Merge pull request #34 from aquasecurity/kubectl-version

Use kubectl to check the kubernetes version

OWNERS

@@ -0,0 +1,3 @@
+approvers:
+ - lizrice
+ - jerbia

cfg/config.yaml

@@ -29,7 +29,7 @@ installation:
       conf:
         apiserver: /etc/kubernetes/apiserver
         scheduler: /etc/kubernetes/scheduler
-        controller-manager: /etc/kubernetes/apiserver
+        controller-manager: /etc/kubernetes/controller-manager
     node:
       bin:
         kubelet: kubelet

cfg/master.yaml

@@ -479,19 +479,14 @@ groups:
               parameter to \"--experimental-encryption-provider-config=</path/to/EncryptionConfig/File>\""
       scored: true
 
-# TODO: provide flag to WARN of manual tasks which we can't automate.
     - id: 1.1.35
       text: "Ensure that the encryption provider is set to aescbc (Scored)"
       audit: "ps -ef | grep $apiserverbin | grep -v grep"
-      tests:
-        test_items:
-        - flag: "requires manual intervention"
-          set: true
+      type: "manual"
       remediation: "Follow the Kubernetes documentation and configure a EncryptionConfig file. In this file,
               choose aescbc as the encryption provider"
       scored: true
 
-
 - id: 1.2
   text: "Scheduler"
   checks:
@@ -573,7 +568,13 @@ groups:
               KUBE_CONTROLLER_MANAGER_ARGS parameter to include --root-ca-file=<file>"
       scored: true
 
-# TODO: 1.3.6 is manual, provide way to WARN
+    - id: 1.3.6
+      text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+      type: "manual"
+      remediation: "Edit the /etc/kubernetes/controller-manager file on the master node and set the
+              KUBE_CONTROLLER_MANAGER_ARGS parameter to a value to include 
+              \"--feature-gates=RotateKubeletServerCertificate=true\""
+      scored: false
 
     - id: 1.3.7
       text: " Ensure that the RotateKubeletServerCertificate argument is set to true (Scored)"
@@ -717,6 +718,20 @@ groups:
               chmod 700 /var/lib/etcd/default.etcd"
       scored: true
 
