DEV.co
Open-Source Observability · kubesphere

kubeeye

KubeEye is a Kubernetes cluster inspection tool that identifies misconfigurations, unhealthy components, and node problems using customizable rules. It provides automated, scheduled inspections with HTML report generation and supports multiple rule types including OPA, PromQL, and kernel parameter checks.

Source: GitHub — github.com/kubesphere/kubeeye
851
GitHub stars
189
Forks
Go
Primary language
Apache-2.0
License (OSI-approved)

Key facts

Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.

FieldValue
Repositorykubesphere/kubeeye
Ownerkubesphere
Primary languageGo
LicenseApache-2.0 — OSI-approved
Stars851
Forks189
Open issues38
Latest releasev1.0.6 (2025-04-17)
Last updated2025-06-25
Sourcehttps://github.com/kubesphere/kubeeye

What kubeeye is

KubeEye is a Go-based Kubernetes operator that deploys via Helm, exposes inspection results through a REST API, and executes inspections based on cron schedules or on-demand. It supports custom InspectPlan and InspectRule CRDs, integrates with Prometheus for PromQL-based checks, and generates downloadable HTML reports via its apiserver component.

Quickstart

Get the kubeeye source

Clone the repository and explore it locally.

terminalbash
git clone https://github.com/kubesphere/kubeeye.gitcd kubeeye# follow the project's README for install & configuration

Need it deployed, integrated, or customized instead? DEV.co ships production installs.

Best use cases

Automated Kubernetes Cluster Health Audits

Schedule periodic inspections (e.g., every 12 hours) to detect misconfigurations, pod state issues, and node problems before they impact production workloads.

Multi-Cluster Compliance and Policy Enforcement

Use OPA rules to enforce organizational policies across Kubernetes clusters and generate compliance reports; KubeSphere multi-cluster support enables centralized inspection.

Proactive Incident Prevention and Root Cause Analysis

Correlate event logs, node metrics, and resource configurations to identify systemic issues early; PromQL integration enables metric-driven diagnostics.

Implementation considerations

  • Plan Prometheus endpoint configuration early if PromQL rules are needed; KubeEye requires pre-existing Prometheus setup and network access.
  • Define and version control custom inspection rules in the `rules` directory; demo rules are provided but must be customized for organizational policies.
  • Size the inspection schedule (cron expressions) and maxTasks retention to avoid resource overhead; timeout defaults to 10 minutes and is configurable.
  • Coordinate RBAC permissions for kubeeye-system namespace; the tool requires read access to cluster resources (ConfigMaps, Deployments, Nodes, Events, etc.).
  • Plan report delivery and archival; inspection results are retrieved via REST API; no built-in storage or alerting integration is mentioned.

When to avoid it — and what to weigh

  • Need Real-Time Remediation — KubeEye is inspection-only; it does not automatically fix detected issues. If automatic remediation is required, consider tools with webhook/controller-based enforcement.
  • Require Advanced Machine Learning or Anomaly Detection — KubeEye uses rule-based inspection without ML/AI anomaly detection. For predictive analytics or anomaly-driven alerting, evaluate specialized observability platforms.
  • Operating Kubernetes Clusters Without Helm or Limited API Access — KubeEye requires Helm deployment, RBAC permissions, and CRD registration. Environments with restricted cluster API access or no Helm support may face deployment friction.
  • Low Tolerance for Custom Rule Configuration — KubeEye's value depends on defining and maintaining custom inspection rules. Teams unwilling to invest in rule creation and updates will see limited benefit.

License & commercial use

KubeEye is licensed under Apache License 2.0, a permissive OSI-approved open-source license.

Apache-2.0 permits commercial use, redistribution, and modification with proper attribution and notice of changes. Consult legal counsel if bundling with proprietary software or offering as a managed service.

DEV.co evaluation signals

Editorial assessment — not user reviews. Directional, with an explicit confidence level.

SignalAssessment
MaintenanceActive
DocumentationAdequate
License clarityClear
Deployment complexityModerate
DEV.co fitGood
Assessment confidenceHigh
Security considerations

KubeEye requires elevated RBAC permissions to read cluster state (Nodes, Pods, ConfigMaps, Events, SystemD services). Ensure apiserver service (port 9090) is network-isolated; no authentication mentioned for report downloads. Inspection results may contain sensitive configuration data; secure report transmission and storage. Review custom OPA and PromQL rules for injection vulnerabilities before deployment.

Alternatives to consider

Polaris (Fairwinds)

Similar Kubernetes audit tool focusing on security, best practices, and resource efficiency; offers built-in policy library and web dashboard without Prometheus dependency.

Kube-score

Lightweight CLI-based Kubernetes manifest scanner that checks configuration best practices; simpler deployment for pre-deployment validation but lacks runtime cluster inspection.

Kubescape (CNCF)

Cloud-native security posture management tool; performs compliance scanning and risk assessment with CIS Kubernetes benchmarks; broader security focus than KubeEye's misconfiguration detection.

Software development agency

Build on kubeeye with DEV.co software developers

KubeEye provides scheduled, rule-driven cluster inspections with detailed HTML reports. Evaluate its fit for your compliance and operational resilience requirements.

Talk to DEV.co

Related open-source tools

Surfaced by semantic similarity across the DEV.co open-source index.

kubeeye FAQ

Can KubeEye automatically fix detected issues?
No. KubeEye is inspection-only and generates reports; it does not implement fixes or enforcement. External controllers or CI/CD pipelines must act on findings.
Does KubeEye work without Prometheus?
Yes, for non-PromQL rules (OPA, File Change, Node Basic Info, etc.). PromQL rules specifically require a Prometheus endpoint configured in the rule definition.
Is there an official SLA or vendor support?
Unknown. KubeEye is community-driven and open-source. Support depends on KubeSphere ecosystem contributions; no commercial support terms are documented.
Can I run KubeEye on a disconnected (air-gapped) cluster?
Yes. The installation package includes offline images and Helm charts; you must pre-import container images into a local registry and update the chart values.

Software development & web development with DEV.co

From first prototype to production, DEV.co delivers software development services around tools like kubeeye. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.

Need Kubernetes Cluster Health Audits and Policy Enforcement?

KubeEye provides scheduled, rule-driven cluster inspections with detailed HTML reports. Evaluate its fit for your compliance and operational resilience requirements.