What does the Kubernetes best practices audit check?

Kubeadapt runs 28+ checks across 7 categories: security (running as root, privileged containers, dangerous capabilities, network policies), reliability (single replicas, missing PDBs, missing probes), resource configuration (no requests/limits), scheduling, storage, workload config, and namespace organization.

How is the compliance score calculated?

Each workload is checked against all active rules and scored 0–100. Scores above 80 are graded Good, 60–80 Fair, and below 60 Needs Work. Findings are categorized as critical, warning, or info severity. Individual checks can be disabled per cluster, and namespaces can be excluded.

Kubernetes FinOps Best Practices Audit

Best Practices

Audit your Kubernetes configurations against FinOps best practices and cost governance policies. Get a clear score with specific fixes for resource efficiency, reliability, and security.

Book a Demo Start Free

50+

Check Rules

0–100

Compliance Score

YAML

Fix Snippets

Best Practices — Kubeadapt

78/ 100

Grade B+

Category Scores

Cost87%

Reliability72%

Security64%

Checks

Resource limits definedCost

Health probes configuredReliability

Security context setSecurity

PDB configuredReliability

Anti-affinity rulesReliability

Image tag pinnedSecurity

How it Works

Three steps from setup to savings

Audit

Kubeadapt scans every workload across all namespaces against 50+ rules covering cost efficiency, reliability, and security posture.

Score

Each cluster receives a 0–100 compliance score (Good / Fair / Needs Work) with per-namespace breakdowns and category-level scoring for fast executive reporting.

Fix

Every finding includes severity, estimated cost and reliability impact, and copy-paste YAML remediation patches.

Capabilities

What's Included

FinOps Best Practices & Cost Governance

Configuration Findings

SEC-003Critical

Container running with root privileges in production namespace

Security

RES-007Warning

No resource limits defined for deployment api-gateway

Resource Configuration

REL-002Info

Pod disruption budget not configured for statefulset redis

Reliability

Configuration Audit

50+ checks covering resource limits, health probes, security contexts, anti-affinity, and PDB configurations.

Covers resource limits, health probes, security contexts, and PDB configs
Checks against CIS Kubernetes benchmarks and community best practices

Compliance Summary

◎84%ScoreGood

!3Critical

▲8Warnings

i12Info

Cluster Compliance Score

Get a 0–100 compliance score with category breakdowns across cost efficiency, reliability, scheduling, and security.

Overall score: 80+ is Good, 60-80 is Fair, below 60 Needs Work. Readable at a glance for any stakeholder.
Category breakdowns show exactly which of the 7 areas is dragging your score down

Prioritized Fixes

SEC-003Critical

3 containers running as root in production

Fix: Set runAsNonRoot: true

RES-007Warning

Missing resource limits on api-gateway deployment

Fix: Add resources.limits to pod spec

Prioritized Fixes

Each finding includes severity, estimated impact, and step-by-step remediation instructions.

Each finding ranked by severity and estimated cost/reliability impact
Step-by-step remediation instructions with copy-paste YAML patches

Filter Findings

🔍Search checks, resources...

CategoryAll▾

SeverityAll▾

StatusOpen▾

Security×Critical×kube-system×

3 findings matchClear All

Trend Tracking

Track your score over time to measure improvement and ensure teams maintain configuration quality.

Historical score graph shows improvement trajectory over weeks and months
Set score targets and get notified when clusters regress below thresholds

Remediation

SEC-001 FixCopy YAML

apiVersion: v1

kind: Pod

metadata:

name: api-server

spec:

containers:

- name: api

securityContext:

runAsNonRoot: true

readOnlyRootFs: true

Apply with:

kubectl apply -f remediation.yaml

Namespace Comparison

Compare best practice scores across namespaces to identify teams that need additional guidance.

Side-by-side namespace scores to identify teams that need guidance
Leaderboard view encourages healthy competition across engineering teams

Finding Detail×

SEC-001CriticalSecurity

Container Running as Root

Detected2 hours ago

Namespacekube-system

Affected3 pods

Affected Resources

api-server-7d4f8broot

worker-pool-3a2c1droot

cache-redis-8e5f2aroot

View Remediation

Policy Enforcement

Integrate checks into CI/CD to prevent non-compliant configurations from reaching production.

Pre-deploy gates that block manifests failing critical best practice checks
GitHub PR comments with score changes before merging to main

Frequently Asked Questions

Common questions about Best Practices

Explore More

Ready to Start Your
Kubernetes FinOps Journey?

Stop overpaying for Kubernetes. See potential savings within 10 minutes.

Start Free Today Get in Touch

No credit card required

14-day free trial

Cancel anytime

Read-only Agent

GDPR Ready

Read-Only Metrics Only

Best Practices

Three steps from setup to savings

Audit

Score

Fix

What's Included

Configuration Audit

Cluster Compliance Score

Prioritized Fixes

Trend Tracking

Namespace Comparison

Policy Enforcement

Frequently Asked Questions

What does the Kubernetes best practices audit check?

How is the compliance score calculated?

Explore More Features

Cost Monitoring

Workload Rightsizing

Smart Alerting

Ready to Start Your
Kubernetes FinOps Journey?

Best Practices

Three steps from setup to savings

Audit

Score

Fix

What's Included

Configuration Audit

Cluster Compliance Score

Prioritized Fixes

Trend Tracking

Namespace Comparison

Policy Enforcement

Frequently Asked Questions

What does the Kubernetes best practices audit check?

How is the compliance score calculated?

Explore More Features

Cost Monitoring

Workload Rightsizing

Smart Alerting

Ready to Start YourKubernetes FinOps Journey?

Ready to Start Your
Kubernetes FinOps Journey?