Agentic SREs and Kubernetes: Who's Actually Watching Your Fleet at 3AM¶

Your on-call engineer used to get paged, open Grafana, run kubectl describe pod fourteen times, grep some logs, form a theory, test the theory, and either fix it or escalate. That whole loop takes 30 to 60 minutes on a good incident and considerably longer on a bad one. It is also, structurally, a pattern-matching problem with a fixed toolset - which is exactly the kind of problem people have started pointing LLM agents at.
That's the pitch behind "agentic SRE": instead of an engineer running the observe-diagnose-fix loop by hand, an AI agent runs it, with varying degrees of a human still in the room. It's not hypothetical anymore. K8sGPT has been triaging pod failures since 2023 and graduated to CNCF Sandbox. Kagent, Solo.io's agent framework for Kubernetes, was donated to the CNCF in 2025 and has since picked up 800+ community members and tool integrations for Argo, Helm, Istio, and Prometheus. Resolve.ai raised $125M at a $1B valuation in February 2026 specifically to build "AI SREs." Cleric, Neubird, Causely, and Ciroos are all chasing the same category. Amazon shipped a DevOps Agent for exactly this. This is a real product category with real venture money behind it, not a KubeCon keynote fantasy.
None of that means you should let a language model run kubectl delete against production because it had a hunch. It means the design patterns for how you let it help are worth understanding before someone on your team adopts one of these tools during a fire drill and figures out the guardrails afterward.
What "Agentic" Actually Means Here¶
Worth being precise, because the term gets used loosely. An agentic SRE tool is not a chatbot that answers "what does CrashLoopBackOff mean." It's a system that can:
- Observe - pull live signal from your cluster (metrics, logs, events, traces) without you copy-pasting it in
- Reason - form a hypothesis about root cause using that context, not just pattern-match on the error string
- Plan - propose or select a sequence of actions, not a single canned response
- Act - execute against your cluster, APIs, or ticketing system, through tools it's been given access to
- Verify - check whether the action actually resolved the symptom, and loop back if not
That's the whole trick: it's a loop, not a lookup table. A static runbook that says "if CPU > 80%, restart the pod" isn't agentic, it's just automation with extra steps - and you already have that in your HorizontalPodAutoscaler and your liveness probes. What's new is a system that can handle the incident it hasn't seen a runbook for, because it's reasoning over live cluster state and correlating signals a human would have taken fifteen minutes to pull together manually.
flowchart LR
A[Observe] -->|metrics, logs, events, traces| B[Reason]
B -->|hypothesis + confidence| C[Plan]
C -->|proposed action| D{Autonomy gate}
D -->|below threshold| E[Act]
D -->|above threshold| F[Human approval]
F -->|approved| E
F -->|rejected| B
E --> G[Verify]
G -->|resolved| H[Close + log]
G -->|not resolved| B
The gate in the middle - not the loop itself - is the entire design problem. Everyone building these systems agrees on the observe-reason-plan-act-verify shape. Nobody agrees on where the gate should sit, and that's the decision your platform team actually has to make.
The Autonomy Ladder¶
Every agentic SRE deployment I've looked at, from K8sGPT's analyzers to Resolve.ai's incident copilot, converges on the same tiered rollout, whether or not they call it that:
flowchart TD
T1["Tier 1: Read-only diagnosis\nAgent explains, human decides and acts"]
T2["Tier 2: Suggested remediation\nAgent proposes a fix, human clicks approve"]
T3["Tier 3: Auto-remediate low-risk\nAgent acts unattended on a pre-approved allowlist"]
T4["Tier 4: Full autonomy\nAgent acts and only reports after the fact"]
T1 --> T2 --> T3 --> T4
Tier 1 is where almost every team starts, and where a lot of them should stay for a while. The agent has read access to your cluster and your observability stack, correlates signal across them, and produces a root-cause narrative a human reads before doing anything. This is K8sGPT's core mode and it's genuinely valuable even with zero write access - it compresses the "form a hypothesis" step, which is usually the slowest part of an incident, without touching anything.
Tier 2 adds a proposed fix with a one-click approval - "scale this deployment to 6 replicas," "roll back to revision 12," "cordon this node." A human is still the actor of record; the agent just did the diagnostic legwork and drafted the command. This is where most Slack-native tools (Cleric, Resolve.ai) sit today for anything beyond the most boring failure classes.
