From 57fae769fca12e55b0890316112fa3da19803cdc Mon Sep 17 00:00:00 2001 From: Pawel Wieczorek Date: Tue, 6 Aug 2019 15:56:56 +0200 Subject: [PATCH] k8s: Add test cases for Dublin API server Issue-ID: SECCOM-235 Change-Id: Ie6d43b9db767f191f883a2912916bc8abf9d3ad6 Signed-off-by: Pawel Wieczorek --- .../k8s/src/check/validators/master/api_test.go | 56 ++++++++++++++++++++++ 1 file changed, 56 insertions(+) diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go index ed93a5d13..bee199519 100644 --- a/test/security/k8s/src/check/validators/master/api_test.go +++ b/test/security/k8s/src/check/validators/master/api_test.go @@ -51,6 +51,51 @@ var _ = Describe("Api", func() { "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", } + + // kubeApiServerCasablanca was obtained from virtual environment for testing + // (introduced in Change-Id: I54ada5fade3b984dedd1715f20579e3ce901faa3). + kubeApiServerDublin = []string{ + "--requestheader-group-headers=X-Remote-Group", + "--proxy-client-cert-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client.pem", + "--bind-address=0.0.0.0", + "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," + + "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," + + "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," + + "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305", + "--cloud-provider=", + "--etcd-cafile=/etc/kubernetes/ssl/kube-ca.pem", + "--etcd-servers=https://172.17.0.100:2379", + "--tls-cert-file=/etc/kubernetes/ssl/kube-apiserver.pem", + "--enable-admission-plugins=NamespaceLifecycle,LimitRanger,ServiceAccount," + + "DefaultStorageClass,DefaultTolerationSeconds,MutatingAdmissionWebhook," + + "ValidatingAdmissionWebhook,ResourceQuota,NodeRestriction,PersistentVolumeLabel", + "--insecure-port=0", + "--secure-port=6443", + "--storage-backend=etcd3", + "--kubelet-client-key=/etc/kubernetes/ssl/kube-apiserver-key.pem", + "--requestheader-client-ca-file=/etc/kubernetes/ssl/kube-apiserver-requestheader-ca.pem", + "--service-account-key-file=/etc/kubernetes/ssl/kube-service-account-token-key.pem", + "--service-node-port-range=30000-32767", + "--tls-private-key-file=/etc/kubernetes/ssl/kube-apiserver-key.pem", + "--requestheader-username-headers=X-Remote-User", + "--repair-malformed-updates=false", + "--kubelet-client-certificate=/etc/kubernetes/ssl/kube-apiserver.pem", + "--service-cluster-ip-range=10.43.0.0/16", + "--advertise-address=172.17.0.100", + "--profiling=false", + "--requestheader-extra-headers-prefix=X-Remote-Extra-", + "--etcd-certfile=/etc/kubernetes/ssl/kube-node.pem", + "--anonymous-auth=false", + "--etcd-keyfile=/etc/kubernetes/ssl/kube-node-key.pem", + "--etcd-prefix=/registry", + "--client-ca-file=/etc/kubernetes/ssl/kube-ca.pem", + "--kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname", + "--requestheader-allowed-names=kube-apiserver-proxy-client", + "--service-account-lookup=true", + "--proxy-client-key-file=/etc/kubernetes/ssl/kube-apiserver-proxy-client-key.pem", + "--authorization-mode=Node,RBAC", + "--allow-privileged=true", + } ) Describe("Boolean flags", func() { @@ -61,6 +106,7 @@ var _ = Describe("Api", func() { Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Token authentication file", @@ -70,6 +116,7 @@ var _ = Describe("Api", func() { Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Accepting any token", @@ -79,6 +126,7 @@ var _ = Describe("Api", func() { Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false), Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be absent on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Anonymous requests", @@ -88,6 +136,7 @@ var _ = Describe("Api", func() { Entry("Is not set on insecure cluster", []string{}, false), Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("HTTPS for kubelet", @@ -97,6 +146,7 @@ var _ = Describe("Api", func() { Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false), Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be absent or set to true on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Bind address", @@ -106,6 +156,7 @@ var _ = Describe("Api", func() { Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false), Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be absent or set to loopback on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Bind port", @@ -116,6 +167,7 @@ var _ = Describe("Api", func() { Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false), Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be set to 0 on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Secure bind port", @@ -125,6 +177,7 @@ var _ = Describe("Api", func() { Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false), Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true), Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true), + Entry("Should be absent or set to valid port on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Profiling", @@ -135,6 +188,7 @@ var _ = Describe("Api", func() { Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false), Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Repairing malformed updates", @@ -145,6 +199,7 @@ var _ = Describe("Api", func() { Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false), Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be set to false on Dublin cluster", kubeApiServerDublin, true), ) DescribeTable("Service account lookup", @@ -155,6 +210,7 @@ var _ = Describe("Api", func() { Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false), Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false), Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true), + Entry("Should be set to true on Dublin cluster", kubeApiServerDublin, true), ) }) }) -- 2.16.6