Demo dashboard — cluster name and resource identifiers have been anonymized. Findings are illustrative. Want an audit like this? itaudit.yushkov.org

Kubernetes Audit 1.34

Demo · hidden · GKE
Generated 2026-06-16 16:13
CNI: Calico
Nodes: 9 (9 Ready)
User Namespaces: 16 (132 pods running)
Persistent Volumes: 8 (1,242.0 GiB total claimed)
Findings: 21 (2 HIGH · 13 MEDIUM · 6 LOW)
Cluster Overview
Context: hidden
Provider: GKE
Kubernetes: v1.34.7-gke.1055000
Platform: linux/amd64
CNI: Calico
Collected: 2026-06-16T16:11
Kubernetes EOL Status
✓ Supported — version 1.34 supported until 2026-10-27 (133 days remaining). Latest patch: 1.34.9.
Total pods: 132 · Running: 119
Helm releases: 34 · Deployed: 34
Ingress rules: 4 · Services: 66
Available Versions
Version Latest Patch Released EOL Status
1.36 1.36.2 2026-04-22 2027-06-28 Supported
1.35 1.35.6 2025-12-17 2027-02-28 Supported
1.34 1.34.9 2025-08-27 2026-10-27 Supported
Nodes
Node Status Taint Region / Zone Instance CPU cap Mem cap GiB CPU % Mem % Kubelet Age
node-1 Ready app:NoSchedule us-east4 / us-east4-c c2d-highcpu-8 8.0 15.6 0% 28% v1.34.7-gke.1055000 today
node-2 Ready prometheus:NoSchedule us-east4 / us-east4-b n2d-standard-4 4.0 15.6 5% 55% v1.34.7-gke.1055000 3d
node-3 Ready prometheus:NoSchedule us-east4 / us-east4-a n2d-standard-4 4.0 15.6 5% 54% v1.34.7-gke.1055000 3d
node-4 Ready us-east4 / us-east4-c t2d-standard-8 8.0 31.3 43% 68% v1.34.7-gke.1055000 1d
node-5 Ready us-east4 / us-east4-b t2d-standard-8 8.0 31.3 39% 24% v1.34.7-gke.1055000 today
node-6 Ready us-east4 / us-east4-b t2d-standard-8 8.0 31.3 37% 71% v1.34.7-gke.1055000 3d
node-7 Ready us-east4 / us-east4-a t2d-standard-8 8.0 31.3 54% 69% v1.34.7-gke.1055000 1d
node-8 Ready us-east4 / us-east4-a n2d-custom-16-24576 16.0 23.5 20% 95% v1.34.7-gke.1055000 3d
node-9 Ready us-east4 / us-east4-b n2d-custom-16-24576 16.0 23.5 31% 79% v1.34.7-gke.1055000 3d
Workloads
Pods by Namespace
Namespace Pods Running Issues
ns-1 69 66 69
prometheus 22 22 6
ns-2 9 9 3
ns-3 8 2 7
cnrm-system 5 5
cert-manager 3 3
kubecost 3 3
ns-4 3 3 3
ns-5 2 2
ns-6 2 0
ns-7 1 0 1
ns-8 1 1 1
configconnector-operator-system 1 1
external-dns 1 0 1
nginx 1 1
ns-9 1 1
Deployments, StatefulSets & DaemonSets
Kind Namespace Name Ready Age Flags
Deploy ns-7 workload-1 0/1 2y 2mo no-limits no-probe no-seccomp raw root
Deploy ns-8 workload-2 1/1 2y 0mo no-limits no-probe no-seccomp root
Deploy ns-5 workload-3 1/1 3y 1mo
Deploy ns-5 workload-4 1/1 3y 1mo no-limits no-probe raw
Deploy cert-manager cert-manager 1/1 2y 8mo no-limits no-probe
Deploy cert-manager cert-manager-cainjector 1/1 2y 8mo no-limits no-probe
Deploy cert-manager cert-manager-webhook 1/1 2y 8mo no-limits
Sts cnrm-system cnrm-controller-manager 1/1 3y 9mo no-limits no-probe no-seccomp raw
Sts cnrm-system cnrm-deletiondefender 1/1 3y 9mo no-seccomp raw
Deploy cnrm-system cnrm-resource-stats-recorder 1/1 3y 9mo host-ns no-limits no-probe no-seccomp raw
Deploy cnrm-system cnrm-webhook-manager 2/2 3y 9mo no-seccomp raw
