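/*
Copyright 2018 The Kubernetes Authors.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

    http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

package gcp

import (
	"context"
	"fmt"
	"net"
	"net/http"
	"strconv"
	"time"

	v1 "k8s.io/api/core/v1"
	"k8s.io/kubernetes/pkg/cluster/ports"
	"k8s.io/kubernetes/test/e2e/feature"
	"k8s.io/kubernetes/test/e2e/framework"
	e2ekubelet "k8s.io/kubernetes/test/e2e/framework/kubelet"
	e2enode "k8s.io/kubernetes/test/e2e/framework/node"
	admissionapi "k8s.io/pod-security-admission/api"

	"github.com/onsi/ginkgo/v2"
)

// cadvisorPort is the legacy cAdvisor listener (4194) that, like the kubelet
// read-only port, must be reachable neither through the API server proxy nor
// directly on the node's external IPs.
const cadvisorPort = 4194

var _ = SIGDescribe("Ports Security Check", feature.KubeletSecurity, func() {
	f := framework.NewDefaultFramework("kubelet-security")
	f.NamespacePodSecurityLevel = admissionapi.LevelPrivileged

	var node *v1.Node
	var nodeName string

	// Pick one ready, schedulable node per spec; both the proxy checks and the
	// direct-dial checks below run against that same node.
	ginkgo.BeforeEach(func(ctx context.Context) {
		var err error
		node, err = e2enode.GetRandomReadySchedulableNode(ctx, f.ClientSet)
		framework.ExpectNoError(err)
		nodeName = node.Name
	})

	// make sure kubelet readonly (10255) and cadvisor (4194) ports are disabled via API server proxy
	ginkgo.It(fmt.Sprintf("should not be able to proxy to the readonly kubelet port %v using proxy subresource", ports.KubeletReadOnlyPort), func(ctx context.Context) {
		expectProxyNotOK(ctx, f, nodeName, "pods/", ports.KubeletReadOnlyPort)
	})
	ginkgo.It("should not be able to proxy to cadvisor port 4194 using proxy subresource", func(ctx context.Context) {
		expectProxyNotOK(ctx, f, nodeName, "containers/", cadvisorPort)
	})

	// make sure kubelet readonly (10255) and cadvisor (4194) ports are closed on the public IP address
	disabledPorts := []int{ports.KubeletReadOnlyPort, cadvisorPort}
	for _, port := range disabledPorts {
		port := port // capture per-iteration value for the closure (pre-Go 1.22 loop semantics)
		ginkgo.It(fmt.Sprintf("should not have port %d open on its all public IP addresses", port), func(ctx context.Context) {
			portClosedTest(f, node, port)
		})
	}
})

// expectProxyNotOK sends a request for path on the given node port through the
// API server's node proxy subresource and fails the spec if the response status
// is 200 OK. An error returned by ProxyRequest itself also fails the spec; any
// non-200 status (including a zero status if none was recorded) is treated as
// "not exposed".
func expectProxyNotOK(ctx context.Context, f *framework.Framework, nodeName, path string, port int) {
	result, err := e2ekubelet.ProxyRequest(ctx, f.ClientSet, nodeName, path, port)
	framework.ExpectNoError(err)

	var statusCode int
	result.StatusCode(&statusCode)
	framework.ExpectNotEqual(statusCode, http.StatusOK)
}

// portClosedTest fails the spec if any external IP address of pickNode accepts
// a TCP connection on port, dialled from wherever the test binary runs.
// Every dial error counts as "closed" (connection refused, timeout, unreachable
// alike), so a port that is merely firewalled also passes; a firewalled address
// costs up to the full one-minute dial timeout. The node must report at least
// one external IP, otherwise the check would pass vacuously.
// f is currently unused; it is kept so existing callers need not change.
func portClosedTest(f *framework.Framework, pickNode *v1.Node, port int) {
	nodeAddrs := e2enode.GetAddresses(pickNode, v1.NodeExternalIP)
	framework.ExpectNotEqual(len(nodeAddrs), 0)

	for _, addr := range nodeAddrs {
		// JoinHostPort brackets IPv6 literals; a "%s:%d" format would produce an
		// undialable target on IPv6-only or dual-stack nodes, silently passing
		// the check for those addresses.
		target := net.JoinHostPort(addr, strconv.Itoa(port))
		conn, err := net.DialTimeout("tcp", target, 1*time.Minute)
		if err != nil {
			continue
		}
		conn.Close()
		framework.Failf("port %d is not disabled", port)
	}
}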