Skip to main content
An HTTP 500 alert driving an adaptive four-step probe chain — pod health, events, previous logs, and rollout history — whose signals correlate into a single root cause
An agent asked “why is my app returning 500s?” runs a full incident triage: checking pod health, recent Kubernetes events, error logs, and deployment rollout history, all composed across multiple execute calls, reasoning about each result before deciding what to check next.

The triage flow

This isn’t a single code block. It’s how the agent thinks. Each step is one execute call, but the agent decides what to check based on what it finds.

Step 1: Pod health check

The agent sees a pod in CrashLoopBackOff with 12 restarts. It decides to check events and logs.

Step 2: Recent events

Events show OOMKilled. The container ran out of memory. The agent checks logs to confirm.

Step 3: Error logs

Note previous: "true": the agent fetches logs from the crashed container, not the restarting one. It finds memory allocation failures in the last 20 error lines.

Step 4: Deployment rollout history

The agent finds that the latest revision changed the image but removed memory limits. Root cause identified.

Why this matters

An SRE manually doing this would:
  1. kubectl get pods to check status
  2. kubectl describe pod to read events
  3. kubectl logs --previous to check crash logs
  4. kubectl rollout history to check what changed
That’s 4 separate commands with raw output they need to mentally parse. The agent does it in 4 execute calls, but each one filters and extracts only what’s relevant. The LLM reasons about structured findings, not walls of YAML. More importantly, the agent adapts. It doesn’t run a fixed checklist. It sees OOMKilled and decides to check previous container logs and deployment history. A traditional MCP tool would need a pre-built “debug pod” tool that tries to anticipate every scenario.

Kubernetes access

The kube proxy and exec endpoints used in each triage step.

Security audit

Proactive security checks before incidents occur.

Parallel log analysis

Fetch and count logs across all pods in a single call.

Hosted agents

Ambient agents that start triage automatically on deploy failures.