kube-score is a tool that does static code analysis of your Kubernetes object definitions. The output is a list of recommendations of what you can improve to make your application more secure and resiliant.

Pre-built releases can be downloaded from the Github Releases page.

kube-score requires go in version 1.11.+ with go modules. To install kube-score into you local gobin path run the following commands:

go get github.com/zegl/kube-score
cd $GOPATH/src/github.com/zegl/kube-score/
GO111MODULE=on go install github.com/zegl/kube-score/cmd/kube-score

• Container limits (should be set)
• Container image tag (should not be :latest)
• Container image pull policy (should be Always)
• Pod is targeted by a NetworkPolicy, both egress and ingress rules are recommended
• Container probes, both readiness and liveness checks should be configured, and should not be identical
• Container securityContext, run as high number user/group, do not run as root or with privileged root fs
• Stable APIs, use a stable API if available (supported: Deployments, StatefulSets, DaemonSet)

kube-score can run in your CI/CD environment and will exit with exit code 1 if a critical error has been found. The trigger level can be changed to warning with the --exit-one-on-warning argument.

The input to kube-score should be all applications that you deploy to the same namespace for the best result.

helm template my-app | kube-score -

kube-score my-app/*.yaml

kube-score my-app/deployment.yaml my-app/service.yaml

Usage: kube-score [--flag1 --flag2] file1 file2 ...

Use "-" as filename to read from STDIN.

Usage of ./kube-score:
  -exit-one-on-warning
    	Exit with code 1 in case of warnings
  -help
    	Print help
  -v	Verbose output