kube-score is a tool that performs static code analysis of your Kubernetes object definitions.
The output is a list of recommendations of what you can improve to make your application more secure and resilient.
You can test kube-score out in the browser with the online demo.
For a full list of checks, see README_CHECKS.md.
- Container limits (should be set)
- Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
- Deployments and StatefulSets should have a
- Deployments and StatefulSets should have host PodAntiAffinity configured
- Container probes, both readiness and liveness checks should be configured, and should not be identical
- Container securityContext, run as high number user/group, do not run as root or with privileged root fs
- Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)
Usage in CI
kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found.
The trigger level can be changed to warning with the --exit-one-on-warning flag.
For the best result, the input to kube-score should be all applications that you deploy to the same namespace.
Example with Helm
```
helm template my-app | kube-score score -
```
Example with static yamls
```
kube-score score my-app/*.yaml
kube-score score my-app/deployment.yaml my-app/service.yaml
```
```
Usage of kube-score:
kube-score [action] --flags

Actions:
        score   Checks all files in the input, and gives them a score and recommendations list
        list    Prints a csv list of all available score checks

Flags for score:
  --exit-one-on-warning          Exit with code 1 in case of warnings
  --help                         Print help
  --ignore-container-cpu-limit   Disables the requirement of setting a container CPU limit
  --ignore-test strings          Disable a test, can be set multiple times
  --output-format string         Set to 'human' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
  --threshold-ok int             The score threshold for treating a score as OK. Must be between 1 and 10 (inclusive). Scores graded below this threshold are WARNING or CRITICAL. (default 10)
  --threshold-warning int        The score threshold for treating a score as WARNING. Grades below this threshold are CRITICAL. Must be between 1 and 10 (inclusive). (default 5)
  --v                            Verbose output
```
Ignoring a test
Tests can be ignored for the whole run of the program with the --ignore-test flag.
A test can also be ignored on a per-object basis by adding the annotation kube-score/ignore to the object.
The value should be a comma separated string of the test IDs.
Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.

```yaml
apiVersion: v1
kind: Service
metadata:
  name: node-port-service-with-ignore
  namespace: foospace
  annotations:
    kube-score/ignore: service-type
spec:
  selector:
    app: my-app
  ports:
    - protocol: TCP
      port: 80
      targetPort: 8080
  type: NodePort
```
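The three behaviours described above (the CI exit code, the --threshold-ok / --threshold-warning grading, and the per-object kube-score/ignore annotation) are easier to reason about in code. The following is an added example written for this page, not kube-score's own implementation: a small static checker over already-parsed Kubernetes objects (plain dicts, so it runs without a YAML library). It carries constructed sample input, and everything except the service-type test ID and the NodePort example is an assumption: the other test IDs, the per-check scores and the >= 10000 user/group cut-off are chosen here to illustrate the grading, not taken from kube-score.

```python
# Added example, not kube-score's own code. Test IDs other than "service-type", the
# numeric scores each check hands out, and the sample Deployment are assumptions.
from typing import Callable, Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str, int, str, str]  # (object, test id, score, grade, message)


def grade(score: int, threshold_ok: int = 10, threshold_warning: int = 5) -> str:
    """Map a 1-10 score to OK/WARNING/CRITICAL as the threshold flags describe:
    below --threshold-ok is WARNING or CRITICAL, below --threshold-warning is CRITICAL."""
    if score >= threshold_ok:
        return "OK"
    if score >= threshold_warning:
        return "WARNING"
    return "CRITICAL"


def _containers(obj: Dict) -> List[Dict]:
    """Containers of a workload object that carries a pod template."""
    return obj.get("spec", {}).get("template", {}).get("spec", {}).get("containers", [])


def check_container_resources(obj: Dict) -> Tuple[int, str]:
    missing = [c["name"] for c in _containers(obj)
               if not all(k in c.get("resources", {}).get("limits", {}) for k in ("cpu", "memory"))]
    return (1, f"containers without cpu and memory limits: {missing}") if missing else (10, "limits set")


def check_security_context(obj: Dict) -> Tuple[int, str]:
    problems = []
    for c in _containers(obj):
        sc = c.get("securityContext", {})
        if sc.get("runAsUser", 0) < 10000 or sc.get("runAsGroup", 0) < 10000:
            problems.append(f"{c['name']}: runAsUser/runAsGroup should be a high number (assumed >= 10000)")
        if not sc.get("readOnlyRootFilesystem", False):
            problems.append(f"{c['name']}: root filesystem is writable")
        if sc.get("privileged", False):
            problems.append(f"{c['name']}: container is privileged")
    return (1, "; ".join(problems)) if problems else (10, "securityContext ok")


def check_probes(obj: Dict) -> Tuple[int, str]:
    worst = (10, "probes ok")
    for c in _containers(obj):
        live, ready = c.get("livenessProbe"), c.get("readinessProbe")
        if live is None or ready is None:
            return (1, f"{c['name']}: liveness or readiness probe missing")
        if live == ready:  # identical probes: a failing readiness check also restarts the pod
            worst = (7, f"{c['name']}: liveness and readiness probes are identical")
    return worst


def check_service_type(obj: Dict) -> Tuple[int, str]:
    if obj.get("spec", {}).get("type") == "NodePort":
        return (5, "service of type NodePort opens a port on every node")
    return (10, "service type ok")


WORKLOAD_CHECKS = [("container-resources", check_container_resources),
                   ("container-security-context", check_security_context),
                   ("pod-probes", check_probes)]
CHECKS: Dict[str, List[Tuple[str, Callable[[Dict], Tuple[int, str]]]]] = {
    "Deployment": WORKLOAD_CHECKS, "StatefulSet": WORKLOAD_CHECKS, "DaemonSet": WORKLOAD_CHECKS,
    "Service": [("service-type", check_service_type)],
}


def ignored_tests(obj: Dict) -> Set[str]:
    """Parse the comma separated kube-score/ignore annotation on one object."""
    raw = obj.get("metadata", {}).get("annotations", {}).get("kube-score/ignore", "")
    return {t.strip() for t in raw.split(",") if t.strip()}


def score_objects(objects: Iterable[Dict], ignore_tests: Iterable[str] = (),
                  threshold_ok: int = 10, threshold_warning: int = 5) -> List[Finding]:
    """Run every applicable check, skipping tests disabled globally (--ignore-test)
    or per object (annotation), and grade each score with the thresholds."""
    findings: List[Finding] = []
    for obj in objects:
        skip = set(ignore_tests) | ignored_tests(obj)
        name = f"{obj['kind'].lower()}/{obj['metadata']['name']}"
        for test_id, fn in CHECKS.get(obj["kind"], []):
            if test_id in skip:
                continue
            score, msg = fn(obj)
            findings.append((name, test_id, score, grade(score, threshold_ok, threshold_warning), msg))
    return findings


def exit_code(findings: List[Finding], exit_one_on_warning: bool = False) -> int:
    """1 on any CRITICAL finding; with --exit-one-on-warning also on WARNING."""
    bad = {"CRITICAL", "WARNING"} if exit_one_on_warning else {"CRITICAL"}
    return 1 if any(f[3] in bad for f in findings) else 0


# Constructed sample input: the NodePort service from the README, plus an assumed Deployment.
NODEPORT_SERVICE = {"apiVersion": "v1", "kind": "Service",
                    "metadata": {"name": "node-port-service-with-ignore", "namespace": "foospace",
                                 "annotations": {"kube-score/ignore": "service-type"}},
                    "spec": {"selector": {"app": "my-app"}, "type": "NodePort",
                             "ports": [{"protocol": "TCP", "port": 80, "targetPort": 8080}]}}
DEPLOYMENT = {"apiVersion": "apps/v1", "kind": "Deployment",
              "metadata": {"name": "my-app", "namespace": "foospace"},
              "spec": {"template": {"spec": {"containers": [{
                  "name": "app", "image": "example.invalid/my-app:1.0",  # placeholder image
                  "securityContext": {"runAsUser": 1000, "runAsGroup": 1000, "readOnlyRootFilesystem": True},
                  "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
                  "readinessProbe": {"httpGet": {"path": "/healthz", "port": 8080}}}]}}}}

if __name__ == "__main__":
    results = score_objects([NODEPORT_SERVICE, DEPLOYMENT])
    for name, test_id, score, level, msg in results:
        print(f"[{level}] {name}: {test_id} ({score}/10) {msg}")
    raise SystemExit(exit_code(results))
```

Run as a script it prints one line per finding and exits 1, because the Deployment has no limits and runs as user 1000 (both CRITICAL) and its identical probes rate a WARNING; the annotated Service produces nothing, exactly as the README describes for kube-score/ignore. Raising --threshold-warning above 5 would turn the NodePort warning on an unannotated service into a CRITICAL, which is the lever to use when a check must block a pipeline.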
Building from source
kube-score requires Go 1.11 or later to build. Clone this repository, and then:

```
# Build the project
go build github.com/zegl/kube-score/cmd/kube-score

# Run all tests
go test -v github.com/zegl/kube-score/...
```