How to use the Kubernetes / Helm Policy Inspector
Paste your Kubernetes manifests — or the output of helm template — and the inspector lints every workload (Deployment, StatefulSet, DaemonSet, Job, CronJob, Pod) against common pod-security and best-practice rules, grouping findings by severity. It reads multi-document YAML and runs entirely in your browser; nothing is uploaded.
What it does
- Flags privileged containers, root users, and host namespace sharing (critical).
- Warns on missing runAsNonRoot, allowPrivilegeEscalation, readOnlyRootFilesystem, and un-dropped capabilities.
- Warns on missing resource requests/limits and on :latest or untagged images.
- Notes missing liveness/readiness probes and default service-account token mounts.
When to use it
- Reviewing a Helm chart or manifest change before deploy.
- Hardening workloads toward the restricted Pod Security Standard.
- Spot-checking a third-party chart for risky defaults.
- Teaching pod-security best practices.
How to use it
- Paste one or more manifests (separate documents with ---).
- Read the severity summary and grouped findings.
- Fix the critical and warning items, then re-check.
Tips & pitfalls
- Render Helm charts first (helm template) — the inspector reads concrete manifests, not templates.
- This is a heuristic linter, not a full OPA/Kyverno policy engine; use it as guidance alongside your admission controllers.
- Set both container- and pod-level securityContext for defense in depth.
FAQ
- What rules does the policy inspector check? It checks pod-security and best-practice rules: privileged containers, runAsNonRoot and runAsUser, allowPrivilegeEscalation, readOnlyRootFilesystem, dropped capabilities, host namespaces (hostNetwork/hostPID/hostIPC), hostPath volumes, resource requests and limits, image tags, and liveness/readiness probes.
- Can I paste Helm output? Yes. Render your chart first with helm template, then paste the resulting YAML. The inspector reads multi-document YAML and evaluates every workload it finds.
- Is my YAML uploaded anywhere? No. The manifests are parsed and analyzed entirely in your browser. Nothing is sent to any server.
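The rules listed under "What it does" and in the FAQ above can be reproduced as a small offline linter. The following is an added example written for this guide, not the inspector's own code: it splits a multi-document stream on --- lines, finds the pod template of each workload kind (Pod, Deployment, StatefulSet, DaemonSet, Job, CronJob), merges pod- and container-level securityContext the way Kubernetes does, and groups findings by severity. Two assumptions are made: the sample manifests are embedded as JSON documents (valid Kubernetes manifests) so the example needs only the standard library, with yaml.safe_load as the drop-in if PyYAML is installed; and the severities for hostPath volumes (warning) and for probe/token findings (info) are this example's choice, since the page states only that privileged, root and host-namespace findings are critical.

```python
"""Minimal pod-security linter in the spirit of the Kubernetes / Helm Policy Inspector.

Added example for this guide (not the inspector's own code). Documents are JSON
rather than YAML so that only the standard library is needed.
"""
import json
import re
from collections import defaultdict

CRITICAL, WARNING, INFO = "critical", "warning", "info"  # severity buckets (assumption)

# Constructed sample input: a risky Deployment, a hardened Pod and a non-workload object.
SAMPLE_MANIFESTS = """
{"apiVersion":"apps/v1","kind":"Deployment","metadata":{"name":"legacy-web"},
 "spec":{"template":{"spec":{"hostNetwork":true,
   "containers":[{"name":"web","image":"nginx:latest",
     "securityContext":{"privileged":true}}]}}}}
---
{"apiVersion":"v1","kind":"Pod","metadata":{"name":"hardened"},
 "spec":{"automountServiceAccountToken":false,
   "securityContext":{"runAsNonRoot":true,"runAsUser":10001},
   "containers":[{"name":"app","image":"registry.example/app:1.4.2",
     "securityContext":{"allowPrivilegeEscalation":false,"readOnlyRootFilesystem":true,
       "capabilities":{"drop":["ALL"]}},
     "resources":{"requests":{"cpu":"100m","memory":"64Mi"},
                  "limits":{"cpu":"500m","memory":"128Mi"}},
     "livenessProbe":{"httpGet":{"path":"/healthz","port":8080}},
     "readinessProbe":{"httpGet":{"path":"/ready","port":8080}}}]}}
---
{"apiVersion":"v1","kind":"ConfigMap","metadata":{"name":"ignored"},"data":{}}
"""


def split_documents(stream: str):
    """Split a multi-document stream on '---' separator lines, as the inspector does."""
    for doc in re.split(r"(?m)^---[ \t]*$", stream):
        if doc.strip():
            yield json.loads(doc)  # swap for yaml.safe_load(doc) when PyYAML is available


def pod_spec(manifest):
    """Return the PodSpec of a workload, or None for kinds the linter ignores."""
    kind, spec = manifest.get("kind"), manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return spec.get("template", {}).get("spec", {})
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec", {})
    return None


def image_is_floating(image: str) -> bool:
    """True for ':latest' or an image with neither a tag nor a digest."""
    if "@" in image:  # pinned by digest
        return False
    last = image.rsplit("/", 1)[-1]  # strip registry:port/repo path before looking for a tag
    return ":" not in last or last.endswith(":latest")


def lint_manifest(manifest):
    """Return (severity, workload, message) findings for one manifest."""
    findings = []
    spec = pod_spec(manifest)
    if spec is None:
        return findings
    name = f'{manifest.get("kind")}/{manifest.get("metadata", {}).get("name", "?")}'
    add = lambda sev, msg: findings.append((sev, name, msg))

    for ns in ("hostNetwork", "hostPID", "hostIPC"):
        if spec.get(ns) is True:
            add(CRITICAL, f"{ns} shares a host namespace")
    for vol in spec.get("volumes", []):
        if "hostPath" in vol:
            add(WARNING, f'volume {vol.get("name")} mounts a hostPath')
    if spec.get("automountServiceAccountToken") is not False:
        add(INFO, "service-account token is auto-mounted (set automountServiceAccountToken: false)")

    pod_sc = spec.get("securityContext", {})
    containers = [(c, False) for c in spec.get("containers", [])]
    containers += [(c, True) for c in spec.get("initContainers", [])]
    for c, is_init in containers:
        cname = c.get("name", "?")
        sc = {**pod_sc, **c.get("securityContext", {})}  # container fields override pod fields
        if sc.get("privileged") is True:
            add(CRITICAL, f"{cname}: privileged container")
        if sc.get("runAsUser") == 0:
            add(CRITICAL, f"{cname}: runs as root (runAsUser: 0)")
        if sc.get("runAsNonRoot") is not True:
            add(WARNING, f"{cname}: runAsNonRoot is not true")
        if sc.get("allowPrivilegeEscalation") is not False:
            add(WARNING, f"{cname}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            add(WARNING, f"{cname}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            add(WARNING, f"{cname}: capabilities are not dropped (drop: [ALL])")
        for field in ("requests", "limits"):
            if not c.get("resources", {}).get(field):
                add(WARNING, f"{cname}: no resource {field}")
        if image_is_floating(c.get("image", "")):
            add(WARNING, f'{cname}: image {c.get("image")!r} is :latest or untagged')
        if not is_init:  # init containers cannot carry probes
            for probe in ("livenessProbe", "readinessProbe"):
                if probe not in c:
                    add(INFO, f"{cname}: no {probe}")
    return findings


def lint_stream(stream: str):
    """Lint every workload in a multi-document stream; findings grouped by severity."""
    grouped = defaultdict(list)
    for manifest in split_documents(stream):
        for sev, name, msg in lint_manifest(manifest):
            grouped[sev].append(f"{name}: {msg}")
    return dict(grouped)


if __name__ == "__main__":
    for sev, items in lint_stream(SAMPLE_MANIFESTS).items():
        print(f"[{sev}] {len(items)} finding(s)")
        for item in items:
            print("  -", item)
```

Run it as-is to see the legacy-web Deployment produce two critical findings (hostNetwork and the privileged container) plus the warning and info items, while the hardened Pod is clean because its pod-level runAsNonRoot/runAsUser and container-level securityContext together satisfy every rule; the ConfigMap is skipped. The merge on the sc line is why the page's tip about setting both pod- and container-level securityContext matters: a container-level value silently overrides the pod-level one.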