| Context | hidden |
| Provider | GKE |
| Kubernetes | v1.34.7-gke.1055000 |
| Platform | linux/amd64 |
| CNI | Calico |
| Collected | 2026-06-16T16:11 |
| Total pods | 132 | Running | 119 |
| Helm releases | 34 | Deployed | 34 |
| Ingress rules | 4 | Services | 66 |

| Version | Latest Patch | Released | EOL | Status |
|---|---|---|---|---|
| 1.36 | 1.36.2 | 2026-04-22 | 2027-06-28 | Supported |
| 1.35 | 1.35.6 | 2025-12-17 | 2027-02-28 | Supported |
| 1.34 | 1.34.9 | 2025-08-27 | 2026-10-27 | Supported |

| Node | Status | Region / Zone | Instance | CPU cap | Mem cap GiB | CPU % | Mem % | Kubelet | Age |
|---|---|---|---|---|---|---|---|---|---|
| node-1 | Ready app:NoSchedule | us-east4 / us-east4-c | c2d-highcpu-8 | 8.0 | 15.6 | 0% | 28% | v1.34.7-gke.1055000 | today |
| node-2 | Ready prometheus:NoSchedule | us-east4 / us-east4-b | n2d-standard-4 | 4.0 | 15.6 | 5% | 55% | v1.34.7-gke.1055000 | 3d |
| node-3 | Ready prometheus:NoSchedule | us-east4 / us-east4-a | n2d-standard-4 | 4.0 | 15.6 | 5% | 54% | v1.34.7-gke.1055000 | 3d |
| node-4 | Ready | us-east4 / us-east4-c | t2d-standard-8 | 8.0 | 31.3 | 43% | 68% | v1.34.7-gke.1055000 | 1d |
| node-5 | Ready | us-east4 / us-east4-b | t2d-standard-8 | 8.0 | 31.3 | 39% | 24% | v1.34.7-gke.1055000 | today |
| node-6 | Ready | us-east4 / us-east4-b | t2d-standard-8 | 8.0 | 31.3 | 37% | 71% | v1.34.7-gke.1055000 | 3d |
| node-7 | Ready | us-east4 / us-east4-a | t2d-standard-8 | 8.0 | 31.3 | 54% | 69% | v1.34.7-gke.1055000 | 1d |
| node-8 | Ready | us-east4 / us-east4-a | n2d-custom-16-24576 | 16.0 | 23.5 | 20% | 95% | v1.34.7-gke.1055000 | 3d |
| node-9 | Ready | us-east4 / us-east4-b | n2d-custom-16-24576 | 16.0 | 23.5 | 31% | 79% | v1.34.7-gke.1055000 | 3d |

| Namespace | Pods | Running | Issues |
|---|---|---|---|
| ns-1 | 69 | 66 | 69 |
| prometheus | 22 | 22 | 6 |
| ns-2 | 9 | 9 | 3 |
| ns-3 | 8 | 2 | 7 |
| cnrm-system | 5 | 5 | — |
| cert-manager | 3 | 3 | — |
| kubecost | 3 | 3 | — |
| ns-4 | 3 | 3 | 3 |
| ns-5 | 2 | 2 | — |
| ns-6 | 2 | 0 | — |
| ns-7 | 1 | 0 | 1 |
| ns-8 | 1 | 1 | 1 |
| configconnector-operator-system | 1 | 1 | — |
| external-dns | 1 | 0 | 1 |
| nginx | 1 | 1 | — |
| ns-9 | 1 | 1 | — |

