Skip to content
Kure Monitor

Release Notes — 2.4.2

Released: 2026-05-21

Kure Monitor 2.4.2 grows the AI Advice layer with sixteen new detectors (38 total, up from 23), adds Active / Ignored tabs so you can dismiss findings without losing them, and removes a detector that was producing false positives whenever a workload referenced a Secret.

No breaking changes. No API changes. No DB migrations.

What’s new

Section titled “What’s new”

Sixteen new advice detectors

Section titled “Sixteen new advice detectors”

Grouped by category:

Resource hygiene (4)

  • missing-requests-limits — containers without CPU/memory requests or limits
  • requests-equal-limits-burstable — Deployments where CPU requests == limits (becomes Guaranteed QoS, loses burst headroom)
  • cpu-limit-throttling-risk — any container with a CPU limit set (CFS throttling antipattern for latency-sensitive workloads)
  • oom-prone-memory-headroom — containers where memory limit == request (no headroom for spikes → OOMKill risk)

Scheduling / availability (4)

  • missing-pod-anti-affinity-replicasreplicas > 1 without podAntiAffinity
  • missing-topology-spread-constraintsreplicas > 1 without topologySpreadConstraints
  • single-replica-behind-service — a Service routes to a single-replica Deployment (SPOF)
  • missing-priority-class — workloads with a PDB but no priorityClassName

Networking (3)

  • service-target-port-mismatch — Service targetPort doesn’t match any container port on selected pods
  • ingress-host-collision — multiple Ingresses share the same (host, path) tuple
  • networkpolicy-selects-nothing — NetworkPolicy podSelector matches zero pods (dead config)

Lifecycle (3)

  • prestop-missing-short-grace — no lifecycle.preStop and terminationGracePeriodSeconds < 30 on Service-fronted Deployments
  • job-restart-policy-mismatch — Job/CronJob pod template with restartPolicy other than Never or OnFailure
  • image-pull-always-with-mutable-tagimagePullPolicy: Always combined with a mutable tag (pull on every restart)

Storage (2)

  • pvc-no-storage-class — PVC with no storageClassName and no volumeName (relies on default StorageClass, which may not exist)
  • rwo-pvc-multi-replica — a ReadWriteOnce PVC mounted by a Deployment with replicas > 1

All new detectors are conservative (confidence 0.6–0.9) and emit Low/Medium/High severities as appropriate.

Active / Ignored tabs for AI Advice

Section titled “Active / Ignored tabs for AI Advice”

The AI Advice panel now uses Pod-Monitoring-style tabs:

  • Active — non-dismissed findings (default view).
  • Ignored — dismissed findings, with a one-click Restore action to bring them back.

Tab labels show live counts (“Active (12) / Ignored (3)”) that update optimistically on dismiss/restore. WebSocket upserts respect the active tab. Export honors the current tab.

The backend dismiss/restore APIs already existed in 2.4.0; this release surfaces them in the UI.

Fixed

Section titled “Fixed”

referenced-config-missing detector removed

Section titled “referenced-config-missing detector removed”

The advice detector previously flagged Secret references as missing whenever the topology service couldn’t list them — which is always, by design (Kure has no Secret-read RBAC). The result was a steady stream of false positives like “DaemonSet kure-monitor-agent references 1 ConfigMap/Secret(s) that are absent from namespace ‘kure-system’”.

The pod-watcher already reports CreateContainerConfigError for genuinely missing ConfigMap or Secret references, with better evidence (which pod, which container, exact event message) and better timing (immediate, not on next scan). The detector was redundant for ConfigMaps and structurally broken for Secrets, so it was removed.

If you had explicitly disabled referenced-config-missing via app_settings.advice_detector_enabled, the dead key is harmless — unknown detector IDs are ignored at scan time — but you can clean it up if you like.

Upgrade

Section titled “Upgrade”

Helm

Section titled “Helm”
Terminal window
helm repo update
helm upgrade kure-monitor kure-monitor/kure \
  --namespace kure-system \
  --version 2.4.2

No values changes are required. New detectors are enabled by default; you can toggle individual detectors off via the Admin → Advice Detectors UI or directly in app_settings.advice_detector_enabled.

Verifying the upgrade

Section titled “Verifying the upgrade”
  1. Open the Advice tab. The detector count in the header should read 38.
  2. Dismiss a finding from the Active tab. It should move to the Ignored tab and the counts should update without a refresh.
  3. Restore a finding from the Ignored tab. It should reappear in Active.
  4. Re-run a scan. Dismissed findings stay dismissed; newly detected ones surface in Active.

Full changelog

Section titled “Full changelog”

See CHANGELOG.md in the repository.