Score your cluster health across 8 dimensions
One read-only scan grades resources, security, networking, storage, availability, observability, configuration, and cost efficiency - then tells you exactly how to fix what's broken.
Most teams find out a cluster is unhealthy when something pages them at 2am - a single-replica deployment that died with its node, a pod with no limits that OOM-killed its neighbors, a privileged container nobody remembered. The Cluster Health Scanner turns that reactive guesswork into a single number you can track. It reads your live cluster, grades it across 8 health dimensions, and gives you the exact remediation for every finding instead of just flagging it red.
How it works
The scanner talks to the Kubernetes API read-only - no agents, no CRDs, no Helm charts to install. Point it at a cluster and it walks every namespace, scoring each dimension and rolling them into one weighted cluster health score out of 100.
$ kubeqa health scan
Health Score: 87/100
✓ Resources: 82/100 (4 pods without limits)
✓ Security: 91/100 (1 privileged container)
✓ Networking: 95/100
✗ Availability: 68/100 (2 single-replica deployments)
✓ Observability: 78/100 (3 pods without probes)
Every line is a dimension; every parenthetical is a concrete, addressable finding. The score is deterministic, so you can run it on a schedule or in CI and watch it trend up as you close findings.
The 8 health dimensions
kubeqa grades your cluster across eight independent areas so a perfect security posture never hides a broken availability story:
- Resources - CPU and memory requests and limits on every container, so one workload can’t starve the node.
- Security - non-root users, read-only root filesystems, dropped capabilities, no privileged containers (the same controls in our manifest hardening checklist).
- Networking - default-deny NetworkPolicies and scoped allow rules instead of a flat, lateral-movement-friendly network.
- Storage - PersistentVolume health, reclaim policies, and unbound or orphaned claims.
- Availability - replica counts, PodDisruptionBudgets, and anti-affinity so a node drain isn’t an outage.
- Observability - liveness and readiness probes so Kubernetes can actually tell when a pod is dead or not ready.
- Configuration - image tag hygiene, pinned digests, and the manifest-level settings that drift over time.
- Cost efficiency - over-provisioned requests and idle capacity you’re paying for but not using.
AI-powered remediation
This is what separates a health scan from yet another linter. The optional Python AI backend doesn’t stop at “this is wrong” - it generates the exact kubectl patch or Helm override to fix each finding, adapted for your chart structure. So an Availability: 68/100 line backed by two single-replica deployments comes with the precise patch to bump replicas and add a PodDisruptionBudget, not a link to the docs.
The AI backend is optional. The core scoring engine runs on its own and is fully deterministic; the backend layers intelligent fixes on top when you want them, and it runs locally without touching the cluster.
Why it matters
- Catch issues before prod. A scheduled scan surfaces single-replica deployments, missing probes, and privileged containers before they page someone.
- One tool, not four. Health, security, reliability, and cost in a single score instead of stitching kube-score, Polaris, and three custom scripts together.
- A number you can trend. A deterministic score makes “is the cluster getting healthier?” an answerable question, release over release.
- Fixes, not just findings. Every red line comes with the patch that turns it green.
How the scoring model works
Each of the 8 dimensions is scored 0-100 from the weighted findings inside it, then combined into the overall cluster health score. A dimension loses points per finding scaled by severity, so a single privileged container dents Security more than a handful of missing probes dents Observability. Because the model is deterministic, the same cluster state always yields the same score - which is what makes it safe to gate on or chart over time. New to it? The getting started tutorial walks through reading your first scan and acting on the findings.
Open source and pricing
The Cluster Health Scanner is free forever under Apache 2.0. The CLI is the whole product - we never gate OSS features behind a paywall. kubeqa Cloud (coming soon) adds multi-cluster dashboards, historical health trends, team collaboration, SSO, audit logs, and compliance PDF exports on top, but the scanning engine stays open. See pricing for details.
Related
- Kubernetes Manifest Hardening Checklist: 25 Fixes - the security and reliability fixes the scanner grades
- Getting started with kubeqa - run your first scan in minutes
- Chaos Engineering - controlled failure injection with steady-state validation
- Compliance Automation - CIS, SOC 2, NESA, and NCA audits with evidence collection
- Deployment Gates - block bad releases in CI/CD before they ship
- Kubernetes QA tools comparison - how kubeqa stacks up against the alternatives
Install it and run a scan against your own cluster:
brew install nomadx-ae/tap/kubeqa
kubeqa health scan
Ship Kubernetes with Confidence
Free for open-source use. No credit card required. Install kubeqa and run your first cluster scan in under 5 minutes.
Get Started Free