| Kind | Namespace | Name | Ready | Age | Flags |
|---|---|---|---|---|---|
| Deploy | ns-7 | workload-1 | 0/1 | 2y 2mo | no-limits no-probe no-seccomp raw root |
| Deploy | ns-8 | workload-2 | 1/1 | 2y 0mo | no-limits no-probe no-seccomp root |
| Deploy | ns-5 | workload-3 | 1/1 | 3y 1mo | |
| Deploy | ns-5 | workload-4 | 1/1 | 3y 1mo | no-limits no-probe raw |
| Deploy | cert-manager | cert-manager | 1/1 | 2y 8mo | no-limits no-probe |
| Deploy | cert-manager | cert-manager-cainjector | 1/1 | 2y 8mo | no-limits no-probe |
| Deploy | cert-manager | cert-manager-webhook | 1/1 | 2y 8mo | no-limits |
| Sts | cnrm-system | cnrm-controller-manager | 1/1 | 3y 9mo | no-limits no-probe no-seccomp raw |
| Sts | cnrm-system | cnrm-deletiondefender | 1/1 | 3y 9mo | no-seccomp raw |
| Deploy | cnrm-system | cnrm-resource-stats-recorder | 1/1 | 3y 9mo | host-ns no-limits no-probe no-seccomp raw |
| Deploy | cnrm-system | cnrm-webhook-manager | 2/2 | 3y 9mo | no-seccomp raw |
| Sts | configconnector-operator-system | configconnector-operator | 1/1 | 3y 9mo | no-probe raw |
| Deploy | external-dns | external-dns | 0/1 | 2y 6mo | no-limits no-seccomp root |
| DS | gke-managed-networking-dra-driver | workload-5 | 0/0 | 3d | raw |
| Deploy | kubecost | kubecost-cost-analyzer | 1/1 | 2y 2mo | no-limits |
| Deploy | kubecost | kubecost-grafana | 1/1 | 2y 2mo | no-limits no-probe |
| Deploy | kubecost | kubecost-prometheus-server | 1/1 | 2y 2mo | no-limits |
| Deploy | nginx | nginx-ingress-nginx-controller | 1/1 | 3y 10mo | |
| Deploy | ns-3 | workload-6 | 1/1 | 1y 4mo | |
| Deploy | ns-3 | workload-7 | 1/1 | 1y 4mo | no-limits no-seccomp root |
| Deploy | ns-9 | workload-8 | 1/1 | 10mo | no-seccomp |
| Deploy | ns-1 | workload-9 | 3/3 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-10 | 2/2 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-11 | 2/2 | 3y 9mo | no-limits no-seccomp root |
| Deploy | ns-1 | workload-12 | 2/2 | 3y 9mo | no-limits no-seccomp root |
| Deploy | ns-1 | workload-13 | 4/4 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-14 | 24/24 | 3y 9mo | :latest no-limits no-seccomp root |
| DS | ns-1 | workload-15 | 6/6 | 3y 9mo | :latest no-limits no-probe no-seccomp root |
| Deploy | ns-1 | workload-16 | 2/2 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-17 | 5/5 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-18 | 2/2 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-19 | 6/6 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-20 | 2/2 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-21 | 2/2 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-22 | 3/3 | 3y 9mo | no-seccomp root |
| Deploy | ns-1 | workload-23 | 1/1 | 9mo | no-seccomp root |
| Deploy | prometheus | blackbox-prometheus-blackbox-exporter | 1/1 | 3y 10mo | no-limits no-seccomp |
| Deploy | prometheus | prometheus-adapter | 1/1 | 3y 10mo | no-limits no-seccomp |
| Deploy | prometheus | prometheus-grafana | 1/1 | 2y 2mo | no-limits no-probe |
| Deploy | prometheus | prometheus-kube-prometheus-operator | 1/1 | 2y 2mo | |
| Deploy | prometheus | prometheus-kube-state-metrics | 1/1 | 2y 2mo | |
| Sts | prometheus | prometheus-prometheus-kube-prometheus-prometheus | 2/2 | 2y 2mo | no-limits no-probe |
| DS | prometheus | prometheus-prometheus-node-exporter | 9/9 | 2y 2mo | host-ns no-limits no-seccomp |
| Deploy | prometheus | thanos-bucket | 1/1 | 3y 10mo | no-probe no-seccomp root |
| Deploy | prometheus | thanos-compact | 1/1 | 3y 10mo | no-probe no-seccomp root |
| Deploy | prometheus | thanos-query | 2/2 | 3y 10mo | no-seccomp root |
| Deploy | prometheus | thanos-store-0 | 2/2 | 3y 10mo | no-probe no-seccomp root |
| Deploy | ns-4 | workload-24 | 1/1 | 2y 0mo | no-limits no-seccomp root |
| Deploy | ns-4 | workload-25 | 2/2 | 2y 0mo | no-limits no-seccomp root |
| Deploy | ns-6 | workload-26 | 0/1 | 2y 7mo | no-limits |
| Sts | ns-6 | workload-27 | 0/1 | 2y 7mo | no-limits no-seccomp |
| Deploy | ns-2 | workload-28 | 2/2 | 28d | no-seccomp root |
| Deploy | ns-2 | workload-29 | 1/1 | 28d | no-seccomp root |
| Deploy | ns-2 | workload-30 | 2/2 | 28d | no-limits no-probe no-seccomp |
| Deploy | ns-2 | workload-31 | 2/2 | 28d | no-limits no-probe no-seccomp |
| Deploy | ns-2 | workload-32 | 2/2 | 28d | no-limits no-probe no-seccomp |

