Scanning & Risk Intelligence

Continuous cluster scanning with automated risk scoring for every Kubernetes component. Identify vulnerabilities before they impact production.

Kubernetes clusters are living systems. Every component, API version, and configuration setting changes over time as the upstream project evolves. The gap between what your clusters run today and what the next version requires creates a risk surface that grows wider with every release cycle. Left unmeasured, this gap becomes the primary source of unplanned downtime during infrastructure changes. Medulla's Scanning and Risk Intelligence continuously maps this surface, giving platform teams a clear, quantified understanding of their upgrade readiness at all times.

The Problem

Most organizations discover upgrade blockers during the upgrade itself. A deprecated API that was flagged in release notes months ago surfaces as a broken deployment at 2 AM during a maintenance window. An addon that worked fine on the previous version throws unexpected errors because its CRD definitions conflict with the new API server schema.

The downstream consequences are significant. Failed upgrades cascade into delayed feature releases, extended maintenance windows that exhaust on-call engineers, and compliance audit findings that flag outdated infrastructure. Teams that fall behind on Kubernetes versions accumulate technical debt that compounds with every skipped release, making the eventual forced upgrade far riskier than incremental updates would have been.

The root cause is not negligence. It is the absence of continuous, structured visibility into the compatibility state of a running cluster. Kubernetes deprecation timelines span multiple releases, and tracking them manually across a fleet of clusters with different versions, different addon stacks, and different workload profiles is a task that does not scale. Cost optimization platforms can tell you what you are spending. Observability tools can tell you what is happening right now. Neither can tell you what will break when you move from version 1.28 to 1.30.

The majority of Kubernetes upgrade failures trace back to issues that were knowable before the upgrade began. Deprecated APIs, incompatible addon versions, and unsupported configurations are documented well in advance, but the tooling to surface them proactively has not existed in the infrastructure management category.

How Medulla Solves It

Medulla runs a continuous background scan worker that evaluates every cluster in your fleet against the Kubernetes deprecation timeline, addon compatibility matrices, and known breaking changes. Scans are not one-time audits. They run continuously, updating risk assessments as your clusters change and as new Kubernetes versions are released.

The output is a multi-factor risk score for each cluster. This score is not a single number. It is a composite of blocker count, blast radius, rollback complexity, and estimated downtime probability. Each factor is independently visible and independently actionable. A cluster with twelve low-severity deprecation warnings scores differently than a cluster with two hard blockers that prevent the control plane from starting after an upgrade.

Risk intelligence feeds directly into every other Medulla capability. Simulation uses scan results to model upgrade outcomes. Scheduling uses risk scores to prioritize maintenance windows. Execution uses blocker data to gate upgrade steps. The scan is the foundation of the entire upgrade lifecycle.

Key Capabilities

  • Continuous background scanning: Automated scan workers evaluate clusters on an ongoing basis, not just when an upgrade is planned. Risk assessments stay current as your infrastructure evolves, which means platform teams always have an accurate picture of readiness without running manual audits.
  • Multi-factor risk scoring: Composite scores built from blocker count, blast radius, rollback complexity, and downtime probability. Each factor is independently visible for targeted remediation, allowing teams to address the highest-impact blockers first rather than working through undifferentiated lists.
  • Deprecated API detection: Identifies every deprecated and removed API in use across your workloads, mapped against target Kubernetes version compatibility. Detection covers both explicit manifest references and transitive API usage through controllers and operators.
  • Addon conflict analysis: Cross-references your installed addon versions against known compatibility matrices to flag conflicts before they cause failures.
  • Breaking change mapping: Maps upstream Kubernetes breaking changes to your specific cluster configuration, highlighting exactly which components are affected.
  • Fleet-wide visibility: Aggregated risk views across your entire cluster fleet, enabling platform teams to prioritize upgrades based on quantified risk rather than intuition. Fleet dashboards surface the clusters with the highest risk scores first, directing engineering attention where it has the greatest impact.

Scanning and Risk Intelligence transforms Kubernetes upgrades from a reactive discovery process into a proactive engineering practice. Platform teams gain the visibility they need to plan upgrades with confidence, remediate blockers on their own timeline, and eliminate the surprise failures that make infrastructure changes high-stress events. Risk data flows directly into Medulla's simulation engine and scheduling system, creating a continuous feedback loop where scan results inform upgrade planning across the entire fleet. When you know exactly what will break before you start, the upgrade becomes a routine operation rather than a crisis.