Kubernetes (any distribution) · 11 checks
In-cluster waste and posture, wherever it runs.
Cluster waste lives in the gap between what pods request and what they use: requests set far above real consumption, namespaces nobody runs anything in, PersistentVolumeClaims orphaned by deleted workloads, deployments scaled to zero but never cleaned up.
InfraSweep reads the cluster directly with a read-only kubeconfig, pairs requests against metrics-server usage, and infers the hosting cloud from node providerIDs, so right-sizing recommendations land where the spend is.
Requests ≫ usage
The biggest container waste: pods reserving far more CPU/memory than they ever use.
Posture too
Privileged pods, hostPath mounts, and latest-tag images flagged alongside the waste.
Any distro
EKS, GKE, AKS, or self-managed: the same read-only in-cluster pass.
What we scan on Kubernetes
2 security checksA representative sample of the 11 Kubernetes checks, grouped by service domain. Cost waste and security risk are surfaced in the same read-only pass.
Workload right-sizing
Requests vs real usage from metrics-server.Over-requested CPU / memory
Pods reserving far more than they consume.
Missing limits
Workloads with no resource ceilings.
Single-replica & zombie deployments
No redundancy, or scaled-down but never removed.
Idle & orphaned
Namespaces, PVCs, DaemonSets, pending pods.Idle namespaces
Namespaces with no active workloads.
Orphaned PersistentVolumeClaims
Storage claims left by deleted workloads.
Pending pods & DaemonSet spread
Stuck scheduling and unnecessary DaemonSets.
Posture
Pod-security and image hygiene.Privileged & hostPath pods
Containers with host-level access or mounts.
latest-tag images
Non-pinned images that undermine reproducibility.
How you connect
A read-only kubeconfig
Point InfraSweep at a kubeconfig with read access; it uses a lazy client and never writes to the cluster.
How the dollars are calculated
Right-sizing is expressed in requested vs used resources; dollar mapping follows the hosting cloud inferred from node providerIDs.
Every finding is backed by the raw cloud API response it came from, with a confidence score and the pricing source labelled, no black-box numbers.
Scan your Kubernetes estate free
Connect a read-only kubeconfig and run a read-only scan. Findings come priced in real dollars with a fix and the evidence for each.
Start scanning free