| Namespace |
|---|
| ns-7 |
| ns-8 |
| ns-5 |
| cert-manager |
| cnrm-system |
| configconnector-operator-system |
| ns-10 |
| external-dns |
| gke-managed-networking-dra-driver |
| gke-managed-system |
| gke-managed-volumepopulator |
| kubecost |
| nginx |
| ns-3 |
| ns-9 |
| ns-1 |
| prometheus |
| ns-4 |
| ns-6 |
| ns-2 |

Set pod-security.kubernetes.io/enforce=baseline to secure the namespaces listed above.

| Kind | Namespace | Name | Replicas |
|---|---|---|---|
| Deploy | cnrm-system | cnrm-webhook-manager | 2 no PDB |
| Deploy | trino | trino-cluster-worker | 2 no PDB |

| Namespace | Name | Target | Min | Max | Current |
|---|---|---|---|---|---|
| cnrm-system | hpa-1 | Deployment/hpa-1 | 2 | 20 | 2 |
| nginx | hpa-2 | Deployment/hpa-2 | 1 | 15 | 1 |
| ns-9 | hpa-3 | Deployment/hpa-3 | 1 | 10 | 1 |
| ns-1 | hpa-4 | Deployment/hpa-4 | 3 | 20 | 3 |
| ns-1 | hpa-5 | Deployment/hpa-5 | 2 | 4 | 2 |
| ns-1 | hpa-6 | Deployment/hpa-6 | 2 | 15 | 2 |
| ns-1 | hpa-7 | Deployment/hpa-7 | 2 | 200 | 2 |
| ns-1 | hpa-8 | Deployment/hpa-8 | 2 | 60 | 4 |
| ns-1 | hpa-9 | Deployment/hpa-9 | 8 | 666 | 24 |
| ns-1 | hpa-10 | Deployment/hpa-10 | 2 | 10 | 2 |
| ns-1 | hpa-11 | Deployment/hpa-11 | 5 | 20 | 5 |
| ns-1 | hpa-12 | Deployment/hpa-12 | 2 | 10 | 2 |
| ns-1 | hpa-13 | Deployment/hpa-13 | 3 | 20 | 6 |
| ns-1 | hpa-14 | Deployment/hpa-14 | 2 | 3 | 2 |
| ns-1 | hpa-15 | Deployment/hpa-15 | 2 | 5 | 2 |
| ns-1 | hpa-16 | Deployment/hpa-16 | 3 | 15 | 3 |

