auditLogAge = 30
auditLogBackups = 10
auditLogSize = 100
+
+ strongCryptoCiphers = "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM" +
+ "_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_AES_256_GCM" +
+ "_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_AES_256_GCM" +
+ "_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256"
)
// IsBasicAuthFileAbsent validates there is no basic authentication file specified.
return hasSingleFlagArgument("--service-account-lookup=", "true", params)
}
+// IsStrongCryptoCipherInUse validates there is single "--tls-cipher-suites=" flag and it is set to strong crypto ciphers.
+func IsStrongCryptoCipherInUse(params []string) bool {
+ return hasSingleFlagArgument("--tls-cipher-suites=", strongCryptoCiphers, params)
+}
+
// hasSingleFlagArgument checks whether selected flag was used once and has requested argument.
func hasSingleFlagArgument(flag string, argument string, params []string) bool {
found := filterFlags(params, flag)
"--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
"--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
"--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384," +
+ "TLS_RSA_WITH_AES_128_GCM_SHA256",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
})
+
+ Describe("Flags requiring strict equality", func() {
+ DescribeTable("Strong Cryptographic Ciphers",
+ func(params []string, expected bool) {
+ Expect(IsStrongCryptoCipherInUse(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--tls-cipher-suites="}, false),
+ Entry("Is incomplete on insecure cluster", []string{"--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"}, false),
+ Entry("Is incomplete on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is incomplete on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be complete on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ })
})