Kubernetes has a peculiar failure mode: the cluster is up, pods are green, the dashboard looks fine. And there's a latent problem that'll take down production the next time something unusual happens. A missing PodDisruptionBudget. No network policies. Secrets in a plaintext ConfigMap. No resource limits, so one runaway pod evicts its neighbors.
The Kubernetes Audit is the checklist for catching those before they matter. Twenty signals organized across five buckets: resource governance, health and reliability, security, observability, and operations. Tick what you already have; the AI fix prompt produces patch YAML for everything you don't.
The signals
The ones that bite hardest, in my experience:
Resource requests and limits. Without requests, the scheduler can pack pods onto already-starved nodes. Without limits, one pod's memory leak evicts a neighbor. The fix is one stanza per container. The audit tracks both.
Liveness, readiness, and startup probes. Separate concerns. Liveness restarts unhealthy pods, readiness gates traffic until the pod is ready, startup gives slow-booting apps grace before liveness fires. Missing any one of the three means some class of failure goes undetected or some class of rollout flaps.
NetworkPolicies default-deny. The Kubernetes default is wide-open east-west traffic: every pod can talk to every other pod, so a compromised pod can scan the whole cluster. Default-deny + explicit allow is the security baseline.
Secrets in Vault / External Secrets Operator / Sealed Secrets. Not in ConfigMaps (visible to anyone with get pods permission). Not in git even in encrypted form without clear rotation policy. This is the security signal that embarrasses people when they discover it's been missing.
Velero or managed snapshot backups. Untested backups don't exist. The audit's opinion: run a quarterly restore drill or you have no backups, only hope.
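To make the first two signals concrete (requests/limits and the three probes), here is an added example that is not the Kubernetes Audit's own code: a small auditor over a constructed Deployment, held as a Python dict so it runs offline, plus a strategic-merge patch that fills in absent resource stanzas with hypothetical placeholder values.

```python
# Added example, not part of the Kubernetes Audit. Constructed Deployment:
# "app" has requests and two probes but no limits or startupProbe;
# "sidecar" has nothing set at all.
DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "web"},
    "spec": {"template": {"spec": {"containers": [
        {"name": "app",
         "resources": {"requests": {"cpu": "100m", "memory": "128Mi"}},
         "livenessProbe": {"httpGet": {"path": "/healthz", "port": 8080}},
         "readinessProbe": {"httpGet": {"path": "/ready", "port": 8080}}},
        {"name": "sidecar"},
    ]}}},
}

RESOURCE_KEYS = ("cpu", "memory")
PROBES = ("livenessProbe", "readinessProbe", "startupProbe")


def audit_containers(manifest):
    """Return {container_name: [finding, ...]} for the governance and
    health signals: requests, limits, and the three probes."""
    findings = {}
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        issues = []
        res = c.get("resources", {})
        for section in ("requests", "limits"):
            missing = [k for k in RESOURCE_KEYS if k not in res.get(section, {})]
            if missing:
                issues.append(f"resources.{section} missing {','.join(missing)}")
        issues += [f"{p} missing" for p in PROBES if p not in c]
        findings[c["name"]] = issues
    return findings


def resource_patch(manifest, defaults=None):
    """Strategic-merge patch adding only the absent requests/limits.
    Defaults are hypothetical placeholders; size them per workload.
    Containers are matched by name, so untouched ones are omitted."""
    defaults = defaults or {"cpu": "100m", "memory": "128Mi"}
    containers = []
    for c in manifest["spec"]["template"]["spec"]["containers"]:
        res = c.get("resources", {})
        fill = {s: {k: defaults[k] for k in RESOURCE_KEYS if k not in res.get(s, {})}
                for s in ("requests", "limits")}
        fill = {s: v for s, v in fill.items() if v}
        if fill:
            containers.append({"name": c["name"], "resources": fill})
    return {"spec": {"template": {"spec": {"containers": containers}}}}
```

The patch is in strategic-merge form, which is `kubectl patch`'s default type, so it can be applied to the live Deployment once the placeholder values are replaced with real ones.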
Cluster-context-aware prompts
The audit adjusts its output based on who's using it. Beginner: the AI fix prompt explains each fix in plain English before showing YAML. Advanced: skip explanations, deliver patch YAML and kubectl verification commands only. Intermediate is the default.
It also scales to cluster size. A k3s cluster with one node has a different remediation shape than an EKS multi-zone cluster. The prompt reflects that context.
Pair with
- Docker Gen. Most small businesses should stop at docker-compose and never jump to K8s. The K8s audit is for when you've already made the jump and need to do it right.
- Container Visualizer. Visual decision tree for when the jump is worth it.
Methodology: Chapter 6 of The $100 Network, The Provider Stack, covers the infrastructure decision matrix. Chapter 26, Monitoring at Scale, is the observability companion. A K8s cluster without metrics and log aggregation is a cluster you can't fix.