| Reason | Count | Example Object |
|---|---|---|
| Failed | 62086 | Pod/ns-7/ |
| FailedToRetrieveImagePullSecret | 27132 | Pod/ns-8/ |
| Sync | 338 | Ingress/prometheus/prometheus-ingress |
| Translate | 337 | Ingress/ns-6/ |
| Unhealthy | 61 | Pod/kube-system/calico-node-9znrb |
| FailedDaemonPod | 35 | DaemonSet/kube-system/calico-node |
| NodeShutdown | 30 | Pod/kube-system/calico-node-2l8rc |
| FailedScheduling | 9 | Pod/ns-1/ |
| ContainerdStart | 4 | Node/ns-10/ |
| DockerStart | 4 | Node/ns-10/ |

| Reason | Object | Count | Message |
|---|---|---|---|
| FailedScheduling | Pod/production/fluidconfigure-imagecomposer-766b948b64-2spfw | 3 | 0/8 nodes are available: 2 Insufficient memory, 3 Insufficient cpu, 3 node(s) had untolerated taint(s). no new claims to |
| FailedScheduling | Pod/production/fluidconfigure-imagecomposer-766b948b64-2wlxl | 3 | 0/9 nodes are available: 2 Insufficient memory, 3 node(s) had untolerated taint(s), 4 Insufficient cpu. no new claims to |
| FailedScheduling | Pod/production/fluidconfigure-imagecomposer-766b948b64-fmhn8 | 3 | 0/9 nodes are available: 2 Insufficient memory, 3 node(s) had untolerated taint(s), 4 Insufficient cpu. no new claims to |

| Namespace | Name | IP | Ports | Managed by |
|---|---|---|---|---|
| nginx | lb-1 | 10.175.26.36 | 80/TCP, 443/TCP | Helm |
| ns-1 | lb-2 | 10.216.19.96 | 80/TCP, 443/TCP | Helm |

| Namespace | Name | Ports | Managed by |
|---|---|---|---|
| trino | trino-cluster | 30984 | Helm |

| Namespace | Name | Hosts | Class | TLS | Managed by |
|---|---|---|---|---|---|
| ns-1 | ingress-1 | host-1-1.demo.local, host-1-2.demo.local, host-1-3.demo.local, host-1-4.demo.local | | TLS | raw |
| prometheus | ingress-2 | host-2-1.demo.local, host-2-2.demo.local, host-2-3.demo.local | | TLS | raw |
| ns-4 | ingress-3 | host-3-1.demo.local | | TLS | Helm |
| ns-6 | ingress-4 | host-4-1.demo.local | | No TLS | Helm |

| Total ClusterRoles | 162 |
| ClusterRoleBindings | 153 |
| Wildcard roles | 2 |
| default SA bindings | 2 |
| User ServiceAccounts | 0 |

| Namespace | Binding |
|---|---|
| ns-7 | binding-1 |
| kubecost | binding-2 |

| Namespace | Name | Phase | Size GiB | Class | Age |
|---|---|---|---|---|---|
| kubecost | pvc-1 | Bound | 32.0 | standard | 2y 2mo |
| kubecost | pvc-2 | Bound | 32.0 | standard | 2y 2mo |
| ns-3 | pvc-3 | Bound | 8.0 | standard | 1y 4mo |
| ns-1 | pvc-4 | Bound | 800.0 | | 3y 9mo |
| prometheus | pvc-5 | Bound | 10.0 | standard | 2y 2mo |
| prometheus | pvc-6 | Bound | 300.0 | standard-rwo | 3y 5mo |
| ns-6 | pvc-7 | Bound | 20.0 | standard | 2y 7mo |
| ns-6 | pvc-8 | Bound | 40.0 | standard | 2y 7mo |

| Name | Provisioner | Reclaim | |
|---|---|---|---|
| premium-rwo | pd.csi.storage.gke.io | Delete | |
| standard | kubernetes.io/gce-pd | Delete | default |
| standard-rwo | pd.csi.storage.gke.io | Delete | |

