Skip to main content
Kestrel workflows let you chain AI-powered actions across 15+ integrations into automated pipelines. Workflows are triggered by events — Kubernetes incidents, cloud alerts, Slack messages, PagerDuty alerts, and more — and execute a sequence of steps that investigate, fix, and notify.

Creation Methods

You can create workflows five ways:
MethodBest For
Workflow AgentFastest way to build — describe what you want in natural language, the Workflow Agent builds it
Drag-and-Drop CanvasVisual construction with full control over step configuration
CLIScripting and automation — see CLI reference
SDKProgrammatic workflow management — see SDK reference
MCPAI agent orchestration (Cursor, Claude, etc.) — see MCP reference

Workflow Agent

Describe the workflow you want in plain English. The Workflow Agent interprets your intent, selects the right triggers and actions, wires up template variables, and generates a complete workflow on the canvas.
1

Open the workflow builder

Navigate to Workflows → All Workflows in the Kestrel dashboard and click Create Workflow.
2

Describe your workflow

Type a natural language description of what you want automated. Be specific about the trigger, the actions, and where results should go.
3

Review and adjust

The Workflow Agent generates the workflow on the canvas. Review each step and iterate the prompt to adjust configuration, add, or remove steps as needed.
4

Save and enable

Click Save to activate the workflow. It will begin responding to its configured trigger immediately.
Example prompts:
  • “When a K8s incident is detected, run root cause analysis, send the RCA to #incidents in Slack, and create a Jira ticket with the details.”
  • “When someone requests a new service in Slack, generate the K8s manifests, open a GitOps PR in GitHub, and sync with ArgoCD.”
  • “When a Vercel deployment fails, pull the build logs, run an AI investigation, and notify the team in Slack.”
  • “When a Railway service crashes, fetch the logs, investigate the root cause, roll back to the previous deployment, and alert #platform in Slack.”
  • “When AWS costs spike, run a cost anomaly analysis and post a report to #finops in Slack.”
The more specific your description, the better the generated workflow. Include the trigger source, desired actions, and output destinations.

Drag-and-Drop Canvas

The visual canvas gives you full control over workflow construction. Add triggers and actions from the sidebar, connect them into a pipeline, and configure each step individually.

Adding a Trigger

Every workflow starts with a trigger. Drag a trigger block from the sidebar onto the canvas and configure it:
  1. Select the trigger type (e.g., Pod CrashLoopBackOff, IAM Security Event, Slack Request)
  2. Configure trigger-specific settings (clusters, namespaces, AWS accounts, severity thresholds)
  3. The trigger’s output variables become available to all downstream steps

Adding Actions

Drag action blocks onto the canvas and connect them to the trigger or to previous actions:
  1. Select the action type (e.g., Kestrel RCA, Slack Message, GitHub PR)
  2. Configure action parameters — use the variable picker to reference data from previous steps
  3. Connect the action’s output port to the next step’s input port

Connecting Steps

Click an output port and drag to an input port to create a connection. Data flows top-to-bottom through the connections you define.

Trigger Types

Kubernetes Signals

Triggered when Kestrel detects a K8s incident in a connected cluster. Configure filters by cluster, namespace, or incident type.
Trigger BlockDescription
Deployment Replicas FailingTriggers when a Deployment has unavailable replicas
Nodes UnavailableTriggers when a node enters NotReady or unreachable state
Pod CrashLoopBackOffTriggers when a pod enters CrashLoopBackOff
Pod ImagePullBackOffTriggers when a pod cannot pull its container image
Pod OOMKilledTriggers when a container is killed due to out-of-memory
Pods FailingTriggers when a pod exits with a non-zero code
Pods RestartingTriggers when pod restart count exceeds threshold
StatefulSet Replicas FailingTriggers when a StatefulSet has unavailable replicas
Node Memory PressureTriggers when a node reports memory pressure
Node Disk PressureTriggers when a node reports disk pressure
DaemonSet FailingTriggers when a DaemonSet has failing replicas
Any Kubernetes IncidentTriggers on any Kubernetes incident signal

