| YES/NO | CHECK ITEM | Description |
|---|---|---|
| ✅ | NodeDockerHung | Docker hung, you can check docker log |
| ✅ | PrivilegeEscalationAllowed | Privilege escalation is allowed |
| ✅ | CanImpersonateUser | The role/clusterrole can impersonate other user |
| ✅ | CanDeleteResources | The role/clusterrole can delete kubernetes resources |
| ✅ | CanModifyWorkloads | The role/clusterrole can modify kubernetes workloads |
| ✅ | NoCPULimits | The resource does not set limits of CPU in containers.resources |
| ✅ | NoCPURequests | The resource does not set requests of CPU in containers.resources |
| ✅ | HighRiskCapabilities | Have high-Risk options in capabilities such as ALL/SYS_ADMIN/NET_ADMIN |
| ✅ | HostIPCAllowed | HostIPC Set to true |
| ✅ | HostNetworkAllowed | HostNetwork Set to true |
| ✅ | HostPIDAllowed | HostPID Set to true |
| ✅ | HostPortAllowed | HostPort Set to true |
| ✅ | ImagePullPolicyNotAlways | Image pull policy not always |
| ✅ | ImageTagIsLatest | The image tag is latest |
| ✅ | ImageTagMiss | The image tag do not declare |
| ✅ | InsecureCapabilities | Have insecure options in capabilities such as KILL/SYS_CHROOT/CHOWN |
| ✅ | NoLivenessProbe | The resource does not set livenessProbe |
| ✅ | NoMemoryLimits | The resource does not set limits of memory in containers.resources |
| ✅ | NoMemoryRequests | The resource does not set requests of memory in containers.resources |
| ✅ | NoPriorityClassName | The resource does not set priorityClassName |
| ✅ | PrivilegedAllowed | Running a pod in a privileged mode means that the pod can access the host’s resources and kernel capabilities |
| ✅ | NoReadinessProbe | The resource does not set readinessProbe |
| ✅ | NotReadOnlyRootFilesystem | The resource does not set readOnlyRootFilesystem to true |
| ✅ | NotRunAsNonRoot | The resource does not set runAsNonRoot to true, maybe executed run as a root account |
| ✅ | ETCDHealthStatus | if etcd is up and running normally, please check etcd status |
| ✅ | ControllerManagerHealthStatus | if kubernetes kube-controller-manager is up and running normally, please check kube-controller-manager status |
| ✅ | SchedulerHealthStatus | if kubernetes kube-scheduler is up and running normally, please check kube-scheduler status |
| ✅ | NodeMemory | if node memory usage is above threshold, please check node memory usage |
| ✅ | DockerHealthStatus | if docker is up and running, please check docker status |
| ✅ | NodeDisk | if node disk usage is above given threshold, please check node disk usage |
| ✅ | KubeletHealthStatus | if kubelet is active and running normally |
| ✅ | NodeCPU | if node cpu usage is above the given threshold |
| ✅ | NodeCorruptOverlay2 | Overlay2 is not available |
| ✅ | NodeKernelNULLPointer | the node displays NotReady |
| ✅ | NodeDeadlock | A deadlock is a phenomenon in which two or more processes are waiting for each other as they compete for resources |
| ✅ | NodeOOM | Monitor processes that consume too much memory, especially those that consume a lot of memory very quickly, and the kernel kill them to prevent them from running out of memory |
| ✅ | NodeExt4Error | Ext4 mount error |
| ✅ | NodeTaskHung | Check to see if there is a process in state D for more than 120s |
| ✅ | NodeUnregisterNetDevice | Check corresponding net |
| ✅ | NodeCorruptDockerImage | Check docker image |
| ✅ | NodeAUFSUmountHung | Check storage |
| ✅ | PodSetImagePullBackOff | Pod can't pull the image properly, so it can be pulled manually on the corresponding node |
| ✅ | PodNoSuchFileOrDirectory | Go into the container to see if the corresponding file exists |
| ✅ | PodIOError | This is usually due to file IO performance bottlenecks |
| ✅ | PodNoSuchDeviceOrAddress | Check corresponding net |
| ✅ | PodInvalidArgument | Check the storage |
| ✅ | PodDeviceOrResourceBusy | Check corresponding dirctory and PID |
| ✅ | PodFileExists | Check for existing files |
| ✅ | PodTooManyOpenFiles | The number of file /socket connections opened by the program exceeds the system set value |
| ✅ | PodNoSpaceLeftOnDevice | Check for disk and inode usage |
| ✅ | NodeApiServerExpiredPeriod | ApiServer certificate expiration date less than 30 days will be checked |
| NodeNotReadyAndUseOfClosedNetworkConnection | http2-max-streams-per-connection | |
| NodeNotReady | Failed to start ContainerManager Cannot set property TasksAccounting, or unknown property |
unmarked items are under heavy development