
Kor is a tool to discover unused Kubernetes resources. Currently, Kor can identify and list unused:
Looking for cost analysis and multi-cluster management? Check out KorPro, our cloud-based platform built on top of Kor.

Download the binary for your operating system from the releases page and add it to your system's PATH.
For macOS users, you can install Kor using Homebrew:
brew install kor
Install the binary to your $GOBIN or $GOPATH/bin:
go install github.com/yonahd/kor@latest
Build the locally cloned source code:
go build main.go
Run a container with your kubeconfig mounted:
docker run --rm -i yonahdissen/kor
docker run --rm -i -v "/path/to/.kube/config:/root/.kube/config" yonahdissen/kor all
kubectl krew install kor
helm repo add kor https://yonahd.github.io/kor
Run as a cronjob in your Cluster (with an option for sending slack updates)
helm upgrade -i kor \
--namespace kor \
--create-namespace \
--set cronJob.enabled=true
./charts/kor
Run as a deployment in your Cluster exposing prometheus metrics
helm upgrade -i kor \
--namespace kor \
--create-namespace \
./charts/kor
For more information see in cluster usage
Kor provides various subcommands to identify and list unused resources. The available commands are:
all - Gets all unused resources for the specified namespace or all namespaces.configmap - Gets unused ConfigMaps for the specified namespace or all namespaces.secret - Gets unused Secrets for the specified namespace or all namespaces.service - Gets unused Services for the specified namespace or all namespaces.serviceaccount - Gets unused ServiceAccounts for the specified namespace or all namespaces.deployment - Gets unused Deployments for the specified namespace or all namespaces.statefulset - Gets unused StatefulSets for the specified namespace or all namespaces.role - Gets unused Roles for the specified namespace or all namespaces.clusterrole - Gets unused ClusterRoles for the specified namespace or all namespaces (namespace refers to RoleBinding).clusterrolebinding - Gets unused ClusterRoleBindings in the cluster (non namespaced resource).rolebinding - Gets unused RoleBindings for the specified namespace or all namespaces.hpa - Gets unused HPAs for the specified namespace or all namespaces.pod - Gets unused Pods for the specified namespace or all namespaces.pvc - Gets unused PVCs for the specified namespace or all namespaces.pv - Gets unused PVs in the cluster (non namespaced resource).storageclass - Gets unused StorageClasses in the cluster (non namespaced resource).ingress - Gets unused Ingresses for the specified namespace or all namespaces.pdb - Gets unused PDBs for the specified namespace or all namespaces.crd - Gets unused CRDs in the cluster (non namespaced resource).job - Gets unused jobs for the specified namespace or all namespaces.replicaset - Gets unused replicaSets for the specified namespace or all namespaces.daemonset- Gets unused DaemonSets for the specified namespace or all namespaces.volumeattachment - Gets unused VolumeAttachments in the cluster (non-namespaced resource).priorityclass - Gets unused PriorityClasses in the cluster (non-namespaced resource).finalizer - Gets unused pending deletion resources for the specified namespace or all namespaces.networkpolicy - Gets unused NetworkPolicies for the specified namespace or all namespaces.exporter - Export Prometheus metrics.version - Print kor version information. --delete Delete unused resources
-l, --exclude-labels strings Selector to filter out, Example: --exclude-labels key1=value1,key2=value2. If --include-labels is set, --exclude-labels will be ignored
-e, --exclude-namespaces strings Namespaces to be excluded, split by commas. Example: --exclude-namespaces ns1,ns2,ns3. If --include-namespaces is set, --exclude-namespaces will be ignored
--group-by string Group output by (namespace, resource) (default "namespace")
-h, --help help for kor
--include-labels string Selector to filter in, Example: --include-labels key1=value1 (currently supports one label)
-n, --include-namespaces strings Namespaces to run on, split by commas. Example: --include-namespaces ns1,ns2,ns3. If set, non-namespaced resources will be ignored
-k, --kubeconfig string Path to kubeconfig file (optional)
--newer-than string The maximum age of the resources to be considered unused. This flag cannot be used together with older-than flag. Example: --newer-than=1h2m
--no-interactive Do not prompt for confirmation when deleting resources. Be careful when using this flag!
--older-than string The minimum age of the resources to be considered unused. This flag cannot be used together with newer-than flag. Example: --older-than=1h2m
-o, --output string Output format (table, json or yaml) (default "table")
--show-reason Print reason resource is considered unused
--ignore-owner-references Skip resources that have ownerReferences set (for all resource types)
--slack-auth-token string Slack auth token to send notifications to, requires --slack-channel to be set
--slack-channel string Slack channel to send notifications to, requires --slack-auth-token to be set
--slack-webhook-url string Slack webhook URL to send notifications to
-v, --verbose Verbose output (print empty namespaces)
To use a specific subcommand, run kor [subcommand] [flags].
kor all --include-namespaces my-namespace
For more information about each subcommand and its available flags, you can use the --help flag.
kor [subcommand] --help
| Resource | What it looks for | Known False Positives ⚠️ |
|---|---|---|
| ConfigMaps | ConfigMaps not used in the following places: |
Pods
Containers
ConfigMaps used through Volumes
ConfigMaps used through environment variables | ConfigMaps used by resources which don't explicitly state them in the config.
e.g Grafana dashboards loaded dynamically OPA policies fluentd configs CRD configs | | CRDs | CRDs not used the cluster | | | ClusterRoleBindings | ClusterRoleBindings referencing invalid ClusterRole or ServiceAccounts | | | ClusterRoles | ClusterRoles not used in RoleBinding or ClusterRoleBinding
ClusterRoles not used in ClusterRole aggregation | | | DaemonSets | DaemonSets not scheduled on any nodes | | | Deployments | Deployments with no replicas | | | HPAs | HPAs not used in Deployments
HPAs not used in StatefulSets | | | Ingresses | Ingresses not pointing at any Service | | | Jobs | Jobs status is completed
Jobs status is suspended
Jobs failed with backoff limit exceeded (including indexed jobs)
Jobs failed with dedaline exceeded | | | NetworkPolicies | NetworkPolicies with no Pods selected by podSelector or Ingress / Egress rules | | PDBs | PDBs not used in Deployments / StatefulSets (templates) or in arbitrary Pods
PDBs with empty selectors (match every pod) but no running pods in namespace | |
| Pods | Pods in Failed phase with reason Evicted (i.e., evicted pods)
Pods in Crashloopbackoff | | | PVs | PVs not bound to a PVC | | | PVCs | PVCs not used in Pods