Releases: ppiankov/kubenow
v0.5.0
v0.4.1
Fixed
- Check error return from JSON encoder in `version --json` output
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.4.1/kubenow_0.4.1_darwin_arm64.tar.gz
tar -xzf kubenow_0.4.1_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.4.1/kubenow_0.4.1_darwin_amd64.tar.gz
tar -xzf kubenow_0.4.1_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.4.1/kubenow_0.4.1_linux_amd64.tar.gz
tar -xzf kubenow_0.4.1_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.4.0
Added
- Post-apply recommendation tracking (`pro-monitor track`): validates whether past recommendations were accurate by comparing post-apply Prometheus metrics against new resource requests. Classifies outcomes as SAFE, TIGHT, WRONG, or PENDING. Supports `--format json` for CI integration
- Cost impact estimation for requests-skew analysis: new `--cost-cpu`, `--cost-memory`, and `--instance-type` flags attach dollar estimates to resource waste. Includes per-workload, per-namespace, and cluster-wide cost summaries with built-in pricing for AWS, GCP, and Azure instance types
- Kustomize export format (`--format kustomize`): generates `kustomization.yaml` + strategic merge patch files for GitOps workflows
- Helm export format (`--format helm`): generates `values.yaml` fragment with resource overrides
- JSON version output (`version --json`): machine-readable build info for CI pipelines
- Commit hash and build timestamp in version output, matching project-wide convention
Fixed
- Wire ldflags version injection to CLI — version was hardcoded as a const and never read from build-time injection, causing brew-installed binaries to report stale version strings
- Reduce cyclomatic complexity across 10 functions and eliminate code duplication across 4 sites
- Resolve 433 lint warnings (errcheck, gocritic, revive, gocyclo, dupl) down to 1 pre-existing excluded warning
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.4.0/kubenow_0.4.0_darwin_arm64.tar.gz
tar -xzf kubenow_0.4.0_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.4.0/kubenow_0.4.0_darwin_amd64.tar.gz
tar -xzf kubenow_0.4.0_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.4.0/kubenow_0.4.0_linux_amd64.tar.gz
tar -xzf kubenow_0.4.0_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.3.3
Security
- Fix PromQL injection across 38+ interpolation sites in 4 files — new `escapeLabel()` and `escapeRegex()` functions replace unsafe `quote()` helper
- Pin all third-party GitHub Actions to SHA (Trivy, Codecov, golangci-lint, action-gh-release)
- Add Prometheus URL validation — reject `file://` scheme and link-local (169.254.x.x) SSRF targets
- Remove global mutable `SilentMode` — replaced with config struct fields on both analyzers
- Add context timeouts for all Prometheus API calls
- Add regex DoS protection — cap namespace regex patterns at 256 characters
- Validate policy file paths with `filepath.Clean` to prevent traversal
- Tighten file permissions from 0644 to 0600 on audit bundles, latch data, rate-limit state, and export files
- Add `-trimpath` to all build targets to prevent filesystem path leaks in binaries
- Scope release workflow permissions to job level (`contents: write` only on release job)
- Fix LDFLAGS to use `VERSION_NUM` (no `v` prefix) per project convention
- Add `go mod verify` to release workflow for supply chain integrity
- Add GPG signing step for release checksums (activates when `GPG_PRIVATE_KEY` secret is configured)
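The PromQL injection fix and the 256-character regex cap listed above can be illustrated with a short Go sketch; this is an added example, not kubenow's code, and the helper names (`EqualMatcher`, `PrefixMatcher`, `UserRegexMatcher`) and the sample input are hypothetical rather than the project's `escapeLabel()`/`escapeRegex()`. It shows why a regex matcher needs two layers of escaping: regex-quote first, then string-escape.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// maxPatternLen mirrors the 256-character cap named in the release note.
const maxPatternLen = 256

// promString escapes text for a double-quoted PromQL string literal.
var promString = strings.NewReplacer(`\`, `\\`, `"`, `\"`, "\n", `\n`)

// EqualMatcher (hypothetical helper) renders label="value" with value escaped.
func EqualMatcher(label, value string) string {
	return fmt.Sprintf(`%s="%s"`, label, promString.Replace(value))
}

// PrefixMatcher (hypothetical helper) renders label=~"literal.*". The literal is
// regex-quoted first, then string-escaped, because PromQL unescapes the string
// before compiling it as an RE2 pattern.
func PrefixMatcher(label, literal string) string {
	return fmt.Sprintf(`%s=~"%s.*"`, label, promString.Replace(regexp.QuoteMeta(literal)))
}

// UserRegexMatcher (hypothetical helper) accepts an operator-supplied pattern,
// enforcing the length cap and a compile check before interpolation.
func UserRegexMatcher(label, pattern string) (string, error) {
	if len(pattern) > maxPatternLen {
		return "", errors.New("regex pattern exceeds 256 characters")
	}
	if _, err := regexp.Compile(pattern); err != nil {
		return "", fmt.Errorf("invalid regex: %w", err)
	}
	return fmt.Sprintf(`%s=~"%s"`, label, promString.Replace(pattern)), nil
}

func main() {
	ns := `prod"} or up{job="x` // constructed input containing a quote
	fmt.Printf("naive:   kube_pod_info{namespace=\"%s\"}\n", ns)
	fmt.Printf("escaped: kube_pod_info{%s}\n", EqualMatcher("namespace", ns))
	fmt.Printf("prefix:  kube_pod_info{%s}\n", PrefixMatcher("pod", "api.v1-"))
	_, err := UserRegexMatcher("namespace", strings.Repeat("a", 300))
	fmt.Println("oversized pattern:", err)
}
```

The naive line closes the string literal early and changes the query's structure; the escaped line keeps the whole input inside one label value.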
Fixed
- Handle ignored `FinalizeBundle` error in apply flow — now logs warning to stderr
- Handle ignored `io.ReadAll` error in LLM client — truncate response body in error messages
- Propagate `yaml.Marshal` error in export patch format instead of silently returning empty string
- Return errors from `deepCopyMap` instead of silently returning nil on marshal/unmarshal failure
- Log best-effort audit rate-limit recording failures instead of discarding with `_ =`
- Bounds-check `ParseDuration` — reject negative values and cap at 365 days
- Cap latch sample buffer at 17,280 entries (24h at 5s intervals) to bound memory usage
- Validate API key minimum length before use in LLM client
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.3/kubenow_0.3.3_darwin_arm64.tar.gz
tar -xzf kubenow_0.3.3_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.3/kubenow_0.3.3_darwin_amd64.tar.gz
tar -xzf kubenow_0.3.3_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.3/kubenow_0.3.3_linux_amd64.tar.gz
tar -xzf kubenow_0.3.3_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.3.2
Fixed
- Empty requests-skew analysis table ("Analyzed: 0 of N workloads") caused by three root issues:
  - Hardcoded 1-minute query step overloaded Prometheus on 30d windows (43,200 points); now uses adaptive step targeting ~1,000 points
  - `unit="core"`/`unit="byte"` labels in PromQL queries incompatible with kube-state-metrics v2+; removed
  - Request queries used wrong pod pattern (hardcoded `-.*`) and `by (pod)` aggregation; replaced with workload-type-aware queries (`WorkloadCPURequests`, `WorkloadMemoryRequests`) using `workloadPodPattern()` helper
- Silent error swallowing in Prometheus queries now logs warnings to stderr
Added
- Resource limits vs actual usage analysis in requests-skew analyzer
  - New `WorkloadCPULimits`/`WorkloadMemoryLimits` PromQL query methods
  - `LimitCPU`, `LimitMemoryGi`, `LimitSkewCPU`, `LimitSkewMemory` fields on workload analysis
  - "Lim CPU" and "Lim Skew" columns in table output
  - Recommendations flag over-provisioned limits (limit > 3x P95 usage)
  - Summary tracks total wasted limit capacity
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.2/kubenow_0.3.2_darwin_arm64.tar.gz
tar -xzf kubenow_0.3.2_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.2/kubenow_0.3.2_darwin_amd64.tar.gz
tar -xzf kubenow_0.3.2_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.2/kubenow_0.3.2_linux_amd64.tar.gz
tar -xzf kubenow_0.3.2_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.3.1
Fixed
- README version badge updated from 0.2.5 to 0.3.0
- Hardcoded "0.2.0" version strings in apply bundle and policy validation
- Documentation references to "v2.0" corrected to match actual versioning
- Pro-monitor v0.3.0 spec status changed from DRAFT to SHIPPED
- Node footprint TODO clarified: requests are the correct default, Prometheus percentile is optional overlay
Changed
- Stale root-level working docs archived to `docs/archive/`
- `SPIKE-ANALYSIS.md` moved to `docs/spike-analysis.md`
- Migration guide version references corrected (v1.x/v2.0 → v0.1.x/v0.2+)
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.1/kubenow_0.3.1_darwin_arm64.tar.gz
tar -xzf kubenow_0.3.1_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.1/kubenow_0.3.1_darwin_amd64.tar.gz
tar -xzf kubenow_0.3.1_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.1/kubenow_0.3.1_linux_amd64.tar.gz
tar -xzf kubenow_0.3.1_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.3.0
Added
- CRD workload discovery in requests-skew analyzer
  - Pods managed by CNPG, Strimzi, RabbitMQ, Redis, and Elasticsearch operators now appear in analysis reports
  - Uses `ResolveWorkloadIdentity()` to detect operator type from pod labels and `managed-by` annotations
  - Groups CRD-managed pods by workload name with oldest creation timestamp
  - Only includes pods with recognized operator labels (no false positives from unknown controllers)
  - Deduplicates against already-discovered Deployments/StatefulSets/DaemonSets
  - Works in both metrics and no-metrics code paths (`analyzeNamespace` and `listNamespaceWorkloads`)
Fixed
- Node footprint stability check used hardcoded "Deployment" for all PromQL queries regardless of actual owner kind
- Now resolves workload type from ownerReferences: ReplicaSet→Deployment, StatefulSet, DaemonSet, CRD→StatefulSet
Changed
- Analyzer `kubeClient` fields widened from `*kubernetes.Clientset` to `kubernetes.Interface` for testability
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.0/kubenow_0.3.0_darwin_arm64.tar.gz
tar -xzf kubenow_0.3.0_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.0/kubenow_0.3.0_darwin_amd64.tar.gz
tar -xzf kubenow_0.3.0_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.3.0/kubenow_0.3.0_linux_amd64.tar.gz
tar -xzf kubenow_0.3.0_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.2.7
Added
- Service mesh control plane detection in monitor mode
  - Linkerd: detects deployments with zero replicas in `linkerd` namespace (FATAL)
  - Istio: detects istiod and other deployments with zero replicas in `istio-system` namespace (FATAL)
  - Runs regardless of `--namespace` filter (mesh failures affect all namespaces)
- Service mesh certificate expiry detection
  - Linkerd identity issuer cert: tiered alerts (<7d WARNING, <48h CRITICAL, <24h FATAL)
  - Istio CA cert: tiered alerts (<7d WARNING, <48h CRITICAL, <24h FATAL)
  - Direct X.509 parsing from K8s Secrets (no Prometheus dependency)
Changed
- CLAUDE.md synced with global project standards (Philosophy, Code Style, Git Safety, etc.)
- CONTRIBUTING.md Go version corrected to 1.25+, commit format aligned with conventional commits
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.7/kubenow_0.2.7_darwin_arm64.tar.gz
tar -xzf kubenow_0.2.7_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.7/kubenow_0.2.7_darwin_amd64.tar.gz
tar -xzf kubenow_0.2.7_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.7/kubenow_0.2.7_linux_amd64.tar.gz
tar -xzf kubenow_0.2.7_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.2.6
Added
Dedicated Linkerd Traffic Map (t key)
- New `t` key screen in pro-monitor TUI showing bidirectional Linkerd traffic data
- Inbound sources: who sends traffic to this workload (RPS, success rate, p50/p99 latency)
- Outbound destinations: where this workload sends traffic (RPS, success rate)
- TCP connection summary (inbound/outbound counts over 1h window)
- Color-coded success rates: green (>99%), yellow (95-99%), red (<95%)
- Only shown when `--prometheus-url` is configured; `l` screen stays purely structural
Pro-Monitor Collect and Analyze Subcommands
- `pro-monitor collect`: headless latch data collection for CI/CD pipelines
- `pro-monitor analyze`: load persisted latch data and launch TUI without re-latching
- Latch data persisted to `~/.kubenow/latch/` with validation (gap detection, staleness checks)
Early-Stop Brake for Latch Mode
- Double-press Esc to stop latching early and proceed with collected data
- First Esc shows confirmation prompt, second Esc confirms early stop
- TUI shows actual vs planned duration when early-stopped
Cluster Context Flag
- New `--context` global flag for explicit Kubernetes context targeting
- Works across all commands (monitor, pro-monitor, analyze)
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.6/kubenow_0.2.6_darwin_arm64.tar.gz
tar -xzf kubenow_0.2.6_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.6/kubenow_0.2.6_darwin_amd64.tar.gz
tar -xzf kubenow_0.2.6_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.6/kubenow_0.2.6_linux_amd64.tar.gz
tar -xzf kubenow_0.2.6_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
Verify checksums: sha256sum -c checksums.txt
v0.2.5
Fixed
- Apply pre-flight check always denied with "audit path not writable", "identity not recorded", "rate limit exceeded"
- SSA conflict with non-GitOps field managers (e.g. "Go-http-client") now force-retries instead of blocking
Added
- `kubenow.dev/last-apply` annotation on Deployment after apply — shows timestamp, safety rating, and resource changes in `kubectl describe`
Install
# macOS (Apple Silicon)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.5/kubenow_0.2.5_darwin_arm64.tar.gz
tar -xzf kubenow_0.2.5_darwin_arm64.tar.gz
sudo mv kubenow /usr/local/bin/
# macOS (Intel)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.5/kubenow_0.2.5_darwin_amd64.tar.gz
tar -xzf kubenow_0.2.5_darwin_amd64.tar.gz
sudo mv kubenow /usr/local/bin/
# Linux (amd64)
curl -LO https://github.com/ppiankov/kubenow/releases/download/v0.2.5/kubenow_0.2.5_linux_amd64.tar.gz
tar -xzf kubenow_0.2.5_linux_amd64.tar.gz
sudo mv kubenow /usr/local/bin/