Sts configconnector-operator-system configconnector-operator 1/1 3y 9mo no-probe raw
Deploy external-dns external-dns 0/1 2y 6mo no-limits no-seccomp root
DS gke-managed-networking-dra-driver workload-5 0/0 3d raw
Deploy kubecost kubecost-cost-analyzer 1/1 2y 2mo no-limits
Deploy kubecost kubecost-grafana 1/1 2y 2mo no-limits no-probe
Deploy kubecost kubecost-prometheus-server 1/1 2y 2mo no-limits
Deploy nginx nginx-ingress-nginx-controller 1/1 3y 10mo
Deploy ns-3 workload-6 1/1 1y 4mo
Deploy ns-3 workload-7 1/1 1y 4mo no-limits no-seccomp root
Deploy ns-9 workload-8 1/1 10mo no-seccomp
Deploy ns-1 workload-9 3/3 3y 9mo no-seccomp root
Deploy ns-1 workload-10 2/2 3y 9mo no-seccomp root
Deploy ns-1 workload-11 2/2 3y 9mo no-limits no-seccomp root
Deploy ns-1 workload-12 2/2 3y 9mo no-limits no-seccomp root
Deploy ns-1 workload-13 4/4 3y 9mo no-seccomp root
Deploy ns-1 workload-14 24/24 3y 9mo :latest no-limits no-seccomp root
DS ns-1 workload-15 6/6 3y 9mo :latest no-limits no-probe no-seccomp root
Deploy ns-1 workload-16 2/2 3y 9mo no-seccomp root
Deploy ns-1 workload-17 5/5 3y 9mo no-seccomp root
Deploy ns-1 workload-18 2/2 3y 9mo no-seccomp root
Deploy ns-1 workload-19 6/6 3y 9mo no-seccomp root
Deploy ns-1 workload-20 2/2 3y 9mo no-seccomp root
Deploy ns-1 workload-21 2/2 3y 9mo no-seccomp root
Deploy ns-1 workload-22 3/3 3y 9mo no-seccomp root
Deploy ns-1 workload-23 1/1 9mo no-seccomp root
Deploy prometheus blackbox-prometheus-blackbox-exporter 1/1 3y 10mo no-limits no-seccomp
Deploy prometheus prometheus-adapter 1/1 3y 10mo no-limits no-seccomp
Deploy prometheus prometheus-grafana 1/1 2y 2mo no-limits no-probe
Deploy prometheus prometheus-kube-prometheus-operator 1/1 2y 2mo
Deploy prometheus prometheus-kube-state-metrics 1/1 2y 2mo
Sts prometheus prometheus-prometheus-kube-prometheus-prometheus 2/2 2y 2mo no-limits no-probe
DS prometheus prometheus-prometheus-node-exporter 9/9 2y 2mo host-ns no-limits no-seccomp
Deploy prometheus thanos-bucket 1/1 3y 10mo no-probe no-seccomp root
Deploy prometheus thanos-compact 1/1 3y 10mo no-probe no-seccomp root
Deploy prometheus thanos-query 2/2 3y 10mo no-seccomp root
Deploy prometheus thanos-store-0 2/2 3y 10mo no-probe no-seccomp root
Deploy ns-4 workload-24 1/1 2y 0mo no-limits no-seccomp root
Deploy ns-4 workload-25 2/2 2y 0mo no-limits no-seccomp root
Deploy ns-6 workload-26 0/1 2y 7mo no-limits
Sts ns-6 workload-27 0/1 2y 7mo no-limits no-seccomp
Deploy ns-2 workload-28 2/2 28d no-seccomp root
Deploy ns-2 workload-29 1/1 28d no-seccomp root
Deploy ns-2 workload-30 2/2 28d no-limits no-probe no-seccomp
Deploy ns-2 workload-31 2/2 28d no-limits no-probe no-seccomp
Deploy ns-2 workload-32 2/2 28d no-limits no-probe no-seccomp
⚠ 20 Namespace(s) Without PSA Enforce Label
Namespace
ns-7
ns-8
ns-5
cert-manager
cnrm-system
configconnector-operator-system
ns-10
external-dns
gke-managed-networking-dra-driver
gke-managed-system
gke-managed-volumepopulator
kubecost
nginx
ns-3
ns-9
ns-1
prometheus
ns-4
ns-6
ns-2
