Release Notes — 2.3.2

Released: 2026-04-27

Kure Monitor 2.3.2 ships the Diagram tab — an interactive Kubernetes topology graph — and the backend RBAC needed to power it.

Operator action required: the backend ClusterRole has been expanded. After upgrading, reapply RBAC (helm upgrade for the chart or kubectl apply -f k8s/rbac.yaml for raw manifests). Without this, the backend returns HTTP 403 when the Diagram tab is opened.

Highlights

Diagram tab — new top-level dashboard tab with two view modes (per-namespace and per-workload). Click any node for its live manifest; click any edge to focus that path (highlights ancestors + descendants, dims the rest).
Backend topology service with a 15s TTL cache. Builds a deterministic graph from owner refs, label selectors, service → endpoints, ingress backends, HPA targets, NetworkPolicy selectors, and volume / envFrom references. EndpointSlice with Endpoints fallback.
Security by design: the backend ServiceAccount is intentionally not granted access to Secrets. Secret nodes are derived purely from workload spec references; the manifest endpoint hard-rejects kind=Secret with HTTP 403; the UI shows a “no read access by design” info banner.
No application-level breaking changes. Agent and security-scanner are unchanged. The only operator-action item is reapplying RBAC.

What’s changed

Added

Diagram tab in the dashboard. Two modes:
- Per-namespace: every workload in a namespace plus their fan-out.
- Per-workload: a single workload plus its ancestors / descendants.
- Click a node → live manifest in a side panel.
- Click an edge → focus that path; click again or click background to clear.
- Group collapse / expand by app.kubernetes.io/name (or app) label.
Four new backend endpoints under /api/diagram/*, all gated by require_read:
- GET /api/diagram/namespaces
- GET /api/diagram/namespace/{ns}
- GET /api/diagram/workload/{ns}/{kind}/{name}
- GET /api/diagram/manifest/{ns}/{kind}/{name}
Frontend deps: reactflow ^11.11.4 and @dagrejs/dagre ^3.0.0.

Changed

ManifestModal is now reusable — new opt-in props (title, subtitle, infoMessage, loading) added in a backwards-compatible way.
Frontend Jest config moved into package.json (Create React App was ignoring the standalone jest.config.js). structuredClone polyfill added to setupTests.js.

Notes for operators

Backend ClusterRole expanded. The kure-backend ServiceAccount now needs:

API group	Resources	Verbs
`""` (core)	`namespaces`	`list`
`""` (core)	`services`, `endpoints`, `configmaps`, `persistentvolumeclaims`	`get`, `list`
`""` (core)	`serviceaccounts`	`get`
`apps`	`deployments`, `replicasets`, `statefulsets`, `daemonsets`	`get`, `list`
`batch`	`jobs`, `cronjobs`	`get`, `list`
`networking.k8s.io`	`ingresses`, `networkpolicies`	`get`, `list`
`discovery.k8s.io`	`endpointslices`	`get`, `list`
`autoscaling`	`horizontalpodautoscalers`	`get`, `list`

secrets is intentionally NOT granted — this is a deliberate security choice. Kure Monitor never reads Secret values.

Upgrading

Helm

helm repo update
helm upgrade kure-monitor kure-monitor/kure \
  --namespace kure-system \
  --version 2.3.2

helm upgrade reapplies the ClusterRole automatically. There is no data migration step.

Raw k8s manifests

kubectl apply -f k8s/rbac.yaml

# Bump image tags in k8s/{backend,frontend,agent,security-scanner}.yaml to 2.3.2, then
kubectl apply -f k8s/

Verifying the upgrade

After upgrade, open the dashboard and switch to the Diagram tab.

If the graph renders, the new RBAC is in place.
If you see HTTP 403 errors in the backend logs, the ClusterRole hasn’t been updated — run kubectl apply -f k8s/rbac.yaml (or helm upgrade again).

Full changelog

See CHANGELOG.md in the repository.