AWS Cloud Signals

Triggered when Kestrel detects a cloud infrastructure incident. Filter by AWS account, region, or incident type.
Trigger BlockDescription
IAM Security EventTriggers on IAM compromise, privilege escalation, or unauthorized access
Root Account ActivityTriggers when the AWS root account is used
KMS Key ChangeTriggers on KMS key deletion, disabling, or scheduled deletion
Secrets Manager EventTriggers on secret deletion, policy changes, or rotation failures
Security Hub FindingTriggers on high or critical findings from Security Hub
S3 Bucket ChangeTriggers on S3 public access changes, policy modifications, or encryption changes
EC2 Instance IssueTriggers on EC2 instance termination, state changes, or status check failures
Lambda Function IssueTriggers on Lambda function errors, configuration issues, or throttling
ECS/EKS Container IssueTriggers on container service task failures or deployment issues
RDS Database IssueTriggers on RDS database deletion, snapshot issues, or availability problems
DynamoDB IssueTriggers on DynamoDB table deletion, throttling, or capacity issues
VPC/Network ChangeTriggers on VPC, security group, NACL, or route table modifications
CloudWatch AlarmTriggers when a CloudWatch alarm enters ALARM state
Application Log ErrorsTriggers when application errors are detected in CloudWatch Logs
Config Rule Non-CompliantTriggers when an AWS Config rule finds a non-compliant resource
AWS Service Health EventTriggers on AWS service health events affecting your resources
Any AWS Cloud IncidentTriggers on any AWS cloud incident
Cost Anomaly DetectedTriggers when AWS Cost Anomaly Detection finds an anomaly
Budget Threshold ExceededTriggers when an AWS Budget threshold is breached
Forecast Exceeds BudgetTriggers when the AWS cost forecast projects a budget overrun before it happens
Spend Spike DetectedTriggers when day-over-day spend rises beyond a configurable percentage threshold
Idle Resource DetectedTriggers when a daily scan finds idle resources (unattached EBS volumes, unassociated Elastic IPs, low-CPU instances, old snapshots)

Schedule

Triggered on a recurring cadence rather than by an external event. Ideal for periodic cost reports, cleanup scans, and audits. Configure the interval (hourly, daily, weekly, or monthly), the time of day (UTC), and — for weekly/monthly schedules — the day of week or day of month.
Trigger BlockDescription
Recurring ScheduleTriggers on a recurring schedule (hourly, daily, weekly, or monthly)
Scheduled triggers expose {{signal.schedule_interval}}, {{signal.fired_at}}, and {{signal.fired_date}} to downstream steps.

Slack Requests

Triggered when a user sends a /kestrel-workflow command in Slack. The user’s message is available as {{request.prompt}}.
Trigger BlockDescription
Create K8s ResourceTriggered when someone requests a new Kubernetes resource
Edit K8s ResourceTriggered when someone requests changes to a Kubernetes resource
General Kubernetes RequestTriggered when someone asks a Kubernetes-related question or task
Create AWS ResourceTriggered when someone requests a new AWS resource
Edit AWS ResourceTriggered when someone requests changes to an AWS resource
General Cloud RequestTriggered when someone asks a cloud-related question or task
Any Slack /kestrel-workflow RequestTriggers on any /kestrel-workflow request (catch-all)

PagerDuty

Triggered when a PagerDuty incident is created or updated. Filter by service, urgency, or severity.
Trigger BlockDescription
Incident TriggeredTriggers when a new PagerDuty incident is created
Incident AcknowledgedTriggers when a PagerDuty incident is acknowledged
Incident ResolvedTriggers when a PagerDuty incident is resolved
Any PagerDuty IncidentTriggers on any PagerDuty incident event
High Urgency IncidentTriggers only on high-urgency PagerDuty incidents

PostHog

Triggered by PostHog product analytics events. Filter by event type and properties.
Trigger BlockDescription
Session Error/ExceptionTriggers when PostHog captures a frontend exception
Console ErrorTriggers when PostHog captures a console error
Rage ClickTriggers when PostHog detects rage clicks in a session
Any PostHog EventTriggers on any PostHog event sent via webhook
Log Error AlertTriggers when PostHog Logs detects error patterns

Vercel

Triggered by Vercel deployment and platform events. Filter by project and event type.
Trigger BlockDescription
Deployment FailedTriggers when a Vercel deployment build fails
Deployment SucceededTriggers when a Vercel deployment succeeds
Deployment CreatedTriggers when a new Vercel deployment is created
Error AnomalyTriggers when Vercel detects a 5xx error rate anomaly
Usage AnomalyTriggers when Vercel detects abnormal usage patterns
Domain IssueTriggers when a Vercel project domain has configuration issues
Firewall Attack DetectedTriggers when Vercel’s WAF detects an attack
Deployment Checks FailedTriggers when post-deployment checks fail
Production RollbackTriggers when a production deployment is rolled back

