From: Pawel Wieczorek Date: Tue, 17 Sep 2019 16:45:41 +0000 (+0200) Subject: k8s: Validate API server auditing is enabled X-Git-Tag: 6.0.0-ONAP~353 X-Git-Url: https://gerrit.onap.org/r/gitweb?a=commitdiff_plain;h=6c95c5ca28dd3f48a58dc11cc9c17fd8b4934881;p=integration.git k8s: Validate API server auditing is enabled This patch verifies if CIS Kubernetes Benchmark v1.3.0 section regarding master node configuration is satisfied (1.1.15). Issue-ID: SECCOM-235 Change-Id: Ia1d27ed7a9e439bb0abf4bd8941bdd4573a50bd5 Signed-off-by: Pawel Wieczorek --- diff --git a/test/security/k8s/src/check/cmd/check/check.go b/test/security/k8s/src/check/cmd/check/check.go index c9b34aa42..23465d66a 100644 --- a/test/security/k8s/src/check/cmd/check/check.go +++ b/test/security/k8s/src/check/cmd/check/check.go @@ -65,4 +65,6 @@ func main() { log.Printf("IsNamespaceLifecycleAdmissionControlPluginNotExcluded: %t\n", master.IsNamespaceLifecycleAdmissionControlPluginNotExcluded(k8sParams)) log.Printf("IsAlwaysAllowAuthorizationModeExcluded: %t\n", master.IsAlwaysAllowAuthorizationModeExcluded(k8sParams)) + + log.Printf("IsAuditLogPathSet: %t\n", master.IsAuditLogPathSet(k8sParams)) } diff --git a/test/security/k8s/src/check/validators/master/api.go b/test/security/k8s/src/check/validators/master/api.go index 47a2a8e01..a316bbc00 100644 --- a/test/security/k8s/src/check/validators/master/api.go +++ b/test/security/k8s/src/check/validators/master/api.go @@ -253,3 +253,22 @@ func IsAlwaysAllowAuthorizationModeExcluded(params []string) bool { return isSingleFlagPresent("--authorization-mode=", params) && !hasFlagArgumentIncluded("--authorization-mode=", "AlwaysAllow", params) } + +// IsAuditLogPathSet validates there is single "--audit-log-path" flag and has non-empty argument. +func IsAuditLogPathSet(params []string) bool { + return hasSingleFlagNonemptyArgument("--audit-log-path=", params) +} + +// hasSingleFlagNonemptyArgument checks whether selected flag was used once and has non-empty argument. +func hasSingleFlagNonemptyArgument(flag string, params []string) bool { + found := filterFlags(params, flag) + if len(found) != 1 { + return false + } + + _, value := splitKV(found[0], "=") + if value == "" { + return false + } + return true +} diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index 01f1824b0..ba72c33df 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -24,6 +24,7 @@ var _ = Describe("Api", func() { "ResourceQuota,AlwaysPullImages,DenyEscalatingExec,SecurityContextDeny," + "PodSecurityPolicy,NodeRestriction,EventRateLimit", "--authorization-mode=RBAC", + "--audit-log-path=/var/log/apiserver/audit.log", } // kubeApiServerCasablanca was obtained from virtual environment for testing @@ -189,6 +190,17 @@ var _ = Describe("Api", func() { Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) + + DescribeTable("Audit log path", + func(params []string, expected bool) { + Expect(IsAuditLogPathSet(params)).To(Equal(expected)) + }, + Entry("Is absent on insecure cluster", []string{}, false), + Entry("Is empty on insecure cluster", []string{"--audit-log-path="}, false), + Entry("Is absent on Casablanca cluster", kubeApiServerCasablanca, false), + Entry("Is absent on Dublin cluster", kubeApiServerDublin, false), + Entry("Should be present on CIS-compliant cluster", kubeApiServerCISCompliant, true), + ) }) Describe("Address and port flags", func() {