Radar OSS · Cluster Audit

31 best-practice checks. Zero install on your cluster.

Security, reliability, and efficiency checks — inspired by Polaris, Kubescape, Trivy, and the NSA/CISA hardening guide. Runs against Radar's cached cluster state, finishes in under a second.

Apache 2.0 · Runs on your laptop or in-cluster · No account needed
radar · cluster audit

Checks run: 31 · Critical: 2 · Warning: 3 · Passing: 26

| Severity | Finding | Resource | Category | Framework |
|---|---|---|---|---|
| Critical | Privileged container | DaemonSet/logging-agent · kube-system | Security | NSA/CISA · CIS 5.2.1 |
| Critical | Runtime socket mounted | Deployment/build-runner · ci | Security | NSA/CISA · CIS 5.1.5 |
| Warning | No resource limits set | Deployment/api-gateway · edge | Efficiency | CIS 5.7.3 |
| Warning | Readiness probe missing | Deployment/payments · prod | Reliability | Polaris |
| Warning | Image tagged :latest | Deployment/worker · jobs | Reliability | Polaris · Kubescape |
| Info | Auto-mount service account token | Pod/ingress-nginx-abc · ingress | Security | NSA/CISA |

Showing 6 of 31 checks · Scan completed in 420ms · cached resources

Illustrative layout · real checks listed below

The problem

Three tools, one ops fight, and a cluster you still can't sign off on.

You want the CIS hardening advice. You install Kubescape. You want the efficiency best-practices. You install Polaris. You want container CVEs. You install Trivy. Three operators, three CRD sets, three maintenance surfaces.

And your first output is a YAML report you have to diff against last week's to know if anything got worse.

Radar's audit runs 31 checks spanning all three concerns — security, reliability, efficiency — grouped into one view, with per-check remediation, labeled by which framework originated it (NSA/CISA, CIS, Polaris). No operator to deploy. No CRDs installed. No scan schedule to maintain. The audit runs against Radar's already-cached cluster state, so it finishes in milliseconds.

What gets checked

Three categories. 31 checks. Zero config.

Inspired by Polaris, Kubescape, Trivy, and the NSA/CISA Kubernetes hardening guide. Categories from the Radar README; example checks below are representative.

Security

~12 checks
  • Privileged containers
  • Privilege escalation allowed
  • Host namespaces shared (hostPID, hostIPC, hostNetwork)
  • Container runtime sockets mounted
  • Service account tokens auto-mounted

Reliability

~11 checks
  • Liveness / readiness probes missing
  • Image tagged `:latest`
  • Single-replica Deployments in production
  • HA risk (all replicas on one node)
  • Deprecated APIs still in use

Efficiency

~8 checks
  • Resource requests missing
  • Resource limits missing
  • Orphan ConfigMaps / Secrets
  • Overprovisioned limits

The Radar README states “31 checks across security, reliability, and efficiency.” The checks above are representative examples cited in the source; the running audit enumerates the full set with remediation guidance.
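Added example, not Radar's own code: a Python function that applies a representative subset of the checks listed above to a pod spec and tags each finding the way the illustrative layout does (severity, category, originating framework). The check names, the framework mapping for the host-namespace and privilege-escalation checks, and the sample manifest are assumptions.

```python
# Added example (not Radar's own code): a representative subset of the page's
# checks, run over an in-memory pod spec. Names and the sample are constructed.
RUNTIME_SOCKETS = {"/var/run/docker.sock", "/run/containerd/containerd.sock",
                   "/run/crio/crio.sock"}

def image_is_latest(image):
    """True when the image is unpinned: tag ':latest' or no tag, and no digest."""
    if "@sha256:" in image:
        return False            # a digest pins the image regardless of tag
    tag = image.rsplit("/", 1)[-1].partition(":")[2]   # ignore registry port
    return tag in ("", "latest")

def audit_workload(kind, name, namespace, pod_spec):
    """Return (severity, check, category, frameworks, resource) tuples."""
    resource, findings = f"{kind}/{name} · {namespace}", []
    def add(sev, check, category, frameworks):
        findings.append((sev, check, category, frameworks, resource))
    if any(pod_spec.get(k) for k in ("hostPID", "hostIPC", "hostNetwork")):
        add("Critical", "Host namespace shared", "Security", ("NSA/CISA", "CIS"))
    if pod_spec.get("automountServiceAccountToken", True):   # default is True
        add("Info", "Auto-mount service account token", "Security", ("NSA/CISA",))
    for vol in pod_spec.get("volumes", []):
        if vol.get("hostPath", {}).get("path") in RUNTIME_SOCKETS:
            add("Critical", "Runtime socket mounted", "Security", ("NSA/CISA", "CIS"))
    for c in pod_spec.get("containers", []):
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            add("Critical", "Privileged container", "Security", ("NSA/CISA", "CIS"))
        if sc.get("allowPrivilegeEscalation", True):         # unset == allowed
            add("Warning", "Privilege escalation allowed", "Security", ("NSA/CISA", "CIS"))
        if not c.get("resources", {}).get("limits"):
            add("Warning", "No resource limits set", "Efficiency", ("CIS",))
        if "readinessProbe" not in c:
            add("Warning", "Readiness probe missing", "Reliability", ("Polaris",))
        if image_is_latest(c.get("image", "")):
            add("Warning", "Image tagged :latest", "Reliability", ("Polaris", "Kubescape"))
    return findings

# Constructed sample: a CI build runner that is otherwise hardened but mounts
# the Docker socket and runs an unpinned image.
SAMPLE = {"automountServiceAccountToken": False,
          "volumes": [{"name": "dock", "hostPath": {"path": "/var/run/docker.sock"}}],
          "containers": [{"name": "runner", "image": "registry.example/build-runner:latest",
                          "securityContext": {"allowPrivilegeEscalation": False},
                          "resources": {"limits": {"cpu": "1", "memory": "1Gi"}},
                          "readinessProbe": {"exec": {"command": ["true"]}}}]}

if __name__ == "__main__":
    for sev, check, _cat, fw, res in audit_workload("Deployment", "build-runner", "ci", SAMPLE):
        print(f"{sev:8} {check:32} {res:30} {'/'.join(fw)}")
```

Running it against the sample reports two findings, the Critical runtime-socket mount and the Warning for the unpinned image; the remaining checks pass because the spec sets the hardening fields explicitly.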

Under the hood

Why the audit is instant.

01 · Runs on cached state

Radar's informer cache is already the source of truth for the topology and resource views. The audit re-uses it. No extra API calls, no cluster-side scan scheduler.

02 · Framework-labeled findings

Each finding carries labels for the framework it came from — NSA/CISA, CIS, Polaris — so you can filter to the one your auditor cares about or the set your compliance program requires.

03 · Ignore lists

Configurable per-namespace ignore rules for the controllers you already know break the checks on purpose (kube-system, GPU operators, etc.) — so real findings aren't buried by noise.

Compared to the stack you'd otherwise assemble

One install instead of three operators.

| What you want | Typical tool | Radar audit |
|---|---|---|
| Security best-practices (NSA/CISA, CIS) | Kubescape operator + Kyverno | Built-in, labeled |
| Reliability hygiene (probes, replicas, :latest) | Polaris operator | Built-in |
| Efficiency checks (requests/limits, orphans) | Polaris operator or custom kubectl scripts | Built-in |
| Per-check remediation guidance | Tool-dependent | In every finding |
| Install cost | 3 operators + 3 CRD sets | brew install |
| Scan latency | Scheduled CronJob, minutes | Sub-second, on demand |

Open source

Apache 2.0. Yours to inspect, fork, or self-host.

Radar's source is on GitHub. Every feature on this page is in the binary you install with brew install. No telemetry, no mandatory login, no phone-home. If we ever change that, you'll see it in a diff first.

skyhook-io/radar · 1.3k★ GitHub stars · Apache 2.0 · Actively maintained

When you're auditing more than one cluster

Radar runs the audit across your whole fleet.

Same 31 checks. Same framework labels. Fleet-wide rollup. The Enterprise tier retains audit results, so you can show an auditor a finding trend over the last year instead of screenshotting today's scan.

See the OSS vs Hub comparison

Stop juggling three operators to learn what's wrong.

Radar runs the checks the moment it connects. brew install, open the Audit tab, read the list.

Apache 2.0 OSS · Unlimited clusters self-hosted · Hosted free tier for up to 3 clusters