Railway

Triggered by Railway deployment and platform events. Filter by project, environment, and event type.
Trigger BlockDescription
Deployment FailedTriggers when a Railway deployment build or deploy fails
Deployment CrashedTriggers when a Railway service crashes after a successful deploy
Deployment SucceededTriggers when a Railway deployment succeeds and is live
Volume Usage AlertTriggers when a Railway volume approaches its capacity
CPU/RAM Monitor AlertTriggers when a Railway service exceeds CPU or memory thresholds

Fly.io

Triggered by Fly.io machine lifecycle changes. Fly.io has no outbound webhooks, so Kestrel detects these events by polling the Fly Machines API and diffing machine state on a configurable interval. Filter by app, region, and event type, and set the poll cadence (1m / 5m / 15m / 30m).
Trigger BlockDescription
Machine CrashedTriggers when a Fly machine crashes (non-zero exit / OOM)
Machine StoppedTriggers when a machine transitions to stopped/suspended
Machine StartedTriggers when a machine transitions to started
App DownTriggers when all of an app’s machines are stopped/unhealthy

Nebius AI Cloud

Triggered by Nebius GPU/compute and Managed Kubernetes node changes. Nebius has no outbound webhooks, so Kestrel detects these events by polling the Nebius compute and Managed Kubernetes APIs and diffing instance state and node conditions on a configurable interval. Filter by project, cluster, and event type, and set the poll cadence (1m / 5m / 15m / 30m).
Trigger BlockDescription
GPU ErrorTriggers when a node reports a GPU error condition
Maintenance ScheduledTriggers when a node has scheduled maintenance
Node Not ReadyTriggers when a Kubernetes node leaves the Ready state
Instance StoppedTriggers when a compute instance transitions to stopped

Jenkins

Triggered by Jenkins build lifecycle events, delivered by a webhook notification plugin (or a post-build curl step) authenticated with a per-tenant shared secret. Filter by job name (full path for folder-nested jobs) and build status.
Trigger BlockDescription
Build FailedTriggers when a build completes with FAILURE
Build UnstableTriggers when a build completes UNSTABLE (e.g. test failures)
Build SucceededTriggers when a build completes with SUCCESS
Build Completed (any result)Triggers when a build finishes with any result
Build StartedTriggers when a build starts

CircleCI

Triggered by CircleCI’s native outbound webhooks (workflow-completed / job-completed), signed with HMAC-SHA256 and verified by Kestrel. Filter by project slug, branch, and status.
Trigger BlockDescription
Workflow FailedTriggers when a workflow completes with failed or error status
Workflow SucceededTriggers when a workflow completes successfully
Workflow Completed (any status)Triggers when a workflow finishes with any status
Job FailedTriggers when a job completes with failed status (finer-grained than workflow-completed)

Terraform Cloud

Triggered by Terraform Cloud (HCP Terraform) run lifecycle and drift events, delivered by per-workspace notification configurations (webhooks) signed with HMAC-SHA512 and verified by Kestrel. Filter by workspace, event type, and run status.
Trigger BlockDescription
Run CreatedTriggers when a new run is queued on a workspace
Run PlanningTriggers when a run starts planning
Run Needs AttentionTriggers when a plan finishes and the run awaits confirmation
Run ApplyingTriggers when a run starts applying
Run CompletedTriggers when a run applies successfully or finishes as planned-and-finished
Run ErroredTriggers when a run fails (plan/apply error, policy hard-fail)
Drift DetectedTriggers when a workspace health assessment detects infrastructure drift
Assessment Check FailedTriggers when a workspace health assessment fails to run

Pulumi Cloud

Triggered by Pulumi Cloud stack, update, deployment, drift, and policy events, delivered by organization or stack webhooks signed with HMAC-SHA256 (Pulumi-Webhook-Signature) and verified by Kestrel. Filter by stack (project/stack reference), project, and event type.
Trigger BlockDescription
Update SucceededTriggers when a stack update (pulumi up) succeeds
Update FailedTriggers when a stack update, refresh, or destroy fails
Preview FailedTriggers when a stack preview fails
Destroy SucceededTriggers when a stack destroy succeeds
Deployment StartedTriggers when a Pulumi Deployments run starts executing
Deployment SucceededTriggers when a Pulumi Deployments run succeeds
Deployment FailedTriggers when a Pulumi Deployments run fails
Drift DetectedTriggers when a drift detection run finds infrastructure drift
Drift Run FailedTriggers when a drift detection or remediation run fails
Policy ViolationTriggers when a CrossGuard policy violation is detected
Stack CreatedTriggers when a new stack is created in the organization
Stack DeletedTriggers when a stack is deleted from the organization

Custom Webhook

Triggered by an HTTP POST to a unique webhook URL. Accepts any JSON payload with optional HMAC signature verification. See Custom Integrations for details.

