Health Scanning
Overview
The health scanner is a read-only best-practices engine inspired by Popeye. It checks your cluster against a set of rules and reports findings grouped by severity.
It never mutates cluster state.
Severity levels
| Level | Meaning |
|---|---|
| Critical | Immediate action required - pods in CrashLoopBackOff, nodes not ready |
| Warning | Should be addressed - over-provisioned resources, deprecated APIs |
| Info | Best practice suggestion - missing labels, no PDB configured |
What it checks
- Container resource constraints (missing requests, limits, excessive over-provisioning)
- Pod anti-affinity and spread constraints
- Deprecated API versions
- Image pull policies and tag usage
- Service account token auto-mounting
- NetworkPolicy coverage
- PodDisruptionBudget presence
- Liveness and readiness probe configuration
- Node conditions and taints
Filtering
Filter findings by:
- Namespace - Focus on specific namespaces
- Category - Resource type grouping
- Severity - Show only critical, warning, or info
- Resource - Search for specific resource names
Custom checks
The scanner is extensible with custom check functions. Each check receives a resource and returns zero or more findings with severity, description, and remediation guidance.
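Two checks of this kind, added here as an example and not taken from the scanner's own code. The `Finding` shape, the check signature, the `run_checks` helper and the Info severity on the token check are assumptions based on the description above; the sample manifest is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:  # hypothetical shape: the three fields the text names
    severity: str
    description: str
    remediation: str

def image_tag(image):
    """Return the tag of an image reference, or None when pinned by digest."""
    if "@" in image:                   # name@sha256:... is immutable
        return None
    last = image.rsplit("/", 1)[-1]    # skip a registry port such as host:5000/
    return last.split(":", 1)[1] if ":" in last else "latest"  # no tag means latest

def check_image_tags(pod):
    spec = pod.get("spec", {})
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    findings = []
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        image = c.get("image")
        if image and image_tag(image) == "latest":
            findings.append(Finding(
                "Warning",
                f"Container {c.get('name')} in pod {pod_name} resolves to :latest",
                "Pin image to specific digest or version tag"))
    return findings

def check_token_automount(pod):
    # The pod-level field overrides the ServiceAccount setting. When it is unset
    # the token is mounted unless the ServiceAccount opts out, which a check that
    # sees only the Pod cannot know, so anything but an explicit False is reported.
    if pod.get("spec", {}).get("automountServiceAccountToken") is False:
        return []
    pod_name = pod.get("metadata", {}).get("name", "<unnamed>")
    return [Finding("Info",  # severity chosen for this example
                    f"Pod {pod_name} does not disable service account token auto-mounting",
                    "Set automountServiceAccountToken: false if the pod never calls the API server")]

CHECKS = [check_image_tags, check_token_automount]

def run_checks(resource):
    return [f for check in CHECKS for f in check(resource)]

SAMPLE_POD = {  # constructed sample manifest
    "metadata": {"name": "web-abc"},
    "spec": {"containers": [
        {"name": "app", "image": "registry.example:5000/team/app"},
        {"name": "sidecar", "image": "proxy:latest"},
        {"name": "db", "image": "registry.example:5000/db@sha256:" + "0" * 64}]},
}
```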
Running a scan
Scans run in read-only mode and complete in seconds for typical clusters. You can:
- Run on-demand - Click “Run Scan” from the Health page
- Filter results - Drill into specific namespaces, categories, or severities
- Export - Download findings as JSON for integration with ticketing systems
Example findings
| Finding | Severity | Remediation |
|---|---|---|
| Pod web-abc has no resource requests | Warning | Add resources.requests to container spec |
| Deployment api uses deprecated extensions/v1beta1 | Critical | Migrate to apps/v1 |
| Namespace payments has no NetworkPolicy | Info | Create a default-deny NetworkPolicy |
| Container sidecar has imagePullPolicy: Always with :latest tag | Warning | Pin image to specific digest or version tag |
Related
- FinOps & Cost - Find over-provisioned and under-provisioned workloads
- Drift Detection - Detect configuration drift and mismatches