Introducing kubeqa: The Open-Source Kubernetes QA Platform

Most Kubernetes teams run 4-6 separate tools to validate their clusters - one for security scanning, another for chaos testing, a third for compliance, and custom scripts for deployment gates. Each produces its own reports in its own format, runs on its own schedule, and none of them talk to each other.

kubeqa unifies all four into a single CLI.

What kubeqa does

kubeqa is an open-source Kubernetes QA platform built in Go with a Python AI backend. It scans your cluster across four dimensions:

1. Cluster Health Scanner

An 8-dimension health score for your cluster: resources, security, networking, storage, availability, observability, configuration, and cost efficiency.

$ kubeqa health scan

  Health Score: 87/100

  ✓ Resources:    82/100  (4 pods without limits)
  ✓ Security:     91/100  (1 privileged container)
  ✓ Networking:   95/100
  ✗ Availability: 68/100  (2 single-replica deployments)
  ✓ Observability: 78/100 (3 pods without probes)

2. Chaos Engineering

Controlled failure injection - pod kill, network partition, CPU stress, node drain - with steady-state validation and blast-radius controls built in.

$ kubeqa chaos run pod-failure --namespace production --count 1 --duration 30s
  ✓ Steady state validated
  ✓ Pod payments-7b9f4 killed
  ✓ Recovery time: 8.2s
  ✓ Steady state re-validated
  Resilience score: 4/5

3. Compliance Automation

Built-in profiles for CIS Benchmarks, NSA/CISA, SOC 2, HIPAA, PCI DSS, NESA, and NCA. Continuous audit with drift detection and evidence collection.

$ kubeqa compliance audit --framework cis-1.8
  Pass: 128/142 controls (90.1%)
  Fail: 14 controls
  Top finding: 4.2.1 - Minimize access to secrets

4. Deployment Gates

CI/CD-native quality gates that block bad deployments before production. Works with GitHub Actions, GitLab CI, ArgoCD, Jenkins, and Flux.

# .github/workflows/deploy.yaml
- name: kubeqa gate
  uses: nomadx-ae/kubeqa-action@v1
  with:
    fail-on: critical
    compliance: cis-1.8

Why we built kubeqa

We’re the team behind kubernetes.ae - a Kubernetes consulting firm that has assessed hundreds of clusters across the GCC and globally. Every engagement started the same way: run kube-bench, run Polaris, check RBAC, test resilience manually, write a report.

After the third time we wrote the same health check script, we productized it. After the fifth compliance audit, we automated the evidence collection. After Datree shut down in 2023 and left a vacuum in deployment policy enforcement, we built gates.

kubeqa is the tool we wished existed when we started consulting.

Architecture

kubeqa is a Go CLI that talks directly to the Kubernetes API using read-only access. No cluster-side agents required. No privileged access needed.

The optional Python AI backend provides intelligent remediation recommendations - not just “this is wrong” but “here’s the kubectl patch to fix it, adapted for your Helm chart.”

kubeqa CLI (Go)  →  K8s API (read-only)
     ↓
AI Backend (Python)  →  LLM analysis + RAG knowledge base

Open source, always

kubeqa is Apache 2.0 licensed. The CLI is free forever. We will never gate OSS features behind a paywall.

The kubeqa Cloud (coming soon) adds multi-cluster dashboards, historical trends, team collaboration, and enterprise features (SSO, audit logs, compliance PDF exports). But the core scanning engine - health, chaos, compliance, and gates - stays open.

Get started

# Install
brew install nomadx-ae/tap/kubeqa

# Run your first scan
kubeqa health scan

# Star us on GitHub
# github.com/nomadx-ae/kubeqa

We’re building kubeqa in the open. Star the repo, join our Discord, and help us define the “Kubernetes QA” category.

kubeqa is built by NomadX - a Kubernetes and DevSecOps consulting firm based in Dubai. For hands-on Kubernetes consulting, visit kubernetes.ae.