Action Types

Actions are grouped by integration. Each action produces output variables that downstream steps can reference.
https://mintcdn.com/kestrelai/JbUAbfQFj7mgzc4Q/logo/icon.svg?fit=max&auto=format&n=JbUAbfQFj7mgzc4Q&q=85&s=df8db0a7b5b5d2773e58894bd595c389

Kestrel

Trigger K8s RCA & Generate Fix, Apply YAML Fix, Find Causal PRs/MRs, Trigger Cloud RCA & Generate Fix, Generate Runbook, Wait, Generate K8s Manifest, Apply K8s Manifest, Create GitOps PR, Generate Helm Values, Generate Cloud Resource, Execute Cloud CLI, Create IaC PR, Investigate Cloud, Investigate Kubernetes, AI Cost Analysis

GitHub

Create Pull Request, Create Issue, Trigger GitHub Action, Wait for GitHub Action Run, Get GitHub Action Status, Read File, Search Code, AI Code Investigation, AI Code Fix, Wait for PR Approval, Wait for PR Merge

GitLab

Create Merge Request, Create Issue, Trigger Pipeline, Wait for Pipeline, Get Pipeline Status, Wait for MR Approval, Wait for MR Merge

Slack

Send Message, Update Message, Request Justification

Confluence

Publish RCA, Publish Postmortem, Publish Runbook Entry, Update Page

Jira

Create Ticket, Add Comment, Transition Ticket

Linear

Create Issue, Add Comment, Update Issue, Search Issues

PagerDuty

Create Alert, Acknowledge Alert, Add Note to Alert, Resolve Alert, Escalate

ArgoCD

Trigger ArgoCD Sync, Wait for ArgoCD Sync, Get ArgoCD App Status

Jenkins

Trigger Build, Wait for Build, Get Build Status, Stop Build, Get Console Log, Investigate Jenkins

CircleCI

Trigger Pipeline, Wait for Pipeline, Get Workflow Status, Rerun Workflow, Cancel Workflow, Approve On-Hold Job, Get Job Test Results, Investigate CircleCI

Datadog

Query Metrics, Create Monitor, Send Event, Mute Monitor

Cloud Cost

Query Cost Explorer, Get Cost Anomalies, Get Cost Forecast, Get Budget Status, Get Rightsizing Recommendations, Get Savings Plans Recommendations, Get Reservation Recommendations, Get Commitment Utilization, Compare Cost Periods, Find Idle Resources, Get Compute Optimizer Recommendations, Get Trusted Advisor Cost Checks, Stop EC2 Instances, Delete Unattached EBS Volumes, Release Elastic IPs, Delete Old Snapshots

PostHog

Get Session Summary, Get Session Recording, Query Events, List Session Recordings, Get Error Issue

Vercel

Get Deployment, Get Build Logs, Rollback Production, Promote to Production, List Deployments, Investigate Vercel

Railway

Get Deployment, Get Deployment Logs, Rollback, Redeploy, Restart, List Deployments, Set Variables, Investigate Railway

Fly.io

Restart Machine, Start Machine, Stop Machine, Suspend Machine, Cordon Machine, Uncordon Machine, Get Machine, Get Machine Events, List Machines, Set Secrets, Investigate Fly

Nebius AI Cloud

Get Instance, Start Instance, Stop Instance, Restart Instance, List Instances, List Clusters, List Node Groups, Scale Node Group, Investigate Nebius

Terraform Cloud

List/Get Workspace, Lock/Unlock/Force-Unlock Workspace, List/Get Run, Create Run (Plan), Create Destroy Run, Apply Run, Discard Run, Cancel Run, Wait for Run, Get State Outputs, List Variables, Set Variable, Get Drift Assessment, Investigate Terraform

Pulumi Cloud

List/Get Stack, List/Get Update, Run Deployment, Get/Wait for/Cancel Deployment, Pause/Resume Deployments, Get Stack Outputs, Get Drift Status, Set/Delete Stack Tag, Investigate Pulumi

