Skip to content
Kubernetes object analysis with recommendations for improved reliability and security
Branch: master
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
cmd/kube-score scorecard: simplify representation of Scorecard Feb 10, 2019
.gitignore git: updated gitignore to not accidentaly ignore folders Oct 9, 2018
Dockerfile docker: remove unused ADD Feb 10, 2019


kube-score is a tool that performs static code analysis of your Kubernetes object definitions.

The output is a list of recommendations of what you can improve to make your application more secure and resilient.

You can test kube-score out in the browser with the online demo.


Pre-built releases can be downloaded from the GitHub releases, or from Docker Hub.


For a full list of checks, see

  • Container limits (should be set)
  • Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
  • Deployments and StatefulSets should have a PodDisruptionPolicy
  • Deployments and StatefulSets should have host PodAntiAffinity configured
  • Container probes, both readiness and liveness checks should be configured, and should not be identical
  • Container securityContext, run as high number user/group, do not run as root or with privileged root fs
  • Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

Example output

Usage in CI

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

The input to kube-score should be all applications that you deploy to the same namespace for the best result.

Example with Helm

helm template my-app | kube-score score -

Example with static yamls

kube-score score my-app/*.yaml
kube-score score my-app/deployment.yaml my-app/service.yaml


Usage of kube-score:
kube-score [action] --flags

	score 	Checks all files in the input, and gives them a score and recommendations
	list	Prints a cvs list of all available score checks

Flags for score:
      --exit-one-on-warning          Exit with code 1 in case of warnings
      --help                         Print help
      --ignore-container-cpu-limit   Disables the requirement of setting a container CPU limit
      --ignore-test strings          Disable a test, can be set multiple times
      --output-format string         Set to 'human' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
      --threshold-ok int             The score threshold for treating an score as OK. Must be between 1 and 10 (inclusive). Scores graded below this threshold are WARNING or CRITICAL. (default 10)
      --threshold-warning int        The score threshold for treating a score as WARNING. Grades below this threshold are CRITICAL. Must be between 1 and 10 (inclusive). (default 5)
      --v                            Verbose output

Ignoring a test

Tests can be ignored in the whole run of the program, with the --ignore-test flag.

A test can also be ignored on a per-object basis, by adding the annotation kube-score/ignore to the object. The value should be a comma separated string of the test IDs.


Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.

apiVersion: v1
kind: Service
  name: node-port-service-with-ignore
  namespace: foospace
    kube-score/ignore: service-type
    app: my-app
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: NodePort

Building from source

kube-score requires Go 1.11 or later to build. Clone this repository, and then:

# Build the project
go build

# Run all tests
go test -v
You can’t perform that action at this time.