Check that should scan all pods -> their service accounts and identify if they can access API server resources (leading to leaking access to API server in case of compromising a Kubernetes node)

There could be two variants:

• Alert if given cluster node has API key
• Alert if given pods are having API keys

• Is certificate valid?
• When it expires? Alert X days before expiration

Optional description field can be helpful to keep the note for other administrators

Example:

{
    "type": "rkd://rkd.standardlib.shell:sh",
    "input": {
        "-c": "ls -la"
    }
}

Requires rkd >= 2.3

That would also simplify the code by removing "lazy" and "force" features. The application could refresh the data by its own, without having to manually control the process by the user - just run the application and access the endpoint.

• Todo is to collect all phrases and create regexps for monitorng
• Implement collecting logs from file
• Implement collecting logs from docker container
• Make a shared mechanism inside infracheck for logs reading from those two sources, so any checks could use this mechanism

Verification if curl -H 'Host: example.org' https://1.2.3.4 matches curl https://example.org certificate.
Reason: Manipulated man-in-the-middle proxy detection

Example:

{
    "type": "tls-integrity",
    "input": {
        "src_url": "1.2.3.4",
        "hostname": "example.org"
    }
}

Implement a check that will search for docker container logs, allow limiting by X last lines, since given time (in seconds could be), and specifying if the regexp should be in logs or not.

A check that is checking if the SMTP credentials and parameters are still valid.

1. A check is proposed to be written in Python 3.7+ using smtplib
   https://www.tutorialspoint.com/python/python_sending_email.htm
   https://docs.python.org/3/library/smtplib.html
   https://stackoverflow.com/a/12555214/6782994
   https://www.authsmtp.com/python/index.html

2. SMTP check should NOT send any e-mails

3. SMTP check should verify that connecting to a remote SMTP server using selected credentials, encryption and authentication method works

4. A unittest should be written to cover at least basic cases (test that can be used as an example: https://github.com/riotkit-org/infracheck/blob/master/tests/functional_test_docker_container_log_check.py)

5. A check file that could be used as an example and a starting point to write new check basing on it - https://github.com/riotkit-org/infracheck/blob/master/infracheck/checks/docker-container-log

6. Credentials, host, port, username, password should be possible to provide via environment variables

7. Script should return status as exit code - 0 when success, 1 or higher on failure

8. Script should describe the status of the check eg. "SMTP connection successful" or "Cannot authorize". Best if possible would be to catch exceptions thrown by smtplib and translate them to meaningful messages

9. There should be a documentation written in the check file as a comment. Check should be also added to sphinx documentaton there: https://raw.githubusercontent.com/riotkit-org/infracheck/master/docs/source/reference.rst (see includes at the bottom of the file)

Todo is a check domains eg. priamaakcia.sk and federacja-anarchistyczna.pl and fix handlers for those TLDs.

There could be custom resources implemented in a cluster, that would allow to define checks.

DaemonSet mode should collect results from all infracheck instances placed on multiple Kubernetes nodes and join together into a single results page.

Current implementation (we can call it "Deployment" mode in Kubernetes way) is showing results from single node.

Make a possibility to query the InfluxDB database. A good health check could be to verify if given host is reporting metrics to the InfluxDB at all - an example query for telegraf could be also provided in the documentation.

In case, when any application have synchronization issue, then it should be reported with a proper message.
There should be a selector that allows to specify which applications to monitor.

Not every check must be ran every time. Some things needs to be checked ex. once a day like domain expiration or tls expiration. Others like "is service working" should be checked as often as possible.

Goal: There should be a possibility to specify that some checks can be checked rarely, by keeping the results in the cache for longer time

Given I configure check with setting "results_cache_time" = 3600
And I run checks every 120s
When I run once the check then it gets cached
And I run try to run next time the check after 120s
Then the check will not run until 3600s = 1h will not pass

Integration with Backup Repository project to find backups that failed to execute