# Checks

Checks are recommendations from the Center for Internet Security for Kubernetes 1.6+ installations.

## YAML Representation

In this application these recommendations are represented as YAML documents. An example is listed below:

```
---
controls:
id: 1
text: "Master Checks"
type: "master"
groups:
- id: 1.1
  text: "Kube-apiserver"
  checks:
  - id: 1.1.1
    text: "Ensure that the --allow-privileged argument is set (Scored)"
    audit: "ps -ef | grep kube-apiserver | grep -v grep"
    tests:
    - flag: "--allow-privileged"
      set: true
    remediation: "Edit the /etc/kubernetes/config file on the master node and set the KUBE_ALLOW_PRIV parameter to '--allow-privileged=false'"
    scored: true
```

Recommendations (called `checks` in this document) can run on Kubernetes Master, Node or Federated API Servers. Checks are organized into `groups` which share similar controls (things to check for) and are grouped together in the corresponding section of the CIS Kubernetes document. These groups are further organized under `controls`, which can be of the type `master`, `node` or `federated apiserver` to reflect the various Kubernetes node types.

## Tests

Tests are the items we actually look for to determine whether a check is successful or not. A check can have multiple tests, all of which must succeed for the check to pass.

The syntax for tests:

```
tests:
- flag:
  set:
  compare:
    op:
    value:
...
```

Tests have various `operations` which are used to compare the output of audit commands for success. These operations are:

- `eq`: tests if the flag value is equal to the compared value.
- `noteq`: tests if the flag value is unequal to the compared value.
- `gt`: tests if the flag value is greater than the compared value.
- `gte`: tests if the flag value is greater than or equal to the compared value.
- `lt`: tests if the flag value is less than the compared value.
- `lte`: tests if the flag value is less than or equal to the compared value.
- `has`: tests if the flag value contains the compared value.
- `nothave`: tests if the flag value does not contain the compared value.
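To make the `flag` / `set` / `compare` semantics concrete, here is a small evaluator that applies tests of the shape above to the output of an `audit` command. This is an added illustration written for this page, not the project's own Go implementation: the check definitions are held as Python dicts instead of being parsed from YAML, the `ps` output and the check ids (`example-*`) are constructed sample data, and the rule for reading a flag value (`--flag=value` or `--flag value`) is an assumption about how such output is normally shaped.

```python
import shlex

# Constructed sample output of an audit command such as
# "ps -ef | grep kube-apiserver | grep -v grep" (assumption: one process line).
SAMPLE_AUDIT = (
    "root 1234 1 0 10:00 ? 00:01:02 kube-apiserver "
    "--allow-privileged=false --anonymous-auth=false --audit-log-maxage=30 "
    "--authorization-mode=Node,RBAC --insecure-port=0"
)

# Constructed checks using the test syntax from the page; ids are placeholders,
# not CIS Benchmark numbers.
SAMPLE_CHECKS = [
    {"id": "example-1", "tests": [{"flag": "--allow-privileged", "set": True}]},
    {"id": "example-2", "tests": [{"flag": "--allow-privileged", "set": True,
                                   "compare": {"op": "eq", "value": "false"}}]},
    {"id": "example-3", "tests": [{"flag": "--audit-log-maxage", "set": True,
                                   "compare": {"op": "gte", "value": 30}}]},
    {"id": "example-4", "tests": [{"flag": "--authorization-mode", "set": True,
                                   "compare": {"op": "has", "value": "RBAC"}},
                                  {"flag": "--authorization-mode", "set": True,
                                   "compare": {"op": "nothave", "value": "AlwaysAllow"}}]},
    {"id": "example-5", "tests": [{"flag": "--basic-auth-file", "set": False}]},
    {"id": "example-6", "tests": [{"flag": "--insecure-port", "set": True,
                                   "compare": {"op": "eq", "value": 0}}]},
]


def flag_value(output, flag):
    """Return (present, value) for a flag on the audited command line.

    Handles "--flag=value" and "--flag value"; a bare "--flag" yields "".
    """
    tokens = shlex.split(output)
    for i, tok in enumerate(tokens):
        if tok == flag:
            nxt = tokens[i + 1] if i + 1 < len(tokens) else None
            if nxt is not None and not nxt.startswith("--"):
                return True, nxt
            return True, ""
        if tok.startswith(flag + "="):
            return True, tok[len(flag) + 1:]
    return False, None


def compare(op, actual, expected):
    """Apply one of the page's comparison operations to string values."""
    if op == "eq":
        return actual == expected
    if op == "noteq":
        return actual != expected
    if op in ("gt", "gte", "lt", "lte"):
        a, b = int(actual), int(expected)  # numeric ops need numeric flag values
        return {"gt": a > b, "gte": a >= b, "lt": a < b, "lte": a <= b}[op]
    if op == "has":
        return expected in actual
    if op == "nothave":
        return expected not in actual
    raise ValueError("unknown op: %s" % op)


def run_test(output, test):
    """Evaluate a single test: presence (set) first, then the optional compare."""
    present, value = flag_value(output, test["flag"])
    if not test.get("set", True):
        return not present          # "set: false" passes only when the flag is absent
    if not present:
        return False                # flag required but missing
    cmp = test.get("compare")
    if cmp is None:
        return True                 # presence alone satisfies the test
    return compare(cmp["op"], value, str(cmp["value"]))


def run_check(output, check):
    """A check passes only if every one of its tests passes."""
    return all(run_test(output, t) for t in check["tests"])


def run_all(output, checks):
    """Map each check id to its pass/fail result."""
    return {c["id"]: run_check(output, c) for c in checks}


if __name__ == "__main__":
    for cid, ok in run_all(SAMPLE_AUDIT, SAMPLE_CHECKS).items():
        print(cid, "PASS" if ok else "FAIL")
```

The presence test (`set`) is evaluated before any `compare`, so a `set: false` test cannot be satisfied by a flag that is present with some value, and a `set: true` test with no `compare` passes on presence alone, which is exactly what the page's 1.1.1 example expresses. Numeric operators convert both sides with `int`, so a non-numeric flag value raises rather than silently passing.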