// Execution Management (XEM)

Kubernetes Tools

Core Kubernetes resource management (pods, nodes, deployments, services, ingress, configmaps, secrets) plus Helm, Kustomize, and ArgoCD integrations, exposed as XEM tools. Authenticate via a kubeconfig file or an in-cluster service account token.

Overview

Tool inventory: 31 core Kubernetes tools (Sources/ExecTools/Kubernetes/KubernetesBundle.swift) + 5 ecosystem tools (Sources/ExecTools/KubernetesEcosystem/KubernetesEcosystemBundle.swift) = 36 tools total. The canonical set of registered names lives in Sources/XEMAgent/Service/XEMCanonicalToolNames.swift.

Dispatch Model

All k8s_*, helm_*, argocd_*, and kustomize_* tools are XEM exec-adapter tools. They are not advertised directly as chat-completion x_* tools. Chat callers invoke them through the x_exec_invoke envelope, passing tool_name set to the canonical name (for example k8s_get_pods). See the XEM Overview for the full execution lifecycle and approval flow.

Core Tools

Pods

  • k8s_get_pods, List pods in a namespace (JSON, read)
  • k8s_describe_pod, Describe a single pod (read)
  • k8s_delete_pod, Delete a pod (write)
  • k8s_logs, Fetch pod logs (read)
  • k8s_label_pod, Add or update a pod label (write)
  • k8s_annotate_pod, Add or update a pod annotation (write)

Nodes

  • k8s_get_nodes, List cluster nodes (read)
  • k8s_drain_node, Drain a node of pods (write, destructive)
  • k8s_cordon_node, Mark a node unschedulable (write)
  • k8s_uncordon_node, Mark a node schedulable (write)

Workloads

  • k8s_get_deployments, List deployments (read)
  • k8s_restart_deployment, Roll-restart a deployment (write)
  • k8s_scale_deployment, Scale replica count (write)
  • k8s_rollout_status, Inspect rollout status (read)
  • k8s_rollout_history, Inspect rollout history (read)
  • k8s_rollout_undo, Revert to a previous revision (write)

Networking

  • k8s_get_services, List services (read)
  • k8s_get_ingress, List ingresses (read)

Configuration

  • k8s_get_configmaps, List configmaps (JSON, read)
  • k8s_get_secrets, List secrets (read). Blast radius: emits kubectl get secrets -o json, which returns the full Secret resource including the base64-encoded data map. Treat the output as sensitive material and gate approvals accordingly.
  • k8s_get_namespaces, List namespaces (read)
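
An added example (not XEM's own code) for the k8s_get_secrets blast-radius note above: a Python filter that masks Secret values in kubectl get secrets -o json output before it is logged or shown in an approval transcript, keeping key names and decoded sizes. The function names and the sample Secret are constructed for illustration. The filter also masks the kubectl.kubernetes.io/last-applied-configuration annotation, which kubectl apply fills with the applied manifest.

```python
import base64
import json

LAST_APPLIED = "kubectl.kubernetes.io/last-applied-configuration"

def mask_value(value):
    """Replace a base64 value with a marker that keeps only the decoded length."""
    try:
        return f"<redacted {len(base64.b64decode(value, validate=True))} bytes>"
    except (ValueError, TypeError):  # not valid base64, or not a string
        return "<redacted>"

def redact_secret(secret):
    """Return a copy of one Secret with values masked and key names kept."""
    out = json.loads(json.dumps(secret))  # deep copy of plain JSON data
    if out.get("data"):
        out["data"] = {k: mask_value(v) for k, v in out["data"].items()}
    if out.get("stringData"):
        out["stringData"] = {k: "<redacted>" for k in out["stringData"]}
    annotations = out.get("metadata", {}).get("annotations") or {}
    if LAST_APPLIED in annotations:
        # kubectl apply stores the whole applied manifest here, data included.
        annotations[LAST_APPLIED] = "<redacted>"
    return out

def redact_secret_list(raw_json):
    """Redact `kubectl get secrets -o json` output (a List or a single Secret)."""
    doc = json.loads(raw_json)
    if doc.get("kind") == "List":
        doc["items"] = [redact_secret(item) for item in doc.get("items", [])]
        return doc
    return redact_secret(doc)

# Constructed sample input: one Secret that was created with `kubectl apply`.
ENCODED = base64.b64encode(b"constructed-password").decode()
SECRET = {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
          "metadata": {"name": "db-credentials", "namespace": "demo"},
          "data": {"password": ENCODED}}
APPLIED = dict(SECRET, metadata={"name": "db-credentials", "namespace": "demo",
                                 "annotations": {LAST_APPLIED: json.dumps(SECRET)}})
SAMPLE = json.dumps({"apiVersion": "v1", "kind": "List", "items": [APPLIED]})

if __name__ == "__main__":
    print(json.dumps(redact_secret_list(SAMPLE), indent=2))
```
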

Events

  • k8s_get_events, List recent events in a namespace (read)

Exec

  • k8s_exec, Run a command in a pod container (write, destructive)

Metrics

  • k8s_top_nodes, Per-node CPU/memory usage (read)
  • k8s_top_pods, Per-pod CPU/memory usage (read)
  • k8s_top_cluster, Aggregate cluster usage (read)

Manifests

  • k8s_apply_manifest, Apply an inline YAML/JSON manifest (write)
  • k8s_apply_from_file, Apply a manifest from a file path (write)
  • k8s_delete_resource, Delete a resource by kind/name (write, destructive)

Generic

  • k8s_wait, Wait for a resource condition (read)

Ecosystem Integrations

Helm

  • helm_list, List Helm releases (read)
  • helm_history, Show release history (read)

Kustomize

  • kustomize_build, Render overlays to YAML (read)

ArgoCD

  • argocd_app_list, List ArgoCD applications (read)
  • argocd_app_sync, Trigger an application sync (write)

Credential Setup

Every tool on this page declares credential: .kubernetes, which resolves to a kubeconfig file or an in-cluster service account token. The credential is sourced from the workspace credential vault at execution time; no inline secret is accepted on the tool-call envelope.

If you are running an in-cluster agent, the default in-cluster service account is used automatically when no kubeconfig is registered.

Examples

See the XEM Overview for the execution lifecycle and approval flow when using Kubernetes tools.