k8s: Validate API server Certificate Authorities

This patch verifies if CIS Kubernetes Benchmark v1.3.0 sections
regarding master node configuration are satisfied (1.1.21, 1.1.29
and 1.1.31).

Issue-ID: SECCOM-235
Change-Id: Ia2f55f6962885a7aa878c970a406189902cfab10
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>

diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go
index 7468bc4..d124b87 100644 (file)
--- a/test/security/k8s/src/check/cmd/check/check.go
+++ b/test/security/k8s/src/check/cmd/check/check.go
@@ -70,4 +70,8 @@ func main() {
        log.Printf("IsAuditLogMaxAgeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
        log.Printf("IsAuditLogMaxBackupValid: %t\n", master.IsAuditLogPathSet(k8sParams))
        log.Printf("IsAuditLogMaxSizeValid: %t\n", master.IsAuditLogPathSet(k8sParams))
+
+       log.Printf("IsKubeletCertificateAuthoritySet: %t\n", master.IsKubeletCertificateAuthoritySet(k8sParams))
+       log.Printf("IsClientCertificateAuthoritySet: %t\n", master.IsClientCertificateAuthoritySet(k8sParams))
+       log.Printf("IsEtcdCertificateAuthoritySet: %t\n", master.IsEtcdCertificateAuthoritySet(k8sParams))
 }

diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go
index ca517c1..4a70e53 100644 (file)
--- a/test/security/k8s/src/check/validators/master/api.go
+++ b/test/security/k8s/src/check/validators/master/api.go
@@ -263,6 +263,21 @@ func IsAuditLogPathSet(params []string) bool {
        return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
 }
 
+// IsKubeletCertificateAuthoritySet validates there is single "--kubelet-certificate-authority" flag and has non-empty argument.
+func IsKubeletCertificateAuthoritySet(params []string) bool {
+       return hasSingleFlagNonemptyArgument("--kubelet-certificate-authority", params)
+}
+
+// IsClientCertificateAuthoritySet validates there is single "--client-ca-file" flag and has non-empty argument.
+func IsClientCertificateAuthoritySet(params []string) bool {
+       return hasSingleFlagNonemptyArgument("--client-ca-file", params)
+}
+
+// IsEtcdCertificateAuthoritySet validates there is single "--etcd-cafile" flag and has non-empty argument.
+func IsEtcdCertificateAuthoritySet(params []string) bool {
+       return hasSingleFlagNonemptyArgument("--etcd-cafile", params)
+}
+
 // hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
 func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
        found := filterFlags(params, flag)

diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
index 23c2838..f0db8b7 100644 (file)
--- a/test/security/k8s/src/check/validators/master/api_test.go
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -28,6 +28,9 @@ var _ = Describe("Api", func() {
                        "--audit-log-maxage=30",
                        "--audit-log-maxbackup=10",
                        "--audit-log-maxsize=100",
+                       "--kubelet-certificate-authority=TrustedCA",
+                       "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
+                       "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
                }
 
                // kubeApiServerCasablanca was obtained from virtual environment for testing
@@ -204,6 +207,39 @@ var _ = Describe("Api", func() {
                        Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
                        Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
                )
+
+               DescribeTable("Kubelet certificate authority",
+                       func(params []string, expected bool) {
+                               Expect(IsKubeletCertificateAuthoritySet(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{}, false),
+                       Entry("Is empty on insecure cluster", []string{"--kubelet-certificate-authority="}, false),
+                       Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+                       Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+                       Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+               )
+
+               DescribeTable("Client certificate authority",
+                       func(params []string, expected bool) {
+                               Expect(IsClientCertificateAuthoritySet(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{}, false),
+                       Entry("Is empty on insecure cluster", []string{"--client-ca-file="}, false),
+                       Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+                       Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+                       Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+               )
+
+               DescribeTable("Etcd certificate authority",
+                       func(params []string, expected bool) {
+                               Expect(IsEtcdCertificateAuthoritySet(params)).To(Equal(expected))
+                       },
+                       Entry("Is absent on insecure cluster", []string{}, false),
+                       Entry("Is empty on insecure cluster", []string{"-etcd-cafile="}, false),
+                       Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+                       Entry("Should be present on Casablanca cluster", kubeApiServerCasablanca, true),
+                       Entry("Should be present on Dublin cluster", kubeApiServerDublin, true),
+               )
        })
 
        Describe("Address and port flags", func() {