Add pod-security.kubernetes.io/enforce=baseline to secure namespaces
Reliability
PodDisruptionBudgets 21 defined
Kind Namespace Name Replicas PDB
Deploy cnrm-system cnrm-webhook-manager 2 no PDB
Deploy trino trino-cluster-worker 2 no PDB
HorizontalPodAutoscalers 16 configured
Namespace Name Target Min Max Current
cnrm-system hpa-1 Deployment/hpa-1 2 20 2
nginx hpa-2 Deployment/hpa-2 1 15 1
ns-9 hpa-3 Deployment/hpa-3 1 10 1
ns-1 hpa-4 Deployment/hpa-4 3 20 3
ns-1 hpa-5 Deployment/hpa-5 2 4 2
ns-1 hpa-6 Deployment/hpa-6 2 15 2
ns-1 hpa-7 Deployment/hpa-7 2 200 2
ns-1 hpa-8 Deployment/hpa-8 2 60 4
ns-1 hpa-9 Deployment/hpa-9 8 666 24
ns-1 hpa-10 Deployment/hpa-10 2 10 2
ns-1 hpa-11 Deployment/hpa-11 5 20 5
ns-1 hpa-12 Deployment/hpa-12 2 10 2
ns-1 hpa-13 Deployment/hpa-13 3 20 6
ns-1 hpa-14 Deployment/hpa-14 2 3 2
ns-1 hpa-15 Deployment/hpa-15 2 5 2
ns-1 hpa-16 Deployment/hpa-16 3 15 3
Runtime Events
Top Warning Reasons (90048 total events)
Reason Count Example Object
Failed 62086 Pod/ns-7/
FailedToRetrieveImagePullSecret 27132 Pod/ns-8/
Sync 338 Ingress/prometheus/prometheus-ingress
Translate 337 Ingress/ns-6/
Unhealthy 61 Pod/kube-system/calico-node-9znrb
FailedDaemonPod 35 DaemonSet/kube-system/calico-node
NodeShutdown 30 Pod/kube-system/calico-node-2l8rc
FailedScheduling 9 Pod/ns-1/
ContainerdStart 4 Node/ns-10/
DockerStart 4 Node/ns-10/
High-Signal Events
Reason Object Count Message
FailedScheduling Pod/production/fluidconfigure-imagecomposer-766b948b64-2spfw 3 0/8 nodes are available: 2 Insufficient memory, 3 Insufficient cpu, 3 node(s) had untolerated taint(s). no new claims to
FailedScheduling Pod/production/fluidconfigure-imagecomposer-766b948b64-2wlxl 3 0/9 nodes are available: 2 Insufficient memory, 3 node(s) had untolerated taint(s), 4 Insufficient cpu. no new claims to
FailedScheduling Pod/production/fluidconfigure-imagecomposer-766b948b64-fmhn8 3 0/9 nodes are available: 2 Insufficient memory, 3 node(s) had untolerated taint(s), 4 Insufficient cpu. no new claims to
Network Security
Network Policies
✓ 1 NetworkPolicy(ies) defined
⚠ 19 namespace(s) still unprotected:
ns-7, ns-8, ns-5, cert-manager, cnrm-system, configconnector-operator-system, ns-10, external-dns, gke-managed-networking-dra-driver, gke-managed-system, gke-managed-volumepopulator, kubecost, nginx, ns-9, ns-1, prometheus, ns-4, ns-6, ns-2
Externally Exposed Services
LoadBalancer
Namespace Name IP Ports Managed by
nginx lb-1 10.175.26.36 80/TCP, 443/TCP Helm
ns-1 lb-2 10.216.19.96 80/TCP, 443/TCP Helm
NodePort
Namespace Name Ports Managed by
trino trino-cluster 30984 Helm
Ingress Resources
Namespace Name Hosts Class TLS Managed by
ns-1 ingress-1 host-1-1.demo.local, host-1-2.demo.local, host-1-3.demo.local, host-1-4.demo.local TLS raw
prometheus ingress-2 host-2-1.demo.local, host-2-2.demo.local, host-2-3.demo.local TLS raw
ns-4 ingress-3 host-3-1.demo.local TLS Helm
ns-6 ingress-4 host-4-1.demo.local No TLS Helm
RBAC
cluster-admin Bindings
✓ No non-system cluster-admin bindings
