Score your cluster health across 8 dimensions

One read-only scan grades resources, security, networking, storage, availability, observability, configuration, and cost efficiency - then tells you exactly how to fix what's broken.

Cluster Health Scanner | kubeqa

Most teams find out a cluster is unhealthy when something pages them at 2am - a single-replica deployment that died with its node, a pod with no limits that OOM-killed its neighbors, a privileged container nobody remembered. The Cluster Health Scanner turns that reactive guesswork into a single number you can track. It reads your live cluster, grades it across 8 health dimensions, and gives you the exact remediation for every finding instead of just flagging it red.

How it works

The scanner talks to the Kubernetes API read-only - no agents, no CRDs, no Helm charts to install. Point it at a cluster and it walks every namespace, scoring each dimension and rolling them into one weighted cluster health score out of 100.

$ kubeqa health scan

  Health Score: 87/100

  ✓ Resources:    82/100  (4 pods without limits)
  ✓ Security:     91/100  (1 privileged container)
  ✓ Networking:   95/100
  ✗ Availability: 68/100  (2 single-replica deployments)
  ✓ Observability: 78/100 (3 pods without probes)

Every line is a dimension; every parenthetical is a concrete, addressable finding. The score is deterministic, so you can run it on a schedule or in CI and watch it trend up as you close findings.

The 8 health dimensions

kubeqa grades your cluster across eight independent areas so a perfect security posture never hides a broken availability story:

  • Resources - CPU and memory requests and limits on every container, so one workload can’t starve the node.
  • Security - non-root users, read-only root filesystems, dropped capabilities, no privileged containers (the same controls in our manifest hardening checklist).
  • Networking - default-deny NetworkPolicies and scoped allow rules instead of a flat, lateral-movement-friendly network.
  • Storage - PersistentVolume health, reclaim policies, and unbound or orphaned claims.
  • Availability - replica counts, PodDisruptionBudgets, and anti-affinity so a node drain isn’t an outage.
  • Observability - liveness and readiness probes so Kubernetes can actually tell when a pod is dead or not ready.
  • Configuration - image tag hygiene, pinned digests, and the manifest-level settings that drift over time.
  • Cost efficiency - over-provisioned requests and idle capacity you’re paying for but not using.

AI-powered remediation

This is what separates a health scan from yet another linter. The optional Python AI backend doesn’t stop at “this is wrong” - it generates the exact kubectl patch or Helm override to fix each finding, adapted for your chart structure. So an Availability: 68/100 line backed by two single-replica deployments comes with the precise patch to bump replicas and add a PodDisruptionBudget, not a link to the docs.

The AI backend is optional. The core scoring engine runs on its own and is fully deterministic; the backend layers intelligent fixes on top when you want them, and it runs locally without touching the cluster.

Why it matters

  • Catch issues before prod. A scheduled scan surfaces single-replica deployments, missing probes, and privileged containers before they page someone.
  • One tool, not four. Health, security, reliability, and cost in a single score instead of stitching kube-score, Polaris, and three custom scripts together.
  • A number you can trend. A deterministic score makes “is the cluster getting healthier?” an answerable question, release over release.
  • Fixes, not just findings. Every red line comes with the patch that turns it green.

How the scoring model works

Each of the 8 dimensions is scored 0-100 from the weighted findings inside it, then combined into the overall cluster health score. A dimension loses points per finding scaled by severity, so a single privileged container dents Security more than a handful of missing probes dents Observability. Because the model is deterministic, the same cluster state always yields the same score - which is what makes it safe to gate on or chart over time. New to it? The getting started tutorial walks through reading your first scan and acting on the findings.

Open source and pricing

The Cluster Health Scanner is free forever under Apache 2.0. The CLI is the whole product - we never gate OSS features behind a paywall. kubeqa Cloud (coming soon) adds multi-cluster dashboards, historical health trends, team collaboration, SSO, audit logs, and compliance PDF exports on top, but the scanning engine stays open. See pricing for details.

Install it and run a scan against your own cluster:

brew install nomadx-ae/tap/kubeqa
kubeqa health scan

Star kubeqa on GitHub | See pricing

Ship Kubernetes with Confidence

Free for open-source use. No credit card required. Install kubeqa and run your first cluster scan in under 5 minutes.

Get Started Free