a7f1da335471acab88e5a47d72df15
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
test/security/k8s/src/check/cmd/check/check.go
test/security/k8s/src/check/validators/master/master.go
test/security/k8s/src/check/validators/master/scheduler/scheduler.go [new file with mode: 0644]
test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go [new file with mode: 0644]
test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go [new file with mode: 0644]

index e609128..2d25100 100644 (file)
@@ -43,8 +43,9 @@ func main() {
        }
        master.CheckAPI(apiParams)
 
-       _, err = info.GetSchedulerParams()
+       schedulerParams, err := info.GetSchedulerParams()
        if err != nil {
                log.Fatal(err)
        }
+       master.CheckScheduler(schedulerParams)
 }
index ff3b796..bc019a6 100644 (file)
@@ -4,6 +4,7 @@ import (
        "log"
 
        "check/validators/master/api"
+       "check/validators/master/scheduler"
 )
 
 // CheckAPI validates API server complies with CIS guideliness.
@@ -56,3 +57,10 @@ func CheckAPI(params []string) {
 
        log.Printf("IsStrongCryptoCipherInUse: %t\n", api.IsStrongCryptoCipherInUse(params))
 }
+
+// CheckScheduler validates scheduler complies with CIS guideliness.
+func CheckScheduler(params []string) {
+       log.Println("==> Scheduler:")
+       log.Printf("IsProfilingDisabled: %t\n", scheduler.IsProfilingDisabled(params))
+       log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", scheduler.IsInsecureBindAddressAbsentOrLoopback(params))
+}
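Review bot: The doc comment on the new CheckScheduler at L41 carries the typo `guideliness` (copied from the CheckAPI comment above it); it should read `// CheckScheduler validates the scheduler complies with CIS guidelines.` The comment should also say that each result is only written to the log and nothing is returned, because as written a caller such as main in check.go has no way to gate on a failed check. If this tool is meant to fail a pipeline on non-compliance, returning the conjunction of the two checks (and doing the same for CheckAPI) would be the follow-up; that is a wider change than this hunk.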
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler.go
new file mode 100644 (file)
index 0000000..14a0fa2
--- /dev/null
@@ -0,0 +1,17 @@
+package scheduler
+
+import (
+       "check/validators/master/args"
+       "check/validators/master/boolean"
+)
+
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+       return args.HasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
+func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
+       return boolean.IsFlagAbsent("--address=", params) ||
+               args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
+}
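Review bot: IsInsecureBindAddressAbsentOrLoopback at L65-L68 reports compliance when `--address` is absent, but kube-scheduler's documented default for `--address` is 0.0.0.0, so a scheduler that simply omits the flag listens on all interfaces and still passes this check; the CIS control this targets asks for the flag to be explicitly set to 127.0.0.1. The absent branch should be dropped: `return args.HasSingleFlagArgument("--address=", "127.0.0.1", params)`, with the function name and doc comment adjusted to say the flag must be present and set to loopback. The kubeSchedulerCISCompliant fixture in scheduler_test.go would then need `"--address=127.0.0.1"` added for its entry to keep passing. Note also that only the literal 127.0.0.1 is accepted although the name says "loopback"; if that is intentional because it matches the CIS wording, state it in the comment so nobody later widens it to `localhost` or `::1` without thinking about it.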
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_suite_test.go
new file mode 100644 (file)
index 0000000..8f83208
--- /dev/null
@@ -0,0 +1,13 @@
+package scheduler_test
+
+import (
+       "testing"
+
+       . "github.com/onsi/ginkgo"
+       . "github.com/onsi/gomega"
+)
+
+func TestScheduler(t *testing.T) {
+       RegisterFailHandler(Fail)
+       RunSpecs(t, "Scheduler Suite")
+}
diff --git a/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go b/test/security/k8s/src/check/validators/master/scheduler/scheduler_test.go
new file mode 100644 (file)
index 0000000..4166a58
--- /dev/null
@@ -0,0 +1,61 @@
+package scheduler_test
+
+import (
+       . "github.com/onsi/ginkgo/extensions/table"
+
+       . "github.com/onsi/ginkgo"
+       . "github.com/onsi/gomega"
+
+       . "check/validators/master/scheduler"
+)
+
+var _ = Describe("Scheduler", func() {
+       var (
+               // kubeSchedulerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+               kubeSchedulerCISCompliant = []string{
+                       "--profiling=false",
+               }
+
+               // kubeSchedulerCasablanca was obtained from virtual environment for testing
+               // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+               kubeSchedulerCasablanca = []string{
+                       "--kubeconfig=/etc/kubernetes/ssl/kubeconfig",
+                       "--address=0.0.0.0",
+               }
+
+               // kubeSchedulerCasablanca was obtained from virtual environment for testing
+               // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3).
+               kubeSchedulerDublin = []string{
+                       "--kubeconfig=/etc/kubernetes/ssl/kubecfg-kube-scheduler.yaml",
+                       "--address=0.0.0.0",
+                       "--profiling=false",
+                       "--leader-elect=true",
+                       "--v=2",
+               }
+       )
+
+       Describe("Boolean flag", func() {
+               DescribeTable("Profiling",
+                       func(params []string, expected bool) {
+                               Expect(IsProfilingDisabled(params)).To(Equal(expected))
+                       },
+                       Entry("Is not set on insecure cluster", []string{}, false),
+                       Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+                       Entry("Is not set on Casablanca cluster", kubeSchedulerCasablanca, false),
+                       Entry("Should be set to false on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+                       Entry("Should be set to false on Dublin cluster", kubeSchedulerDublin, true),
+               )
+       })
+
+       Describe("Address flag", func() {
+               DescribeTable("Bind address",
+                       func(params []string, expected bool) {
+                               Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+                       },
+                       Entry("Is not absent on insecure cluster", []string{"--address=1.2.3.4"}, false),
+                       Entry("Is not absent nor set to loopback on Casablanca cluster", kubeSchedulerCasablanca, false),
+                       Entry("Is not absent nor set to loopback on Dublin cluster", kubeSchedulerDublin, false),
+                       Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeSchedulerCISCompliant, true),
+               )
+       })
+})
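Review bot: The loopback branch of IsInsecureBindAddressAbsentOrLoopback is never exercised: the entries at L146-L149 cover 1.2.3.4, two 0.0.0.0 fixtures and an absent flag, but none passes `--address=127.0.0.1`, so a regression in that branch would go unnoticed. Add `Entry("Is set to loopback on hardened cluster", []string{"--address=127.0.0.1"}, true),` and, since both validators rely on a single-flag helper, an entry with the flag given twice, e.g. `Entry("Is set twice", []string{"--address=127.0.0.1", "--address=0.0.0.0"}, false),` (expected false presumably, given the helper's name; confirm against args.HasSingleFlagArgument). Separately, the comment at L117 names `kubeSchedulerCasablanca` but documents `kubeSchedulerDublin`; it should read `// kubeSchedulerDublin was obtained from virtual environment for testing`.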