Service Agents

Autonomous AI agents deployed inside your Kubernetes clusters for continuous policy violation detection and GitOps-friendly remediation.

Service Agents are autonomous AI agents deployed directly inside your Kubernetes clusters. They run continuously — watching for policy violations, generating AI-powered remediation plans, and creating pull requests in your Git repositories to fix them — without requiring any manual intervention.

Unlike Cloud Agents, which are ephemeral jobs you launch on-demand from Nirmata Control Hub, Service Agents are long-running deployments that operate on a schedule or respond to events in real time.

The Remediator Agent

The primary Service Agent is the Remediator Agent. It connects Kyverno’s policy enforcement with your GitOps workflow:

  1. Kyverno detects a policy violation and writes it to a ClusterPolicyReport.
  2. The Remediator Agent reads the report and calls an AI model (Nirmata AI, AWS Bedrock, or Azure OpenAI) to generate a compliant fix.
  3. The agent opens a pull request in the target Git repository with the proposed change.
  4. A human reviews and merges the PR — the agent never bypasses branch protection or pushes directly.
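The input side of steps 1 and 2, as an added example (not Nirmata's or Kyverno's code): it groups the failed results in ClusterPolicyReport objects by the resource they apply to, which is the information a remediation step needs before it can propose a change. The report contents and policy names are constructed; the field names follow the wgpolicyk8s.io/v1alpha2 report schema.

```python
import json
from collections import defaultdict

# Constructed sample reports (wgpolicyk8s.io/v1alpha2 field names), not real cluster data.
REPORTS = json.loads("""[
 {"kind": "ClusterPolicyReport", "metadata": {"name": "constructed-a"},
  "scope": {"kind": "Namespace", "name": "payments"},
  "results": [
   {"policy": "require-ns-labels", "rule": "check-owner", "result": "fail",
    "severity": "medium", "message": "label 'owner' is required"},
   {"policy": "require-ns-quota", "rule": "check-quota", "result": "pass"}]},
 {"kind": "ClusterPolicyReport", "metadata": {"name": "constructed-b"},
  "results": [
   {"policy": "restrict-wildcard-verbs", "rule": "no-star", "result": "fail",
    "severity": "high", "message": "wildcard verbs are not allowed",
    "resources": [{"kind": "ClusterRole", "name": "ops-admin"}]},
   {"policy": "require-ns-labels", "rule": "check-team", "result": "fail",
    "resources": [{"kind": "Namespace", "name": "payments"}]},
   {"policy": "orphan", "rule": "r", "result": "fail"}]}
]""")

def resource_key(res):
    """Stable 'Kind/namespace/name' key; namespace is empty for cluster-scoped objects."""
    return "/".join([res.get("kind", "?"), res.get("namespace", ""), res.get("name", "?")])

def violations_by_resource(reports):
    """Group failed results by the resource they apply to.

    A result may name its targets in `resources`; per-resource reports instead
    carry one report-level `scope`. Results with neither are returned
    separately so they are not silently dropped.
    """
    grouped, unattributed = defaultdict(list), []
    for report in reports:
        scope = report.get("scope")
        for result in report.get("results", []):
            if result.get("result") != "fail":
                continue  # pass/skip/warn/error are not violations to fix
            targets = result.get("resources") or ([scope] if scope else [])
            finding = (result.get("policy"), result.get("rule"), result.get("severity", "unset"))
            if not targets:
                unattributed.append(finding)
            for res in targets:
                grouped[resource_key(res)].append(finding)
    return dict(grouped), unattributed
```

Findings that land in the unattributed list cannot be mapped to a manifest and are worth surfacing for manual triage rather than discarding.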

Use Cases

| Scenario | How It Helps |
|---|---|
| Continuous compliance | Fix policy violations within hours rather than days — on a recurring schedule |
| Multi-cluster governance | Manage hundreds of clusters from a single ArgoCD hub without proportional team growth |
| Shift-left feedback loop | Developers see auto-generated fix PRs alongside violation alerts — no need to look up how to fix them |
| Audit-ready remediation | Every fix is a Git commit with a PR — a complete, reviewable audit trail |
| Selective automation | Configure the agent to only open PRs when it’s highly confident, or for all findings |

How Confidence Works

When the AI generates a fix, it assigns a confidence level:

| Level | Meaning |
|---|---|
| High | The fix is straightforward and the AI is highly confident it is correct and safe |
| Low | The AI identified a potential fix but recommends human review before merging |

You can configure the agent to create PRs only for high-confidence fixes, only for low-confidence fixes (for review), or for both. This lets you control how much automation your workflow includes.

GitOps Integration

Service Agents are designed to work with your existing GitOps workflow — not replace it:

  • All changes are proposed as pull requests, not applied directly
  • PR branch names, titles, and labels are fully configurable
  • A single PR can cover multiple violations; the Split PR feature lets you break it apart for independent review
  • The agent monitors open PRs for comments, responding to @nirmatabot commands

Deploy and Configure

Service Agents are installed via Helm and configured through Kubernetes custom resources.
