k8s: Validate API server not excluded authorization mode 33/95833/2
authorPawel Wieczorek <p.wieczorek2@samsung.com>
Tue, 17 Sep 2019 15:09:37 +0000 (17:09 +0200)
committerPawel Wieczorek <p.wieczorek2@samsung.com>
Thu, 19 Sep 2019 13:14:01 +0000 (15:14 +0200)
This patch verifies whether the CIS Kubernetes Benchmark v1.3.0 section
regarding master node configuration is satisfied, specifically check 1.1.19
(ensure that the --authorization-mode argument is not set to AlwaysAllow).

Issue-ID: SECCOM-235
Change-Id: I00c9600fd0d351afb7141a5fa16f348eab67b12d
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
test/security/k8s/src/check/cmd/check/check.go
test/security/k8s/src/check/validators/master/api.go
test/security/k8s/src/check/validators/master/api_test.go

index a351199..c9b34aa 100644 (file)
@@ -63,4 +63,6 @@ func main() {
        log.Printf("IsEventRateLimitAdmissionControlPluginIncluded: %t\n", master.IsEventRateLimitAdmissionControlPluginIncluded(k8sParams))
 
        log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams))
+
+       log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams))
 }
index dc22e35..47a2a8e 100644 (file)
@@ -247,3 +247,9 @@ func hasFlagArgumentIncluded(flag string, argument string, params []string) bool
        }
        return false
 }
+
+// IsAlwaysAllowAuthorizationModeExcluded validates AlwaysAllow is excluded from admission control plugins.
+func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool {
+       return isSingleFlagPresent("--authorization-mode=", params) &&
+               !hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
+}
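Review bot: The doc comment on the new function is a copy-paste slip: it says AlwaysAllow is excluded "from admission control plugins", but the function inspects `--authorization-mode`, which is the authorizer list, not the admission chain. The comment should also record why the flag is required to be present at all, since that is the security-relevant part of the check: kube-apiserver falls back to AlwaysAllow when `--authorization-mode` is omitted, so an absent flag correctly counts as non-compliant rather than as "nothing to exclude". Suggested: `// IsAlwaysAllowAuthorizationModeExcluded validates that --authorization-mode is set and does not list AlwaysAllow (CIS 1.1.19); an absent flag is non-compliant because kube-apiserver then defaults to AlwaysAllow.` Note that `hasFlagArgumentIncluded`'s body starts above this hunk, so whether it matches whole comma-separated tokens or substrings cannot be confirmed here; with the real mode names (Node, RBAC, ABAC, Webhook, AlwaysDeny) neither form can false-match "AlwaysAllow", but a flag passed as `--authorization-mode RBAC` (space-separated) would presumably be reported as absent and therefore non-compliant, which is fail-safe but worth a sentence in the comment if that form can occur in collected params.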
index 233662a..4176162 100644 (file)
@@ -23,6 +23,7 @@ var _ = Describe("Api", func() {
                                "PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook," +
                                "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
                                "PodSecurityPolicy,NodeRestriction,EventRateLimit",
+                       "--authorization-mode=RBAC",
                }
 
                // kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -315,5 +316,16 @@ var _ = Describe("Api", func() {
                        Entry("Should not be disabled on Casablanca cluster", kubeApiServerCasablanca, true),
                        Entry("Should not be disabled on Dublin cluster", kubeApiServerDublin, true),
                )
+
+               DescribeTable("AlwaysAllow authorization mode",
+                       func(params []string, expected bool) {
+                               Expect(IsAlwaysAllowAuthorizationModeExcluded(params)).To(Equal(expected))
+                       },
+                       Entry("Is not explicitly disabled on insecure cluster", []string{}, false),
+                       Entry("Is not absent on insecure cluster", []string{"--authorization-mode=Foo,Bar,AlwaysAllow,Baz,Quuz"}, false),
+                       Entry("Is not explicitly disabled on Casablanca cluster", kubeApiServerCasablanca, false),
+                       Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+                       Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
+               )
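Review bot: The new table covers AlwaysAllow buried in a list but not the two most likely real-world misconfigurations: the flag set to AlwaysAllow alone, and a compliant multi-mode value such as Node,RBAC. Adding `Entry("Is not absent when sole mode on insecure cluster", []string{"--authorization-mode=AlwaysAllow"}, false),` and `Entry("Should be absent with multiple modes", []string{"--authorization-mode=Node,RBAC"}, true),` would pin both ends. The `kubeApiServerDublin` fixture that the last entry expects to pass is defined outside this hunk, so its compliance here presumably rests on it carrying an `--authorization-mode=` value without AlwaysAllow; confirm that is the case rather than the entry passing for an unrelated reason.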
        })
 })