Skip to content
KubeGlass

Drift Detection

Drift detection pipeline: on-demand, scheduled, and cross-cluster triggers feed the drift scanner checking 6 categories, findings stream via SSE with severity badges, stored in BoltDB with 30-day retention, and dispatched to log, webhook, and Slack alert channels

What it detects

Section titled “What it detects”

Drift scanning covers:

CategoryExamples
Operator versionsOut-of-date or mismatched operator deployments
Helm configsDeployed values diverging from chart defaults or declared values
CRD schemasSchema drift between expected and installed CRD versions
K8s version skewControl plane vs. kubelet version mismatches
GitOps syncResources deployed manually that should be managed by Argo/Flux
Add-on presenceExpected cluster add-ons missing or misconfigured

Running a scan

Section titled “Running a scan”

Scans can be triggered:

  • On-demand - Click “Run Scan” from the Drift page
  • Scheduled - Create drift policies with cron schedules
  • Cross-cluster - Scan multiple clusters in parallel (bounded concurrency)

Results stream over SSE (Server-Sent Events) so you see findings as they arrive.

Drift policies

Section titled “Drift policies”

Policies define what to scan and when:

  • Schedule - Cron expression for automated scanning
  • Scope - Namespace filters, resource type filters
  • Severity thresholds - Minimum severity to report
  • Alerting - Route findings to log, webhook, or Slack

Historical comparison

Section titled “Historical comparison”

Scan results are stored in BoltDB for historical comparison. You can:

  • Compare scan results over time to track drift trends
  • View what changed between consecutive scans
  • Export results for compliance reporting

Alerts

Section titled “Alerts”

Wire up alerts for drift findings via:

  • Log - Structured JSON log entries
  • Webhook - HTTP POST to your endpoint with finding details
  • Slack - Channel notifications with severity-colored messages and finding summary

Webhook payload

Section titled “Webhook payload”

Webhook alerts send a JSON payload with the scan ID, cluster name, finding severity, affected resource, drift category, and a human-readable description. The endpoint must respond with a 2xx status within 10 seconds.

Section titled “Related”
GitOps Integration Detect drift from GitOps-managed state
Multi-Cluster Fleet Cross-cluster drift scanning
Health Scanning Best-practices scanner for cluster hygiene