a6eb4da214
- .ai/ instruction set (root, behavior, skills, constraints) - apply.sh workflow documentation (apply.md) - architecture documentation (docs/architecture.md) - .github/copilot-instructions.md for VS Code auto-load - .gitignore (tmp/, .ai-instructions.conf)"
3.8 KiB
3.8 KiB
Kubernetes and Helm Access Instructions
🚨 CRITICAL: AI Has NO Cluster Access
AI Assistant does NOT have direct access to Kubernetes clusters
What This Means:
AI cannot interact with live Kubernetes clusters. Only the user can.
kubectl Commands
- ❌ AI CANNOT run:
kubectlcommands against live clusters - ✅ AI CAN do: Ask user to run kubectl commands
- ✅ AI CAN do: Explain what kubectl command will do
- ✅ AI CAN do: Show the exact command user should run
Example workflow:
AI: "Please run this command to check pod status:"
kubectl get pods -n monitoring
User: [runs command and shows output]
AI: [analyzes output and provides guidance]
Port-Forwarding Workflow
AI creates curl commands, user handles port-forwards:
- User runs:
kubectl port-forward -n monitoring svc/prometheus 9090:80 - AI runs:
curl http://localhost:9090/api/v1/query?query=... - AI analyzes: Results and provides recommendations
Why this pattern:
- AI can make HTTP requests to localhost
- User controls cluster access
- Secure: AI never has cluster credentials
🎯 Helm Command Restrictions
What AI CAN Do:
- ✅
helm template- Render manifests locally (no cluster needed) - ✅
helm show values- Inspect chart values - ✅
helm show chart- Show chart metadata - ✅
helm dependency list/update/build- Manage dependencies - ✅
helm lint- Validate chart structure
Example:
# AI can run these locally:
helm template monitoring . -f values.yaml
helm show values charts/prometheus-*.tgz
helm dependency update
What AI CANNOT Do:
- ❌
helm install- Requires cluster access - ❌
helm upgrade- Requires cluster access - ❌
helm uninstall- Requires cluster access - ❌
helm list- Requires cluster access - ❌
helm get- Requires cluster access
Instead:
- AI generates the command
- AI explains what it will do
- User runs the command themselves
Example:
AI: "Run this to upgrade the release:"
helm upgrade observability-stack . -n monitoring -f values.yaml -f values.storage.dev.yaml
AI: "This will update the following resources: ..."
📊 Debugging Workflow
Check Pod Status:
AI: "Please check pod status:"
User runs: kubectl get pods -n monitoring
User: [shows output]
AI: [analyzes and guides]
Check Pod Logs:
AI: "Please get logs from prometheus pod:"
User runs: kubectl logs -n monitoring deployment/prometheus-server --tail=50
User: [shows output]
AI: [analyzes errors]
Check Events:
AI: "Please check recent events:"
User runs: kubectl get events -n monitoring --sort-by='.lastTimestamp' | tail -20
User: [shows output]
AI: [identifies issues]
Access Service via Port-Forward:
AI: "Please port-forward Prometheus:"
User runs: kubectl port-forward -n monitoring svc/prometheus 9090:80
AI runs: curl http://localhost:9090/api/v1/query?query=up
AI: [analyzes metrics]
🔑 Key Principles
- User has cluster access - AI does not
- AI asks user to run kubectl/helm - Never assumes access
- Port-forward pattern - User forwards, AI curls localhost
- Local operations only - AI uses helm template, not install
- Analysis role - AI analyzes output user provides
✅ Best Practices
- Always explain what command will do before asking user to run it
- Show exact command with all flags
- Ask for relevant output only (use grep/tail to filter)
- Use port-forward + curl instead of kubectl exec
- Generate manifests with helm template for validation
❌ Common Mistakes to Avoid
- Don't try to run kubectl directly
- Don't assume AI can install Helm releases
- Don't ask user for cluster credentials
- Don't suggest kubectl exec with tools that aren't available (see container-limitations.instructions.md)