/
242426.go
104 lines (83 loc) · 3.2 KB
/
242426.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
// SPDX-FileCopyrightText: 2023 SAP SE or an SAP affiliate company and Gardener contributors
//
// SPDX-License-Identifier: Apache-2.0
package v1r11
import (
"context"
"strings"
"gopkg.in/yaml.v3"
appsv1 "k8s.io/api/apps/v1"
metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
"sigs.k8s.io/controller-runtime/pkg/client"
"github.com/gardener/diki/pkg/kubernetes/config"
kubeutils "github.com/gardener/diki/pkg/kubernetes/utils"
"github.com/gardener/diki/pkg/rule"
)
var _ rule.Rule = &Rule242426{}
type Rule242426 struct {
Client client.Client
Namespace string
StatefulSetETCDMain string
StatefulSetETCDEvents string
}
func (r *Rule242426) ID() string {
return ID242426
}
func (r *Rule242426) Name() string {
return "Kubernetes etcd must enable client authentication to secure service (MEDIUM 242426)"
}
func (r *Rule242426) Run(ctx context.Context) (rule.RuleResult, error) {
checkResults := []rule.CheckResult{}
etcdMain := "etcd-main"
etcdEvents := "etcd-events"
if r.StatefulSetETCDMain != "" {
etcdMain = r.StatefulSetETCDMain
}
if r.StatefulSetETCDEvents != "" {
etcdEvents = r.StatefulSetETCDEvents
}
checkResults = append(checkResults, r.checkStatefulSet(ctx, etcdMain))
checkResults = append(checkResults, r.checkStatefulSet(ctx, etcdEvents))
return rule.RuleResult{
RuleID: r.ID(),
RuleName: r.Name(),
CheckResults: checkResults,
}, nil
}
func (r *Rule242426) checkStatefulSet(ctx context.Context, statefulSetName string) rule.CheckResult {
statefulSet := &appsv1.StatefulSet{
ObjectMeta: metav1.ObjectMeta{
Name: statefulSetName,
Namespace: r.Namespace,
},
}
target := rule.NewTarget("name", statefulSetName, "namespace", r.Namespace, "kind", "statefulSet")
if err := r.Client.Get(ctx, client.ObjectKeyFromObject(statefulSet), statefulSet); err != nil {
return rule.ErroredCheckResult(err.Error(), target)
}
volume, found := kubeutils.GetVolumeFromStatefulSet(statefulSet, "etcd-config-file")
if !found {
return rule.ErroredCheckResult("StatefulSet does not contain volume with name: etcd-config-file.", target)
}
configByteSlice, err := kubeutils.GetFileDataFromVolume(ctx, r.Client, r.Namespace, volume, "etcd.conf.yaml")
if err != nil {
return rule.ErroredCheckResult(err.Error(), target)
}
config := &config.EtcdConfig{}
err = yaml.Unmarshal(configByteSlice, config)
if err != nil {
return rule.ErroredCheckResult(err.Error(), target)
}
// We do not check the command-line flags and environment variables,
// since they are ignored when a config file is set. ref https://etcd.io/docs/v3.5/op-guide/configuration/
if len(strings.Split(config.InitialCluster, ",")) == 1 {
return rule.SkippedCheckResult("ETCD runs as a single instance, peer communication options are not used.", target)
}
if config.PeerTransportSecurity.CertAuth == nil {
return rule.WarningCheckResult("Option peer-transport-security.client-cert-auth has not been set.", target)
}
if *config.PeerTransportSecurity.CertAuth {
return rule.PassedCheckResult("Option peer-transport-security.client-cert-auth set to allowed value.", target)
}
return rule.FailedCheckResult("Option peer-transport-security.client-cert-auth set to not allowed value.", target)
}