Kubernetes
Discover Kubernetes clusters, workloads, and resources and add them to your SixDegree knowledge graph.
Automatically syncs Kubernetes data into your knowledge graph:
- Clusters: Kubernetes clusters with version and node count
- Namespaces: Logical groupings of resources
- Deployments: Application deployments with replica counts
- Pods: Running containers with status and images
- Services: Network services exposing applications
- Ingresses: HTTP/HTTPS routing rules
- ConfigMaps: Configuration data (metadata only)
- Secrets: Sensitive data (metadata only, content never stored)
- StatefulSets: Stateful application workloads
- DaemonSets: Node-level services
AI agents can interact with Kubernetes using these tools:
Cluster Operations:
k8s_get_cluster_info- Get cluster version and health statusk8s_list_namespaces- List all namespaces
Workload Management:
k8s_list_deployments- List deployments in a namespacek8s_scale_deployment- Scale deployment replicask8s_restart_deployment- Restart a deployment (rolling restart)
Pod Operations:
k8s_list_pods- List pods with label selectorsk8s_get_pod- Get detailed pod informationk8s_get_pod_logs- Get logs from a pod (with tail/since options)
Service Discovery:
-
k8s_list_services- List services in a namespace -
k8s_list_ingresses- List ingress rules and hosts -
Kubernetes cluster (any version 1.19+)
-
kubectlconfigured with cluster access -
Kubeconfig file or in-cluster service account
Download the latest release:
curl -LO https://github.com/sixdegree-ai/molecules/releases/latest/download/kubernetes-linux-amd64
chmod +x kubernetes-linux-amd64
mv kubernetes-linux-amd64 /usr/local/bin/kubernetes-molecule
curl -LO https://github.com/sixdegree-ai/molecules/releases/latest/download/kubernetes-darwin-arm64
chmod +x kubernetes-darwin-arm64
mv kubernetes-darwin-arm64 /usr/local/bin/kubernetes-molecule
cd molecules/kubernetes
go build -o kubernetes
Create a configuration file kubernetes-config.yaml:
discovery:
enabled: true
settings:
# Path to kubeconfig (or 'in-cluster' for in-cluster auth)
kubeconfig: "~/.kube/config"
# Friendly cluster name
cluster_name: "production"
# Namespaces to discover (empty = all)
namespaces:
- "default"
- "production"
- "staging"
# Resource types to discover
resource_types:
- "deployments"
- "pods"
- "services"
- "ingresses"
# Sync interval
sync_interval: "15m"
mcp:
enabled: true
settings:
kubeconfig: "~/.kube/config"
cluster_name: "production"
namespace: "production"
When running inside Kubernetes:
discovery:
enabled: true
settings:
kubeconfig: "in-cluster"
cluster_name: "my-cluster"
degree discovery run kubernetes@1.0.0 --config kubernetes-config.yaml
degree discovery schedule kubernetes@1.0.0 --config kubernetes-config.yaml --interval 15m
Once configured, AI agents can interact with Kubernetes:
You: "List all deployments in the production namespace"
AI: [Uses k8s_list_deployments]
"Found 5 deployments in production:
- api-backend (3/3 replicas ready)
- frontend (2/2 replicas ready)
- worker (5/5 replicas ready)"
You: "Show me the logs for the api-backend pod"
AI: [Uses k8s_list_pods, then k8s_get_pod_logs]
"[2024-02-10 16:00:00] Server started on port 8080
[2024-02-10 16:00:01] Connected to database
[2024-02-10 16:00:02] Ready to accept requests"
You: "Scale the worker deployment to 10 replicas"
AI: [Uses k8s_scale_deployment]
"✅ Scaled deployment worker to 10 replicas"
You: "Restart the frontend deployment"
AI: [Uses k8s_restart_deployment]
"✅ Restarted deployment frontend (rolling restart initiated)"
The Kubernetes molecule creates powerful relationships with other molecules:
Deployments can link to source code repositories through annotations:
apiVersion: apps/v1
kind: Deployment
metadata:
name: api-backend
annotations:
github.com/repository: "https://github.com/myorg/api"
spec:
# ...
Relationship created: K8sDeployment[api-backend] → BUILT_FROM → GithubRepository[myorg/api]
Query example:
You: "Which GitHub repo is the api-backend deployment built from?"