+    - id: 1.4.12
+      text: "Ensure that the etcd data directory ownership is set to etcd:etcd (Scored)"
+      audit: "ps -ef | grep $etcdbin | grep -v grep | grep -o data-dir=.* | cut -d= -f2 | xargs stat -c %U:%G"
+      tests:
+        test_items:
+        - flag: "etcd:etcd"
+          set: true
+      remediation: "On the etcd server node, get the etcd data directory, passed as an argument --data-dir ,
+              from the below command:\n
+                      ps -ef | grep etcd\n
+              Run the below command (based on the etcd data directory found above). For example,\n
+                      chown etcd:etcd /var/lib/etcd/default.etcd"
+      scored: true
+
 - id: 1.5
   text: "etcd"
   checks:
@@ -859,3 +874,65 @@ groups:
       remediation: "Follow the etcd documentation and create a dedicated certificate authority setup for the 
               etcd service."
       scored: false 
+
+- id: 1.6
+  text: "General Security Primitives"
+  checks:
+    - id: 1.6.1
+      text: "Ensure that the cluster-admin role is only used where required (Not Scored)"
+      type: "manual"
+      remediation: "Remove any unneeded clusterrolebindings: kubectl delete clusterrolebinding [name]"
+      scored: false
+
+    - id: 1.6.2
+      text: "Create Pod Security Policies for your cluster (Not Scored)"
+      type: "manual"
+      remediation: "Follow the documentation and create and enforce Pod Security Policies for your cluster.
+              Additionally, you could refer the \"CIS Security Benchmark for Docker\" and follow the
+              suggested Pod Security Policies for your environment."
+      scored: false
+
+    - id: 1.6.3
+      text: "Create administrative boundaries between resources using namespaces (Not Scored)"
+      type: "manual"
+      remediation: "Follow the documentation and create namespaces for objects in your deployment as you
+              need them."
+      scored: false
+
+    - id: 1.6.4
+      text: "Create network segmentation using Network Policies (Not Scored)"
+      type: "manual"
+      remediation: "Follow the documentation and create NetworkPolicy objects as you need them."
+      scored: false
+
+    - id: 1.6.5
+      text: "Ensure that the seccomp profile is set to docker/default in your pod definitions (Not Scored)"
+      type: "manual"
+      remediation: "Seccomp is an alpha feature currently. By default, all alpha features are disabled. So, you
+              would need to enable alpha features in the apiserver by passing \"--feature-
+              gates=AllAlpha=true\" argument.\n
+              Edit the $apiserverconf file on the master node and set the KUBE_API_ARGS
+              parameter to \"--feature-gates=AllAlpha=true\"
+              KUBE_API_ARGS=\"--feature-gates=AllAlpha=true\""
+      scored: false
+
+    - id: 1.6.6
+      text: "Apply Security Context to Your Pods and Containers (Not Scored)"
+      type: "manual"
+      remediation: "Follow the Kubernetes documentation and apply security contexts to your pods. For a
+              suggested list of security contexts, you may refer to the CIS Security Benchmark for Docker
+              Containers."
+      scored: false
+
+    - id: 1.6.7
+      text: "Configure Image Provenance using ImagePolicyWebhook admission controller (Not Scored)"
+      type: "manual"
+      remediation: "Follow the Kubernetes documentation and setup image provenance."
+      scored: false
+
+    - id: 1.6.8
+      text: "Configure Network policies as appropriate (Not Scored)"
+      type: "manual"
+      remediation: "Follow the Kubernetes documentation and setup network policies as appropriate."
+      scored: false
+

cfg/node.yaml

@@ -285,7 +285,6 @@ groups:
               \nFor example, chown root:root $proxyconf"
       scored: true
 
-# TODO: provide flag to WARN about manual checks.
     - id: 2.2.7
       text: "Ensure that the certificate authorities file permissions are set to
               644 or more restrictive (Scored)"
@@ -298,7 +297,6 @@ groups:
               \nchmod 644 <filename>"
       scored: true
 
-# TODO: provide flag to WARN about manual checks.
     - id: 2.2.8
       text: "Ensure that the client certificate authorities file ownership is set to root:root"
       audit: "if test -e $ca-file; then stat -c %U:%G $ca-file; fi"

check/check.go

@@ -18,9 +18,10 @@ import (
 	"bytes"
 	"fmt"
 	"io"
-	"os"
 	"os/exec"
 	"strings"
+
+	"github.com/golang/glog"
 )
 
 // NodeType indicates the type of node (master, node, federated).
@@ -60,6 +61,7 @@ type Check struct {
 	ID          string `yaml:"id" json:"id"`
 	Text        string
 	Audit       string      `json:"omit"`
+	Type        string      `json:"type"`
 	Commands    []*exec.Cmd `json:"omit"`
 	Tests       *tests      `json:"omit"`
 	Set         bool        `json:"omit"`
@@ -69,7 +71,13 @@ type Check struct {
 
 // Run executes the audit commands specified in a check and outputs
 // the results.
-func (c *Check) Run(verbose bool) {
+func (c *Check) Run() {
+	// If check type is manual, force result to WARN.
+	if c.Type == "manual" {
+		c.State = WARN
+		return
+	}
+
 	var out bytes.Buffer
 	var errmsgs string
 
@@ -148,9 +156,7 @@ func (c *Check) Run(verbose bool) {
 		i++
 	}
 
-	if verbose && errmsgs != "" {
-		fmt.Fprintf(os.Stderr, "%s\n", errmsgs)
-	}
+	glog.V(2).Info("%s\n", errmsgs)
 
 	res := c.Tests.execute(out.String())
 	if res {

check/controls.go

@@ -68,7 +68,7 @@ func NewControls(t NodeType, in []byte) (*Controls, error) {
 }
 
