
Kubernetes Audit

Free Kubernetes Audit - Security, Reliability & Cost (CIS Benchmark, NSA/CISA Hardening Guide)

A senior-platform-engineer-verified review of your Kubernetes estate - control plane, workload posture, networking, runtime security, and cost. Benchmarked against the CIS Kubernetes Benchmark, NSA/CISA Hardening Guide, and Pod Security Admission restricted profile. Combines kube-bench, kube-hunter, Trivy, Polaris, KubeLinter, Goldilocks, Kyverno / OPA Gatekeeper, Cilium / Calico, Falco, and Kubecost / OpenCost - plus Karpenter and KEDA tuning.

  • Covers EKS, GKE, AKS, OpenShift, Rancher / RKE, and self-managed Kubernetes - across single clusters and fleet-wide estates
  • Benchmarked against the CIS Kubernetes Benchmark, NSA/CISA Kubernetes Hardening Guide, and Pod Security Admission restricted profile
  • Senior platform engineer verifies every finding and runs a 45-minute live walkthrough - a typical first audit surfaces 12-25 critical misconfigurations and 20-40% over-provisioned compute
  • Read-only access only
  • No workload changes
  • Senior platform-engineer verified
  • Live findings walkthrough included

Supported Platforms

  • EKS (AWS)
  • GKE (Google Cloud)
  • AKS (Azure)
  • OpenShift
  • Self-managed / Rancher / RKE

What We Audit Across Your Kubernetes Estate

Six areas covering every layer from control plane to workload - benchmarked against the CIS Kubernetes Benchmark, NSA/CISA Hardening Guide, and Pod Security Admission.

Security Posture & Hardening

RBAC and ServiceAccount audit, Pod Security Admission (privileged / baseline / restricted), pod security contexts, NetworkPolicy and Cilium / Calico coverage, admission control (Kyverno, OPA/Gatekeeper), image signing (cosign / Sigstore), runtime security (Falco), and secrets management (External Secrets, SealedSecrets) - benchmarked against CIS, NSA/CISA, and PSA.

CIS Benchmark & Misconfiguration Scan

Automated scans with kube-bench (CIS), kube-hunter (pen test), Trivy (CVEs and misconfigurations), Polaris and KubeLinter (workload best practices), and Pluto (deprecated APIs) - every finding triaged for blast radius and exploitability, not raw CVSS.

Performance & Capacity

Resource request and limit tuning (Goldilocks / VPA), CPU CFS throttling detection, HPA / VPA / KEDA effectiveness, node-pool sizing, image-pull latency, control-plane health, and capacity planning - so workloads run reliably without paying for headroom you don't need.

Cost Optimisation

Identifies over-provisioned workloads, idle namespaces, orphaned PVs and LoadBalancers, and node-pool inefficiencies - using Kubecost / OpenCost data where available, with Karpenter, Cluster Autoscaler, Spot / Preemptible, and KEDA recommendations and quantified $/month savings.

Reliability & Resilience

Pod Disruption Budgets, topology spread constraints, pod anti-affinity, multi-AZ posture, liveness / readiness / startup probes, restart and OOMKill patterns, GitOps drift (ArgoCD / Flux), and disaster-recovery (Velero, etcd backups) - surfacing the gaps that turn a small incident into an outage.

Audit Score & Remediation Roadmap

A Kubernetes Audit Score (0-100) across Security, Reliability, and Cost with per-area Crawl / Walk / Run maturity, a prioritised remediation backlog, and a 30 / 60 / 90-day roadmap your platform team can ticket and ship.

How It Works

1. Register & Grant Read-Only Access

Provide a read-only kubeconfig or a least-privileged ServiceAccount (cluster-wide get / list / watch only). Step-by-step setup guides for EKS, GKE, AKS, OpenShift, Rancher, and self-managed clusters - no write APIs, no exec into pods, no workload changes.

2. Automated Cluster & Workload Scan

We run kube-bench, kube-hunter, Trivy, Polaris, Pluto, KubeLinter, and Goldilocks against your cluster - plus configuration analysis of admission controllers, NetworkPolicy coverage, ingress, service mesh, and Kubecost / OpenCost data where available.

3. Senior Platform Engineer Verification

A senior Kubernetes engineer reviews every finding, removes false positives (e.g. legitimately permissive workloads with compensating controls), models blast radius for your team and tech stack, and rewrites recommendations into prioritised, repo-specific remediation steps.

4. Receive Report & Live Debrief

Get your Kubernetes Audit Score, red-flag list, CIS / NSA-CISA / PSA mapping, cost-savings backlog, and 30 / 60 / 90-day remediation roadmap - within 1-2 business days, plus a 45-minute live walkthrough.

What You Get

Your report will include the following deliverables.

  • Kubernetes Audit Score across Security, Reliability, and Cost with Crawl / Walk / Run maturity
  • CIS Kubernetes Benchmark and NSA/CISA Hardening Guide compliance map
  • RBAC, Pod Security Admission, and admission control (Kyverno / Gatekeeper) assessment
  • Resource utilisation analysis with request / limit tuning and Goldilocks / VPA recommendations
  • NetworkPolicy and service mesh coverage map (Cilium, Calico, Istio, Linkerd)
  • Cost-savings backlog with Kubecost / OpenCost data, Karpenter / autoscaler tuning, and quantified $/month
  • Reliability assessment - PDBs, topology spread, multi-AZ, probes, GitOps drift, DR posture
  • Prioritised remediation roadmap and 45-minute live findings walkthrough

Find the gaps before they become a 3 a.m. page.

Get a senior-engineer-verified Kubernetes audit covering security hardening, reliability, and cost - with a Kubernetes Audit Score, prioritised remediation backlog, and live debrief, completely free.


How We Handle Your Cluster Data

A cluster audit should never become a cluster incident. Here is exactly what we read - and what never leaves your environment.

Read-Only kubeconfig or ServiceAccount

We use a read-only kubeconfig or a least-privileged ServiceAccount with cluster-wide get / list / watch verbs only - scoped to the audit window and time-limited. We can never apply manifests, exec into pods, port-forward, modify RBAC, or restart workloads.

No Workload Data or Secrets Read

We never read the contents of Secrets, ConfigMaps used as secrets, or PersistentVolume data. The audit reads cluster, workload, and policy specs plus aggregated metrics only - never the application data, environment variables, or live traffic of your workloads.
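The least-privileged audit role described in the two sections above, as an added example that is not part of the original page: a constructed ClusterRole granting only get / list / watch, with Secrets left out of the core API group (because `get` or `list` on Secrets returns their data), plus a small checker a platform team can run over any proposed audit role before binding it. The role name and the exact resource list are assumptions.

```python
# Verbs a read-only audit role may use; anything else writes or escalates.
READ_ONLY_VERBS = {"get", "list", "watch"}
# Subresources that reach into running pods or the kubelet even with `get`.
FORBIDDEN_SUBRESOURCES = {"exec", "attach", "portforward", "proxy"}

# Constructed example of the audit ClusterRole (name is hypothetical). Secrets
# are deliberately omitted from the core-group list: `get` / `list` on secrets
# returns their data, which a read-only audit should never see.
AUDIT_CLUSTER_ROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "k8s-audit-readonly"},
    "rules": [
        {"apiGroups": [""],
         "resources": ["pods", "services", "namespaces", "nodes", "configmaps",
                       "serviceaccounts", "persistentvolumes",
                       "persistentvolumeclaims", "resourcequotas", "events"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": ["apps", "batch", "autoscaling", "policy",
                       "networking.k8s.io", "rbac.authorization.k8s.io",
                       "storage.k8s.io", "admissionregistration.k8s.io"],
         "resources": ["*"],
         "verbs": ["get", "list", "watch"]},
    ],
}


def audit_role_violations(role: dict) -> list:
    """Return reasons a ClusterRole is NOT a safe read-only audit role ([] if it is)."""
    problems = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        extra = set(rule.get("verbs", [])) - READ_ONLY_VERBS
        if extra:
            problems.append(f"rule {i}: non-read-only verbs {sorted(extra)}")
        if "*" in groups:
            problems.append(f"rule {i}: wildcard apiGroup grants every API")
        for res in rule.get("resources", []):
            base, _, sub = res.partition("/")
            # A wildcard resource in the core group ("") silently includes Secrets.
            if base == "secrets" or (base == "*" and ("" in groups or "*" in groups)):
                problems.append(f"rule {i}: resource {res!r} exposes Secret data")
            if sub in FORBIDDEN_SUBRESOURCES:
                problems.append(f"rule {i}: subresource {res!r} reaches live workloads")
    return problems
```

Bind the role to a dedicated ServiceAccount with a ClusterRoleBinding and a short-lived token; the checker returns an empty list for the role above and names each problem for an over-broad one.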

Auto-Revoked & Destroyed After Audit

As soon as your report is delivered, the ServiceAccount or kubeconfig is revoked, the analysis sandbox is destroyed, and your manifest exports are deleted. Only aggregate, anonymised findings are retained for QA - never namespace, workload, or RBAC details.

Frequently Asked Questions

The most common questions we hear from teams running this assessment.

What access do you actually need? Does any workload data or secret leave our environment?

A read-only kubeconfig or a ServiceAccount with cluster-wide get / list / watch verbs only, scoped to the audit window. We never apply, exec, port-forward, or modify anything. We do not read Secret data, the contents of ConfigMaps used as secrets, or PersistentVolume contents - only cluster, workload, and policy specs plus aggregated utilisation metrics. Step-by-step setup guides are included for EKS, GKE, AKS, OpenShift, Rancher, and self-managed clusters.

Which Kubernetes distributions and managed services do you support?

All major distributions: Amazon EKS, Google GKE (including Autopilot), Azure AKS, Red Hat OpenShift / OKD, Rancher / RKE / RKE2 / K3s, and self-managed Kubernetes (kubeadm, kops). The audit also covers common platform add-ons - Istio and Linkerd (service mesh), Cilium and Calico (CNI / network policy), ArgoCD and Flux (GitOps), Karpenter and Cluster Autoscaler (scaling), Kyverno and OPA/Gatekeeper (admission), Falco (runtime), and Kubecost / OpenCost (cost).

Do you align with the CIS Kubernetes Benchmark and NSA/CISA Hardening Guide?

Yes. Findings are mapped to specific controls in the CIS Kubernetes Benchmark, the NSA/CISA Kubernetes Hardening Guide, and the Pod Security Admission restricted profile, plus the relevant SDLC controls in SOC 2 CC8.1, ISO 27001, PCI-DSS 6, and HIPAA technical safeguards. The output is designed to drop directly into auditor evidence packs.

How is this different from running kube-bench or Trivy in CI?

Those tools produce raw findings; this audit interprets them. A senior Kubernetes engineer triages every finding for actual blast radius and exploitability against your context, removes false positives (e.g. permissive workloads with compensating controls), and combines results across kube-bench, kube-hunter, Trivy, Polaris, Pluto, KubeLinter, and Goldilocks with a manual review of admission control, networking, GitOps, and cost posture - into a prioritised, ticket-ready remediation plan rather than a 4,000-line report.

Can the audit cover cost optimisation as well as security?

Yes - most teams see 20-40% over-provisioned compute on first audit. We use Kubecost / OpenCost data where you have it, profile request-vs-usage with Goldilocks / VPA, and recommend Karpenter, Cluster Autoscaler, Spot / Preemptible, and KEDA changes with quantified $/month savings. You can also choose a cost-first focus during scoping if cost is the primary driver.

Will the audit affect performance or workload availability?

No. The audit is fully read-only and works against the API server's get / list / watch verbs at a controlled rate. Nothing we do can drain a node, evict a pod, modify RBAC, or trigger autoscaling. You can run the audit during normal business hours with zero risk to delivery.

How do you handle multi-cluster fleets?

We can audit a single cluster, a representative sample, or a full fleet. For fleet-wide audits we deduplicate findings (e.g. a misconfiguration shared across 30 clusters becomes one finding with an affected-cluster list), surface drift between clusters that should be identical (production / staging parity), and prioritise based on environment criticality and exposure.

How long until we receive the report?

Typical turnaround is 1-2 business days from the moment read-only access is granted, plus a 45-minute live findings walkthrough at a time that suits your team. Larger fleets with dozens of clusters can take a little longer; we confirm the timeline as soon as we see the scope.

Register for Your Free Kubernetes Audit


Your data is protected under our Non-Disclosure Agreement. By registering, you and OpsHero are bound by our NDA - guaranteeing your data is used solely to generate this report, runs in an isolated sandbox, and is permanently deleted once complete. We retain absolutely nothing.
