SignalForge
Operator priorities
3 ranked actions
01. Audit every ClusterRoleBinding and RoleBinding to `cluster-admin`, `system:masters`, and other high-privilege roles; remove any binding that is not strictly required for cluster operations.

02. Break apart the over-broad Argo CD, edit/aggregate, and controller roles into least-privilege roles, removing `impersonate`, `escalate`, wildcard permissions, and unnecessary secret/RBAC writes.

03. Review and restrict all node-proxy/kubelet-access bindings (`nodes/proxy`, `nodes/log`, `nodes/stats`, `nodes/configz`, `nodes/pods`) to only the exact controller or monitoring service accounts that need them.

Kubernetes namespace
cluster:oke-cluster:namespace:default:phase9-e2e-20260326224649
Hostname snapshot: oke-cluster · Kubernetes (oke)
Artifact family: Kubernetes bundle (kubernetes-bundle)
Source: agent, Mar 26, 10:48 PM
Artifact source: agent:62d95e9f-c0fe-40e5-b503-59fd94d0546b
Collector: signalforge-collectors
Target ID: cluster:oke-cluster:namespace:default:phase9-e2e-20260326224649
Recorded at: Mar 26, 10:48 PM
Findings: 19 (19 high)
Run status: complete
Analysis completed successfully for this artifact snapshot.
Primary operator signal

Cluster Capacity Snapshot

Quantitative node-capacity signals and scheduling headroom captured directly from the Kubernetes bundle.

Stable context
Scope: Namespace default (oke-cluster)
Peak memory: 0.0% (no node above 80%)
Peak CPU: 0.0% (no scheduling warning captured)
Node pressure: 0 (nodes with NotReady or pressure conditions)
Operator summary

Cluster Guardrails

Autoscaling, disruption, quota, and namespace-default coverage that changes how operators should interpret capacity signals.

Stable context
HPAs: 0 (no HPA objects captured)
Blocked PDBs: 0 (PDBs with zero allowed disruptions)
Quota pressure: 0 (quota resources at or above 90%)
LimitRange coverage: 0/0 (namespaces with default limits and requests)
Pending claims: 0 (PersistentVolumeClaims still pending)
Operator summary

Run Health Summary

A compact operator view of severity and signal distribution before you drop into detailed findings.

Needs action
Critical + high: 19 (needs operator attention)
Instability & pressure: 0 (operational signal count)
Identity & access: 19 (RBAC, tokens, service accounts, secrets)
Exposure: 0 (public reachability and listener posture)
Detailed review

Findings

19 findings
Analysis narrative
Full narrative summary

Expanded explanation for operators who want the model summary after reviewing the findings table.

  • The namespace-scoped bundle shows multiple high-severity RBAC exposures that materially weaken cluster isolation and least-privilege controls.
  • Several roles include wildcard permissions or privilege-escalation verbs such as `impersonate` and `escalate`, which increases the risk of lateral movement and control-plane abuse if any bound identity is compromised.
  • Node proxy/kubelet-access roles are present, which can expose node-level information and operational interfaces from within the cluster if misbound or overused.
  • The strongest issue is the presence of cluster-admin style access via both a cluster-admin binding and a cluster-admin role, creating broad blast radius for any subject mapped to those privileges.
  • No noise items were supplied, and the scope is Kubernetes namespace context, so remediation should focus on RBAC bindings, cluster roles, and workload identity review.

Run Metadata

Identity
Run ID: ff9e723b
Artifact family: Kubernetes bundle (normalized UTF-8 JSON manifest containing Kubernetes workload, exposure, RBAC, and status evidence)
Source type: Agent collection (agent)
Target ID: cluster:oke-cluster:namespace:default:phase9-e2e-20260326224649
Source label: agent:62d95e9f-c0fe-40e5-b503-59fd94d0546b
Collection
Collector: signalforge-collectors
Recorded at: Mar 26, 10:48 PM
Analysis
Model: gpt-5.4-mini
Analysis time: 69.0s
Tokens used: 21,083

Environment Context

Target Host: oke-cluster · Kubernetes (oke)
Kernel: namespace:default
Uptime: unknown