K8sgrade.sh: A Bash Script to Score Kubernetes Health and Security in Minutes

Kubernetes clusters generate a lot of signals, but converting those into a clear operational and security posture can be time-consuming. I built k8sgrade.sh to solve that problem with a simple terminal-first workflow.

k8sgrade.sh inspects a selected cluster context and namespace, runs practical checks, applies score deductions from 100, and produces a final grade with improvement suggestions.

Why I Built It

  • I wanted quick visibility into workload health and security posture.
  • I needed something lightweight and easy to run from any engineer workstation or VM.
  • I wanted output that is actionable, not just informational.

What k8sgrade.sh Checks

  • Cluster connectivity and node readiness
  • Pod health (pending pods, restart trends)
  • Top CPU and memory consumers
  • Workload safety settings:
    • Resource requests/limits
    • Readiness/liveness probes
    • Run-as-non-root posture
    • Privileged containers
    • Read-only root filesystem
  • Exposure and resilience checks:
    • NetworkPolicy presence
    • PodDisruptionBudget presence
    • Non-ClusterIP service exposure
  • Scheduling affinity/anti-affinity coverage
  • Service account and RBAC risk signals
  • Optional Trivy-based critical vulnerability signals

How the Score Works

k8sgrade.sh starts at 100 and applies deductions based on detected risks and gaps. At the end, you get both a numeric score and a letter grade.

Score Range   Grade   Meaning
95-100        A+      Production hardened
85-94         A       Production ready
70-84         B       Mostly healthy, minor gaps
55-69         C       Needs attention
40-54         D       Significant issues
0-39          F       Critical, not production ready
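
A sketch of the deduct-from-100 model applied to a few of the workload safety checks listed earlier, added here as an example and not taken from k8sgrade.sh. The deduction weights, the row format and the function names score_rows and grade_for are assumptions; only the grade bands come from the table above.

```bash
#!/usr/bin/env bash
# Added illustration; not k8sgrade.sh's own code. Deduction weights are assumed.

# Constructed sample: one container per line, "<none>" = field unset
# (the way kubectl custom-columns prints a missing value).
# POD  PRIVILEGED  RUN_AS_NON_ROOT  READONLY_ROOTFS  CPU_LIMIT
SAMPLE_ROWS='web-7d9f   <none>  true    true    500m
api-5c2b   <none>  <none>  <none>  250m
agent-x1   true    <none>  <none>  <none>'

# score_rows: read rows on stdin, print 100 minus deductions (floor 0).
score_rows() {
  awk '
    BEGIN { score = 100 }
    NF < 5 { next }                  # skip blank or malformed lines
    $2 == "true"   { score -= 15 }   # privileged container
    $3 != "true"   { score -= 5 }    # runAsNonRoot not set to true
    $4 != "true"   { score -= 3 }    # root filesystem is writable
    $5 == "<none>" { score -= 5 }    # no CPU limit
    END { if (score < 0) score = 0; print score }
  '
}

# grade_for: map a 0-100 score to the letter bands in the table above.
grade_for() {
  if   [ "$1" -ge 95 ]; then echo "A+"
  elif [ "$1" -ge 85 ]; then echo "A"
  elif [ "$1" -ge 70 ]; then echo "B"
  elif [ "$1" -ge 55 ]; then echo "C"
  elif [ "$1" -ge 40 ]; then echo "D"
  else echo "F"
  fi
}

score=$(printf '%s\n' "$SAMPLE_ROWS" | score_rows)
echo "score=$score grade=$(grade_for "$score")"
```

The sample rows only look at container-level fields; a securityContext set at pod level would need to be merged in before scoring.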

Quick Start


    git clone https://github.com/DevOpsArts/k8sgrade.sh.git
    cd k8sgrade.sh
    ./k8sgrade.sh
    ./k8sgrade.sh -c your-context -n your-namespace
    ./k8sgrade.sh -c your-context -n your-namespace --export-csv ./k8sgrade-report.csv

Prerequisites

  • bash
  • kubectl
  • Access to one or more Kubernetes contexts
  • Valid kubeconfig

Optional: python3 (for JSON-backed parsing) and trivy (for vulnerability signals).

What Makes It Practical

  • Interactive and non-interactive modes
  • Context selection by name or number
  • Namespace-first flow for faster targeting
  • CSV export support for sharing and trending
  • Works on macOS and Ubuntu (with prerequisites)

Final Thoughts

If you want quick, actionable visibility into Kubernetes health and security posture without heavy platform overhead, k8sgrade.sh is a strong starting point.

Repository: https://github.com/DevOpsArts/k8sgrade.sh
