Kubernetes Agent
What It Is
The OpsWorker Kubernetes Agent is a lightweight component that runs inside your Kubernetes cluster. It acts as OpsWorker's data collection layer — executing read-only commands to gather the information AI agents need during investigations and chat sessions.
The agent is:
- A single pod deployed via Helm chart
- Read-only — it observes resources but never modifies your cluster
- Outbound-only — it initiates all communication; no inbound ports are required
- Lightweight — minimal resource footprint (~128MB RAM, ~100m CPU)
Role in the System
The Kubernetes Agent is the bridge between OpsWorker's AI and your cluster:
```mermaid
sequenceDiagram
    participant OW as OpsWorker AI
    participant SQS as AWS SQS
    participant Agent as K8s Agent
    participant K8s as Kubernetes API
    OW->>SQS: "Get logs for pod X"
    Agent->>SQS: Poll for commands
    Agent->>K8s: kubectl logs pod-x
    K8s-->>Agent: Log output
    Agent->>SQS: Return results
    SQS-->>OW: Deliver data
```
During an investigation, OpsWorker's AI agents decide what data they need (e.g., pod logs, events, service endpoints), and the Kubernetes Agent executes those queries against your cluster's API.
What the Agent Can Access
The agent performs read operations only:
| Operation | Examples |
|---|---|
| Get/List resources | Pods, Deployments, Services, Ingresses, ConfigMaps, Nodes, Events |
| Describe resources | Detailed resource specifications and status |
| Read logs | Container logs from pods |
| Check endpoints | Service endpoint health |
The agent cannot create, update, delete, or patch any resources.
Security Model
- No credentials stored in the cloud — The agent authenticates with a cluster token; OpsWorker has no direct access to your cluster
- Outbound-only communication — Via AWS SQS over TLS (port 443)
- Configurable RBAC — Permissions can be scoped to specific namespaces
- Secret values are not read — Only secret metadata (names, labels) is accessed
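One way to verify the read-only and secret-handling claims against the RBAC actually granted in your cluster, as an added example (not OpsWorker's own code). The role name and rules below are constructed and hypothetical, shaped like the output of `kubectl get clusterrole <name> -o json`. Kubernetes RBAC authorizes per resource and verb, not per field, so any `get`, `list` or `watch` grant on `secrets` also permits reading values; the check flags those grants for review.

```python
import json

READ_VERBS = {"get", "list", "watch"}

# Constructed sample, shaped like `kubectl get clusterrole <name> -o json`.
# The role name and rules are hypothetical, not taken from the OpsWorker chart.
SAMPLE_ROLE = json.loads("""
{
  "kind": "ClusterRole",
  "metadata": {"name": "example-agent-readonly"},
  "rules": [
    {"apiGroups": [""], "resources": ["pods", "pods/log", "services", "events"],
     "verbs": ["get", "list"]},
    {"apiGroups": ["apps"], "resources": ["deployments"],
     "verbs": ["get", "list", "patch"]},
    {"apiGroups": [""], "resources": ["secrets"], "verbs": ["list"]},
    {"apiGroups": ["*"], "resources": ["*"], "verbs": ["get"]}
  ]
}
""")


def audit_role(role):
    """Return (rule_index, finding) pairs for rules that exceed read-only scope."""
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        verbs = set(rule.get("verbs", []))
        resources = set(rule.get("resources", []))
        groups = set(rule.get("apiGroups", []))
        # Anything outside get/list/watch (including the "*" wildcard) can mutate.
        write_verbs = sorted(verbs - READ_VERBS)
        if write_verbs:
            findings.append((i, "non-read verbs: " + ",".join(write_verbs)))
        # RBAC has no field-level control: read verbs on secrets return the data too.
        in_core_group = "" in groups or "*" in groups
        if in_core_group and verbs and resources & {"secrets", "*"}:
            findings.append((i, "grants access to Secret values"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_role(SAMPLE_ROLE):
        print(f"rule {idx}: {msg}")
```

Run it against the JSON of the Role or ClusterRole bound to the agent's service account, and repeat for each namespace-scoped Role if permissions are scoped per namespace.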
Next Steps
- Agent Installation — Install the agent in your cluster
- Agent Configuration — Customize agent settings
- Agent RBAC — Configure permissions
- Agent Scope — Understand the read-only access model