AI: "api-backend is built from myorg/api repository"
Pods automatically link to their container images, which can be scanned by Snyk:
Automatic relationships:
K8sPod[api-backend-xyz]→RUNS_IMAGE→SnykContainerImage[nginx:1.21]SnykContainerImage[nginx:1.21]→HAS_VULNERABILITY→SnykVulnerability[CVE-2024-1234]
Query example:
You: "What vulnerabilities are running in production?"
AI: [Queries: K8sPod → RUNS_IMAGE → SnykContainerImage → HAS_VULNERABILITY]
"Production has 3 pods running vulnerable images:
- api-backend: 2 critical CVEs in base image
- frontend: 1 high severity CVE in nginx
- worker: 0 critical issues ✅"
If you're using Argo CD for GitOps, the Argo molecule can link to Kubernetes:
Relationships:
ArgoApplication[api]→DEPLOYED_TO→K8sDeployment[api-backend]ArgoApplication[api]→SYNCED_FROM→GithubRepository[myorg/api]
Query example:
You: "What's the deployment status of the api application?"
AI: "ArgoApplication[api] is:
- Synced from: myorg/api (main branch)
- Deployed to: production/api-backend
- Health: Healthy
- Replicas: 3/3 ready"
Kubernetes manifests can be scanned for misconfigurations:
Relationships:
SnykIaCResource[k8s/deployment.yaml]→CONFIGURES→K8sDeployment[api-backend]SnykIaCResource[k8s/deployment.yaml]→HAS_VULNERABILITY→SnykVulnerability[misconfiguration]
Query example:
You: "Are there any security issues in our Kubernetes configurations?"
AI: "Found 2 IaC misconfigurations affecting deployments:
1. api-backend: No resource limits defined (medium severity)
2. frontend: Runs as root (high severity)"
┌─────────────────────┐
│ GithubRepository │
│ myorg/api │
└──────────┬──────────┘
│
│ BUILT_FROM
↓
┌─────────────────────┐ ┌─────────────────────┐
│ ArgoApplication │──────▶│ K8sDeployment │
│ api │DEPLOYED│ production/api │
└─────────────────────┘ TO └──────────┬──────────┘
│
│ MANAGES
↓
┌─────────────────────────────┐
│ K8sPod │
│ api-backend-xyz │
└──────────┬──────────────────┘
│
│ RUNS_IMAGE
↓
┌─────────────────────────────┐
│ SnykContainerImage │
│ myorg/api:v1.2.3 │
└──────────┬──────────────────┘
│
│ HAS_VULNERABILITY
↓
┌─────────────────────────────┐
│ SnykVulnerability │
│ CVE-2024-1234 │
└─────────────────────────────┘
You: "Give me a complete security report for the api deployment in production"
AI: [Traverses entire graph]
"📊 Security Report: production/api
Source Code:
- Repository: myorg/api (main branch)
- Last commit: 2 hours ago
- Build status: ✅ Passing
Deployment:
- Managed by: Argo CD (auto-sync enabled)
- Current version: v1.2.3
- Replicas: 3/3 ready
- Health: ✅ Healthy
Running Pods:
- api-backend-abc123 (node-1)
- api-backend-def456 (node-2)
- api-backend-ghi789 (node-3)
Container Security:
- Image: myorg/api:v1.2.3
- Base: node:18-alpine
- Vulnerabilities:
⚠️ 2 critical: CVE-2024-1234, CVE-2024-5678
⚠️ 3 high: CVE-2024-9999, CVE-2024-8888, CVE-2024-7777
✅ Remediation available for all
IaC Configuration:
- File: k8s/production/api-deployment.yaml
- Snyk scan: ⚠️ 1 medium issue (no resource limits)
Recommended Actions:
1. Upgrade base image to node:18.19-alpine (fixes 2 critical CVEs)
2. Add resource limits to deployment
3. Update PR in myorg/api with fixes"
cluster_name: "production"
version: "v1.28.0"
node_count: 10
