k8s: Add tests for API server validators
This patch also adds convenience target to the Makefile and updates
documentation on relevant dependencies.
Issue-ID: SECCOM-235
Change-Id: I57e00af3cd4c60af3128e3094607cc61bc1e5dbe
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
diff --git a/test/security/k8s/Makefile b/test/security/k8s/Makefile
index aeb1d90..05fbba0 100644
--- a/test/security/k8s/Makefile
+++ b/test/security/k8s/Makefile
@@ -13,8 +13,12 @@
$(BIN):
go install $(PROJECT)/cmd/$(BIN)
+test: export GOPATH = $(shell pwd)
+test:
+ go test $(PROJECT)/...
+
clean:
rm $(BIN_DIR)/$(BIN)
rmdir $(BIN_DIR)
-.PHONY: all run build clean $(BIN)
+.PHONY: all run build test clean $(BIN)
diff --git a/test/security/k8s/README b/test/security/k8s/README
index f69eb6e..4f14e37 100644
--- a/test/security/k8s/README
+++ b/test/security/k8s/README
@@ -28,6 +28,13 @@
.. _`Rancher CLI`: https://rancher.com/docs/rancher/v1.6/en/cli
.. _Docker: https://docs.docker.com/install
+Test
+----
+
+- Ginkgo_
+
+.. _Ginkgo: https://onsi.github.io/ginkgo/#getting-ginkgo
+
Running
=======
@@ -36,3 +43,12 @@
make run
will build and run configuration check executable. It is the default target.
+
+Testing
+=======
+
+Calling::
+
+ make test
+
+will run tests.
diff --git a/test/security/k8s/src/check/validators/master/api_test.go b/test/security/k8s/src/check/validators/master/api_test.go
new file mode 100644
index 0000000..95b68da
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/api_test.go
@@ -0,0 +1,160 @@
+package master_test
+
+import (
+ . "check/validators/master"
+
+ . "github.com/onsi/ginkgo/extensions/table"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+var _ = Describe("Api", func() {
+ var (
+ // kubeApiServerCISCompliant uses secure defaults or follows CIS guidelines explicitly.
+ kubeApiServerCISCompliant = []string{
+ "--anonymous-auth=false",
+ "--insecure-port=0",
+ "--profiling=false",
+ "--repair-malformed-updates=false",
+ "--service-account-lookup=true",
+ }
+
+ // kubeApiServerCasablanca was obtained from virtual environment for testing
+ // (introduced in Change-Id: I57f9f3caac0e8b391e9ed480f6bebba98e006882).
+ kubeApiServerCasablanca = []string{
+ "--storage-backend=etcd2",
+ "--storage-media-type=application/json",
+ "--service-cluster-ip-range=10.43.0.0/16",
+ "--etcd-servers=https://etcd.kubernetes.rancher.internal:2379",
+ "--insecure-bind-address=0.0.0.0",
+ "--insecure-port=0",
+ "--cloud-provider=rancher",
+ "--allow-privileged=true",
+ "--admission-control=NamespaceLifecycle,LimitRanger,ServiceAccount," +
+ "PersistentVolumeLabel,DefaultStorageClass,DefaultTolerationSeconds,ResourceQuota",
+ "--client-ca-file=/etc/kubernetes/ssl/ca.pem",
+ "--tls-cert-file=/etc/kubernetes/ssl/cert.pem",
+ "--tls-private-key-file=/etc/kubernetes/ssl/key.pem",
+ "--kubelet-client-certificate=/etc/kubernetes/ssl/cert.pem",
+ "--kubelet-client-key=/etc/kubernetes/ssl/key.pem",
+ "--runtime-config=batch/v2alpha1",
+ "--anonymous-auth=false",
+ "--authentication-token-webhook-config-file=/etc/kubernetes/authconfig",
+ "--runtime-config=authentication.k8s.io/v1beta1=true",
+ "--external-hostname=kubernetes.kubernetes.rancher.internal",
+ "--etcd-cafile=/etc/kubernetes/etcd/ca.pem",
+ "--etcd-certfile=/etc/kubernetes/etcd/cert.pem",
+ "--etcd-keyfile=/etc/kubernetes/etcd/key.pem",
+ "--tls-cipher-suites=TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256," +
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305," +
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384," +
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
+ }
+ )
+
+ Describe("Boolean flags", func() {
+ DescribeTable("Basic authentication file",
+ func(params []string, expected bool) {
+ Expect(IsBasicAuthFileAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--basic-auth-file=/path/to/file"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Token authentication file",
+ func(params []string, expected bool) {
+ Expect(IsTokenAuthFileAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--token-auth-file=/path/to/file"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Accepting any token",
+ func(params []string, expected bool) {
+ Expect(IsInsecureAllowAnyTokenAbsent(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--insecure-allow-any-token"}, false),
+ Entry("Should be absent on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Anonymous requests",
+ func(params []string, expected bool) {
+ Expect(IsAnonymousAuthDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to false on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("HTTPS for kubelet",
+ func(params []string, expected bool) {
+ Expect(IsKubeletHTTPSAbsentOrEnabled(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--kubelet-https=false"}, false),
+ Entry("Should be absent or set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be absent or set to true on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Bind address",
+ func(params []string, expected bool) {
+ Expect(IsInsecureBindAddressAbsentOrLoopback(params)).To(Equal(expected))
+ },
+ Entry("Is not absent on insecure cluster", []string{"--insecure-bind-address=1.2.3.4"}, false),
+ Entry("Is not absent nor set to loopback on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be absent or set to loopback on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Bind port",
+ func(params []string, expected bool) {
+ Expect(IsInsecurePortUnbound(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--insecure-port=1234"}, false),
+ Entry("Should be set to 0 on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ Entry("Should be set to 0 on Casablanca cluster", kubeApiServerCasablanca, true),
+ )
+
+ DescribeTable("Secure bind port",
+ func(params []string, expected bool) {
+ Expect(IsSecurePortAbsentOrValid(params)).To(Equal(expected))
+ },
+ Entry("Is explicitly disabled on insecure cluster", []string{"--secure-port=0"}, false),
+ Entry("Should be absent or set to valid port on Casablanca cluster", kubeApiServerCasablanca, true),
+ Entry("Should be absent or set to valid port on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Profiling",
+ func(params []string, expected bool) {
+ Expect(IsProfilingDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--profiling=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Repairing malformed updates",
+ func(params []string, expected bool) {
+ Expect(IsRepairMalformedUpdatesDisabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly enabled on insecure cluster", []string{"--repair-malformed-updates=true"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to false on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+
+ DescribeTable("Service account lookup",
+ func(params []string, expected bool) {
+ Expect(IsServiceAccountLookupEnabled(params)).To(Equal(expected))
+ },
+ Entry("Is not set on insecure cluster", []string{}, false),
+ Entry("Is explicitly disabled on insecure cluster", []string{"--service-account-lookup=false"}, false),
+ Entry("Is not set on Casablanca cluster", kubeApiServerCasablanca, false),
+ Entry("Should be set to true on CIS-compliant cluster", kubeApiServerCISCompliant, true),
+ )
+ })
+})
diff --git a/test/security/k8s/src/check/validators/master/master_suite_test.go b/test/security/k8s/src/check/validators/master/master_suite_test.go
new file mode 100644
index 0000000..5c957d8
--- /dev/null
+++ b/test/security/k8s/src/check/validators/master/master_suite_test.go
@@ -0,0 +1,13 @@
+package master_test
+
+import (
+ "testing"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+)
+
+func TestMaster(t *testing.T) {
+ RegisterFailHandler(Fail)
+ RunSpecs(t, "Master Suite")
+}