Skip to main content

Crawl a Kubernetes cluster and produce structured operational knowledge

Project description

kube2docs

Reverse-engineer a Kubernetes cluster: crawl every workload, discover what it does at runtime, build a dependency graph, and generate operational documentation.

Two-step pipeline:

  1. scan — crawls the cluster, execs into pods, builds a structured JSON knowledge base
  2. generate — turns that knowledge base into Markdown docs (uses an LLM)

Optimized for non-production clusters where you need to document what's running but can't rely on live traffic to map dependencies.

Install

# From PyPI (coming soon)
pip install kube2docs

# From source
uv venv && uv pip install -e ".[dev]"

Quickstart

# Scan the cluster
kube2docs scan --kubeconfig ~/.kube/config --output ./kb/

# Generate docs
export OPENROUTER_API_KEY=...
kube2docs generate --input ./kb/ --output ./docs/ \
  --model openrouter/anthropic/claude-haiku-4-5 --recommendations

How scanning works

Scanning always starts with a read-only inventory via the Kubernetes API: every Deployment, StatefulSet, Service, ConfigMap, etc. is catalogued. Then for each workload, kube2docs picks one running pod and execs into it to discover runtime state — what processes are running, which ports are open, what config files exist, where outbound connections go.

You pick how that runtime discovery happens:

Mode Flag Cost Best for
Inventory only --depth survey Free Quick listing — no pod exec
Deterministic (default) Free Regulated envs, CI drift detection, nightly rescans
Agentic --agentic ~$0.003/workload Distroless containers, dependency discovery, initial exploration

Deterministic runs a fixed set of commands (ps, ss, cat known config paths) in every container and parses output with regex. Reproducible, data stays local.

Agentic hands the inventory data to an LLM, which iteratively chooses commands to exec based on what it learns from each step. Works on distroless containers (by reading image metadata when there's no shell), and discovers ~5x more dependencies in testing because it actually reads and understands config files. Non-deterministic; sends exec output (with secrets redacted) to the LLM provider.

# Preview what would be scanned and estimated cost
kube2docs scan --output ./kb/ --agentic \
  --model openrouter/moonshotai/kimi-k2.5 --dry-run

# Run the agentic scan
kube2docs scan --output ./kb/ --agentic \
  --model openrouter/moonshotai/kimi-k2.5 --api-key $OPENROUTER_API_KEY

Output

The scan command writes to --output:

kb/
├── cluster-overview.json      # Cluster summary + dependency list
├── dependency-graph.json      # Edges between workloads (internal + external)
├── topology.mmd               # Mermaid diagram, auto-embedded in generated docs
├── services.json              # All K8s Services
├── nodes.json                 # Node info
├── events.json                # Recent cluster events (last 24h)
├── kube2docs-status.json       # Scan progress
└── <namespace>/
    ├── <workload>.profile.json     # Structured workload record
    └── <workload>.raw/             # Raw exec outputs, config files
        └── agentic/                # LLM conversation artifacts (if --agentic)

The JSON is the source of truth. Designed to be consumed by AI agents, RAG pipelines, or read directly.

What agentic scan won't do

Agentic mode runs LLM-chosen commands inside your pods. The safety filter blocks:

  • Writes (rm, chmod, chown, mv, sed -i, > /path)
  • Process control (kill, systemctl stop, shutdown)
  • Outbound network to non-localhost (prevents data exfiltration)
  • Cluster API access (kubectl, helm, service account token reads)
  • Package installation (apt/yum/apk/pip/npm install)

Reads are broad: cat, find, grep, ps, ss, strings, etc. — the LLM has whatever filesystem access the pod's user already has. Secret patterns (JWTs, AWS keys, PEM private keys, URI credentials) are detected and hashed before leaving the local process.

Important: agentic scan sends exec output to the LLM provider you configured. Use --agentic only on clusters where that's acceptable.

Incremental scanning

Re-running scan on the same --output directory skips unchanged workloads by comparing image digests and config versions. Use --force-rescan to override.

Documentation

See CLAUDE.md for architecture details.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

kube2docs-0.1.1.tar.gz (52.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

kube2docs-0.1.1-py3-none-any.whl (52.6 kB view details)

Uploaded Python 3

File details

Details for the file kube2docs-0.1.1.tar.gz.

File metadata

  • Download URL: kube2docs-0.1.1.tar.gz
  • Upload date:
  • Size: 52.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kube2docs-0.1.1.tar.gz
Algorithm Hash digest
SHA256 154bcc00e1ef5001acc15af1eba11b0299b52bc0d341c1b6b4b743ef761eff22
MD5 3288b0dc9fe69d3807260b244e13421d
BLAKE2b-256 8bc06594b4ee15b0946d37270a7fbfc8d5e3e054fff91870f85fb2d813c69977

See more details on using hashes here.

Provenance

The following attestation bundles were made for kube2docs-0.1.1.tar.gz:

Publisher: publish.yml on matt-szymczyk/kube2docs

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file kube2docs-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: kube2docs-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 52.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for kube2docs-0.1.1-py3-none-any.whl
Algorithm Hash digest
SHA256 e4710f3a2d09b915cf27b14c70cf450bdc053aad15c0e433ad172a2bd8c867bc
MD5 d582b84ad78fbfbf4bd5fd8c6b646f5b
BLAKE2b-256 2b7bd3a1416b8d6d43088fc88a1b4e5faec61c52e9b5f6818e99e07d6ba9839b

See more details on using hashes here.

Provenance

The following attestation bundles were made for kube2docs-0.1.1-py3-none-any.whl:

Publisher: publish.yml on matt-szymczyk/kube2docs

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page