Cloud Probes
30 probes across AWS, GCP, and Azure. Workload-identity auth only — no long-lived credentials. All off by default; enable per-provider.
Cloud probes run alongside the K8s probes on every cycle. They use the same workload-identity credentials your cluster already has — IRSA on EKS, GCP Workload Identity on GKE, AAD Workload Identity on AKS. No cloud credentials are stored in Srenix.
| Provider | Probes | Enable (Helm) | Auth |
|---|---|---|---|
| AWS | 10 | cloud.aws.enabled: true | IRSA (no long-lived keys) |
| GCP | 10 | cloud.gcp.enabled: true | GCP Workload Identity |
| Azure | 10 | cloud.azure.enabled: true | AAD Workload Identity |
Cloud probes are off by default. Enable them with --set cloud.enabled=true --set cloud.aws.enabled=true (or the equivalent for GCP/Azure). cloud.enabled is the master switch; each provider is toggled independently underneath it. Within an enabled provider, every probe can be disabled individually: set cloud.<provider>.probes.<name>: false (rendered as SRENIX_CLOUD_PROBE_<PROVIDER>_<NAME>=off). For EKS, GKE and AKS, one key gates both the control-plane probe and the node-group probe. The K8s-only value is unchanged if you never enable cloud probes.
AWS probes (10)
| Probe | What it checks | Disable env var |
|---|---|---|
| RDS | Instance/cluster status, storage %, multi-AZ, backup retention drift | SRENIX_CLOUD_PROBE_AWS_RDS=off |
| EBSVolumes | Orphan/unattached volumes, snapshot age | SRENIX_CLOUD_PROBE_AWS_EBS=off |
| EKSControlPlane | Version skew vs node groups, addon staleness | SRENIX_CLOUD_PROBE_AWS_EKS=off |
| EKSNodeGroups | Capacity, scaling activity, version drift | SRENIX_CLOUD_PROBE_AWS_EKS=off |
| IAMRoles | Trust policy drift on cluster service-account roles | SRENIX_CLOUD_PROBE_AWS_IAM=off |
| ALBTargetHealth | Unhealthy targets in Load Balancer Controller-managed target groups | SRENIX_CLOUD_PROBE_AWS_ALB=off |
| ACMCertExpiry | Certs expiring within 14 days | SRENIX_CLOUD_PROBE_AWS_ACM=off |
| KMSKeys | Pending-deletion KMS keys still referenced by cluster resources | SRENIX_CLOUD_PROBE_AWS_KMS=off |
| S3BucketPublicAccess | Public-ACL drift on buckets referenced by cluster IAM | SRENIX_CLOUD_PROBE_AWS_S3=off |
| VPCSubnets | Exhausted IP space affecting pod CIDR allocation | SRENIX_CLOUD_PROBE_AWS_VPC=off |
GCP probes (10)
| Probe | What it checks | Disable env var |
|---|---|---|
| CloudSQL | Instance status; live disk-utilization % via the Cloud Monitoring API (skips the storage check when no recent datapoint, never reports 0%) | SRENIX_CLOUD_PROBE_GCP_CLOUDSQL=off |
| PersistentDisks | Disk health and attachment status | SRENIX_CLOUD_PROBE_GCP_DISKS=off |
| GKEControlPlane | Cluster status, control-plane version | SRENIX_CLOUD_PROBE_GCP_GKE=off |
| GKENodePools | Node pool status, version drift vs control plane | SRENIX_CLOUD_PROBE_GCP_GKE=off |
| IAMServiceAccounts | Workload Identity binding drift | SRENIX_CLOUD_PROBE_GCP_IAM=off |
| Subnets | Capacity-only: warns when a primary CIDR is smaller than /26 (threshold configurable via cloud.gcp.subnetsSmallPrefixThreshold + SRENIX_CLOUD_PROBE_GCP_SUBNETS_SMALL_PREFIX). GCP’s Compute API exposes no cheap used-IP count, so per-IP utilization is honestly not measured — review Network Analyzer for the real allocation ratio | SRENIX_CLOUD_PROBE_GCP_SUBNETS=off |
| LoadBalancerBackends | Backend health | SRENIX_CLOUD_PROBE_GCP_LB=off |
| ManagedCertificates | Managed-cert provisioning status and expiry | SRENIX_CLOUD_PROBE_GCP_CERTS=off |
| GCSPublicAccess | Public-access drift on buckets referenced by the cluster | SRENIX_CLOUD_PROBE_GCP_GCS=off |
| KMSKeys | Key state/policy drift on keys referenced by cluster resources | SRENIX_CLOUD_PROBE_GCP_KMS=off |
Azure probes (10)
| Probe | What it checks | Disable env var |
|---|---|---|
| SQLDatabases | Instance status, storage_percent (live Azure Monitor) | SRENIX_CLOUD_PROBE_AZURE_SQL=off |
| Disks | Disk health and attachment | SRENIX_CLOUD_PROBE_AZURE_DISKS=off |
| AKSControlPlane | Cluster status, control-plane version | SRENIX_CLOUD_PROBE_AZURE_AKS=off |
| AKSNodePools | Node pool status, version drift | SRENIX_CLOUD_PROBE_AZURE_AKS=off |
| ManagedIdentities | AAD Workload Identity binding drift | SRENIX_CLOUD_PROBE_AZURE_IDENTITIES=off |
| Subnets | Live used-IP measurement: counts every subnet-attached resource (NIC IP configs, AppGW IP configs, IP-config profiles, private endpoints) so available = total − used | SRENIX_CLOUD_PROBE_AZURE_SUBNETS=off |
| AppGatewayBackends | Live BackendHealth LRO | SRENIX_CLOUD_PROBE_AZURE_APPGW=off |
| Certificates | Cert expiry | SRENIX_CLOUD_PROBE_AZURE_CERTS=off |
| StoragePublicAccess | Public-access policy drift | SRENIX_CLOUD_PROBE_AZURE_STORAGE=off |
| KeyVaults | Key/secret expiry | SRENIX_CLOUD_PROBE_AZURE_KEYVAULTS=off |
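Because every probe can be switched off individually, a configuration review should confirm that the identity, key, certificate and public-access probes have not been silently disabled. The following is an added example, not part of Srenix: it audits rendered NAME=value env lines for the toggles listed in the tables above. The choice of which toggles count as security-relevant, the sample env lines and the numeric format of the SMALL_PREFIX value are assumptions of this example.

```python
import re

# Toggle suffixes copied from the "Disable env var" columns on this page.
# Treating these particular probes as security-relevant is this example's assumption.
SECURITY_TOGGLES = {
    "AWS_IAM", "AWS_ACM", "AWS_KMS", "AWS_S3",
    "GCP_IAM", "GCP_CERTS", "GCP_GCS", "GCP_KMS",
    "AZURE_IDENTITIES", "AZURE_CERTS", "AZURE_STORAGE", "AZURE_KEYVAULTS",
}
# Per the page, one toggle gates both the control-plane and node-group/pool probes.
SHARED_TOGGLES = {"AWS_EKS", "GCP_GKE", "AZURE_AKS"}

TOGGLE_RE = re.compile(r"^SRENIX_CLOUD_PROBE_((?:AWS|GCP|AZURE)_[A-Z0-9_]+)=(.*)$")

# Constructed sample of rendered container env lines (not from a real deployment).
SAMPLE_ENV = [
    "LOG_LEVEL=info",
    "SRENIX_CLOUD_PROBE_AWS_IAM=off",
    "SRENIX_CLOUD_PROBE_AWS_EKS=off",
    "SRENIX_CLOUD_PROBE_AWS_RDS=off",
    "SRENIX_CLOUD_PROBE_GCP_SUBNETS_SMALL_PREFIX=27",
    "SRENIX_CLOUD_PROBE_AZURE_STORAGE=off",
]

def audit_probe_env(lines):
    """Classify probe toggles set to 'off' in NAME=value env lines."""
    report = {"security": [], "other": [], "gates_two_probes": []}
    for line in lines:
        m = TOGGLE_RE.match(line.strip())
        if not m:
            continue  # unrelated variable
        toggle, value = m.groups()
        # Only the documented literal "off" disables a probe; tuning variables
        # such as ..._GCP_SUBNETS_SMALL_PREFIX share the prefix but carry a number.
        if value != "off":
            continue
        bucket = "security" if toggle in SECURITY_TOGGLES else "other"
        report[bucket].append(toggle)
        if toggle in SHARED_TOGGLES:
            report["gates_two_probes"].append(toggle)
    return {k: sorted(v) for k, v in report.items()}

if __name__ == "__main__":
    for bucket, toggles in audit_probe_env(SAMPLE_ENV).items():
        print(f"{bucket}: {', '.join(toggles) or '-'}")
```

Any entry under security is worth a change-review question, and an entry under gates_two_probes means two probes from the tables are off, not one.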