Approval Gates

Wait for Manual Approval, Wait for Slack Approval, Wait for PR/MR Approval, Refine RCA with Feedback

Custom HTTP & Webhooks

Create custom action blocks to call any API endpoint, and custom webhook triggers to start workflows from external systems. See Custom Integrations.
The Cloud Cost remediation blocks (Stop EC2 Instances, Delete Unattached EBS Volumes, Release Elastic IPs, Delete Old Snapshots) mutate real infrastructure. Always place them behind an Approval Gate. Resources tagged kestrel:protected are always skipped, every remediation block is pinned to an explicit region, and safety caps limit how many resources a single run can touch.

Template Variables

Template variables let you pass data between workflow steps. Use double curly braces to reference outputs from triggers and previous actions.

Variable Syntax

{{incident.title}}                  — Data from the trigger event
{{rca_result.root_cause}}           — Promoted field from RCA actions
{{step_outputs.action-1.summary}}   — Output from a specific action step
{{request.prompt}}                  — User input (for Slack request triggers)

Common Variables

VariableSourceDescription
{{incident.title}}K8s/Cloud triggerIncident title
{{incident.namespace}}K8s triggerKubernetes namespace
{{incident.resource_name}}K8s/Cloud triggerAffected resource
{{rca_result.root_cause}}Kestrel RCA actionRoot cause summary
{{rca_result.recommended_fix}}Kestrel RCA actionRecommended remediation
{{fix.description}}Kestrel RCA actionGenerated fix description
{{step_outputs.action-1.summary}}Any action stepSummary output of the step
{{request.prompt}}Slack request triggerThe user’s original message
{{request.requester}}Slack request triggerThe requesting user
{{signal.deployment_id}}Vercel triggerVercel deployment ID
{{signal.deployment_id}}Railway triggerRailway deployment ID
{{signal.service_id}}Railway triggerRailway service ID
{{signal.environment_id}}Railway triggerRailway environment ID
{{signal.app_name}}Fly.io triggerFly app name
{{signal.machine_id}}Fly.io triggerFly machine ID
{{signal.region}}Fly.io triggerFly region (e.g. iad)
{{signal.exit_code}}Fly.io triggerMachine exit code (crash events)
{{signal.project_id}}Nebius triggerNebius project ID
{{signal.instance_id}}Nebius triggerNebius compute instance ID
{{signal.cluster_id}}Nebius triggerNebius Managed Kubernetes cluster ID
{{signal.node_group_id}}Nebius triggerNebius node group ID
{{signal.node_name}}Nebius triggerKubernetes node name
{{signal.condition}}Nebius triggerNode condition that fired (e.g. NebiusGPUError)
{{signal.job_name}}Jenkins / CircleCI triggerJenkins job full name, or CircleCI job name (job-completed events)
{{signal.build_number}}Jenkins triggerNumber of the build
{{signal.build_status}}Jenkins triggerBuild result (SUCCESS, FAILURE, UNSTABLE, ABORTED)
{{signal.build_url}}Jenkins triggerLink to the build
{{signal.project_slug}}CircleCI triggerProject slug (e.g. gh/org/repo)
{{signal.pipeline_id}}CircleCI triggerID of the pipeline
{{signal.workflow_id}}CircleCI triggerID of the workflow
{{signal.workflow_name}}CircleCI triggerName of the workflow
{{signal.job_number}}CircleCI triggerNumber of the job (job-completed events)
{{signal.status}}CircleCI triggerWorkflow/job status (success, failed, error, canceled)
{{signal.branch}}CircleCI triggerVCS branch the pipeline ran on
{{signal.session_id}}PostHog triggerPostHog session ID
{{signal.workspace}}Terraform Cloud triggerWorkspace name
{{signal.run_id}}Terraform Cloud triggerRun ID (run-…)
{{signal.run_status}}Terraform Cloud triggerRun status at notification time
{{signal.run_url}}Terraform Cloud triggerLink to the run in Terraform Cloud
{{signal.organization}}Terraform Cloud triggerTerraform Cloud organization
{{signal.session_id}}PostHog triggerPostHog session ID
{{signal.stack}}Pulumi Cloud triggerStack reference (project/stack)
{{signal.project}}Pulumi Cloud triggerPulumi project name
{{signal.operation}}Pulumi Cloud triggerOperation kind (update, preview, refresh, destroy, detect-drift, remediate-drift)
{{signal.result}}Pulumi Cloud triggerOperation result (succeeded, failed)
{{signal.update_version}}Pulumi Cloud triggerStack update version number
{{signal.deployment_id}}Pulumi Cloud triggerPulumi Deployments run ID (deployment events)
{{signal.update_url}}Pulumi Cloud triggerLink to the update in the Pulumi Cloud console
{{signal.user}}Pulumi Cloud triggerUser who initiated the operation
{{signal.aws_account_id}}AWS cost triggerAWS account ID for cost anomaly, budget, forecast, spend spike, and idle resource signals
{{signal.schedule_interval}}Schedule triggerConfigured cadence (hourly, daily, weekly, monthly)
{{signal.fired_at}}Schedule triggerUTC timestamp (RFC3339) when the schedule fired
{{signal.fired_date}}Schedule triggerUTC date (YYYY-MM-DD) when the schedule fired

