Release Notes — 2.3.3

Released: 2026-05-09

Kure Monitor 2.3.3 extends the Diagram tab with RBAC visualization: a new Roles mode that graphs Roles / ClusterRoles together with their bindings, synthesized Permission nodes, and the Users / Groups / ServiceAccounts they grant access to.

Operator action required: the backend ClusterRole has been expanded with rbac.authorization.k8s.io read permissions (roles, clusterroles, rolebindings, clusterrolebindings). After upgrading, reapply RBAC (helm upgrade for the chart or kubectl apply -f k8s/rbac.yaml for raw manifests). Without this, the new Roles mode returns HTTP 403; the rest of the dashboard is unaffected.

Highlights

Roles mode in the Diagram tab. Two scopes:
- Namespace — pick a namespace + Role; the graph shows the Role, its RoleBindings, synthesized Permission nodes (one per (apiGroup, resource) tuple), and the Subjects the Role is bound to.
- Cluster — pick a ClusterRole; same shape but for ClusterRoles + ClusterRoleBindings.
Synthesized node summary panel. Clicking a Permission, Subject:User, or Subject:Group node opens a new RbacSummaryModal that renders the data already on the node (verbs, resourceNames, kind, namespace) — no fetch is performed because these nodes have no underlying Kubernetes manifest. Real RBAC objects (Role, ClusterRole, RoleBinding, ClusterRoleBinding, ServiceAccount) still open the existing live-manifest panel.
No application-level breaking changes. Agent and security-scanner are unchanged. The only operator-action item is reapplying RBAC.

What’s changed

Added

Diagram tab: Roles mode in the dashboard, with namespace and cluster scopes.
Three new backend endpoints under /api/diagram/*, all gated by require_read:
- GET /api/diagram/roles
- GET /api/diagram/role/{ns}/{name}
- GET /api/diagram/clusterrole/{name}
Diagram manifest endpoint now serves Role, ClusterRole, RoleBinding, ClusterRoleBinding, and ServiceAccount (in addition to the existing workload kinds).
Frontend RbacSummaryModal component plus new node-type styling for Role, ClusterRole, RoleBinding, ClusterRoleBinding, Permission, and Subject:*.

Changed

Backend ClusterRole expanded with rbac.authorization.k8s.io reads. The full backend RBAC for the Diagram tab is now:

API group	Resources	Verbs
`""` (core)	`namespaces`	`list`
`""` (core)	`services`, `endpoints`, `configmaps`, `persistentvolumeclaims`	`get`, `list`
`""` (core)	`serviceaccounts`	`get`
`apps`	`deployments`, `replicasets`, `statefulsets`, `daemonsets`	`get`, `list`
`batch`	`jobs`, `cronjobs`	`get`, `list`
`networking.k8s.io`	`ingresses`, `networkpolicies`	`get`, `list`
`discovery.k8s.io`	`endpointslices`	`get`, `list`
`autoscaling`	`horizontalpodautoscalers`	`get`, `list`
`rbac.authorization.k8s.io`	`roles`, `clusterroles`, `rolebindings`, `clusterrolebindings`	`get`, `list` (added in 2.3.3)

secrets remains intentionally NOT granted — Kure Monitor never reads Secret values.

Upgrading

Helm

helm repo update
helm upgrade kure-monitor kure-monitor/kure \
  --namespace kure-system \
  --version 2.3.3

helm upgrade reapplies the ClusterRole automatically. There is no data migration step.

Raw k8s manifests

kubectl apply -f k8s/rbac.yaml

# Bump image tags in k8s/{backend,frontend,agent,security-scanner}.yaml to 2.3.3, then
kubectl apply -f k8s/

Verifying the upgrade

After upgrade, open the dashboard, switch to the Diagram tab, and pick the Roles mode.

If the graph renders, the new RBAC is in place.
If you see HTTP 403 in the backend logs when calling /api/diagram/roles, the ClusterRole hasn’t been updated — run kubectl apply -f k8s/rbac.yaml (or helm upgrade again).

Full changelog

See CHANGELOG.md in the repository.