Skip to main content
Seven parallel Kubernetes API sources feeding a checks engine that runs nine security checks and groups the findings into critical, warning, and passing severity lanes
An agent asked to “audit the cluster for security” ran 9 different security checks across 7 parallel Kubernetes API calls (pods, services, secrets, RBAC roles, RBAC bindings, network policies, and nodes), all in a single execute call.

What it checks

The Code

Why this matters

A traditional approach would require the agent to make 7+ sequential tool calls just to fetch the data, then somehow reason about all the raw JSON in its context window. The context would be flooded with every pod spec, every RBAC rule, every service definition. Code Mode runs all 7 fetches in parallel and does the analysis inside the sandbox. The agent wrote the security checks (privileged containers, missing capabilities, writable filesystems, RBAC wildcards, network policy gaps) as JavaScript logic. The LLM receives a structured findings report, not raw Kubernetes API responses.

What the agent does

  1. Fires 7 Kubernetes API calls in parallel (Promise.all)
  2. Audits every container’s security context (8 checks per container)
  3. Identifies overly permissive RBAC bindings and wildcard roles
  4. Finds namespaces with no network policies
  5. Flags pods using host namespaces or automounted service account tokens
  6. Collects node runtime info for version auditing
  7. Returns a structured report with findings grouped by severity

From audit to remediation

The agent doesn’t just report findings; it can fix them. After the audit flagged zero network policies across all namespaces, a follow-up “create network policies for my installs” produced two more execute calls: Step 1 (Discovery): fetched services and pods from each install namespace in parallel to learn which ports each app needs. Step 2 (Apply policies): created 3 network policies per namespace using POST through the kube proxy:
The result: 3 policies per namespace, all returning 201 Created: Each namespace is now isolated. Pods can only receive traffic on their app port and make DNS queries. No cross-namespace traffic. The agent went from finding the problem to fixing it without leaving the conversation.

Cross-cluster comparison

Run the same security checks across your entire fleet.

Incident debugging

Adaptive triage for when security issues cause failures.

Kubernetes access

The kube proxy endpoints behind these API calls.

Code Mode in action

How the parallel fan-out and in-sandbox analysis pattern works.