Rollout
Replica availability and controller reconciliation changes between the two runs.
Workloads with rollout issues
0 -> 1
Unavailable workload replicas
0 -> 3
Drift review
Compare drift: payments-bundle.json → payments-rollout-bundle.json
Compare normalized findings and stable evidence drift without relying on hidden query-string knowledge. Automatic baseline selection uses the latest older run for the same logical target when one exists.
Current run
payments-rollout-bundle.json
Target: cluster:aks-payments-prod:namespace:payments
Mar 27, 01:19 AM
Baseline
payments-bundle.json
Target: cluster:aks-payments-prod:namespace:payments
Mar 26, 11:48 PM
Baseline selection
Explicit baseline
This compare view is pinned to a specific older run instead of the automatic same-target default.
Choose another older run
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 27, 12:18 AM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 27, 12:17 AM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Mar 26, 11:48 PM
payments-bundle.json
cluster:aks-payments-prod:namespace:payments
Selected
Mar 26, 11:48 PM
Evidence delta
Stable evidence and metadata drift for the selected baseline.
Metadata 3Metrics 17Artifact changed
Operational delta
Stable rollout, pressure, runtime-health, and namespace-guardrail changes are pulled out first so you can see meaningful movement before scanning the raw metric table.
Pressure
Cluster pressure and warning-event changes between the two runs.
Operational warning events
6 -> 2
Nodes not Ready
1 -> 0
Nodes with pressure conditions
1 -> 0
Posture
Security and posture changes between the two runs.
Bundle documents
8 -> 9
External services
1 -> 0
NetworkPolicies
0 -> 1
Externally exposed namespaces without NetworkPolicy
1 -> 0
Workload hardening gaps
5 -> 1
Workloads with service account token automount
1 -> 0
Workloads with writable root filesystems
1 -> 0
Workloads using the default service account with token automount
1 -> 0
Externally exposed workloads using the default service account with token automount
1 -> 0
Metadata changes
Filename
Changed
Collected at
Changed
Collector version
Changed
Stable metric changes
| Metric | Status | Before | After |
|---|---|---|---|
| Finding count | Changed | 14 | 5 |
| High findings | Changed | 7 | 2 |
| Medium findings | Changed | 7 | 3 |
| Bundle documents | Changed | 8 | 9 |
| Operational warning events | Changed | 6 | 2 |
| Nodes not Ready | Changed | 1 | 0 |
| Nodes with pressure conditions | Changed | 1 | 0 |
| Workloads with rollout issues | Changed | 0 | 1 |
| Unavailable workload replicas | Changed | 0 | 3 |
| External services | Changed | 1 | 0 |
| NetworkPolicies | Changed | 0 | 1 |
| Externally exposed namespaces without NetworkPolicy | Changed | 1 | 0 |
| Workload hardening gaps | Changed | 5 | 1 |
| Workloads with service account token automount | Changed | 1 | 0 |
| Workloads with writable root filesystems | Changed | 1 | 0 |
| Workloads using the default service account with token automount | Changed | 1 | 0 |
| Externally exposed workloads using the default service account with token automount | Changed | 1 | 0 |
Finding changes
Drift in normalized findings between the current run and selected baseline.
| Status | Title | Category | Before | After | Evidence delta |
|---|---|---|---|---|---|
| Resolved | Kubernetes externally exposed workload uses the default service account with token automount: payments/payments-api | kubernetes | high | — | −{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co… |
| Resolved | Kubernetes namespace exposed externally without NetworkPolicy isolation: payments | kubernetes | high | — | −{"namespace":"payments","has_network_policy":false} |
| Resolved | Kubernetes node is not Ready: aks-system-000001 | kubernetes | high | — | −{"name":"aks-system-000001","ready":false,"unschedulable":false,"pressure_conditions":["MemoryPressure"]} |
| Resolved | Kubernetes node reports pressure conditions: aks-system-000001 (MemoryPressure) | kubernetes | high | — | −{"name":"aks-system-000001","ready":false,"unschedulable":false,"pressure_conditions":["MemoryPressure"]} |
| New | Kubernetes rollout controller has not observed the latest spec generation: Deployment payments/payments-api | kubernetes | — | medium | +{"namespace":"payments","name":"payments-api","kind":"Deployment","desired_replicas":4,"ready_replicas":1,"available_replicas":1,"updated_replicas":2,"unavailab… |
| New | Kubernetes rollout incomplete: Deployment payments/payments-api (ready 1/4, updated 2/4) | kubernetes | — | high | +{"namespace":"payments","name":"payments-api","kind":"Deployment","desired_replicas":4,"ready_replicas":1,"available_replicas":1,"updated_replicas":2,"unavailab… |
| Resolved | Kubernetes Service exposed externally: payments/payments-public (LoadBalancer) | kubernetes | high | — | −{"namespace":"payments","name":"payments-public","type":"LoadBalancer","external":true} |
| Resolved | Kubernetes warning events indicate image pull failures (2 events) | kubernetes | high | — | −{"warning_event_count":2,"namespaces":["payments"],"affected_objects":["Pod/payments-api-abc123"],"samples":[{"namespace":"payments","involved_kind":"Pod","invo… |
| New | Kubernetes warning events indicate scheduling failures (2 events) | kubernetes | — | high | +{"warning_event_count":2,"namespaces":["payments"],"affected_objects":["Pod/payments-api-abc123"],"samples":[{"namespace":"payments","involved_kind":"Pod","invo… |
| Resolved | Kubernetes warning events indicate scheduling failures (4 events) | kubernetes | high | — | −{"warning_event_count":4,"namespaces":["payments"],"affected_objects":["Pod/payments-api-abc123"],"samples":[{"namespace":"payments","involved_kind":"Pod","invo… |
| Resolved | Kubernetes workload automatically mounts service account tokens: payments/payments-api | kubernetes | medium | — | −{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"containers":[{… |
| Resolved | Kubernetes workload missing liveness or readiness probes: payments/payments-api | kubernetes | medium | — | −{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co… |
| Resolved | Kubernetes workload missing resource requests or limits: payments/payments-api | kubernetes | medium | — | −{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co… |
| Resolved | Kubernetes workload uses a writable root filesystem: payments/payments-api | kubernetes | medium | — | −{"workload":{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"co… |
| Resolved | Kubernetes workload uses the default service account with token automount: payments/payments-api | kubernetes | medium | — | −{"namespace":"payments","name":"payments-api","kind":"Deployment","pod_spec":{"serviceAccountName":"default","automountServiceAccountToken":true,"containers":[{… |