How It Works
Request a change in natural language
Ask the copilot to make a change: “Increase the memory limit for the payments-api to 1Gi” or “Add a network policy to block egress from the sandbox namespace.” The copilot determines the target resource, fetches its current configuration, and generates the modification.
Review the proposed diff
The copilot presents a side-by-side diff showing exactly what will change. Each diff includes an explanation of why the change addresses your request and what the impact will be.
Choose how to apply
Select one of three options:
- Safe Apply — Apply the change directly to the cluster or cloud account through the Kestrel operator
- Create PR — Open a pull request in your connected GitHub or GitLab repository (GitOps or IaC workflow)
- Copy — Copy the generated configuration to your clipboard for manual application
What You Can Change
The copilot generates changes for multiple infrastructure-as-code formats depending on the target.Kubernetes Resources
Generate YAML patches for any Kubernetes resource — deployments, services, configmaps, network policies, RBAC, HPA, and more.Terraform
Generate Terraform changes for AWS, OCI, and other cloud resources.Helm Values
Generate value overrides for Helm-managed releases.CloudFormation
Generate CloudFormation template changes for AWS resources managed through stacks.Change Review Interface
Every generated change is presented in a structured review interface:| Component | Description |
|---|---|
| Diff view | Side-by-side comparison of the current and proposed configuration |
| Explanation | Why the change was generated and what it addresses |
| Impact summary | What resources will be affected and any dependencies |
| Apply options | Safe Apply, Create PR, and Copy buttons |
Safety and Permissions
The copilot follows strict safety rules when generating and applying changes.- Never auto-applies — Every change requires your explicit approval through Safe Apply, Create PR, or Copy. The copilot will not apply changes on its own.
- Safe Apply requires write permissions — The Kestrel operator must have Safe Apply or auto-remediation enabled on the target cluster. Without write permissions, only Create PR and Copy are available.
- Create PR requires Git integration — Opening a pull request requires a connected GitHub or GitLab repository with write access.
- Validation before apply — The copilot validates generated YAML and Terraform against the target schema before presenting the change. Invalid configurations are flagged before you can apply them.
- Audit trail — Every generated change, approval, and application is logged and visible on the Configuration Changes page.
Chat Configuration Changes Page
All AI-generated configuration changes are recorded on the Chat Configuration Changes page, accessible from the Kestrel dashboard sidebar. This page shows:- Every change generated by the copilot, including the original request and the generated diff
- The approval status — whether it was applied, opened as a PR, copied, or dismissed
- Who approved or dismissed each change and when
- The target resource and cluster or cloud account
Example Conversation
You:
@prod-eks-cluster The checkout-api keeps getting OOMKilled. Current memory limit is 256Mi but Datadog shows it peaks at 400Mi. Fix it.
Kestrel:
I’ll increase the memory limit for theYou:checkout-apideployment. Based on the Datadog metrics showing peaks at 400Mi, I recommend setting the limit to 512Mi to provide a 25% buffer above peak usage. Here’s the proposed change: (displays diff changingresources.limits.memoryfrom256Mito512Mi) The memory request will also be updated from128Mito256Mito ensure the pod gets adequate guaranteed memory on the node. Would you like to Safe Apply, Create PR, or Copy?
Create a PR for this. Also add a CPU request of 250m while you’re at it — it’s missing.Kestrel:
Updated the change to include both modifications:You:(displays updated diff with both changes) I’ll open this as a PR in
- Memory limit
256Mi→512Mi, memory request128Mi→256Mi- Added CPU request of
250m(was unset)acme/infrastructuretargeting themainbranch. The change applies tok8s/checkout/deployment.yaml.
Go ahead.Kestrel:
PR #892 created in acme/infrastructure: Increase checkout-api memory limit and add CPU request. The PR includes the diff and a description explaining the OOMKill context and Datadog metrics that motivated the change.
Next Steps
- Kubernetes Investigation — query pods, deployments, events, and metrics
- Cloud Investigation — inspect AWS and OCI resources and security configurations
- Code Investigation — search and trace code changes across repositories
- Cost Analysis — analyze AWS spend patterns and anomalies