SignalForge
Op

Drift review

Compare drift: payments-bundle.json → payments-top-bundle.json

Compare normalized findings and stable evidence drift without relying on hidden query-string knowledge. Automatic baseline selection uses the latest older run for the same logical target when one exists.

Open current runOpen baseline

Current run

payments-top-bundle.json
Target: cluster:aks-payments-prod:namespace:payments
Mar 27, 01:23 AM

Baseline

payments-bundle.json
Target: cluster:aks-payments-prod:namespace:payments
Mar 26, 11:48 PM

Baseline selection

Explicit baseline

This compare view is pinned to a specific older run instead of the automatic same-target default.

Choose another older run
payments-rollout-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 27, 01:19 AM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 27, 12:18 AM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 27, 12:17 AM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 26, 11:48 PM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Selected
Mar 26, 11:48 PM
Evidence delta
Stable evidence and metadata drift for the selected baseline.
Metadata 3Metrics 17Artifact changed
Operational delta

Stable rollout, pressure, runtime-health, and namespace-guardrail changes are pulled out first so you can see meaningful movement before scanning the raw metric table.

Rollout

Replica availability and controller reconciliation changes between the two runs.

Workloads with rollout issues
0 -> 1
Unavailable workload replicas
0 -> 3
Pressure

Cluster pressure and warning-event changes between the two runs.

Operational warning events
6 -> 2
Nodes not Ready
1 -> 0
Nodes with pressure conditions
1 -> 0
Posture

Security and posture changes between the two runs.

Bundle documents
8 -> 11
External services
1 -> 0
NetworkPolicies
0 -> 1
Externally exposed namespaces without NetworkPolicy
1 -> 0
Workload hardening gaps
5 -> 1
Workloads with service account token automount
1 -> 0
Workloads with writable root filesystems
1 -> 0
Workloads using the default service account with token automount
1 -> 0
Externally exposed workloads using the default service account with token automount
1 -> 0
Metadata changes
Filename
Changed
Collected at
Changed
Collector version
Changed
Stable metric changes
MetricStatusBeforeAfter
Finding countChanged147
High findingsChanged72
Medium findingsChanged75
Bundle documentsChanged811
Operational warning eventsChanged62
Nodes not ReadyChanged10
Nodes with pressure conditionsChanged10
Workloads with rollout issuesChanged01
Unavailable workload replicasChanged03
External servicesChanged10
NetworkPoliciesChanged01
Externally exposed namespaces without NetworkPolicyChanged10
Workload hardening gapsChanged51
Workloads with service account token automountChanged10
Workloads with writable root filesystemsChanged10
Workloads using the default service account with token automountChanged10
Externally exposed workloads using the default service account with token automountChanged10

Finding changes

Drift in normalized findings between the current run and selected baseline.
Unchanged: 2
StatusTitleCategoryBeforeAfterEvidence delta
ResolvedKubernetes externally exposed workload uses the default service account with token automount: payments/payments-apikuberneteshigh
{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co…
ResolvedKubernetes namespace exposed externally without NetworkPolicy isolation: paymentskuberneteshigh
{"namespace":"payments","has_network_policy":false}
NewKubernetes node CPU usage is elevated: aks-system-000001 (92.0%)kubernetesmedium
+{"name":"aks-system-000001","cpu":"1850m","cpu_percent":92,"memory":"14900Mi","memory_percent":91}
ResolvedKubernetes node is not Ready: aks-system-000001kuberneteshigh
{"name":"aks-system-000001","ready":false,"unschedulable":false,"pressure_conditions":["MemoryPressure"]}
NewKubernetes node memory usage is elevated: aks-system-000001 (91.0%)kubernetesmedium
+{"name":"aks-system-000001","cpu":"1850m","cpu_percent":92,"memory":"14900Mi","memory_percent":91}
ResolvedKubernetes node reports pressure conditions: aks-system-000001 (MemoryPressure)kuberneteshigh
{"name":"aks-system-000001","ready":false,"unschedulable":false,"pressure_conditions":["MemoryPressure"]}
NewKubernetes rollout controller has not observed the latest spec generation: Deployment payments/payments-apikubernetesmedium
+{"namespace":"payments","name":"payments-api","kind":"Deployment","desired_replicas":4,"ready_replicas":1,"available_replicas":1,"updated_replicas":2,"unavailab…
NewKubernetes rollout incomplete: Deployment payments/payments-api (ready 1/4, updated 2/4)kuberneteshigh
+{"namespace":"payments","name":"payments-api","kind":"Deployment","desired_replicas":4,"ready_replicas":1,"available_replicas":1,"updated_replicas":2,"unavailab…
ResolvedKubernetes Service exposed externally: payments/payments-public (LoadBalancer)kuberneteshigh
{"namespace":"payments","name":"payments-public","type":"LoadBalancer","external":true}
ResolvedKubernetes warning events indicate image pull failures (2 events)kuberneteshigh
{"warning_event_count":2,"namespaces":["payments"],"affected_objects":["Pod/payments-api-abc123"],"samples":[{"namespace":"payments","involved_kind":"Pod","invo…
NewKubernetes warning events indicate scheduling failures (2 events)kuberneteshigh
+{"warning_event_count":2,"namespaces":["payments"],"affected_objects":["Pod/payments-api-abc123"],"samples":[{"namespace":"payments","involved_kind":"Pod","invo…
ResolvedKubernetes warning events indicate scheduling failures (4 events)kuberneteshigh
{"warning_event_count":4,"namespaces":["payments"],"affected_objects":["Pod/payments-api-abc123"],"samples":[{"namespace":"payments","involved_kind":"Pod","invo…
ResolvedKubernetes workload automatically mounts service account tokens: payments/payments-apikubernetesmedium
{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"containers":[{…
ResolvedKubernetes workload missing liveness or readiness probes: payments/payments-apikubernetesmedium
{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co…
ResolvedKubernetes workload missing resource requests or limits: payments/payments-apikubernetesmedium
{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co…
ResolvedKubernetes workload uses a writable root filesystem: payments/payments-apikubernetesmedium
{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co…
ResolvedKubernetes workload uses the default service account with token automount: payments/payments-apikubernetesmedium
{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"containers":[{…