⚠ 2 ClusterRole(s) with Wildcard Permissions
cluster-admin prometheus-adapter-server-resources
RBAC Summary
Total ClusterRoles: 162
ClusterRoleBindings: 153
Wildcard roles: 2
default SA bindings: 2
User ServiceAccounts: 0
⚠ default ServiceAccount has role bindings
Namespace Binding
ns-7 binding-1
kubecost binding-2
Storage
PersistentVolumeClaims
8 / 8 Bound · 1,242.0 GiB total
Namespace Name Phase Size GiB Class Age
kubecost pvc-1 Bound 32.0 standard 2y 2mo
kubecost pvc-2 Bound 32.0 standard 2y 2mo
ns-3 pvc-3 Bound 8.0 standard 1y 4mo
ns-1 pvc-4 Bound 800.0 3y 9mo
prometheus pvc-5 Bound 10.0 standard 2y 2mo
prometheus pvc-6 Bound 300.0 standard-rwo 3y 5mo
ns-6 pvc-7 Bound 20.0 standard 2y 7mo
ns-6 pvc-8 Bound 40.0 standard 2y 7mo
Storage Classes
Name Provisioner Reclaim Default
premium-rwo pd.csi.storage.gke.io Delete
standard kubernetes.io/gce-pd Delete default
standard-rwo pd.csi.storage.gke.io Delete
Service Inventory
Helm Releases 34 total · 34 deployed
Namespace Release Chart App Version Status Rev Updated
ns-8 app-1 app-chart-1 deployed 3 2024-06-25
cert-manager cert-manager cert-manager-v1.12.4 v1.12.4 deployed 1 2023-09-26
external-dns external-dns external-dns-6.24.1 0.13.5 deployed 1 2023-11-29
kubecost kubecost kubecost-1.107.1 deployed 1 2024-03-27
nginx nginx ingress-nginx-4.12.1 1.12.1 deployed 4 2025-03-25
ns-3 mongodb mongodb-18.6.28 8.2.7 deployed 10 2026-04-22
ns-3 app-2 app-chart-2 deployed 10 2026-04-22
ns-9 app-3 app-chart-3 deployed 2 2025-07-31
ns-1 app-4 app-chart-4 4.3.0 deployed 22 2026-04-02
ns-1 app-5 app-chart-5 0.222.2 deployed 99 2026-06-10
ns-1 app-6 app-chart-6 0.208.0 deployed 86 2026-06-10
ns-1 app-7 app-chart-7 0.208.0 deployed 90 2026-06-10
ns-1 app-8 app-chart-8 3.15.3 deployed 26 2026-05-26
ns-1 app-9 app-chart-9 3.5.1 deployed 24 2026-04-23
ns-1 app-10 app-chart-10 9.18.1 deployed 21 2026-06-05
ns-1 app-11 app-chart-11 2.21.1 deployed 44 2026-03-25
ns-1 app-12 app-chart-12 3.0.0 deployed 8 2024-08-12
ns-1 app-13 app-chart-13 5.16.0 deployed 24 2026-01-23
ns-1 app-14 app-chart-14 deployed 5 2022-09-09
ns-1 app-15 app-chart-15 3.0.5 deployed 3 2023-05-24
ns-1 app-16 app-chart-16 6.0.1 deployed 4 2025-03-13
ns-1 app-17 app-chart-17 2.21.0 deployed 7 2023-07-11
ns-1 app-18 app-chart-18 deployed 4 2026-05-29
prometheus app-19 app-chart-19 0.22.0 deployed 1 2022-08-18
prometheus prometheus kube-prometheus-stack-77.6.1 v0.85.0 deployed 14 2026-05-26
prometheus app-20 app-chart-20 v0.10.0 deployed 1 2022-08-18
prometheus app-21 app-chart-21 0.17.1 deployed 46 2023-01-06
ns-4 app-22 app-chart-22 448 deployed 10 2024-06-10
ns-6 wordpress wordpress-17.0.5 6.2.2 deployed 1 2023-10-20
ns-2 app-23 app-chart-23 deployed 6 2026-06-10
ns-2 app-24 app-chart-24 deployed 4 2026-06-12
ns-2 app-25 app-chart-25 deployed 7 2026-06-10
ns-2 app-26 app-chart-26 deployed 4 2026-06-10
ns-2 app-27 app-chart-27 deployed 4 2026-06-10
Backups
Velero
⛔ Velero not installed
No cluster-level backup solution detected. Data loss risk in case of cluster failure.
