
Latest commit

323: build(deps): bump from 0.19.2 to 0.19.3 r=zegl a=dependabot-preview[bot]

Bumps []( from 0.19.2 to 0.19.3.
- 93c4467 Update dependencies to v0.19.3 tag
- 50fcaa7 Merge pull request #94973 from liggitt/automated-cherry-pick-of-#94936-upstre...
- 411ee58 Return the Kubernetes version which stopped serving deprecated APIs by default
- See full diff in compare view


Co-authored-by: dependabot-preview[bot] <27856297+dependabot-preview[bot]>


kube-score is a tool that performs static code analysis of your Kubernetes object definitions.

The output is a list of recommendations of what you can improve to make your application more secure and resilient.

You can test kube-score out in the browser with the online demo (source).


kube-score is easy to install, and is available from the following sources:

| Distribution | Command / Link |
|---|---|
| Pre-built binaries for macOS, Linux, and Windows | GitHub releases |
| Docker | docker pull zegl/kube-score (Docker Hub) |
| Homebrew (macOS and Linux) | brew install kube-score/tap/kube-score |
| Krew (macOS and Linux) | kubectl krew install score |


For a full list of checks, see

  • Container limits (should be set)
  • Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
  • Deployments and StatefulSets should have a PodDisruptionPolicy
  • Deployments and StatefulSets should have host PodAntiAffinity configured
  • Container probes, a readiness probe should be configured, and it should not be identical to the liveness probe. Read more in
  • Container securityContext, run as high number user/group, do not run as root or with privileged root fs
  • Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

Example output

Usage in CI

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

The input to kube-score should be all applications that you deploy to the same namespace for the best result.

Example with Helm

helm template my-app | kube-score score -

Example with Kustomize

kustomize build . | kube-score score -

Example with static YAMLs

kube-score score my-app/*.yaml
kube-score score my-app/deployment.yaml my-app/service.yaml

Example with an existing cluster

kubectl api-resources --verbs=list --namespaced -o name \
  | xargs -n1 -I{} bash -c "kubectl get {} --all-namespaces -oyaml && echo ---" \
  | kube-score score -

Example with Docker

docker run -v "$(pwd)":/project zegl/kube-score:v1.7.0 score my-app/*.yaml


Usage of kube-score:
kube-score [action] --flags

	score	Checks all files in the input, and gives them a score and recommendations
	list	Prints a CSV list of all available score checks
	version	Print the version of kube-score
	help	Print this message

Flags for score:
      --disable-ignore-checks-annotations   Set to true to disable the effect of the 'kube-score/ignore' annotations
      --enable-optional-test strings        Enable an optional test, can be set multiple times
      --exit-one-on-warning                 Exit with code 1 in case of warnings
      --help                                Print help
      --ignore-container-cpu-limit          Disables the requirement of setting a container CPU limit
      --ignore-container-memory-limit       Disables the requirement of setting a container memory limit
      --ignore-test strings                 Disable a test, can be set multiple times
      --kubernetes-version string           Setting the kubernetes-version will affect the checks ran against the manifests. Set this to the version of Kubernetes that you're using in production for the best results. (default "v1.18")
  -o, --output-format string                Set to 'human', 'json' or 'ci'. If set to ci, kube-score will output the program in a format that is easier to parse by other programs. (default "human")
      --output-version string               Changes the version of the --output-format. The 'json' format has version 'v2' (default) and 'v1' (deprecated, will be removed in v1.7.0). The 'human' and 'ci' formats has only version 'v1' (default). If not explicitly set, the default version for that particular output format will be used.
  -v, --verbose count                       Enable verbose output, can be set multiple times for increased verbosity.

Ignoring a test

Tests can be ignored in the whole run of the program, with the --ignore-test flag.

A test can also be ignored on a per-object basis, by adding the annotation kube-score/ignore to the object. The value should be a comma separated string of the test IDs.


Testing this object will temporarily disable the service-type test, which warns against using services of type NodePort.

apiVersion: v1
kind: Service
metadata:
  name: node-port-service-with-ignore
  namespace: foospace
  annotations:
    kube-score/ignore: service-type
spec:
  selector:
    app: my-app
  ports:
  - protocol: TCP
    port: 80
    targetPort: 8080
  type: NodePort
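
Because a per-object annotation silences a check for whoever authored the manifest, a CI owner may want to see which checks are being suppressed before trusting a green run. The script below is an added example, not part of kube-score: the function names, the allow-list idea and the sample manifests are assumptions made for illustration, and the scan is line-based, so it expects block-style YAML with one object per `---` document (not a `kind: List` wrapper).

```shell
# Audit kube-score/ignore annotations: line-based scan (not a YAML parser),
# one object per '---' document. Prints "<kind>/<name> <test-id>" per test.
list_ignored_checks() {
  awk -v q="'" '
    function flush(   i, n, ids) {
      n = split(ignore, ids, ",")
      for (i = 1; i <= n; i++) {
        gsub("^[ \t\"" q "]+|[ \t\"" q "]+$", "", ids[i])  # trim blanks, quotes
        if (ids[i] != "") print kind "/" name, ids[i]
      }
      kind = name = ignore = section = ""; indent = 0
    }
    /^---/         { flush(); next }
    /^[ \t]*(#|$)/ { next }                             # comments, blank lines
    /^kind:/       { kind = $2 }
    /^[^ \t]/      { section = $1; indent = 0; next }   # new top-level key
    section != "metadata:" { next }                     # object metadata only
    { match($0, /^ +/); if (!indent) indent = RLENGTH }
    RLENGTH == indent && $1 == "name:" { name = $2 }    # skips labels.name
    $1 == "kube-score/ignore:" { sub(/^[^:]*:[ \t]*/, ""); ignore = $0 }
    END { flush() }
  '
}
# Exit 1 (and print the offenders) if any suppressed test ID is missing from
# the space-separated allow-list passed as $1.
check_ignores_allowed() {
  list_ignored_checks | awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    !($2 in ok) { print; bad = 1 }
    END { exit bad }
  '
}

# Constructed sample, trimmed to the fields the scan reads.
sample_manifests() {
  cat <<'EOF'
kind: Service
metadata:
  name: node-port-service-with-ignore
  annotations:
    kube-score/ignore: service-type
---
kind: Deployment
metadata:
  labels:
    name: not-the-object-name
  name: my-app
  annotations:
    kube-score/ignore: "service-type, pod-networkpolicy"
EOF
}
```

Feed it the same rendered stream that goes to kube-score score -, for example the output of helm template or kustomize build. To have kube-score disregard the annotations altogether, the --disable-ignore-checks-annotations flag listed above does that without any extra tooling.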

Building from source

kube-score requires Go 1.11 or later to build. Clone this repository, and then:

# Build the project
go build

# Run all tests
go test -v


Do you want to help out? Take a look at the Contributing Guidelines for more info. 🤩
