A read-only Kubernetes natural-language CLI agent using LangGraph
Project description
k8agent — Kubernetes Natural-Language Agent (MVP)
k8agent is a read-only, session-safe CLI tool designed to help you interactively diagnose and query your Kubernetes clusters in natural language. It uses a LangGraph ReAct agent and LangChain to interface with Kubernetes clusters.
Features
- Secure Session-Only Credentials: LLM keys and configurations are held strictly in memory.
- Strict Read-Only Access: Never modifies cluster state (no delete, apply, patch, scale, etc.).
- Namespace Allowed List: Restricts the LLM agent to a user-approved set of namespaces.
- Evidence-Gathering Agent: Calls tools in sequence (e.g. list pods -> check logs) before coming to a conclusion.
1. Quick Start
Prerequisites
- Python 3.11+
- A working Kubernetes context configured in
~/.kube/config
Installation
Clone the repository and install the dependencies:
# Initialize a virtual environment
python -m venv .venv
.\.venv\Scripts\activate
# Install the package in editable mode
pip install -e .[dev]
Starting the REPL
k8agent
# Or alternatively
python -m k8agent.cli
2. Configuring RBAC (Recommended Security Boundary)
To restrict the agent to read-only actions and specific namespaces, apply the provided template.
-
Customize the template: Open
k8s/rbac-template.yamland replace{{NAMESPACE}}with the namespace you wish to grant access to (e.g.default). -
Apply the template:
kubectl apply -f k8s/rbac-template.yaml
-
Generate Kubeconfig for the ServiceAccount: Use the following commands to create a temporary token and generate a dedicated kubeconfig context pointing to this ServiceAccount:
# Create a token for the ServiceAccount kubectl create token k8agent-sa --namespace=<YOUR_NAMESPACE>
You can then configure this token in a separate kubeconfig file to guarantee the cluster-side RBAC boundary.
3. Tool Reference
The agent has access to the following explicit list of tools:
list_allowed_namespaces: Get the namespace scope of the current session.list_pods: Get names, status, and restart counts.describe_pod: Get detailed container statuses and conditions.get_pod_logs: Retrieve container logs (supportstail_linesandprevious).list_deployments: View desired vs ready replicas.describe_deployment: View rolling status and conditions.list_services: View type, cluster IP, and ports.list_events: View recent events sorted by last-seen.list_configmaps: View names and keys only.get_node_status: View node names and cluster resource conditions (cluster-scoped).
4. Running Tests
To run unit tests against a mocked Kubernetes API:
pytest tests/
5. Publishing to PyPI
To build and upload the package to PyPI so it can be installed globally via pip:
-
Install build tools:
pip install build twine
-
Build the source and binary wheels:
python -m build
This generates
.tar.gzand.whlfiles in thedist/directory. -
Upload to PyPI:
python -m twine upload dist/*
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file k8agent-0.1.0.tar.gz.
File metadata
- Download URL: k8agent-0.1.0.tar.gz
- Upload date:
- Size: 14.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
2450cea2072da3b73c888f6c0974c94cd9cb22e49066745557b2b74ebe2b87fe
|
|
| MD5 |
0507f9e9d46bfc2efd686a4a2802fabd
|
|
| BLAKE2b-256 |
ad100218b572a7e8988c064fa2b5e8d9a97577e5e9218d93eee2ec911ea8c010
|
File details
Details for the file k8agent-0.1.0-py3-none-any.whl.
File metadata
- Download URL: k8agent-0.1.0-py3-none-any.whl
- Upload date:
- Size: 12.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5cb2c8aa3fd899ba94e8d91a9d6b8b6a1c6c161ad371ea7fcec6c62a2951ab4e
|
|
| MD5 |
3d0784d1bb09c8509faff826346cabfa
|
|
| BLAKE2b-256 |
facb7f51ff5d8cb811993907483e8aafbac558014b8539419fc43200bb93268c
|