KubeBuddy runs checks to find issues and misconfigurations in your Kubernetes cluster. These checks power the health report and help you fix problems, reduce risk, and improve stability. This page lists all checks by category, with their ID, name, description, severity, and score weight.
Each check targets a specific part of your cluster: nodes, pods, workloads, security, and so on. The tables below group checks by category; use them to understand what is being evaluated, how serious each issue is, and how much it affects your overall health score.
Network checks:

| ID | Name | Description | Severity | Score |
|---|---|---|---|---|
| | | Identifies services that have no backing endpoints, which means no pods are matched. | critical | 2 |
| NET002 | Publicly Accessible Services | Detects services of type LoadBalancer or NodePort that are potentially exposed to the internet. | critical | 4 |
| NET003 | Ingress Health Validation | Validates ingress definitions for missing classes, invalid backends, missing TLS secrets, duplicate host/path entries, and incorrect path types. | critical | 3 |
| NET004 | Namespace Missing Network Policy | Detects namespaces that have running pods but no associated NetworkPolicy resources. This could allow unrestricted pod-to-pod communication. | warning | 3 |
| NET005 | Ingress Host/Path Conflicts | Identifies Ingress resources that define conflicting host and path combinations, leading to unpredictable routing. | critical | 5 |
| NET006 | Ingress Using Wildcard Hosts | Identifies Ingress resources that use wildcard hosts (e.g., `*.example.com`), which may offer broader exposure than intended. | medium | 2 |
| NET007 | Service TargetPort Mismatch | Identifies services whose `targetPort` does not match any `containerPort` in the backing pods, preventing traffic delivery. | critical | 4 |
| NET008 | ExternalName Service to Internal IP | Identifies `ExternalName` type services pointing to private IP ranges, which might indicate a misconfiguration or an unusual routing pattern. | medium | 2 |
| NET009 | Overly Permissive Network Policy | Identifies NetworkPolicies that define `policyTypes` but have no rules, effectively allowing all traffic for that type, or that contain overly broad `ipBlock` rules. | high | 4 |
| NET010 | Network Policy Overly Permissive IPBlock | Flags NetworkPolicies that include `0.0.0.0/0` in their `ipBlock` rules, effectively allowing traffic to/from all IPs for that rule, which can be a security risk. | high | 5 |
| NET011 | Network Policy Missing PolicyTypes | Detects NetworkPolicies that do not explicitly define `policyTypes`. Although this defaults to Ingress in some older versions, an explicit definition improves clarity and future compatibility across different CNI plugins and Kubernetes versions. | low | 1 |
| NET012 | Pod HostNetwork Usage | Identifies pods configured with `hostNetwork: true`, which allows direct access to the node's network interfaces, bypassing Kubernetes networking. | high | 4 |
| PROM003 | High Network Receive Rate (Prometheus) | Detects pods receiving large amounts of network traffic over the last 24 hours. | | |
Storage checks:

| ID | Name | Description | Severity | Score |
|---|---|---|---|---|
| | | Detects Persistent Volumes that are not bound to any Persistent Volume Claim. | Warning | 3 |
| PVC001 | Unused Persistent Volume Claims | Detects PVCs not attached to any pod. | Warning | 2 |
| PVC002 | PVCs Using Default StorageClass | Detects PVCs that do not explicitly specify a `storageClassName`. | Low | 1 |
| PVC003 | ReadWriteMany PVCs on Incompatible Storage | Detects PVCs requesting the ReadWriteMany access mode where the underlying storage is typically block-based and does not support concurrent writes from multiple nodes. | High | 5 |
| PVC004 | Unbound Persistent Volume Claims | Detects Persistent Volume Claims that are in the Pending phase and have not been bound to a Persistent Volume. | High | 3 |
| SC001 | Deprecated StorageClass Provisioners | Detects StorageClasses using deprecated or legacy in-tree provisioners, which should be migrated to CSI drivers. | High | 4 |
| SC002 | StorageClass Prevents Volume Expansion | Identifies StorageClasses that do not permit volume expansion, which can limit dynamic scaling of stateful applications. | Medium | 2 |
| SC003 | High Cluster Storage Usage | Monitors the overall percentage of used storage across the cluster. | | |