k8s.io/kubernetes@v1.29.3/test/e2e/cloud/gcp/kubelet_security.go

k8s.io/kubernetes@v1.29.3/test/e2e/cloud/gcp/kubelet_security.go (about)

     1  /*
     2  Copyright 2018 The Kubernetes Authors.
     3  
     4  Licensed under the Apache License, Version 2.0 (the "License");
     5  you may not use this file except in compliance with the License.
     6  You may obtain a copy of the License at
     7  
     8      http://www.apache.org/licenses/LICENSE-2.0
     9  
    10  Unless required by applicable law or agreed to in writing, software
    11  distributed under the License is distributed on an "AS IS" BASIS,
    12  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    13  See the License for the specific language governing permissions and
    14  limitations under the License.
    15  */
    16  
    17  package gcp
    18  
    19  import (
    20  	"context"
    21  	"fmt"
    22  	"net"
    23  	"net/http"
    24  	"time"
    25  
    26  	v1 "k8s.io/api/core/v1"
    27  	"k8s.io/kubernetes/pkg/cluster/ports"
    28  	"k8s.io/kubernetes/test/e2e/feature"
    29  	"k8s.io/kubernetes/test/e2e/framework"
    30  	e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet"
    31  	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
    32  	admissionapi "k8s.io/pod-security-admission/api"
    33  
    34  	"github.com/onsi/ginkgo/v2"
    35  )
    36  
    37  var _ = SIGDescribe("Ports Security Check", feature.KubeletSecurity, func() {
    38  	f := framework.NewDefaultFramework("kubelet-security")
    39  	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged
    40  
    41  	var node *v1.Node
    42  	var nodeName string
    43  
    44  	ginkgo.BeforeEach(func(ctx context.Context) {
    45  		var err error
    46  		node, err = e2enode.GetRandomReadySchedulableNode(ctx, f.ClientSet)
    47  		framework.ExpectNoError(err)
    48  		nodeName = node.Name
    49  	})
    50  
    51  	// make sure kubelet readonly (10255) and cadvisor (4194) ports are disabled via API server proxy
    52  	ginkgo.It(fmt.Sprintf("should not be able to proxy to the readonly kubelet port %v using proxy subresource", ports.KubeletReadOnlyPort), func(ctx context.Context) {
    53  		result, err := e2ekubelet.ProxyRequest(ctx, f.ClientSet, nodeName, "pods/", ports.KubeletReadOnlyPort)
    54  		framework.ExpectNoError(err)
    55  
    56  		var statusCode int
    57  		result.StatusCode(&statusCode)
    58  		framework.ExpectNotEqual(statusCode, http.StatusOK)
    59  	})
    60  	ginkgo.It("should not be able to proxy to cadvisor port 4194 using proxy subresource", func(ctx context.Context) {
    61  		result, err := e2ekubelet.ProxyRequest(ctx, f.ClientSet, nodeName, "containers/", 4194)
    62  		framework.ExpectNoError(err)
    63  
    64  		var statusCode int
    65  		result.StatusCode(&statusCode)
    66  		framework.ExpectNotEqual(statusCode, http.StatusOK)
    67  	})
    68  
    69  	// make sure kubelet readonly (10255) and cadvisor (4194) ports are closed on the public IP address
    70  	disabledPorts := []int{ports.KubeletReadOnlyPort, 4194}
    71  	for _, port := range disabledPorts {
    72  		port := port
    73  		ginkgo.It(fmt.Sprintf("should not have port %d open on its all public IP addresses", port), func(ctx context.Context) {
    74  			portClosedTest(f, node, port)
    75  		})
    76  	}
    77  })
    78  
    79  // checks whether the target port is closed
    80  func portClosedTest(f *framework.Framework, pickNode *v1.Node, port int) {
    81  	nodeAddrs := e2enode.GetAddresses(pickNode, v1.NodeExternalIP)
    82  	framework.ExpectNotEqual(len(nodeAddrs), 0)
    83  
    84  	for _, addr := range nodeAddrs {
    85  		conn, err := net.DialTimeout("tcp", fmt.Sprintf("%s:%d", addr, port), 1*time.Minute)
    86  		if err == nil {
    87  			conn.Close()
    88  			framework.Failf("port %d is not disabled", port)
    89  		}
    90  	}
    91  }