Tier 3 is where it gets interesting and where the actual argument in your organization will happen. The agent gets a pre-approved allowlist of actions it can take without a human in the loop - restart a crash-looping pod, roll back a bad deploy that fails its own health checks within N minutes of rollout, bump replica count within a bounded range. Notice that all three of those are things a Kubernetes controller can already do on its own; the difference is the trigger condition is fuzzier than a controller can express declaratively, and that's the actual value-add of putting an LLM in front of it.
Tier 4 - fully autonomous, acts first, tells you later - is not where anyone serious is deploying this against production infrastructure today, and for good reason. Which brings up the part of this that isn't a design pattern, it's a trust problem.
The Trust Problem Is the Real Story¶
The adoption numbers are moving fast. Enterprise AI agent deployments have roughly doubled in a single quarter through early 2026, and a growing share of organizations report running 100+ agents somewhere in their infrastructure. That's not a slow, cautious rollout curve - that's a land rush.
The incident numbers are moving just as fast in the other direction. Recent industry survey data shows two out of three organizations experienced an AI-agent-related incident in the past 12 months - with data exposure, operational disruption, and financial loss all cited as outcomes - and 82% report having AI agents running somewhere in their infrastructure that nobody explicitly signed off on. Meanwhile only about one in five organizations have a tested incident response plan for when one of these agents goes wrong. Read that last part again: teams are giving agents write access to production systems faster than they're writing the runbook for when the agent itself becomes the incident.
That's not a reason to avoid the category. It's a reason to be deliberate about which tier you're actually operating at, because "the agent has kubectl access" and "the agent can restart pods within an allowlisted namespace with a rate limit and an audit trail" are not the same sentence even though they sound similar in a vendor demo.
A few things worth having in place before you move past Tier 2:
- Scoped credentials, not a service account with cluster-admin. The agent's
ClusterRoleshould be a strict subset of what a human on-call has - Kubernetes RBAC exists for exactly this, and giving an LLM a broader blast radius than your most junior engineer has is a choice, not a default. - A rate limit on actions, independent of the agent's own judgment. An agent that's wrong once an hour is annoying. An agent that's wrong once an hour and can act 40 times an hour because it's fast is an outage generator.
- An audit log that answers "why did it do that" after the fact, not just "what did it do." If your agent's reasoning trace isn't captured alongside the action, you're debugging a black box during your postmortem, which is a genuinely bad place to be.
- A kill switch that isn't itself gated behind the thing that's misbehaving. If the agent's action loop is what's broken, "ask the agent nicely to stop" is not a control.
Where This Actually Pays Off Today¶
Set aside the Tier 4 autonomous future for a second, because the boring present-day version of this is already worth adopting. The single highest-value use case across every tool in this space right now is correlation, not remediation: pulling together the CoreDNS latency spike, the admission webhook slowdown, and the pod restart pattern that a human would have to manually cross-reference across four different dashboards, and handing you a coherent story in the time it takes to read a Slack message.
That's not a controversial capability. It doesn't touch your cluster. It just does the "stare at 63 Grafana panels and figure out what's actually going on" step faster than a human under pressure at 3am can do it - which, if you've been following why more dashboards don't equal more understanding, is precisely the bottleneck that was never going to be solved by adding another panel.
The remediation tiers are where the real engineering work - and the real organizational trust-building - still has to happen. Start read-only. Earn Tier 2. Let Tier 3 apply to a genuinely boring, genuinely reversible action class before it applies to anything else. The agent doesn't need to be trusted with everything on day one. It needs to be trusted with one narrow, well-audited thing, consistently, before it earns the next one - which, entertainingly, is the exact same onboarding process you'd use for a new human hire on your SRE team. Nobody hands the new engineer prod cluster-admin in week one either.
The Bottom Line¶
Agentic SRE tooling for Kubernetes is real, it's funded, and parts of it - mainly the diagnosis and correlation layer - are already good enough to save your on-call rotation real time today. The remediation layer is where the category is still earning its keep, and the industry's own incident data says a lot of organizations are moving faster on deployment than on guardrails.
The design pattern that works is the same one platform teams already understand from every other automation rollout: observe-reason-plan-act-verify as the loop, and a deliberately staged autonomy gate - read-only, then suggest, then narrowly-scoped auto-remediation, then maybe someday full autonomy - as the thing standing between "useful teammate" and "the reason your postmortem has two root causes instead of one." Build the gate before you build the trust in what's behind it.