SignalForge
Op
Operator priorities
3 ranked actions
01

Stabilize the cluster and namespace capacity first: investigate aks-system-000001 MemoryPressure, add memory capacity if needed, and resolve the FailedScheduling condition affecting payments-api.

02

Contain the exposed payments surface: verify whether payments-public must be LoadBalancer; if not, make it internal, and add namespace NetworkPolicies to default-deny traffic with explicit allows.

03

Harden and fix payments-api before the next rollout: correct the image pull failure and CrashLoopBackOff, then move to a dedicated least-privilege service account with token automount disabled, add probes, requests/limits, seccomp RuntimeDefault, and a read-only root filesystem.

Kubernetes namespace
cluster:aks-payments-prod:namespace:payments
Hostname snapshot: aks-payments-prod · Kubernetes (aks)
Artifact family
Kubernetes bundle
kubernetes-bundle
Source
api
Mar 27, 12:17 AM
Artifact source
signalforge-collectors:collect-kubernetes-bundle.sh
Collector
signalforge-collectors
1.1.0
Target ID
cluster:aks-payments-prod:namespace:payments
Collected at
Mar 27, 12:17 AM
Findings
14
7
high
7
medium
Run status
complete
Analysis completed successfully for this artifact snapshot.
Primary operator signal

Cluster Capacity Snapshot

Quantitative node-capacity signals and scheduling headroom captured directly from the Kubernetes bundle.

Needs action
Scope
Namespace payments
aks-payments-prod
Peak memory
0.0%
No node above 80%
Peak CPU
0.0%
Scheduling warnings present
Node pressure
1
Nodes with NotReady or pressure conditions
Operator summary

Cluster Guardrails

Autoscaling, disruption, quota, and namespace-default coverage that changes how operators should interpret capacity signals.

Stable context
HPAs
0
No HPA objects captured
Blocked PDBs
0
PDBs with zero allowed disruptions
Quota pressure
0
Quota resources at or above 90%
LimitRange coverage
0/0
Namespaces with default limits and requests
Pending claims
0
PersistentVolumeClaims still pending
Operator summary

Workload Instability

Short, operator-oriented callouts for scheduling, rollout, and failing-workload evidence.

Needs action
Scheduling pressure
0/3 nodes are available: 3 Insufficient memory.
Scheduling pressure
4 warning events captured in the bundle.
Image pull failure
2 warning events captured in the bundle.
Operator summary

Run Health Summary

A compact operator view of severity and signal distribution before you drop into detailed findings.

Needs action
Critical + high
7
Needs operator attention
Instability & pressure
5
Operational signal count
Identity & access
7
RBAC, tokens, service accounts, secrets
Exposure
2
Public reachability and listener posture
Findings table controls

Filter the findings table by signal or severity while keeping the current visible count in view.

14 of 14 visible·All signal buckets·All severities
Filter by signal
Filter by severity

Detailed review

Findings

14 findings
Analysis narrative
Full narrative summary

Expanded explanation for operators who want the model summary after reviewing the findings table.

  • The payments namespace has multiple high-severity exposure and stability issues: a public LoadBalancer Service, no NetworkPolicy isolation, and a workload using the default service account with token automount.
  • Cluster health is degraded by an unready node with MemoryPressure, and there are active scheduling failures due to insufficient memory.
  • The payments-api workload is unstable (CrashLoopBackOff) and also has image pull failures, indicating both runtime and deployment pipeline problems.
  • Several workload hardening gaps increase blast radius if the service is compromised: writable root filesystem, missing seccomp, and missing probes/resources.
  • Overall posture is risky for a production payments namespace because external reachability, weak namespace isolation, and node pressure coincide with an unreliable application deployment.

Run Metadata

Identity
Run ID
60982257
Artifact family
Kubernetes bundle
Normalized UTF-8 JSON manifest containing Kubernetes workload, exposure, RBAC, and status evidence.
Source type
API submit
api
Target ID
cluster:aks-payments-prod:namespace:payments
Source label
signalforge-collectors:collect-kubernetes-bundle.sh
Collection
Collector
signalforge-collectors
Collector version
1.1.0
Collected at
Mar 27, 12:17 AM
Analysis
Model
gpt-5.4-mini
Analysis time
16.8s
Tokens used
6,354

Environment Context

Target Host
aks-payments-prodKubernetes (aks)
Kernel
namespace:payments
Uptime
unknown