Detect β Diagnose β Plan β Remediate β Verify. Fully autonomous. Every action runs inside a kernel-isolated Agent Sandbox β never with cluster-admin on your nodes.
Quickstart Β· What it does Β· Architecture Β· Safe Autonomy Β· Roadmap
Diagnosing a broken cluster is only half the job β someone still has to fix it, by hand, often at 3am. True autonomy means letting an agent close that loop: detect the problem, reason about the root cause, apply the fix, and confirm it worked.
The thing standing in the way is trust. You do not want an LLM holding cluster-admin, free-handing kubectl delete against prod.
KubeZilla makes autonomy safe. It runs the full SRE loop on its own, but every diagnostic command and every line of LLM-generated remediation executes inside a gVisor/Kata-isolated Agent Sandbox with a scoped, time-boxed ServiceAccount, a dry-run gate, a full audit trail, and automatic rollback. The blast radius is the sandbox β not your node.
Reason freely. Act minimally. The model sees everything; the executor can touch almost nothing.
- π Detects & diagnoses β read-only analyzers scan pods, deployments, events and more, then a pluggable LLM ranks the most likely root cause with a confidence score.
- π οΈ Remediates autonomously β turns the diagnosis into a typed remediation plan (not free-text shell), then applies it and verifies the result.
- π Acts inside a sandbox β every action runs kernel-isolated (gVisor/Kata) with ephemeral, least-privilege credentials that expire in minutes. KubeZilla's own identity is read-mostly and never touches your workloads directly.
- β©οΈ Rolls back automatically β every action ships its own undo; if the fix doesn't verify, KubeZilla reverts it and escalates. No rollback, no apply.
- ποΈ Stays in your control β dial autonomy from "diagnose only" to "fully autonomous," with policy guardrails and human approval gates.
- π§Ύ Leaves an audit trail β every decision (signals β hypothesis β plan β action β result) is recorded and replayable.
- π§ Works with your model β Claude (default), OpenAI, Gemini, or a local Ollama. Never locked in.
- βοΈ CLI and GitOps-native β a one-command CLI to start in 60 seconds, plus CRDs and an operator for declarative, in-cluster autonomy.
# Install
go install github.com/ajeetraina/kubezilla/cmd/kubezilla@latest
# Point at your cluster + pick a model (Claude by default)
export ANTHROPIC_API_KEY=sk-ant-...
export KUBEZILLA_MODEL=claude-opus-4-8
# 1. Scan β a read-only diagnosis of your cluster
kubezilla analyze
# 2. Let it propose a fix β dry-run, nothing touches the cluster yet
kubezilla diagnose --namespace payments
# 3. Full autonomous loop, sandboxed, with an approval gate before apply
kubezilla agent run --namespace payments --autonomy assistedExample:
π¦ KubeZilla β scanning namespace "payments"
β CrashLoopBackOff payments/checkout-7f9c (restarts: 142)
ββ root cause: liveness probe hits :8080/health, container listens on :3000
ββ confidence: 0.93
Proposed remediation (sandboxed, dry-run):
patch deployment/checkout .spec...livenessProbe.httpGet.port 8080 β 3000
Sandbox: gvisor Β· sa/kubezilla-checkout-remediator (TTL 5m, verbs: get,patch on deployments/checkout)
Verify: rollout healthy AND 0 restarts in 120s, else auto-rollback
Approve? [y/N]
Don't have a cluster?
kubezilla demospins up a broken workload inkindso you can watch KubeZilla fix it end-to-end.
ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β KubeZilla Agent β
β observe β reason (LLM) β plan β POLICY GATE β act β verify β
βββββββββ¬ββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββ
β read-only β every action
βΌ βΌ
βββββββββββββββββ ββββββββββββββββββββββββββββ
β Analyzers β β Agent Sandbox (SIG) β
β (k8s, events, β β gVisor / Kata isolation β
β metrics) β β scoped SA Β· TTL Β· audit β
βββββββββββββββββ ββββββββββββββββββββββββββββ
- Observe β analyzers scan resources, events, and metrics (read-only).
- Reason β a pluggable LLM correlates signals into a ranked root-cause hypothesis.
- Plan β KubeZilla emits a structured, typed
RemediationPlan(not free-text shell). - Policy gate β OPA/Rego + autonomy level decide: auto-apply, require approval, or refuse.
- Act β the plan executes inside an Agent Sandbox with a minimal, time-boxed ServiceAccount.
- Verify β success criteria are checked; on failure KubeZilla auto-rolls-back and escalates.
Full design: docs/architecture.md Β· safety model: docs/safe-autonomy.md.
KubeZilla never makes you choose between "useless" and "terrifying." Dial it in:
| Level | Behavior | Use it for |
|---|---|---|
observe |
Diagnose only β never mutates | First day on a new cluster |
assisted |
Propose + apply on approval (default) | Prod, with a human in the loop |
auto-safe |
Auto-apply allow-listed low-risk fixes | Restarts, probe fixes, HPA nudges |
autonomous |
Full loop within policy budget | Dev/staging, blue-green, on-call relief |
helm repo add kubezilla https://ajeetraina.github.io/kubezilla
helm install kubezilla kubezilla/kubezilla -n kubezilla-system --create-namespaceapiVersion: agents.kubezilla.dev/v1alpha1
kind: Agent
metadata:
name: payments-sre
spec:
scope:
namespaces: ["payments"]
autonomy: assisted
model: claude-opus-4-8
sandbox:
runtime: gvisor # or kata
ttlSeconds: 300
policyRef: payments-guardrailsKubeZilla is built in the open and aims for CNCF Sandbox donation. See ROADMAP.md.
We β€οΈ contributors β good first issues are labeled and mentored. Read CONTRIBUTING.md and our Code of Conduct.
Apache 2.0 β see LICENSE.