Sonobuoy was always designed to facilitate third-party plugins in order to accommodate custom testing requirements, and recently, the work on Sonobuoy made some advanced plugins possible to create.

Read more about the first Sonobuoy plugins here.

CIS Benchmarks

This plugin utilizes the kube-bench implementation of the CIS security benchmarks. It is technically two plugins; one to run the checks on the master nodes and another to run the checks on the worker nodes.

End-to-End Testing

The Kubernetes end-to-end testing plugin (the e2e plugin) is used to run tests which are maintained by the upstream Kubernetes community in the kubernetes/kubernetes repo.


Gather log information from systemd, by chrooting into the node’s filesystem and running journalctl. Used by Sonobuoy for gathering host logs in a Kubernetes cluster.


This plugin runs Aqua Security’s kube-hunter. It increases awareness and visibility of security issues in Kubernetes environments.


This plugin utilizes the kubectl-who-can project from Aqua Security to produce a report that shows which subjects have RBAC permissions to perform actions (verbs) against resources in the cluster.


This plugin allows the collection of cluster information, such as workload and operational details, across all namespaces.

Reliability Scanner

The Reliability Scanner is a customizable Sonobuoy Plugin that captures good practices for operating workloads reliably atop Kubernetes.

Getting Started

To help you get started, see the documentation.