drop microk8s audit log · parse api events
flags addon enable · cert rotation · unexpected cluster-admin grants · timeline + actor rollup
heuristic screener · microk8s audit format varies by snap channel and version — not definitive proof
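
A sketch of one of the checks listed above, the cluster-admin grant screen with its timeline and actor rollup, written as an added example and not the tool's own code. It assumes JSON-lines `audit.k8s.io/v1` events logged at Request level or higher (so `requestObject` is present); the function names, allowlist parameter and sample events are constructed for illustration.

```python
import json
from collections import Counter

# Patch bodies usually omit roleRef, so subject additions via patch are not seen here.
WRITE_VERBS = {"create", "update"}

def make_event(ts, user, verb, name, role, code=201):
    """Build one constructed audit.k8s.io/v1 event line (sample data, not a real log)."""
    return json.dumps({
        "kind": "Event", "apiVersion": "audit.k8s.io/v1", "stage": "ResponseComplete",
        "requestReceivedTimestamp": ts, "verb": verb, "user": {"username": user},
        "objectRef": {"resource": "clusterrolebindings", "name": name,
                      "apiGroup": "rbac.authorization.k8s.io"},
        "responseStatus": {"code": code},
        "requestObject": {"roleRef": {"kind": "ClusterRole", "name": role},
                          "subjects": [{"kind": "User", "name": "dev-1"}]},
    })

SAMPLE_LOG = "\n".join([
    make_event("2024-05-01T10:02:00Z", "alice", "create", "tmp-admin", "cluster-admin"),
    "truncated line {not json",                      # damaged line: counted, not fatal
    make_event("2024-05-01T10:00:00Z", "ci-bot", "create", "viewer", "view"),
    make_event("2024-05-01T10:01:00Z", "alice", "create", "denied", "cluster-admin", 403),
    make_event("2024-05-01T09:59:00Z", "bob", "update", "ops-admin", "cluster-admin", 200),
])

def screen(log_text, expected_actors=frozenset()):
    """Return (timeline, per-actor counts, skipped lines) for successful grants."""
    hits, skipped = [], 0
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            if not isinstance(ev, dict):
                raise ValueError("not an event object")
        except ValueError:                           # JSONDecodeError is a ValueError
            skipped += 1
            continue
        ref = ev.get("objectRef") or {}
        role = ((ev.get("requestObject") or {}).get("roleRef") or {}).get("name")
        code = (ev.get("responseStatus") or {}).get("code") or 0
        actor = (ev.get("user") or {}).get("username", "unknown")
        if (ev.get("stage") == "ResponseComplete" and ev.get("verb") in WRITE_VERBS
                and ref.get("resource") == "clusterrolebindings"
                and role == "cluster-admin" and 200 <= code < 300
                and actor not in expected_actors):   # allowlisted actors are not "unexpected"
            hits.append((ev.get("requestReceivedTimestamp", ""), actor, ev["verb"], ref.get("name")))
    hits.sort()                                      # same-format ISO timestamps sort as text
    return hits, dict(Counter(h[1] for h in hits)), skipped
```

A non-zero skipped count, or zero hits on a log recorded at Metadata level, means the screen could not see the grant, not that none happened.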