kubeeye
KubeEye is a Kubernetes cluster inspection tool that identifies misconfigurations, unhealthy components, and node problems using customizable rules. It provides automated, scheduled inspections with HTML report generation and supports multiple rule types including OPA, PromQL, and kernel parameter checks.
Key facts
Objective fields from the source. Values we can't verify are shown as “Unknown” rather than guessed.
| Field | Value |
|---|---|
| Repository | kubesphere/kubeeye |
| Owner | kubesphere |
| Primary language | Go |
| License | Apache-2.0 — OSI-approved |
| Stars | 851 |
| Forks | 189 |
| Open issues | 38 |
| Latest release | v1.0.6 (2025-04-17) |
| Last updated | 2025-06-25 |
| Source | https://github.com/kubesphere/kubeeye |
What kubeeye is
KubeEye is a Go-based Kubernetes operator that deploys via Helm, exposes inspection results through a REST API, and executes inspections based on cron schedules or on-demand. It supports custom InspectPlan and InspectRule CRDs, integrates with Prometheus for PromQL-based checks, and generates downloadable HTML reports via its apiserver component.
Get the kubeeye source
Clone the repository and explore it locally.
git clone https://github.com/kubesphere/kubeeye.gitcd kubeeye# follow the project's README for install & configurationNeed it deployed, integrated, or customized instead? DEV.co ships production installs.
Best use cases
Implementation considerations
- Plan Prometheus endpoint configuration early if PromQL rules are needed; KubeEye requires pre-existing Prometheus setup and network access.
- Define and version control custom inspection rules in the `rules` directory; demo rules are provided but must be customized for organizational policies.
- Size the inspection schedule (cron expressions) and maxTasks retention to avoid resource overhead; timeout defaults to 10 minutes and is configurable.
- Coordinate RBAC permissions for kubeeye-system namespace; the tool requires read access to cluster resources (ConfigMaps, Deployments, Nodes, Events, etc.).
- Plan report delivery and archival; inspection results are retrieved via REST API; no built-in storage or alerting integration is mentioned.
When to avoid it — and what to weigh
- Need Real-Time Remediation — KubeEye is inspection-only; it does not automatically fix detected issues. If automatic remediation is required, consider tools with webhook/controller-based enforcement.
- Require Advanced Machine Learning or Anomaly Detection — KubeEye uses rule-based inspection without ML/AI anomaly detection. For predictive analytics or anomaly-driven alerting, evaluate specialized observability platforms.
- Operating Kubernetes Clusters Without Helm or Limited API Access — KubeEye requires Helm deployment, RBAC permissions, and CRD registration. Environments with restricted cluster API access or no Helm support may face deployment friction.
- Low Tolerance for Custom Rule Configuration — KubeEye's value depends on defining and maintaining custom inspection rules. Teams unwilling to invest in rule creation and updates will see limited benefit.
License & commercial use
KubeEye is licensed under Apache License 2.0, a permissive OSI-approved open-source license.
Apache-2.0 permits commercial use, redistribution, and modification with proper attribution and notice of changes. Consult legal counsel if bundling with proprietary software or offering as a managed service.
DEV.co evaluation signals
Editorial assessment — not user reviews. Directional, with an explicit confidence level.
| Signal | Assessment |
|---|---|
| Maintenance | Active |
| Documentation | Adequate |
| License clarity | Clear |
| Deployment complexity | Moderate |
| DEV.co fit | Good |
| Assessment confidence | High |
KubeEye requires elevated RBAC permissions to read cluster state (Nodes, Pods, ConfigMaps, Events, SystemD services). Ensure apiserver service (port 9090) is network-isolated; no authentication mentioned for report downloads. Inspection results may contain sensitive configuration data; secure report transmission and storage. Review custom OPA and PromQL rules for injection vulnerabilities before deployment.
Alternatives to consider
Polaris (Fairwinds)
Similar Kubernetes audit tool focusing on security, best practices, and resource efficiency; offers built-in policy library and web dashboard without Prometheus dependency.
Kube-score
Lightweight CLI-based Kubernetes manifest scanner that checks configuration best practices; simpler deployment for pre-deployment validation but lacks runtime cluster inspection.
Kubescape (CNCF)
Cloud-native security posture management tool; performs compliance scanning and risk assessment with CIS Kubernetes benchmarks; broader security focus than KubeEye's misconfiguration detection.
Build on kubeeye with DEV.co software developers
KubeEye provides scheduled, rule-driven cluster inspections with detailed HTML reports. Evaluate its fit for your compliance and operational resilience requirements.
Talk to DEV.coRelated open-source tools
Surfaced by semantic similarity across the DEV.co open-source index.
Related on DEV.co
Explore the category and the services that help you build with it.
kubeeye FAQ
Can KubeEye automatically fix detected issues?
Does KubeEye work without Prometheus?
Is there an official SLA or vendor support?
Can I run KubeEye on a disconnected (air-gapped) cluster?
Software development & web development with DEV.co
From first prototype to production, DEV.co delivers software development services around tools like kubeeye. Our software development agency staffs experienced software developers and web developers for custom software development, web development, integrations, and ongoing support across open-source observability and beyond.
Need Kubernetes Cluster Health Audits and Policy Enforcement?
KubeEye provides scheduled, rule-driven cluster inspections with detailed HTML reports. Evaluate its fit for your compliance and operational resilience requirements.