return isSingleFlagPresent("--authorization-mode=", params) &&
!hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params)
}
+
+// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument.
+func IsAuditLogPathSet(params []string) bool {
+ return hasSingleFlagNonemptyArgument("--audit-log-path=", params)
+}
+
+// hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument.
+func hasSingleFlagNonemptyArgument(flag string, params []string) bool {
+ found := filterFlags(params, flag)
+ if len(found) != 1 {
+ return false
+ }
+
+ _, value := splitKV(found[0], "=")
+ if value == "" {
+ return false
+ }
+ return true
+}
"ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," +
"PodSecurityPolicy,NodeRestriction,EventRateLimit",
"--authorization-mode=RBAC",
+ "--audit-log-path=/var/log/apiserver/audit.log",
}
// kubeApiServerCasablanca was obtained from virtual environment for testing
Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true),
)
+
+ DescribeTable("Audit log path",
+ func(params []string, expected bool) {
+ Expect(IsAuditLogPathSet(params)).To(Equal(expected))
+ },
+ Entry("Is absent on insecure cluster", []string{}, false),
+ Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false),
+ Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Is absent on Dublin cluster", kubeApiServerDublin, false),
+ Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
})
Describe("Address and port flags", func() {