name: "production"
cluster: "production"
status: "Active"
name: "api-backend"
namespace: "production"
cluster: "production"
replicas: 3
ready_replicas: 3
strategy: "RollingUpdate"
name: "api-backend-abc123"
namespace: "production"
cluster: "production"
node: "node-1"
phase: "Running"
containers:
- name: "api"
image: "myorg/api:v1.2.3"
name: "api-service"
namespace: "production"
type: "ClusterIP"
cluster_ip: "10.96.0.10"
ports:
- port: 80
target_port: 8080
name: "api-ingress"
namespace: "production"
hosts:
- "api.example.com"
rules: 1
| Relationship | Source | Target | Description |
|---|---|---|---|
RUNS_IN | Pod | Namespace | Pod runs in namespace |
BELONGS_TO | Resource | Namespace | Resource belongs to namespace |
MANAGES | Deployment | Pod | Deployment manages pods |
EXPOSES | Service | Pod | Service exposes pods |
ROUTES_TO | Ingress | Service | Ingress routes to service |
USES_CONFIG | Pod | ConfigMap | Pod uses config |
USES_SECRET | Pod | Secret | Pod uses secret |
BUILT_FROM | Deployment | Repository | Deployment built from repo |
RUNS_IMAGE | Pod | ContainerImage | Pod runs container image |
DEPLOYED_BY | Deployment | ArgoApp | Deployment managed by Argo |
SCANNED_BY | Workload | SnykOrg | Workload scanned by Snyk |
Monitor multiple Kubernetes clusters:
discovery:
settings:
kubeconfig: "~/.kube/production-config"
cluster_name: "production"
namespaces: ["default", "production"]
discovery:
settings:
kubeconfig: "~/.kube/staging-config"
cluster_name: "staging"
namespaces: ["default", "staging"]
Run discovery for each cluster:
degree discovery run kubernetes@1.0.0 --config production-cluster-config.yaml
degree discovery run kubernetes@1.0.0 --config staging-cluster-config.yaml
The molecule needs these Kubernetes permissions:
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: sixdegree-kubernetes-molecule
rules:
# Read-only access to resources
- apiGroups: [""]
resources:
- namespaces
- pods
- services
- configmaps
- secrets
verbs: ["get", "list"]
- apiGroups: ["apps"]
resources:
- deployments
- statefulsets
- daemonsets
verbs: ["get", "list"]
- apiGroups: ["networking.k8s.io"]
resources:
- ingresses
verbs: ["get", "list"]
# For MCP tools (scaling/restarting)
- apiGroups: ["apps"]
resources:
- deployments
verbs: ["get", "update", "patch"]
- apiGroups: [""]
resources:
- pods/log
verbs: ["get"]
apiVersion: v1
kind: ServiceAccount
metadata:
name: sixdegree-kubernetes
namespace: sixdegree
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: sixdegree-kubernetes
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: sixdegree-kubernetes-molecule
subjects:
- kind: ServiceAccount
name: sixdegree-kubernetes
namespace: sixdegree
Error: unable to read kubeconfig
Solution: Check kubeconfig path and permissions
kubectl config view
ls -l ~/.kube/config
Error: forbidden: User "system:serviceaccount:default:default" cannot list deployments
Solution: Apply RBAC permissions (see Security section above)
kubectl config get-contexts
kubectl config use-context production-cluster
See EXAMPLES.md for more usage examples including:
- Multi-cluster deployments
- GitOps with Argo CD
- Security scanning integration
- Incident response workflows
MIT License - see LICENSE