 // RunGroup runs all checks in a group.
-func (controls *Controls) RunGroup(verbose bool, gids ...string) Summary {
+func (controls *Controls) RunGroup(gids ...string) Summary {
 	g := []*Group{}
 	controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
 
@@ -82,7 +82,7 @@ func (controls *Controls) RunGroup(verbose bool, gids ...string) Summary {
 		for _, gid := range gids {
 			if gid == group.ID {
 				for _, check := range group.Checks {
-					check.Run(verbose)
+					check.Run()
 					summarize(controls, check)
 				}
 
@@ -96,7 +96,7 @@ func (controls *Controls) RunGroup(verbose bool, gids ...string) Summary {
 }
 
 // RunChecks runs the checks with the supplied IDs.
-func (controls *Controls) RunChecks(verbose bool, ids ...string) Summary {
+func (controls *Controls) RunChecks(ids ...string) Summary {
 	g := []*Group{}
 	m := make(map[string]*Group)
 	controls.Summary.Pass, controls.Summary.Fail, controls.Summary.Warn = 0, 0, 0
@@ -110,7 +110,7 @@ func (controls *Controls) RunChecks(verbose bool, ids ...string) Summary {
 		for _, check := range group.Checks {
 			for _, id := range ids {
 				if id == check.ID {
-					check.Run(verbose)
+					check.Run()
 					summarize(controls, check)
 
 					// Check if we have already added this checks group.

cmd/common.go

@@ -17,7 +17,6 @@ package cmd
 import (
 	"fmt"
 	"io/ioutil"
-	"os"
 	"strings"
 
 	"github.com/aquasecurity/kube-bench/check"
@@ -46,7 +45,8 @@ var (
 	errmsgs string
 
 	// TODO: Consider specifying this in config file.
-	kubeVersion = "1.7.0"
+	kubeMajorVersion = "1"
+	kubeMinorVersion = "7"
 )
 
 func runChecks(t check.NodeType) {
@@ -59,7 +59,7 @@ func runChecks(t check.NodeType) {
 	schedulerBin = viper.GetString("installation." + installation + ".master.bin.scheduler")
 	schedulerConf = viper.GetString("installation." + installation + ".master.conf.scheduler")
 	controllerManagerBin = viper.GetString("installation." + installation + ".master.bin.controller-manager")
-	controllerManagerConf = viper.GetString("installation." + installation + ".master.conf.controler-manager")
+	controllerManagerConf = viper.GetString("installation." + installation + ".master.conf.controller-manager")
 	config = viper.GetString("installation." + installation + ".config")
 
 	etcdBin = viper.GetString("etcd.bin")
@@ -78,7 +78,8 @@ func runChecks(t check.NodeType) {
 	fedControllerManagerBin = viper.GetString("installation." + installation + ".federated.bin.controller-manager")
 
 	// Run kubernetes installation validation checks.
-	warns := verifyNodeType(t)
+	verifyKubeVersion(kubeMajorVersion, kubeMinorVersion)
+	verifyNodeType(t)
 
 	switch t {
 	case check.MASTER:
@@ -91,8 +92,7 @@ func runChecks(t check.NodeType) {
 
 	in, err := ioutil.ReadFile(file)
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "error opening %s controls file: %v\n", t, err)
-		os.Exit(1)
+		exitWithError(fmt.Errorf("error opening %s controls file: %v", t, err))
 	}
 