| Namespace | Release | Chart | App Version | Status | Rev | Updated |
|---|---|---|---|---|---|---|
| ns-8 | app-1 | app-chart-1 | — | deployed | 3 | 2024-06-25 |
| cert-manager | cert-manager | cert-manager-v1.12.4 | v1.12.4 | deployed | 1 | 2023-09-26 |
| external-dns | external-dns | external-dns-6.24.1 | 0.13.5 | deployed | 1 | 2023-11-29 |
| kubecost | kubecost | kubecost-1.107.1 | — | deployed | 1 | 2024-03-27 |
| nginx | nginx | ingress-nginx-4.12.1 | 1.12.1 | deployed | 4 | 2025-03-25 |
| ns-3 | mongodb | mongodb-18.6.28 | 8.2.7 | deployed | 10 | 2026-04-22 |
| ns-3 | app-2 | app-chart-2 | — | deployed | 10 | 2026-04-22 |
| ns-9 | app-3 | app-chart-3 | — | deployed | 2 | 2025-07-31 |
| ns-1 | app-4 | app-chart-4 | 4.3.0 | deployed | 22 | 2026-04-02 |
| ns-1 | app-5 | app-chart-5 | 0.222.2 | deployed | 99 | 2026-06-10 |
| ns-1 | app-6 | app-chart-6 | 0.208.0 | deployed | 86 | 2026-06-10 |
| ns-1 | app-7 | app-chart-7 | 0.208.0 | deployed | 90 | 2026-06-10 |
| ns-1 | app-8 | app-chart-8 | 3.15.3 | deployed | 26 | 2026-05-26 |
| ns-1 | app-9 | app-chart-9 | 3.5.1 | deployed | 24 | 2026-04-23 |
| ns-1 | app-10 | app-chart-10 | 9.18.1 | deployed | 21 | 2026-06-05 |
| ns-1 | app-11 | app-chart-11 | 2.21.1 | deployed | 44 | 2026-03-25 |
| ns-1 | app-12 | app-chart-12 | 3.0.0 | deployed | 8 | 2024-08-12 |
| ns-1 | app-13 | app-chart-13 | 5.16.0 | deployed | 24 | 2026-01-23 |
| ns-1 | app-14 | app-chart-14 | — | deployed | 5 | 2022-09-09 |
| ns-1 | app-15 | app-chart-15 | 3.0.5 | deployed | 3 | 2023-05-24 |
| ns-1 | app-16 | app-chart-16 | 6.0.1 | deployed | 4 | 2025-03-13 |
| ns-1 | app-17 | app-chart-17 | 2.21.0 | deployed | 7 | 2023-07-11 |
| ns-1 | app-18 | app-chart-18 | — | deployed | 4 | 2026-05-29 |
| prometheus | app-19 | app-chart-19 | 0.22.0 | deployed | 1 | 2022-08-18 |
| prometheus | prometheus | kube-prometheus-stack-77.6.1 | v0.85.0 | deployed | 14 | 2026-05-26 |
| prometheus | app-20 | app-chart-20 | v0.10.0 | deployed | 1 | 2022-08-18 |
| prometheus | app-21 | app-chart-21 | 0.17.1 | deployed | 46 | 2023-01-06 |
| ns-4 | app-22 | app-chart-22 | 448 | deployed | 10 | 2024-06-10 |
| ns-6 | wordpress | wordpress-17.0.5 | 6.2.2 | deployed | 1 | 2023-10-20 |
| ns-2 | app-23 | app-chart-23 | — | deployed | 6 | 2026-06-10 |
| ns-2 | app-24 | app-chart-24 | — | deployed | 4 | 2026-06-12 |
| ns-2 | app-25 | app-chart-25 | — | deployed | 7 | 2026-06-10 |
| ns-2 | app-26 | app-chart-26 | — | deployed | 4 | 2026-06-10 |
| ns-2 | app-27 | app-chart-27 | — | deployed | 4 | 2026-06-10 |

No VolumeSnapshots found.

