"check/validators/master/boolean"
 )
 
+// IsProfilingDisabled validates there is single "--profiling" flag and it is set to "false".
+func IsProfilingDisabled(params []string) bool {
+       return args.HasSingleFlagArgument("--profiling=", "false", params)
+}
+
+// IsUseServiceAccountCredentialsEnabled validates there is single "--use-service-account-credentials" flag and it is set to "true".
+func IsUseServiceAccountCredentialsEnabled(params []string) bool {
+       return args.HasSingleFlagArgument("--use-service-account-credentials=", "true", params)
+}
+
+// IsRotateKubeletServerCertificateIncluded validates RotateKubeletServerCertificate=true is included.
+func IsRotateKubeletServerCertificateIncluded(params []string) bool {
+       return args.HasFlagArgumentIncluded("--feature-gates=", "RotateKubeletServerCertificate=true", params)
+}
+
 // IsInsecureBindAddressAbsentOrLoopback validates there is no insecure bind address or it is loopback address.
 func IsInsecureBindAddressAbsentOrLoopback(params []string) bool {
        return boolean.IsFlagAbsent("--address=", params) ||
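Review bot: The doc comments on `IsProfilingDisabled` and `IsUseServiceAccountCredentialsEnabled` do not say what the result is when the flag is missing, which is the case an auditor most needs spelled out. The tests in this change expect `false` for an empty argument list, so the comment could add `// It returns false when the flag is absent or set to any other value.` The helper `args.HasSingleFlagArgument` is not visible here. If it compares the value literally against `"false"` / `"true"`, other boolean spellings the component may accept (for example `False` or `0`) would be reported as non-compliant, which fails safe but should be documented or normalised in the helper. The hunk ends inside `IsInsecureBindAddressAbsentOrLoopback`, which is unchanged context.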
 
 var _ = Describe("Controllermanager", func() {
        var (
                // kubeControllerManagerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
-               kubeControllerManagerCISCompliant = []string{}
+               kubeControllerManagerCISCompliant = []string{
+                       "--profiling=false",
+                       "--use-service-account-credentials=true",
+                       "--feature-gates=RotateKubeletServerCertificate=true",
+               }
 
                // kubeControllerManagerCasablanca was obtained from virtual environment for testing
                // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
                }
        )
 
+       Describe("Boolean flags", func() {
+               DescribeTable("Profiling",
+                       func(params []string, expected bool) {
+                               Expect(IsProfilingDisabled(params)).To(Equal(expected))
+                       },
+                       Entry("Is not set on insecure cluster", []string{}, false),
+                       Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+                       Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
+                       Entry("Should be set to false on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+                       Entry("Should be set to false on Dublin cluster", kubeControllerManagerDublin, true),
+               )
+
+               DescribeTable("Service account credentials use",
+                       func(params []string, expected bool) {
+                               Expect(IsUseServiceAccountCredentialsEnabled(params)).To(Equal(expected))
+                       },
+                       Entry("Is not set on insecure cluster", []string{}, false),
+                       Entry("Is explicitly disabled on insecure cluster", []string{"--use-service-account-credentials=false"}, false),
+                       Entry("Is not set on Casablanca cluster", kubeControllerManagerCasablanca, false),
+                       Entry("Should be set to true on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+                       Entry("Should be set to true on Dublin cluster", kubeControllerManagerDublin, true),
+               )
+       })
+
        Describe("Address flag", func() {
                DescribeTable("Bind address",
                        func(params []string, expected bool) {
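Review bot: Neither the "Profiling" nor the "Service account credentials use" table has an entry where the flag appears more than once, so the "single flag" property promised by the validators' doc comments is never exercised. A repeated flag with conflicting values is the case where a naive first-match check and the component's own flag parsing can disagree. Assuming `HasSingleFlagArgument` rejects duplicates, add `Entry("Is set twice with conflicting values", []string{"--profiling=false", "--profiling=true"}, false),` and the equivalent entry for `--use-service-account-credentials`. The Casablanca and Dublin fixtures are defined outside this hunk, so whether they already cover this cannot be confirmed here.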
                        Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
                )
        })
+
+       Describe("Argument list flags", func() {
+               DescribeTable("RotateKubeletServerCertificate",
+                       func(params []string, expected bool) {
+                               Expect(IsRotateKubeletServerCertificateIncluded(params)).To(Equal(expected))
+                       },
+                       Entry("Is not enabled on insecure cluster", []string{"--feature-gates=Foo=Bar,Baz=Quuz"}, false),
+                       Entry("Is explicitly disabled on insecure cluster", []string{"--feature-gates=Foo=Bar,RotateKubeletServerCertificate=false,Baz=Quuz"}, false),
+                       Entry("Is not enabled on Casablanca cluster", kubeControllerManagerCasablanca, false),
+                       Entry("Is not enabled on Dublin cluster", kubeControllerManagerDublin, false),
+                       Entry("Should be enabled on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+               )
+       })
 })
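Review bot: The "RotateKubeletServerCertificate" table has no entry for an argument list with no `--feature-gates` flag at all, although the two boolean tables both test `[]string{}`. Adding `Entry("Is not set on insecure cluster", []string{}, false),` pins the fail-closed result for the absent case directly, rather than relying on fixtures defined outside this hunk. A second entry with the gate listed twice with opposite values, such as `"--feature-gates=RotateKubeletServerCertificate=true,RotateKubeletServerCertificate=false"`, would document how `HasFlagArgumentIncluded` treats a contradictory list. The expected value for that entry depends on the helper, which is not shown.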