Variable Picker

When configuring an action step, click the Variables button on any text field to open the variable picker. It shows all available variables from the trigger and preceding steps, grouped by source. The picker is DAG-aware — it only shows variables that will be available at runtime based on the step’s position in the workflow.
The variable picker only shows variables that are available at the current step’s position in the workflow. Move a step earlier or later to change which variables it can access.

Cooldown Configuration

Cooldowns prevent a workflow from firing repeatedly for the same event. Configure the cooldown period per workflow.
PresetDurationDefault For
No cooldown0
5 minutes5m
10 minutes10mSlack, PostHog, Vercel, Railway, Fly.io, Nebius, Jenkins, CircleCI, Terraform Cloud, Pulumi Cloud, custom webhook triggers
30 minutes30m
1 hour1h
3 hours3h
12 hours12h
24 hours24hK8s incidents, cloud incidents, PagerDuty alerts
Cooldowns are scoped to the specific trigger event. For K8s incidents, the cooldown applies per workload. For Slack requests, it applies per request.

Approval Gates

Insert approval gates between steps to require human sign-off before the workflow continues. Three approval methods are available:

Wait for Manual Approval

The workflow pauses and shows a pending approval in the Kestrel dashboard. An authorized user clicks Approve or Reject.

Wait for Slack Approval

The workflow posts an approval request to a configured Slack channel with Approve and Reject buttons. Any member of the channel can respond.

Wait for PR/MR Approval

The workflow waits for the associated pull request or merge request to be approved or merged (webhook-driven). Merging the PR approves the step; closing it rejects it.

Refine RCA with Feedback (human-in-the-loop)

A self-looping review gate for incident-response workflows. Place it after a Trigger K8s RCA or Trigger Cloud RCA step. It presents the root cause and proposed fix for review with three outcomes:
  • Approve — continues on the approved branch (e.g. apply the fix, publish the runbook).
  • Reject — continues on the rejected branch.
  • Request changes — you provide free-text guidance (“the real cause is the readiness probe timeout, not the image tag”), and the RCA agent re-runs with your feedback and comes back for review again. Feedback accumulates across rounds, so each pass builds on the last.
The loop repeats until you approve or reject, capped by Max Refine Rounds (default 5). When the cap is hit, the workflow advances on the approved branch. Choose Kestrel UI or Slack as the review channel in the block config.

Poll Until (Loops)

The Poll Until block (Flow Control) repeatedly runs a single catalog action at a fixed interval and evaluates an exit condition against each iteration’s output. It’s the building block for “wait for X to reach state Y” automation — waiting for a sandbox to stop, a deployment to become healthy, a pipeline to finish, or a cloud resource to reach a target state. Drag Poll Until from the sidebar (next to Conditions) onto the canvas, then configure:
  • Action to Poll — any catalog action (searchable dropdown). Its config fields appear below and behave exactly like the standalone action block, including dynamic dropdowns (e.g. Cluster → Namespace scoping) and template variables.
  • Output Field Path — which output field of the polled action to test, chosen from the action’s known outputs.
  • Operator + Valueequals, not_equals, contains, not_contains, exists, not_exists. Where the output has known discrete values (states, statuses) or refers to live resources (cluster IDs), the Value field is a dropdown. You can select multiple values: equals/contains are met when the output matches ANY selected value; not_equals/not_contains are met only when it matches NONE.
  • Poll Interval — how often to re-run the action (default 60s, minimum 30s).
  • Timeout — how long to keep polling (default 60 minutes).
The block has two outgoing branches:
  • met — the exit condition held on some iteration; downstream steps see the final iteration’s output.
  • timeout — the timeout elapsed before the condition was met.
Polling is durable. The loop’s schedule is persisted server-side, so a server restart mid-interval resumes the countdown where it left off instead of restarting the interval — and in-flight loops survive redeployments.