 	// Variable substitutions. Replace all occurrences of variables in controls files.
@@ -102,7 +102,6 @@ func runChecks(t check.NodeType) {
 	s = strings.Replace(s, "$schedulerconf", schedulerConf, -1)
 	s = strings.Replace(s, "$controllermanagerbin", controllerManagerBin, -1)
 	s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
-	s = strings.Replace(s, "$controllermanagerconf", controllerManagerConf, -1)
 	s = strings.Replace(s, "$config", config, -1)
 
 	s = strings.Replace(s, "$etcdbin", etcdBin, -1)
@@ -120,63 +119,47 @@ func runChecks(t check.NodeType) {
 
 	controls, err := check.NewControls(t, []byte(s))
 	if err != nil {
-		fmt.Fprintf(os.Stderr, "error setting up %s controls: %v\n", t, err)
-		os.Exit(1)
+		exitWithError(fmt.Errorf("error setting up %s controls: %v", t, err))
 	}
 
 	if groupList != "" && checkList == "" {
 		ids := cleanIDs(groupList)
-		summary = controls.RunGroup(verbose, ids...)
+		summary = controls.RunGroup(ids...)
 	} else if checkList != "" && groupList == "" {
 		ids := cleanIDs(checkList)
-		summary = controls.RunChecks(verbose, ids...)
+		summary = controls.RunChecks(ids...)
 	} else if checkList != "" && groupList != "" {
-		fmt.Fprintf(os.Stderr, "group option and check option can't be used together\n")
-		os.Exit(1)
+		exitWithError(fmt.Errorf("group option and check option can't be used together"))
 	} else {
-		summary = controls.RunGroup(verbose)
+		summary = controls.RunGroup()
 	}
 
 	// if we successfully ran some tests and it's json format, ignore the warnings
 	if (summary.Fail > 0 || summary.Warn > 0 || summary.Pass > 0) && jsonFmt {
 		out, err := controls.JSON()
 		if err != nil {
-			fmt.Fprintf(os.Stderr, "failed to output in JSON format: %v\n", err)
-			os.Exit(1)
+			exitWithError(fmt.Errorf("failed to output in JSON format: %v", err))
 		}
 
 		fmt.Println(string(out))
 	} else {
-		prettyPrint(warns, controls, summary)
+		prettyPrint(controls, summary)
 	}
 }
 
 // verifyNodeType checks the executables and config files are as expected
 // for the specified tests (master, node or federated).
-func verifyNodeType(t check.NodeType) []string {
-	var w []string
-	// Always clear out error messages.
-	errmsgs = ""
-
+func verifyNodeType(t check.NodeType) {
 	switch t {
 	case check.MASTER:
-		w = append(w, verifyBin(apiserverBin, schedulerBin, controllerManagerBin)...)
-		w = append(w, verifyConf(apiserverConf, schedulerConf, controllerManagerConf)...)
-		w = append(w, verifyKubeVersion(apiserverBin)...)
+		verifyBin(apiserverBin, schedulerBin, controllerManagerBin)
+		verifyConf(apiserverConf, schedulerConf, controllerManagerConf)
 	case check.NODE:
-		w = append(w, verifyBin(kubeletBin, proxyBin)...)
-		w = append(w, verifyConf(kubeletConf, proxyConf)...)
-		w = append(w, verifyKubeVersion(kubeletBin)...)
+		verifyBin(kubeletBin, proxyBin)
+		verifyConf(kubeletConf, proxyConf)
 	case check.FEDERATED:
-		w = append(w, verifyBin(fedApiserverBin, fedControllerManagerBin)...)
-		w = append(w, verifyKubeVersion(fedApiserverBin)...)
+		verifyBin(fedApiserverBin, fedControllerManagerBin)
 	}
-
-	if verbose {
-		fmt.Fprintf(os.Stderr, "%s\n", errmsgs)
-	}
-
-	return w
 }
 
 // colorPrint outputs the state in a specific colour, along with a message string
@@ -186,13 +169,9 @@ func colorPrint(state check.State, s string) {
 }
 
