kube-bench/check/README.md

# Checks
Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations.

## YAML Representation
In this application these recommendations are represented as YAML documents.
An example is as listed below:
```
---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
  text: "Kube-apiserver"
  checks:
    - id: 1.1.1
      text: "Ensure that the --allow-privileged argument is set (Scored)"
      audit: "ps -ef | grep kube-apiserver | grep -v grep"
      tests:
      - flag: "--allow-privileged"
        set: true
      remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
      scored: true
```

Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.

## Tests
Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.

The syntax for tests:
```
tests:
- flag:
  set:
  compare:
    op:
    value:
...
```
Tests have various `operations` which are used to compare the output of audit commands for success.
These operations are:

- `eq`: tests if the flag value is equal to the compared value.
- `noteq`: tests if the flag value is unequal to the compared value.
- `gt`: tests if the flag value is greater than the compared value.
- `gte`: tests if the flag value is greater than or equal to the compared value.
- `lt`: tests if the flag value is less than the compared value.
- `lte`: tests if the flag value is less than or equal to the compared value.
- `has`: tests if the flag value contains the compared value.
- `nothave`: tests if the flag value does not contain the compared value.
Initial commit 2017-05-26 09:25:29 +00:00			`# Checks`
			`Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations.`

			`## YAML Representation`
			`In this application these recommendations are represented as YAML documents.`
			`An example is as listed below:`
			```
			`---`
			`controls:`
			`id: 1`
			`text: "Master Checks"`
			`type: "master"`
			`groups:`
			`- id: 1.1`
			`text: "Kube-apiserver"`
			`checks:`
			`- id: 1.1.1`
			`text: "Ensure that the --allow-privileged argument is set (Scored)"`
			`audit: "ps -ef \| grep kube-apiserver \| grep -v grep"`
			`tests:`
			`- flag: "--allow-privileged"`
			`set: true`
			`remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"`
			`scored: true`
			```

			Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers.
			Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the section of the CIS Kubernetes document.
			These groups are further organized under `controls` which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.

			`## Tests`
			`Tests are the items we actually look for to determine if a check is successful or not. Checks can have multiple tests, which must all be successful for the check to pass.`

			`The syntax for tests:`
			```
			`tests:`
			`- flag:`
			`set:`
			`compare:`
			`op:`
			`value:`
			`...`
			```
			Tests have various `operations` which are used to compare the output of audit commands for success.
			`These operations are:`

			- `eq`: tests if the flag value is equal to the compared value.
			- `noteq`: tests if the flag value is unequal to the compared value.
			- `gt`: tests if the flag value is greater than the compared value.
			- `gte`: tests if the flag value is greater than or equal to the compared value.
			- `lt`: tests if the flag value is less than the compared value.
			- `lte`: tests if the flag value is less than or equal to the compared value.
			- `has`: tests if the flag value contains the compared value.
			- `nothave`: tests if the flag value does not contain the compared value.