k8s: Validate API server crypto ciphers in use 92/96292/1
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Fri, 20 Sep 2019 09:42:58 +0000 (11:42 +0200)
committerPawel Wieczorek <p.wieczorek2@samsung.com>
Thu, 26 Sep 2019 17:02:01 +0000 (19:02 +0200)
This patch verifies whether the CIS Kubernetes Benchmark v1.3.0 section on
master node configuration (1.1.30) is satisfied.

It also covers its duplicate (1.1.39).

Issue-ID: SECCOM-235
Change-Id: I0f3031c080cf225e7c2c03e65dd0bfc780326307
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
test/security/k8s/src/check/cmd/check/check.go
test/security/k8s/src/check/validators/master/api.go
test/security/k8s/src/check/validators/master/api_test.go

index 0288437..f348cd0 100644 (file)
@@ -79,4 +79,6 @@ func main() {
        log.Printf("IsKubeletClientCertificateAndKeySet: %t\n", master.IsKubeletClientCertificateAndKeySet(k8sParams))
        log.Printf("IsEtcdCertificateAndKeySet: %t\n", master.IsEtcdCertificateAndKeySet(k8sParams))
        log.Printf("IsTLSCertificateAndKeySet: %t\n", master.IsTLSCertificateAndKeySet(k8sParams))
+
+       log.Printf("IsStrongCryptoCipherInUse: %t\n", master.IsStrongCryptoCipherInUse(k8sParams))
 }
index 95a02d1..ea0d9ec 100644 (file)
@@ -13,6 +13,11 @@ const (
        auditLogAge     = 30
        auditLogBackups = 10
        auditLogSize    = 100
+
+       strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
+               "_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
+               "_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
+               "_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
 )
 
 // IsBasicAuthFileAbsent validates there is no basic authentication file specified.
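Review bot: The strongCryptoCiphers literal on the added lines is broken at points inside suite names (`"..._GCM" + "_SHA256,..."`), so anyone checking the list against the benchmark has to rejoin tokens by hand; split the literal at the commas instead, one suite per fragment, so each line reads as a complete suite name. The constant also carries no comment saying where the list comes from; given the commit description, something like `// strongCryptoCiphers is the --tls-cipher-suites value expected by CIS Kubernetes Benchmark v1.3.0 (1.1.30).` would let a maintainer re-verify it when the benchmark is updated. Note that the last two entries are TLS_RSA_* suites, which use RSA key exchange rather than an ephemeral exchange; if they are kept only because the benchmark lists them, the comment is the place to say so, so that a later tightening of the list is a deliberate decision.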
@@ -64,6 +69,11 @@ func IsServiceAccountLookupEnabled(params []string) bool {
        return hasSingleFlagArgument("--service-account-lookup=", "true", params)
 }
 
+// IsStrongCryptoCipherInUse validates there is single "--tls-cipher-suites=" flag and it is set to strong crypto ciphers.
+func IsStrongCryptoCipherInUse(params []string) bool {
+       return hasSingleFlagArgument("--tls-cipher-suites=", strongCryptoCiphers, params)
+}
+
 // hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
 func hasSingleFlagArgument(flag string, argument string, params []string) bool {
        found := filterFlags(params, flag)
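Review bot: IsStrongCryptoCipherInUse compares the whole `--tls-cipher-suites=` argument for exact string equality with strongCryptoCiphers, so a cluster configured with the same suites in a different order, or with only a subset of them (for example the ECDHE suites alone), is reported as not using strong ciphers even though no weak suite is enabled. If strict equality is the intended reading of the benchmark item, the doc comment should say so explicitly, e.g. `// IsStrongCryptoCipherInUse validates there is a single "--tls-cipher-suites=" flag whose value is exactly the strongCryptoCiphers list (order included).`; otherwise the check would be better expressed as: the flag appears exactly once, its value is non-empty, and every comma-separated suite in it belongs to the strongCryptoCiphers set. That variant needs the flag's argument rather than an equality test, so it cannot reuse hasSingleFlagArgument as written; the body of hasSingleFlagArgument continues outside this hunk, so I cannot tell from here whether filterFlags already yields the value in a reusable form.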
index f9eb943..c0906bb 100644 (file)
@@ -38,6 +38,11 @@ var _ = Describe("Api", func() {
                        "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
                        "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
                        "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+                       "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+                               "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+                               "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," +
+                               "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384," +
+                               "TLS_RSA_WITH_AES_128_GCM_SHA256",
                }
 
                // kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -474,4 +479,18 @@ var _ = Describe("Api", func() {
                        Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
                )
        })
+
+       Describe("Flags requiring strict equality", func() {
+               DescribeTable("Strong Cryptographic Ciphers",
+                       func(params []string, expected bool) {
+                               Expect(IsStrongCryptoCipherInUse(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{}, false),
+                       Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
+                       Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
+                       Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
+                       Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
+                       Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+               )
+       })
 })
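Review bot: The new "Strong Cryptographic Ciphers" table pins the absent, empty and single-suite cases, but no entry covers a value that contains all the expected suites in a different order, or the expected list with one additional suite appended, so the strict-equality semantics of IsStrongCryptoCipherInUse is not documented by the tests and a later change to membership-based matching would go unnoticed. Consider adding two entries built from the same suite names as kubeApiServerCISCompliant: one with the first two suites swapped and one with an extra suite name appended, each with the expected result that matches the intended reading of the check. A `--tls-cipher-suites=` flag given twice is also worth an entry, since the doc comment on IsStrongCryptoCipherInUse promises the flag is present only once.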