 // prettyPrint outputs the results to stdout in human-readable format
-func prettyPrint(warnings []string, r *check.Controls, summary check.Summary) {
+func prettyPrint(r *check.Controls, summary check.Summary) {
 	colorPrint(check.INFO, fmt.Sprintf("Using config file: %s\n", viper.ConfigFileUsed()))
 
-	for _, w := range warnings {
-		colorPrint(check.WARN, w)
-	}
-
 	colorPrint(check.INFO, fmt.Sprintf("%s %s\n", r.ID, r.Text))
 	for _, g := range r.Groups {
 		colorPrint(check.INFO, fmt.Sprintf("%s %s\n", g.ID, g.Text))

cmd/root.go

@@ -15,6 +15,7 @@
 package cmd
 
 import (
+	goflag "flag"
 	"fmt"
 	"os"
 
@@ -34,11 +35,12 @@ var (
 	nodeFile      string
 	federatedFile string
 
+	loud bool
+
 	kubeConfDir     string
 	etcdConfDir     string
 	flanneldConfDir string
 
-	verbose      bool
 	installation string
 )
 
@@ -52,6 +54,9 @@ var RootCmd = &cobra.Command{
 // Execute adds all child commands to the root command sets flags appropriately.
 // This is called by main.main(). It only needs to happen once to the rootCmd.
 func Execute() {
+	goflag.Set("logtostderr", "true")
+	goflag.CommandLine.Parse([]string{})
+
 	if err := RootCmd.Execute(); err != nil {
 		fmt.Println(err)
 		os.Exit(-1)
@@ -83,7 +88,11 @@ func init() {
 		`Run all the checks under this comma-delimited list of groups. Example --group="1.1"`,
 	)
 	RootCmd.PersistentFlags().StringVar(&cfgFile, "config", "", "config file (default is ./cfg/config.yaml)")
-	RootCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose output (default false)")
+
+	goflag.CommandLine.VisitAll(func(goflag *goflag.Flag) {
+		RootCmd.PersistentFlags().AddGoFlag(goflag)
+	})
+
 }
 
 // initConfig reads in config file and ENV variables if set.
@@ -103,5 +112,4 @@ func initConfig() {
 		colorPrint(check.FAIL, fmt.Sprintf("Failed to read config file: %v\n", err))
 		os.Exit(1)
 	}
-
 }

cmd/util.go

@@ -4,10 +4,12 @@ import (
 	"fmt"
 	"os"
 	"os/exec"
+	"regexp"
 	"strings"
 
 	"github.com/aquasecurity/kube-bench/check"
 	"github.com/fatih/color"
+	"github.com/golang/glog"
 )
 
 var (
@@ -20,11 +22,35 @@ var (
 	}
 )
 
-func handleError(err error, context string) (errmsg string) {
+func printlnWarn(msg string) {
+	fmt.Fprintf(os.Stderr, "[%s] %s\n",
+		colors[check.WARN].Sprintf("%s", check.WARN),
+		msg,
+	)
+}
+
+func sprintlnWarn(msg string) string {
+	return fmt.Sprintf("[%s] %s",
+		colors[check.WARN].Sprintf("%s", check.WARN),
+		msg,
+	)
+}
+
+func exitWithError(err error) {
+	fmt.Fprintf(os.Stderr, "\n%v\n", err)
+	os.Exit(1)
+}
+
+func continueWithError(err error, msg string) string {
 	if err != nil {
-		errmsg = fmt.Sprintf("%s, error: %s\n", context, err)
+		glog.V(1).Info(err)
 	}
-	return
+
+	if msg != "" {
+		fmt.Fprintf(os.Stderr, "%s\n", msg)
+	}
+
+	return ""
 }
 
 func cleanIDs(list string) []string {
@@ -38,76 +64,121 @@ func cleanIDs(list string) []string {
 	return ids
 }
 
