Analyzers
Analyzers run after every probe cycle. All are read-only. Findings attach to DriftReport CRs and route to Slack, Alertmanager, and ticketing sinks.
Analyzers inspect the raw Kubernetes API state — they don't call external services unless an integration is configured. Each analyzer emits a finding with a severity, a human-readable summary, and actionable remediation hints.
Disable any analyzer with SRENIX_ANALYZER_<NAME>=off or the per-analyzer Helm toggle (analyzers.<name>.enabled: false). The exact environment variable for each analyzer is listed in the tables below; it does not always follow the analyzer's display name (NetworkPolicyProposer, for example, is SRENIX_ANALYZER_NETPOL_PROPOSER).
Diagnostic analyzers (10)
| Analyzer | What it detects | Severity | Disable env var |
|---|---|---|---|
| SecretKeyMissing | Pod in CreateContainerConfigError — names the missing key, consuming Deployment, and owning ExternalSecret | Critical | SRENIX_ANALYZER_SECRET_KEY_MISSING=off |
| FailingExternalSecrets | ExternalSecret with Ready=False — surfaces the controller error message including the specific missing Vault property | Warning | SRENIX_ANALYZER_FAILING_EXTERNAL_SECRETS=off |
| ProactiveSecretKeyCheck | Workload env references to Secret keys that don't exist yet — fires before the pod crashes | Warning | SRENIX_ANALYZER_PROACTIVE_SECRET_KEY_CHECK=off |
| UnprovisionedSecret | Workload references a Secret with no ExternalSecret provisioning it | Warning | SRENIX_ANALYZER_UNPROVISIONED_SECRET=off |
| ImagePullAuth | Pod in ImagePullBackOff with kubelet auth-failure signals (401, denied, unauthorized) | Critical | SRENIX_ANALYZER_IMAGE_PULL_AUTH=off |
| CertExpiry | cert-manager Certificate not Ready, expiring within 14 days, or already expired | Critical / Warning | SRENIX_ANALYZER_CERT_EXPIRY=off |
| TLSSecretMismatch | Ingress points at an expired Secret while cert-manager renews into a different Secret (two-Secret naming drift) | Warning | SRENIX_ANALYZER_TLS_SECRET_MISMATCH=off |
| VaultPathMissing (opt-in; not in the 20 default-on count) | Queries Vault directly to catch drift before ESO's next refresh. Apache-2.0; you provide the Vault client. Paid tier auto-wires from your Vault config. | Warning | — (opt-in, not default-registered) |
| DNSChainDrift | Cloudflare DNS → cluster ingress LB → Ingress host → Service → ready Endpoints. Emits the highest broken layer per host. Also detects multiple Ingresses claiming the same host+path combination. | Warning | SRENIX_ANALYZER_DNS_CHAIN_DRIFT=off |
| NetworkPolicyProposer | User namespaces with no NetworkPolicy on CNIs that enforce NetworkPolicy — emits a ready-to-apply policy YAML per uncovered namespace. Silent on non-enforcing CNIs (e.g. k3s Flannel-only) | Warning | SRENIX_ANALYZER_NETPOL_PROPOSER=off |
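Worked example of how the CertExpiry and TLSSecretMismatch rules in the table above can be evaluated over cluster state. It is added here as illustration and is not srenix code; the page does not describe the project's implementation. It uses its own minimal Certificate and Ingress projections, constructed sample objects, and assumes a severity mapping the table leaves open (already expired or not Ready is Critical, expiring within 14 days is Warning). The mismatch check reports naming drift as soon as an Ingress serves a host from a Secret that no cert-manager Certificate covering that host renews into, which is earlier than the table's "expired Secret" wording.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Minimal projections of the objects the two checks read (this example's own types).
type Certificate struct {
	Namespace, Name, SecretName string    // spec.secretName: the Secret cert-manager renews into
	DNSNames                    []string  // spec.dnsNames
	Ready                       bool      // status.conditions[type=Ready].status == "True"
	NotAfter                    time.Time // status.notAfter; zero until first issuance
}
type IngressTLS struct{ Hosts []string; SecretName string } // one spec.tls[] entry
type Ingress struct{ Namespace, Name string; TLS []IngressTLS }
type Finding struct{ Analyzer, Severity, Summary string }

const expiryWindow = 14 * 24 * time.Hour

// CheckCertExpiry applies the CertExpiry rule. The severity mapping is this example's
// assumption: already expired or not Ready is Critical, expiring within 14 days is Warning.
func CheckCertExpiry(certs []Certificate, now time.Time) []Finding {
	var out []Finding
	for _, c := range certs {
		id := c.Namespace + "/" + c.Name
		switch {
		case !c.NotAfter.IsZero() && !now.Before(c.NotAfter):
			out = append(out, Finding{"CertExpiry", "Critical", id + " expired at " + c.NotAfter.Format(time.RFC3339)})
		case !c.Ready:
			out = append(out, Finding{"CertExpiry", "Critical", id + " is not Ready"})
		case c.NotAfter.Sub(now) < expiryWindow:
			out = append(out, Finding{"CertExpiry", "Warning", id + " expires in " + c.NotAfter.Sub(now).Round(time.Hour).String()})
		}
	}
	return out
}

// coversHost reports whether a dnsName of c matches host; a leading wildcard
// label matches exactly one host label, as in TLS hostname matching.
func coversHost(c Certificate, host string) bool {
	_, parent, _ := strings.Cut(host, ".") // host with its first label removed
	for _, d := range c.DNSNames {
		if d == host || (strings.HasPrefix(d, "*.") && parent != "" && parent == d[2:]) {
			return true
		}
	}
	return false
}

// CheckTLSSecretMismatch applies the TLSSecretMismatch rule: a tls entry whose host a
// Certificate in the namespace covers, but whose secretName none of those Certificates
// renews into. It fires as soon as the names diverge, before the served Secret expires.
func CheckTLSSecretMismatch(ings []Ingress, certs []Certificate) []Finding {
	var out []Finding
	for _, ing := range ings {
		for _, tls := range ing.TLS {
			for _, host := range tls.Hosts {
				var covering []*Certificate // Certificates in the namespace that cover host
				renewed := false            // one of them renews into tls.SecretName
				for i := range certs {
					if c := &certs[i]; c.Namespace == ing.Namespace && coversHost(*c, host) {
						covering = append(covering, c)
						renewed = renewed || c.SecretName == tls.SecretName
					}
				}
				if len(covering) > 0 && !renewed {
					out = append(out, Finding{"TLSSecretMismatch", "Warning", fmt.Sprintf(
						"Ingress %s/%s serves %s from Secret %q but Certificate %s renews into %q",
						ing.Namespace, ing.Name, host, tls.SecretName, covering[0].Name, covering[0].SecretName)})
				}
			}
		}
	}
	return out
}

// SampleObjects is constructed cluster state (not captured from a real cluster), relative to now.
func SampleObjects(now time.Time) ([]Certificate, []Ingress) {
	certs := []Certificate{
		{"default", "web-cert", "web-tls-v2", []string{"web.example.com"}, true, now.AddDate(0, 0, 60)},
		{"default", "api-cert", "api-tls", []string{"api.example.com"}, true, now.AddDate(0, 0, 10)},
		{"infra", "wild-cert", "wild-tls", []string{"*.internal.example.com"}, false, time.Time{}},
	}
	ings := []Ingress{
		{"default", "web", []IngressTLS{{[]string{"web.example.com"}, "web-tls"}}}, // stale Secret name
		{"default", "api", []IngressTLS{{[]string{"api.example.com"}, "api-tls"}}},
		{"infra", "grafana", []IngressTLS{{[]string{"grafana.internal.example.com"}, "wild-tls"}}},
	}
	return certs, ings
}

func main() {
	certs, ings := SampleObjects(time.Now())
	for _, f := range append(CheckCertExpiry(certs, time.Now()), CheckTLSSecretMismatch(ings, certs)...) {
		fmt.Printf("[%s] %s: %s\n", f.Severity, f.Analyzer, f.Summary)
	}
}
```

`go run` prints one line per finding; for the sample objects that is the api-cert 14-day warning, the not-Ready wildcard Certificate, and the web Ingress still pointing at web-tls while web-cert renews into web-tls-v2. Feeding it real objects means projecting spec.secretName, spec.dnsNames, the Ready condition and status.notAfter from each Certificate CR and spec.tls from each Ingress.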
Drift-class analyzers (6)
| Analyzer | What it detects | Disable env var |
|---|---|---|
| GitOpsDrift | Resources that have drifted from their GitOps-managed desired state | SRENIX_ANALYZER_GITOPS_DRIFT=off |
| WorkloadStateDrift | CNPG cluster phase and primary-switchover detection, StatefulSet pod-0 absence or not-ready | SRENIX_ANALYZER_WORKLOAD_STATE_DRIFT=off |
| RBACDrift | ClusterRoleBinding/RoleBinding changes not reflected in expected state | SRENIX_ANALYZER_RBAC_DRIFT=off |
| ConfigDrift | CRD storage version drift, stuck Deployment rollout (generation vs observedGeneration), and Helm checksum annotation divergence across pods | SRENIX_ANALYZER_CONFIG_DRIFT=off |
| CapacityDrift | Resource request/limit ratios that have drifted from baseline | SRENIX_ANALYZER_CAPACITY_DRIFT=off |
| SecurityDrift | Missing Pod Security Standards enforcement labels, mutable image tags (no digest pin), and NetworkPolicy coverage gaps per namespace. Mutable-tag severity is registry-dependent: Info for trusted upstream registries (quay.io, gcr.io, ghcr.io, registry.k8s.io, docker.io/library, etc.), Warning for untrusted/in-house registries (tunable via SRENIX_DIGEST_PIN_UNTRUSTED_SEVERITY) | SRENIX_ANALYZER_SECURITY_DRIFT=off |
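Worked example of the SecurityDrift mutable-tag rule, added here as illustration and not taken from srenix (the page does not describe the project's implementation). It splits an image reference into registry, repository, tag and digest the way a container runtime does, treats a reference as pinned only when it carries a digest, and assigns Info for the trusted registries named in the table and a configurable severity otherwise. The ImageRef type, the function names and the sample references are this example's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Severity levels used by the SecurityDrift mutable-tag rule.
type Severity string

const (
	SeverityNone    Severity = ""        // digest-pinned: no finding
	SeverityInfo    Severity = "Info"    // mutable tag on a trusted upstream registry
	SeverityWarning Severity = "Warning" // default for untrusted/in-house registries
)

// trustedRegistries is the trusted list named in the SecurityDrift row. Entries are
// matched as "registry/repository" prefixes, so docker.io/library covers official
// Docker Hub images but not arbitrary Docker Hub users.
var trustedRegistries = []string{"quay.io", "gcr.io", "ghcr.io", "registry.k8s.io", "docker.io/library"}

// ImageRef is a decomposed container image reference (this example's own type).
type ImageRef struct {
	Registry   string // host[:port]; "docker.io" when the reference omits it
	Repository string // path under the registry; official images get the "library/" namespace
	Tag        string // empty when no tag was given (the runtime then uses "latest")
	Digest     string // "sha256:..." when pinned, else empty
}

// ParseImageRef splits a reference the way a container runtime does: the first path
// component is a registry only if it contains '.' or ':' or is "localhost"; a
// single-component name lives in Docker Hub's "library" namespace; the tag is the
// ':' after the last '/', so a registry port is never mistaken for a tag.
func ParseImageRef(ref string) ImageRef {
	var r ImageRef
	if i := strings.Index(ref, "@"); i >= 0 { // digest first: it contains ':' itself
		r.Digest, ref = ref[i+1:], ref[:i]
	}
	if i := strings.LastIndex(ref, ":"); i > strings.LastIndex(ref, "/") {
		r.Tag, ref = ref[i+1:], ref[:i]
	}
	first, rest, hasPath := strings.Cut(ref, "/")
	if hasPath && (strings.ContainsAny(first, ".:") || first == "localhost") {
		r.Registry, r.Repository = first, rest
		return r
	}
	r.Registry, r.Repository = "docker.io", ref
	if !hasPath {
		r.Repository = "library/" + ref
	}
	return r
}

// IsTrusted reports whether the reference falls under a trusted registry prefix.
func IsTrusted(r ImageRef) bool {
	full := r.Registry + "/" + r.Repository
	for _, t := range trustedRegistries {
		if full == t || strings.HasPrefix(full, t+"/") {
			return true
		}
	}
	return false
}

// MutableTagSeverity applies the rule: a digest pin is never a finding; a mutable tag
// (including an implicit :latest) is Info on a trusted registry and untrusted otherwise.
// untrusted is the configurable value the page exposes as SRENIX_DIGEST_PIN_UNTRUSTED_SEVERITY.
func MutableTagSeverity(image string, untrusted Severity) Severity {
	r := ParseImageRef(image)
	switch {
	case r.Digest != "":
		return SeverityNone
	case IsTrusted(r):
		return SeverityInfo
	default:
		return untrusted
	}
}

func main() {
	// Constructed sample references, not taken from a real cluster.
	for _, img := range []string{
		"nginx",
		"registry.k8s.io/pause:3.9",
		"registry.internal:5000/payments/api:v1.4.2",
		"ghcr.io/org/app@sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
	} {
		fmt.Printf("%-85s %q\n", img, MutableTagSeverity(img, SeverityWarning))
	}
}
```

The prefix match is done on "registry/repository" rather than on the bare host so that the docker.io/library entry cannot be satisfied by a Docker Hub user whose name merely starts with "library"; a bare "nginx" still resolves to docker.io/library/nginx and is rated Info, while the in-house registry with a port is parsed correctly and rated with the untrusted severity.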
Log / workload analyzers (5)
| Analyzer | What it detects | Disable env var |
|---|---|---|
| LogPatternMatcher | Recent Events matching high-signal failure patterns (ImagePullBackOff, OOMKilled, VolumeAttachFailed, ProbeFailed, RBAC Forbidden) — dedup'd per (object, pattern) | SRENIX_ANALYZER_LOG_PATTERN_MATCHER=off |
| DisruptionDrift | PDB: disruptionsAllowed=0 past 5 min; Indexed-Job failed indexes past 10 min; ResourceQuota at 100% past 1h | SRENIX_ANALYZER_DISRUPTION_DRIFT=off |
| OOMKillRecurrence | Pod with ≥3 OOMKilled restarts in 24h — signals a persistent memory sizing issue | SRENIX_ANALYZER_OOMKILL_RECURRENCE=off |
| PVOrphan | PersistentVolume Released >7 days — still billing on the underlying cloud disk | SRENIX_ANALYZER_PV_ORPHAN=off |
| CronJobStuck | Warning: >24h since last success or suspended CronJob; Critical: never succeeded | SRENIX_ANALYZER_CRONJOB_STUCK=off |
Paid-tier analyzers (4)
The srenix-enterprise paid binary adds four additional analyzers via the same pkg/registry interface as OSS analyzers. They do not have per-analyzer env toggles; registration is wiring-driven — e.g. VaultPathDriftPro registers only when Vault credentials (VAULT_ADDR plus a token or K8s-auth role) are configured.
| Analyzer | What it detects |
|---|---|
| VaultPathDriftPro | Extended Vault path analysis with auto-wired client and cross-namespace drift |
| CertificateChainAnomaly | Full cert chain validation including intermediate CAs and trust anchors |
| MultiClusterDrift | Cross-cluster state divergence across federated or ArgoCD-managed clusters |
| StatefulSetReplicaPressure | StatefulSet rolling-update stalls and replica pressure patterns |