Generating Runbooks

The Generate Runbook action (Kestrel) distills a completed RCA and its fixes into a reusable, generalized runbook for that class of incident — symptom, diagnosis steps, remediation steps, verification, and rollback. It requires an upstream RCA step. The generated runbook is available to downstream steps as {{runbook_html}} / {{runbook_markdown}}, and Publish Runbook Entry (Confluence) consumes runbook_html automatically.

Testing Workflows

Before relying on a workflow in production, test it with a simulated trigger:
  1. Open the workflow on the canvas
  2. Click Test Workflow
  3. Kestrel generates a sample trigger payload based on the trigger type
  4. Click Run Test to execute the workflow with the sample data
  5. Inspect the output of each step in the execution detail view
Test executions are marked as test runs in the Observability dashboard and do not count toward cooldowns.

Example Workflows

K8s Incident → RCA → Slack → Jira

Workflow Agent prompt: “When a Kubernetes incident is detected in any cluster, run root cause analysis, send the root cause and recommended fix to #incidents in Slack, and create a Jira ticket in the INFRA project with the full investigation summary.”
StepTypeConfiguration
TriggerAny Kubernetes IncidentAll clusters
Action 1Trigger K8s RCA & Generate FixInclude metrics and logs
Action 2Slack Send MessageChannel: #incidents, message: {{incident.title}}{{rca_result.root_cause}}
Action 3Jira Create TicketProject: INFRA, summary: {{incident.title}}, body: {{rca_result.investigation_summary}}

K8s Incident → RCA → Refine with Feedback → Apply → Publish Runbook

A full human-in-the-loop loop: detect the incident, run RCA, draft a reusable runbook, let an engineer iteratively refine the analysis, then apply the fix and publish the runbook. Workflow Agent prompt: “When a Kubernetes pod crashes, run root cause analysis, generate a runbook, then let me review and refine the analysis before applying — when I approve, apply the YAML fix and publish the runbook to Confluence; if I reject, notify #incidents.”
StepTypeConfiguration
TriggerAny Kubernetes IncidentAll clusters
Action 1Trigger K8s RCA & Generate FixInclude metrics and logs
Action 2Generate RunbookAudience: SRE, include rollback
ApprovalRefine RCA with FeedbackChannel: Kestrel UI, Max Refine Rounds: 3
On Approved → Action 3Apply YAML FixAuto-detected from RCA
On Approved → Action 4Publish Runbook Entry (Confluence)Uses {{runbook_html}}
On Rejected → Action 5Slack Send MessageChannel: #incidents, message: RCA rejected by reviewer
On Request changes, the reviewer’s free-text guidance re-runs the RCA agent and the gate re-opens — repeating until approve/reject or the round cap.

Slack Request → K8s Manifest → GitOps PR → ArgoCD Sync

Workflow Agent prompt: “When someone requests a new Kubernetes resource via /kestrel-workflow in Slack, generate the K8s manifests based on their request, create a pull request in acme/k8s-manifests on GitHub, wait for the PR to be merged, then trigger an ArgoCD sync.”
StepTypeConfiguration
TriggerAny Slack /kestrel-workflow RequestCatch-all
Action 1Generate K8s ManifestPrompt: {{request.prompt}}
Action 2Create GitOps PRRepo: acme/k8s-manifests
ApprovalWait for PR/MR ApprovalWait for PR merge
Action 3Trigger ArgoCD SyncAuto-detected from PR

Vercel Deployment Failure → Build Logs → Investigation → Slack

Workflow Agent prompt: “When a Vercel deployment fails, fetch the build logs, run an AI investigation to identify the root cause of the build failure, and send the findings to #deploys in Slack.”
StepTypeConfiguration
TriggerVercel Deployment FailedAll projects
Action 1Get Build LogsDeployment: {{signal.deployment_id}}
Action 2Investigate VercelQuery: analyze build logs from {{step_outputs.action-1.summary}}
Action 3Slack Send MessageChannel: #deploys, message: {{step_outputs.action-2.summary}}