Volume Snapshots

No VolumeSnapshots found.

Orphaned Resources
DaemonSets With No Scheduled Nodes (1)
Namespace Name Age
gke-managed-networking-dra-driver ds-1 3d
Findings & Recommendations
Severity Category Finding Detail
HIGH Reliability No backup solution detected
→ Install Velero with a scheduled backup or configure VolumeSnapshot policies.
Velero is not installed and no VolumeSnapshots found.
HIGH Security 10 pod(s) using host namespaces (hostPID/IPC/Network)
→ Remove hostPID/hostIPC/hostNetwork unless strictly required by the workload.
MEDIUM Capacity Node gke-prod-us-east-4-prod-us-east-4-sta-705dd2e3-7itx high memory usage
→ Consider scaling the node pool or adding nodes.
95% memory utilised
MEDIUM Security 19 namespace(s) without NetworkPolicy
→ Add a default-deny NetworkPolicy to each listed namespace.
ns-7, ns-8, ns-5, cert-manager, cnrm-system, configconnector-operator-system, ns-10, external-dns
MEDIUM Security 2 ClusterRole(s) with wildcard permissions
→ Replace wildcard rules with specific resource+verb grants.
cluster-admin, prometheus-adapter-server-resources
MEDIUM Security 2 default ServiceAccount role binding(s)
→ Assign roles to named ServiceAccounts, not to 'default'.
ns-7/kube-app-manager-leader-election-rolebinding, kubecost/ns-10
MEDIUM Reliability 50 pod(s) missing resource limits
→ Set resources.limits on all containers or add a LimitRange to each namespace.
MEDIUM Security 1 Ingress resource(s) without TLS
→ Add TLS configuration to all Ingress resources.
ns-6/ns-6-wp
MEDIUM Security 20 namespace(s) without Pod Security Admission enforce label
→ Set pod-security.kubernetes.io/enforce=baseline or restricted on each user namespace.
MEDIUM Reliability 2 multi-replica workload(s) without PodDisruptionBudget
→ Create a PodDisruptionBudget with minAvailable≥1 for each multi-replica workload.
MEDIUM Reliability 15 namespace(s) without ResourceQuota
→ Add ResourceQuota to each user namespace to cap CPU, memory, and object counts.
MEDIUM Reliability 16 namespace(s) without LimitRange
→ Add a LimitRange with default CPU/memory limits to each user namespace.
MEDIUM Storage 1 default StorageClass(es) with Delete reclaim policy
→ Consider Retain reclaim policy for production workloads, or ensure backups exist.
MEDIUM Reliability 3 deployment(s) using Recreate update strategy
→ Switch to RollingUpdate strategy with appropriate maxUnavailable/maxSurge settings.
MEDIUM Security 5 admission webhook(s) with failurePolicy=Ignore
→ Set failurePolicy=Fail on security-critical webhooks, or investigate why they fail.
LOW Governance 10 resource(s) deployed with raw manifests (no Helm/ArgoCD/Flux)
→ Migrate to a GitOps or Helm-based deployment workflow for lifecycle tracking and rollback.
Deployment ns-7/kube-app-manager-controller, Deployment ns-5/ns-5-cpvpa, Deployment cnrm-system/cnrm-resource-stats-recorder, Deployment cnrm-system/cnrm-webhook-manager … +6 more
LOW Reliability 20 container(s) using :latest or unversioned image tag
→ Pin all images to a specific digest or version tag for reproducible deployments.
LOW Reliability 37 container(s) without readinessProbe
→ Add a readinessProbe to all application containers.
LOW Security 50 pod(s) without seccomp profile
→ Set securityContext.seccompProfile.type=RuntimeDefault on pods or containers.
LOW Reliability 5 workload(s) with 3+ replicas but no spread constraints
→ Add topologySpreadConstraints or podAntiAffinity to spread pods across nodes/zones.
LOW Cost 1 DaemonSet(s) with no scheduled nodes
→ Remove unused DaemonSets or fix node selector labels.