-func verifyConf(confPath ...string) []string {
-	var w []string
+func verifyConf(confPath ...string) {
+	var missing string
+
 	for _, c := range confPath {
 		if _, err := os.Stat(c); err != nil && os.IsNotExist(err) {
-			w = append(w, fmt.Sprintf("config file %s does not exist\n", c))
+			continueWithError(err, "")
+			missing += c + ", "
 		}
 	}
 
-	return w
+	if len(missing) > 0 {
+		missing = strings.Trim(missing, ", ")
+		printlnWarn(fmt.Sprintf("Missing kubernetes config files: %s", missing))
+	}
+
 }
 
-func verifyBin(binPath ...string) []string {
-	var w []string
-	var binList string
+func verifyBin(binPath ...string) {
+	var binSlice []string
+	var bin string
+	var missing string
+	var notRunning string
 
 	// Construct proc name for ps(1)
 	for _, b := range binPath {
-		binList += b + ","
 		_, err := exec.LookPath(b)
-		errmsgs += handleError(
-			err,
-			fmt.Sprintf("%s: command not found in path", b),
-		)
+		bin = bin + "," + b
+		binSlice = append(binSlice, b)
+		if err != nil {
+			missing += b + ", "
+			continueWithError(err, "")
+		}
+	}
+	bin = strings.Trim(bin, ",")
+
+	cmd := exec.Command("ps", "-C", bin, "-o", "cmd", "--no-headers")
+	out, err := cmd.Output()
+	if err != nil {
+		continueWithError(fmt.Errorf("%s: %s", cmd.Args, err), "")
 	}
 
-	binList = strings.Trim(binList, ",")
-
-	// Run ps command
-	cmd := exec.Command("ps", "-C", binList, "-o", "cmd", "--no-headers")
-	out, err := cmd.Output()
-	errmsgs += handleError(
-		err,
-		fmt.Sprintf("failed to run: %s", cmd.Args),
-	)
-
-	// Actual verification
-	for _, b := range binPath {
+	for _, b := range binSlice {
 		matched := strings.Contains(string(out), b)
 
 		if !matched {
-			w = append(w, fmt.Sprintf("%s is not running\n", b))
+			notRunning += b + ", "
 		}
 	}
 
-	return w
-}
-
-func verifyKubeVersion(b string) []string {
-	// These executables might not be on the user's path.
-	// TODO! Check the version number using kubectl, which is more likely to be on the path.
-	var w []string
-
-	_, err := exec.LookPath(b)
-	errmsgs += handleError(
-		err,
-		fmt.Sprintf("%s: command not found on path - version check skipped", b),
-	)
-
-	// Check version
-	cmd := exec.Command(b, "--version")
-	out, err := cmd.Output()
-	errmsgs += handleError(
-		err,
-		fmt.Sprintf("failed to run:%s", cmd.Args),
-	)
-
-	matched := strings.Contains(string(out), kubeVersion)
-	if !matched {
-		w = append(w, fmt.Sprintf("%s unsupported version\n", b))
+	if len(missing) > 0 {
+		missing = strings.Trim(missing, ", ")
+		printlnWarn(fmt.Sprintf("Missing kubernetes binaries: %s", missing))
 	}
 