| Namespace | Name | Age |
|---|---|---|
| gke-managed-networking-dra-driver | ds-1 | 3d |

| Severity | Category | Finding | Detail |
|---|---|---|---|
| HIGH | Reliability | No backup solution detected → Install Velero with a scheduled backup or configure VolumeSnapshot policies. | Velero is not installed and no VolumeSnapshots found. |
| HIGH | Security | 10 pod(s) using host namespaces (hostPID/IPC/Network) → Remove hostPID/hostIPC/hostNetwork unless strictly required by the workload. | |
| MEDIUM | Capacity | Node gke-prod-us-east-4-prod-us-east-4-sta-705dd2e3-7itx high memory usage → Consider scaling the node pool or adding nodes. | 95% memory utilised |
| MEDIUM | Security | 19 namespace(s) without NetworkPolicy → Add a default-deny NetworkPolicy to each listed namespace. | ns-7, ns-8, ns-5, cert-manager, cnrm-system, configconnector-operator-system, ns-10, external-dns |
| MEDIUM | Security | 2 ClusterRole(s) with wildcard permissions → Replace wildcard rules with specific resource+verb grants. | cluster-admin, prometheus-adapter-server-resources |
| MEDIUM | Security | 2 default ServiceAccount role binding(s) → Assign roles to named ServiceAccounts, not to 'default'. | ns-7/kube-app-manager-leader-election-rolebinding, kubecost/ns-10 |
| MEDIUM | Reliability | 50 pod(s) missing resource limits → Set resources.limits on all containers or add a LimitRange to each namespace. | |
| MEDIUM | Security | 1 Ingress resource(s) without TLS → Add TLS configuration to all Ingress resources. | ns-6/ns-6-wp |
| MEDIUM | Security | 20 namespace(s) without Pod Security Admission enforce label → Set pod-security.kubernetes.io/enforce=baseline or restricted on each user namespace. | |
| MEDIUM | Reliability | 2 multi-replica workload(s) without PodDisruptionBudget → Create a PodDisruptionBudget with minAvailable≥1 for each multi-replica workload. | |
| MEDIUM | Reliability | 15 namespace(s) without ResourceQuota → Add ResourceQuota to each user namespace to cap CPU, memory, and object counts. | |
| MEDIUM | Reliability | 16 namespace(s) without LimitRange → Add a LimitRange with default CPU/memory limits to each user namespace. | |
| MEDIUM | Storage | 1 default StorageClass(es) with Delete reclaim policy → Consider Retain reclaim policy for production workloads, or ensure backups exist. | |
| MEDIUM | Reliability | 3 deployment(s) using Recreate update strategy → Switch to RollingUpdate strategy with appropriate maxUnavailable/maxSurge settings. | |
| MEDIUM | Security | 5 admission webhook(s) with failurePolicy=Ignore → Set failurePolicy=Fail on security-critical webhooks, or investigate why they fail. | |
| LOW | Governance | 10 resource(s) deployed with raw manifests (no Helm/ArgoCD/Flux) → Migrate to a GitOps or Helm-based deployment workflow for lifecycle tracking and rollback. | Deployment ns-7/kube-app-manager-controller, Deployment ns-5/ns-5-cpvpa, Deployment cnrm-system/cnrm-resource-stats-recorder, Deployment cnrm-system/cnrm-webhook-manager … +6 more |
| LOW | Reliability | 20 container(s) using :latest or unversioned image tag → Pin all images to a specific digest or version tag for reproducible deployments. | |
| LOW | Reliability | 37 container(s) without readinessProbe → Add a readinessProbe to all application containers. | |
| LOW | Security | 50 pod(s) without seccomp profile → Set securityContext.seccompProfile.type=RuntimeDefault on pods or containers. | |
| LOW | Reliability | 5 workload(s) with 3+ replicas but no spread constraints → Add topologySpreadConstraints or podAntiAffinity to spread pods across nodes/zones. | |
| LOW | Cost | 1 DaemonSet(s) with no scheduled nodes → Remove unused DaemonSets or fix node selector labels. | |