Kubernetes (any distribution) · 11 checks

In-cluster waste and posture, wherever it runs.

Cluster waste lives in the gap between what pods request and what they use: requests set far above real consumption, namespaces nobody runs anything in, PersistentVolumeClaims orphaned by deleted workloads, deployments scaled to zero but never cleaned up.

InfraSweep reads the cluster directly with a read-only kubeconfig, pairs requests against metrics-server usage, and infers the hosting cloud from node providerIDs, so right-sizing recommendations land where the spend is.

Requests ≫ usage

The biggest container waste: pods reserving far more CPU/memory than they ever use.

Posture too

Privileged pods, hostPath mounts, and latest-tag images flagged alongside the waste.

Any distro

EKS, GKE, AKS, or self-managed: the same read-only in-cluster pass.

What we scan on Kubernetes

2 security checks

A representative sample of the 11 Kubernetes checks, grouped by service domain. Cost waste and security risk are surfaced in the same read-only pass.

Workload right-sizing

Requests vs real usage from metrics-server.

Over-requested CPU / memory

Pods reserving far more than they consume.

Missing limits

Workloads with no resource ceilings.

Single-replica & zombie deployments

No redundancy, or scaled-down but never removed.

Idle & orphaned

Namespaces, PVCs, DaemonSets, pending pods.

Idle namespaces

Namespaces with no active workloads.

Orphaned PersistentVolumeClaims

Storage claims left by deleted workloads.

Pending pods & DaemonSet spread

Stuck scheduling and unnecessary DaemonSets.

Posture

Pod-security and image hygiene.

Privileged & hostPath pods

Containers with host-level access or mounts.

latest-tag images

Non-pinned images that undermine reproducibility.

How you connect

A read-only kubeconfig

Point InfraSweep at a kubeconfig with read access; it uses a lazy client and never writes to the cluster.

Read-only (get/list/watch). No mutating verbs.

How the dollars are calculated

Right-sizing is expressed in requested vs used resources; dollar mapping follows the hosting cloud inferred from node providerIDs.

Every finding is backed by the raw cloud API response it came from, with a confidence score and the pricing source labelled, no black-box numbers.

Scan your Kubernetes estate free

Connect a read-only kubeconfig and run a read-only scan. Findings come priced in real dollars with a fix and the evidence for each.

Start scanning free

Other clouds we scan