-	return w
+	if len(notRunning) > 0 {
+		notRunning = strings.Trim(notRunning, ", ")
+		printlnWarn(fmt.Sprintf("Kubernetes binaries not running: %s", notRunning))
+	}
+}
+
+func verifyKubeVersion(major string, minor string) {
+	// These executables might not be on the user's path.
+
+	_, err := exec.LookPath("kubectl")
+	if err != nil {
+		continueWithError(err, sprintlnWarn("Kubernetes version check skipped"))
+		return
+	}
+
+	cmd := exec.Command("kubectl", "version")
+	out, err := cmd.Output()
+	if err != nil {
+		s := fmt.Sprintf("Kubernetes version check skipped with error %v", err)
+		continueWithError(err, sprintlnWarn(s))
+		return
+	}
+
+	msg := checkVersion("Client", string(out), major, minor)
+	if msg != "" {
+		continueWithError(fmt.Errorf(msg), msg)
+	}
+
+	msg = checkVersion("Server", string(out), major, minor)
+	if msg != "" {
+		continueWithError(fmt.Errorf(msg), msg)
+	}
+}
+
+var regexVersionMajor = regexp.MustCompile("Major:\"([0-9]+)\"")
+var regexVersionMinor = regexp.MustCompile("Minor:\"([0-9]+)\"")
+
+func checkVersion(x string, s string, expMajor string, expMinor string) string {
+	regexVersion, err := regexp.Compile(x + " Version: version.Info{(.*)}")
+	if err != nil {
+		return fmt.Sprintf("Error checking Kubernetes version: %v", err)
+	}
+
+	ss := regexVersion.FindString(s)
+	major := versionMatch(regexVersionMajor, ss)
+	minor := versionMatch(regexVersionMinor, ss)
+	if major == "" || minor == "" {
+		return fmt.Sprintf("Couldn't find %s version from kubectl output '%s'", x, s)
+	}
+
+	if major != expMajor || minor != expMinor {
+		return fmt.Sprintf("Unexpected %s version %s.%s", x, major, minor)
+	}
+
+	return ""
+}
+
+func versionMatch(r *regexp.Regexp, s string) string {
+	match := r.FindStringSubmatch(s)
+	if len(match) < 2 {
+		return ""
+	}
+	return match[1]
 }

cmd/util_test.go

@@ -0,0 +1,77 @@
+// Copyright © 2017 Aqua Security Software Ltd. <info@aquasec.com>
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package cmd
+
+import (
+	"regexp"
+	"testing"
+)
+
+func TestCheckVersion(t *testing.T) {
+	kubeoutput := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}
+	Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}`
+	cases := []struct {
+		t     string
+		s     string
+		major string
+		minor string
+		exp   string
+	}{
+		{t: "Client", s: kubeoutput, major: "1", minor: "7"},
+		{t: "Server", s: kubeoutput, major: "1", minor: "7"},
+		{t: "Client", s: kubeoutput, major: "1", minor: "6", exp: "Unexpected Client version 1.7"},
+		{t: "Client", s: kubeoutput, major: "2", minor: "0", exp: "Unexpected Client version 1.7"},
+		{t: "Server", s: "something unexpected", major: "2", minor: "0", exp: "Couldn't find Server version from kubectl output 'something unexpected'"},
+	}
+
+	for _, c := range cases {
+		t.Run("", func(t *testing.T) {
+			m := checkVersion(c.t, c.s, c.major, c.minor)
+			if m != c.exp {
+				t.Fatalf("Got: %s, expected: %s", m, c.exp)
+			}
+		})
+	}
+
+}
+
+func TestVersionMatch(t *testing.T) {
+	minor := regexVersionMinor
+	major := regexVersionMajor
+	client := `Client Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-06-30T09:51:01Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"darwin/amd64"}`
+	server := `Server Version: version.Info{Major:"1", Minor:"7", GitVersion:"v1.7.0", GitCommit:"d3ada0119e776222f11ec7945e6d860061339aad", GitTreeState:"clean", BuildDate:"2017-07-26T00:12:31Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}`
+
+	cases := []struct {
+		r   *regexp.Regexp
+		s   string
+		exp string
+	}{
+		{r: major, s: server, exp: "1"},
+		{r: minor, s: server, exp: "7"},
+		{r: major, s: client, exp: "1"},
+		{r: minor, s: client, exp: "7"},
+		{r: major, s: "Some unexpected string"},
+		{r: minor}, // Checking that we don't fall over if the string is empty
+	}
+
+	for _, c := range cases {
+		t.Run("", func(t *testing.T) {
+			m := versionMatch(c.r, c.s)
+			if m != c.exp {
+				t.Fatalf("Got %s expected %s", m, c.exp)
+			}
+		})
+	}
+}