Service Agents

Autonomous AI agents deployed inside your Kubernetes clusters for 24/7 policy violation detection and remediation.

Applies to: Nirmata AI Agents 1.0 and later

Service Agents are autonomous AI agents that run inside your Kubernetes clusters. Unlike Cloud Agents, which are launched on-demand from the Control Hub, Service Agents are deployed directly into the cluster and operate continuously — detecting policy violations, generating remediation plans, and opening pull requests in your Git repositories without human intervention.

The primary Service Agent is the Remediator Agent: it monitors Kyverno policy reports, uses AI to generate compliant fixes, and integrates with your GitOps workflow by creating PRs against the affected repository.

For a conceptual overview of Service Agents, see Service Agents in Nirmata AI Agents.

In This Section

  • Getting Started — Install the Remediator Agent and verify your first remediation
  • Configuration — Configure ToolConfig (Git credentials), LLMConfig (AI provider), and the Remediator resource
  • Observability — Prometheus metrics, status fields, and monitoring the agent in production
  • GitHub Authentication — Connect to GitHub using the Nirmata GitHub App

How It Works

  1. The Remediator Agent is installed in the nirmata namespace via Helm.
  2. It reads Kyverno ClusterPolicyReport resources to discover violations.
  3. For each violation, it calls a configured AI provider to generate a fix.
  4. It opens a pull request in the target Git repository with the proposed change.
  5. You review and merge the PR — the agent never pushes directly to a protected branch.

Key Capabilities

Capability | Description
Continuous monitoring | Runs on a cron schedule or triggered on-demand via the Kubernetes API
Multi-cluster support | Hub Mode uses ArgoCD to manage violations across hundreds of clusters
GitOps integration | All changes go through PRs — no direct cluster mutations
Confidence-based actions | Configure whether PRs are opened for high-confidence fixes, low-confidence, or both
Split PR | Split a multi-policy PR into separate PRs for independent review workflows
AI provider choice | Nirmata AI (default), AWS Bedrock, or Azure OpenAI

Getting Started

Install the Remediator Agent and run your first policy violation remediation.

Configuration

Configure ToolConfig, LLMConfig, and the Remediator custom resource.

Observability

Prometheus metrics, status fields, and monitoring the Remediator Agent in production.

GitHub Authentication Guide

Complete guide to GitHub authentication methods for Nirmata AI Agents