return boolean.IsFlagAbsent("--address=", params) ||
args.HasSingleFlagArgument("--address=", "127.0.0.1", params)
}
+
+// IsTerminatedPodGcThresholdValid validates terminated pod garbage collector threshold is set and it has non-empty argument.
+func IsTerminatedPodGcThresholdValid(params []string) bool {
+ return args.HasSingleFlagNonemptyArgument("--terminated-pod-gc-threshold", params)
+}
+
+// IsServiceAccountPrivateKeyFileSet validates service account private key is set and it has non-empty argument.
+func IsServiceAccountPrivateKeyFileSet(params []string) bool {
+ return args.HasSingleFlagNonemptyArgument("--service-account-private-key-file", params)
+}
+
+// IsRootCertificateAuthoritySet validates root certificate authority is set and it has non-empty argument.
+func IsRootCertificateAuthoritySet(params []string) bool {
+ return args.HasSingleFlagNonemptyArgument("--root-ca-file", params)
+}
"--profiling=false",
"--use-service-account-credentials=true",
"--feature-gates=RotateKubeletServerCertificate=true",
+ "--terminated-pod-gc-threshold=10",
+ "--service-account-private-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem",
+ "--root-ca-file=/etc/kubernetes/ssl/kube-ca.pem",
}
// kubeControllerManagerCasablanca was obtained from virtual environment for testing
)
})
+ Describe("File path flags", func() {
+ DescribeTable("Service account private key",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountPrivateKeyFileSet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{""}, false),
+ Entry("Is empty on insecure cluster", []string{"--service-account-private-key-file="}, false),
+ Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
+ Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+ )
+
+ DescribeTable("Root certificate authority",
+ func(params []string, expected bool) {
+ Expect(IsRootCertificateAuthoritySet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{""}, false),
+ Entry("Is empty on insecure cluster", []string{"--root-ca-file="}, false),
+ Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ Entry("Should be explicitly set on Casablanca cluster", kubeControllerManagerCasablanca, true),
+ Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+ )
+ })
+
Describe("Address flag", func() {
DescribeTable("Bind address",
func(params []string, expected bool) {
)
})
+ Describe("Numeric flags", func() {
+ DescribeTable("Terminated pod garbage collector threshold",
+ func(params []string, expected bool) {
+ Expect(IsTerminatedPodGcThresholdValid(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{""}, false),
+ Entry("Is empty on insecure cluster", []string{"--terminated-pod-gc-threshold="}, false),
+ Entry("Is absent on Casablanca cluster", kubeControllerManagerCasablanca, false),
+ Entry("Should be explicitly set on CIS-compliant cluster", kubeControllerManagerCISCompliant, true),
+ Entry("Should be explicitly set on Dublin cluster", kubeControllerManagerDublin, true),
+ )
+ })
+
Describe("Argument list flags", func() {
DescribeTable("RotateKubeletServerCertificate",
func(params []string, expected bool) {
func CheckControllerManager(params []string) {
log.Println("==> Controller Manager:")
log.Printf("IsProfilingDisabled: %t\n", controllermanager.IsProfilingDisabled(params))
+ log.Printf("IsTerminatedPodGcThresholdValid: %t\n", controllermanager.IsTerminatedPodGcThresholdValid(params))
log.Printf("IsUseServiceAccountCredentialsEnabled: %t\n", controllermanager.IsUseServiceAccountCredentialsEnabled(params))
log.Printf("IsRotateKubeletServerCertificateIncluded: %t\n", controllermanager.IsRotateKubeletServerCertificateIncluded(params))
+ log.Printf("IsServiceAccountPrivateKeyFileSet: %t\n", controllermanager.IsServiceAccountPrivateKeyFileSet(params))
+ log.Printf("IsRootCertificateAuthoritySet: %t\n", controllermanager.IsRootCertificateAuthoritySet(params))
log.Printf("IsInsecureBindAddressAbsentOrLoopback: %t\n", controllermanager.IsInsecureBindAddressAbsentOrLoopback(params))
}