Kubernetes Configuration Drift Detector
"You call that drifting?"
Dorikin compares your desired Kubernetes manifests against actual cluster state, detecting configuration drift in real-time. It provides both a CLI for scripting and CI/CD integration, and an interactive TUI for exploration and debugging.
How Drift Detection Works — Deep dive into the comparison algorithm, field filtering, limitations, and best practices.
Drift Types Detected:
| Status | Description |
|---|---|
| `IN_SYNC` | Resource matches manifest |
| `DRIFTED` | Resource exists but fields differ from manifest |
| `MISSING` | Resource defined in manifest but absent from cluster |
| `EXTRA` | Resource exists in cluster but not in manifests |
| `ERROR` | Resource couldn't be fetched or compared |

- Real-time drift detection — Compare YAML manifests against live cluster state
- Interactive TUI — Navigate resources, view detailed diffs, filter by status
- Auto-refresh — Continuously monitor for drift with configurable intervals
- Smart field filtering — Ignores Kubernetes-managed fields (status, metadata.uid, etc.)
- HPA-aware — Automatically skips replica comparison for HPA-managed resources
- Quantity normalization — Treats equivalent values as equal (`128Mi` = `134217728`, `500m` = `0.5`)
- Content-based matching — Matches arrays by key field (containers by name, not index)
- Helm support — Scan Helm charts directly with values and set overrides
- Kustomize support — Scan Kustomize overlays directly
- Multi-format output — Table, JSON, YAML, or quiet mode for CI/CD
- Recursive scanning — Process entire manifest directories
- Context-aware — Works with any kubeconfig context
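
The quantity normalization and content-based matching listed above can be sketched as follows. This is an added Go example, not Dorikin's own code: `canonical`, `Container` and `Diff` are hypothetical names, the suffix table is a subset of the Kubernetes quantity suffixes, and the sample data is constructed.

```go
package main

import (
	"fmt"
	"math/big"
	"strings"
)

// Subset of Kubernetes quantity suffixes with exact multipliers ("" is a plain number).
var suffixes = map[string]*big.Rat{"": big.NewRat(1, 1), "m": big.NewRat(1, 1000),
	"Ki": big.NewRat(1<<10, 1), "Mi": big.NewRat(1<<20, 1), "Gi": big.NewRat(1<<30, 1)}

// canonical rewrites a quantity such as "128Mi" or "500m" as an exact fraction string;
// anything that does not parse is returned unchanged and is therefore compared literally.
func canonical(q string) string {
	i := strings.LastIndexAny(q, "0123456789") + 1 // split the number from its suffix
	v, ok := new(big.Rat).SetString(q[:i])
	if mult := suffixes[q[i:]]; ok && mult != nil {
		return v.Mul(v, mult).RatString()
	}
	return q
}

type Container struct{ Name, CPU, Memory string }

// Diff pairs containers by name, not list index, and returns the drifted field paths.
func Diff(want, live []Container) (out []string) {
	byName := map[string]Container{}
	for _, c := range live {
		byName[c.Name] = c
	}
	for _, w := range want {
		l := byName[w.Name] // zero value when absent, so every set field reports drift
		for _, f := range [][3]string{{"cpu", w.CPU, l.CPU}, {"memory", w.Memory, l.Memory}} {
			if canonical(f[1]) != canonical(f[2]) {
				out = append(out, w.Name+"."+f[0])
			}
		}
	}
	return out
}

func main() {
	// Constructed sample: the live order differs and the app CPU limit was raised.
	want := []Container{{"app", "500m", "128Mi"}, {"proxy", "0.5", "1Gi"}}
	live := []Container{{"proxy", "500m", "1073741824"}, {"app", "1", "134217728"}}
	fmt.Println(Diff(want, live))
}
```

Apply the canonical form only to resource quantity fields; values such as image tags must stay literal comparisons, since `1.25` and `1.250` are different tags but equal numbers.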
Download the latest binary for your platform from Releases.
```bash
# Example for macOS ARM64
curl -LO https://github.com/indrasvat/dorikin/releases/latest/download/dorikin_darwin_arm64.tar.gz
tar -xzf dorikin_darwin_arm64.tar.gz
chmod +x dorikin
sudo mv dorikin /usr/local/bin/
```

macOS users: You may need to remove the quarantine attribute:

```bash
xattr -d com.apple.quarantine /usr/local/bin/dorikin
```

```bash
git clone https://github.com/indrasvat/dorikin.git
cd dorikin
make build
```

Binary will be available at `./bin/dorikin`.

- Access to a Kubernetes cluster (via kubeconfig)
- Go 1.25+ (if building from source)
```bash
# Scan a directory of manifests
dorikin scan ./manifests/
# Scan specific files
dorikin scan -f deployment.yaml -f service.yaml
# Scan with a specific context
dorikin scan -c production ./manifests/
# Filter by namespace
dorikin scan -n my-namespace ./manifests/
# Output as JSON (for CI/CD)
dorikin scan -o json ./manifests/
# Quiet mode (exit code only)
dorikin scan -o quiet ./manifests/
```

```bash
# Scan a Helm chart
dorikin scan --helm ./charts/myapp/
# With custom release name and namespace
dorikin scan --helm ./charts/myapp/ --helm-release production -n prod
# With values files and --set overrides
dorikin scan --helm ./charts/myapp/ --helm-values values-prod.yaml --helm-set image.tag=v1.2.3
```

```bash
# Scan a Kustomize overlay
dorikin scan --kustomize ./k8s/overlays/production/
# With namespace filter
dorikin scan --kustomize ./k8s/overlays/production/ -n my-namespace
```

```bash
# Launch TUI
dorikin ui ./manifests/
# With custom refresh interval (seconds)
dorikin ui --refresh-interval 10 ./manifests/
# With specific context
dorikin ui -c staging ./manifests/
```

| Code | Meaning |
|---|---|
| 0 | All resources in sync |
| 1 | Drift detected |
| 2 | Error during scan |

| Flag | Short | Description |
|---|---|---|
| `--kubeconfig` | `-k` | Path to kubeconfig file |
| `--context` | `-c` | Kubernetes context to use |
| `--debug` | | Enable debug logging to `~/.cache/dorikin/debug.log` |
| `--log-file` | | Write logs to specified file (implies `--debug`) |

```
dorikin scan [flags] [paths...]
```

| Flag | Short | Description |
|---|---|---|
| `--file` | `-f` | Manifest file or directory (repeatable) |
| `--namespace` | `-n` | Filter by namespace(s) (repeatable or comma-separated) |
| `--kind` | | Include only these resource kinds (repeatable) |
| `--exclude-kind` | | Exclude these resource kinds (repeatable) |
| `--include-extra` | | Detect cluster resources not in manifests |
| `--output` | `-o` | Output format: `table`, `json`, `yaml`, `quiet` |
| `--recursive` | `-R` | Recursively scan directories (default: `true`) |
| `--ignore` | | Field paths to ignore during comparison |
| `--hpa-aware` | | HPA awareness: `manifests` (default), `cluster`, `disabled` |
| `--helm` | | Load manifests from Helm chart |
| `--helm-release` | | Helm release name (default: `release`) |
| `--helm-values` | | Helm values files (repeatable) |
| `--helm-set` | | Helm `--set` values (repeatable) |
| `--kustomize` | | Load manifests from Kustomize directory |

```
dorikin ui [flags] [paths...]
```

| Flag | Short | Description |
|---|---|---|
| `--file` | `-f` | Manifest file or directory (repeatable) |
| `--namespace` | `-n` | Filter by namespace(s) (repeatable or comma-separated) |
| `--kind` | | Include only these resource kinds (repeatable) |
| `--exclude-kind` | | Exclude these resource kinds (repeatable) |
| `--include-extra` | | Detect cluster resources not in manifests |
| `--recursive` | `-R` | Recursively scan directories (default: `true`) |
| `--refresh-interval` | | Auto-refresh interval in seconds (default: `5`) |
| `--ignore` | | Field paths to ignore during comparison |
| `--hpa-aware` | | HPA awareness: `manifests` (default), `cluster`, `disabled` |
| `--helm` | | Load manifests from Helm chart |
| `--helm-release` | | Helm release name (default: `release`) |
| `--helm-values` | | Helm values files (repeatable) |
| `--helm-set` | | Helm `--set` values (repeatable) |
| `--kustomize` | | Load manifests from Kustomize directory |

Dorikin supports a .dorikin.yaml configuration file in the current directory for default settings:
```yaml
# .dorikin.yaml
paths:
  - ./manifests/
  - ./k8s/
ignore:
  - .metadata.annotations.custom-annotation
hpaAware: manifests # manifests, cluster, or disabled
```

CLI flags override configuration file settings.

```bash
# Scan only Deployments and Services
dorikin scan --kind Deployment --kind Service ./manifests/
# Exclude Secrets and ConfigMaps
dorikin scan --exclude-kind Secret --exclude-kind ConfigMap ./manifests/
# Scan multiple namespaces
dorikin scan -n prod -n staging ./manifests/
dorikin scan -n prod,staging ./manifests/ # comma-separated
# Detect extra resources in cluster not defined in manifests
dorikin scan --include-extra ./manifests/
```

| Key | Action |
|---|---|
| `↑` / `k` | Navigate up |
| `↓` / `j` | Navigate down |
| `Enter` | View resource details |
| `f` | Cycle status filter |
| `o` | Toggle IN_SYNC visibility |
| `r` | Manual refresh |
| `a` | Toggle auto-refresh |
| `L` | Open logs view |
| `?` | Show help |
| `q` | Quit |

| Key | Action |
|---|---|
| `1`-`4` | Switch tabs (Diffs, Manifest, Cluster, Meta) |
| `Tab` | Cycle through tabs |
| `↑` / `k` | Scroll up through diffs |
| `↓` / `j` | Scroll down through diffs |
| `←` / `h` | Previous resource (lap) |
| `→` / `l` | Next resource (lap) |
| `Esc` | Return to list view |

| Key | Action |
|---|---|
| `↑` / `↓` | Scroll through logs |
| `f` | Cycle log level filter (all → info+ → warn+ → error) |
| `c` | Clear logs |
| `Esc` | Return to list view |

A local Kubernetes testing environment is included for development and demos. Requires Colima.
```bash
make track-setup   # Create test environment
make track-scan    # Run drift scan
make track-tui     # Launch interactive TUI
make track-drift   # Apply drift scenarios
make track-reset   # Reset to baseline
make track-cleanup # Tear down environment
```

Potential future enhancements:
- Webhook notifications — Alert on drift via Slack, PagerDuty, or custom webhooks
- Prometheus metrics — Expose drift metrics for monitoring dashboards
- Drift remediation — Apply manifests to sync cluster state
- Historical tracking — Track drift over time with trend analysis
- Multi-cluster scanning — Compare state across clusters
- Policy rules — Define acceptable drift thresholds per resource type
- Git integration — Compare cluster state against Git branches
Apache 2.0

