First-response triage for suspicious Kubernetes workloads.
A read-only kubectl plugin that collapses the first 60 seconds of incident triage into a single command. Pod context, security signals, events, logs, network policy, and RBAC — summary first, details after.
kubectl krew install triage
kubectl triage pod suspicious-pod -n payments
One command. Structured output. No cluster write access needed.
══ kubectl-triage: payments/suspicious-pod [Pod] ══
2026-04-05 17:00:00 UTC
▸ Summary
- pod is not ready
- restart loop indicators present
- image uses :latest (app)
- service account token is auto-mounted
- uses default service account
- no NetworkPolicy selects this workload
- runAsNonRoot is not set
▸ Security
privileged no
runAsNonRoot not set ⚠
readOnlyRootFilesystem not set
allowPrivilegeEscalation not set
added capabilities none
▸ Service Account
name default (default SA)
automount token enabled ⚠
▸ Key Events
⚠ Warning BackOff: Back-off restarting failed container
⚠ Warning PolicyViolation: require-run-as-non-root
▸ Network
NetworkPolicy ✗ none — unrestricted
Security context gaps
runAsNonRoot, privileged, allowPrivilegeEscalation, added capabilities
Service account exposure
Default SA usage, token automount, RBAC bindings
Network policy coverage
Whether any NetworkPolicy selects this workload
Image signals
:latest tags, image pull policy
Events and logs
Recent warning events and log tail without exec
Policy violations
Kyverno and OPA/Gatekeeper admission events
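How the pod-level signals in this list (security context gaps, service account exposure, image tags) can be read from a pod object, as an added example that is not kubectl-triage's own code. The function names, finding strings and sample pod are assumptions made for illustration; NetworkPolicy and RBAC checks need other API objects and are left out.

```python
# Constructed sample, shaped like `kubectl get pod -o json` output (not real data).
SAMPLE_POD = {
    "metadata": {"name": "suspicious-pod", "namespace": "payments"},
    "spec": {
        "serviceAccountName": "default",
        "containers": [
            {"name": "app", "image": "registry.example.com:5000/shop/app:latest"},
            {"name": "sidecar",
             "image": "registry.example.com:5000/shop/proxy@sha256:0000",  # placeholder digest
             "securityContext": {"runAsNonRoot": True,
                                 "allowPrivilegeEscalation": False,
                                 "capabilities": {"add": ["NET_ADMIN"]}}},
        ],
    },
}

def floating_tag(image):
    """True when the reference resolves to :latest (explicit, or no tag and no digest)."""
    if "@" in image:                    # digest-pinned reference
        return False
    last = image.rsplit("/", 1)[-1]     # drop the registry host:port and repository path
    return ":" not in last or last.rsplit(":", 1)[1] == "latest"

def pod_signals(pod):
    """Return a list of findings for one pod object (hypothetical helper)."""
    spec = pod.get("spec", {})
    pod_sc = spec.get("securityContext") or {}
    findings = []
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        sc, name = c.get("securityContext") or {}, c["name"]
        if floating_tag(c.get("image", "")):
            findings.append(f"image uses :latest ({name})")
        # A container-level runAsNonRoot overrides the pod-level value.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            findings.append(f"runAsNonRoot is not enforced ({name})")
        if sc.get("privileged"):
            findings.append(f"privileged container ({name})")
        if sc.get("allowPrivilegeEscalation") is None:
            findings.append(f"allowPrivilegeEscalation is not set ({name})")
        added = (sc.get("capabilities") or {}).get("add") or []
        if added:
            findings.append(f"added capabilities {','.join(added)} ({name})")
    if spec.get("serviceAccountName", "default") == "default":
        findings.append("uses default service account")
    # Pod-level view only: an unset field defers to the ServiceAccount, which mounts by default.
    if spec.get("automountServiceAccountToken") is not False:
        findings.append("service account token is auto-mounted")
    return findings

if __name__ == "__main__":
    print("\n".join(pod_signals(SAMPLE_POD)))
```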
Incident triage
Something is behaving oddly. Start here before exec'ing into a container or running kubectl describe manually.
Suspicious workload review
Security team flagged a workload. Get a structured view of every relevant signal before the review call.
Policy rollout validation
Check that a namespace's workloads look clean before flipping enforcement mode.
kubectl-triage surfaces the signals. A Baseline Review turns those signals into a clear, shared operating model your whole team can follow.