Railway Deployment Crash → Logs → Investigation → Rollback → Slack

Workflow Agent prompt: “When a Railway service crashes, fetch the deployment logs, run an AI investigation to find the root cause, roll the service back to its previous deployment, and post a summary to #platform in Slack.”
StepTypeConfiguration
TriggerRailway Deployment CrashedAll projects
Action 1Get Deployment LogsDeployment: {{signal.deployment_id}}
Action 2Investigate RailwayQuery: analyze crash logs from {{step_outputs.action-1.summary}}
Action 3RollbackService: {{signal.service_id}}, Environment: {{signal.environment_id}}
Action 4Slack Send MessageChannel: #platform, message: {{step_outputs.action-2.summary}}

Fly.io Machine Crash → Events → Investigation → Restart → Slack

Workflow Agent prompt: “When a Fly.io machine crashes, pull its recent events, run an AI investigation to find the root cause, restart the machine, and post a summary to #platform in Slack.”
StepTypeConfiguration
TriggerFly.io Machine CrashedAll apps, poll every 1m
Action 1Get Machine EventsApp: {{signal.app_name}}, Machine: {{signal.machine_id}}
Action 2Investigate FlyQuery: find why machine {{signal.machine_id}} crashed using {{step_outputs.action-1.summary}}
Action 3Restart MachineApp: {{signal.app_name}}, Machine: {{signal.machine_id}}
Action 4Slack Send MessageChannel: #platform, message: {{step_outputs.action-2.summary}}

Nebius GPU Error → Investigation → Scale Node Group → Slack

Workflow Agent prompt: “When a Nebius GPU node reports an error, run an AI investigation to find the root cause, add a node to the affected node group, and post a summary to #ml-infra in Slack.”
StepTypeConfiguration
TriggerNebius GPU ErrorAll projects, poll every 5m
Action 1Investigate NebiusQuery: find why node {{signal.node_name}} reported a GPU error
Action 2Scale Node GroupCluster: {{signal.cluster_id}}, Node Group: {{signal.node_group_id}}, Size: 3
Action 3Slack Send MessageChannel: #ml-infra, message: {{step_outputs.action-1.summary}}

Jenkins Build Failure → Console Log → Investigation → Slack + Jira

Workflow Agent prompt: “When a Jenkins build fails, fetch the console log, run an AI investigation to identify the root cause of the failure, post the findings to #ci in Slack, and create a Jira ticket in the INFRA project.”
StepTypeConfiguration
TriggerJenkins Build FailedAll jobs
Action 1Get Console LogJob: {{signal.job_name}}, Build: {{signal.build_number}}
Action 2Investigate JenkinsQuery: analyze the console log from {{step_outputs.action-1.summary}}
Action 3Slack Send MessageChannel: #ci, message: {{step_outputs.action-2.summary}}
Action 4Jira Create TicketProject: INFRA, description: {{step_outputs.action-2.answer}}

CircleCI Workflow Failure → Rerun From Failed → Wait → PagerDuty

Workflow Agent prompt: “When a CircleCI workflow fails on main, rerun only the failed jobs, wait for the pipeline to finish, and page on-call via PagerDuty with an AI investigation summary if the rerun also fails.”
StepTypeConfiguration
TriggerCircleCI Workflow FailedProjects: all, branch: main
Action 1Rerun WorkflowWorkflow: {{signal.workflow_id}}, from failed jobs only
Action 2Wait for PipelineProject: {{signal.project_slug}}, Pipeline: {{signal.pipeline_id}}, timeout 30m
Action 3Investigate CircleCIQuery: find why {{signal.workflow_name}} keeps failing (only on failure branch)
Action 4PagerDuty Create AlertSummary: {{step_outputs.action-3.summary}}

PostHog Exception → Investigation → Slack

Workflow Agent prompt: “When PostHog captures a frontend exception, generate an AI summary of the user’s session including what they were doing before the error, and send the summary with the replay URL to #product-alerts in Slack.”
StepTypeConfiguration
TriggerPostHog Session Error/ExceptionAll events
Action 1Get Session SummarySession: {{signal.session_id}}
Action 2Slack Send MessageChannel: #product-alerts, message: {{step_outputs.action-1.summary}} with replay URL

Terraform Run Needs Attention → Plan Summary → Slack Approval → Apply

Workflow Agent prompt: “When a Terraform Cloud run on a production workspace finishes planning and needs confirmation, fetch the planned changes, ask for approval in #infra-approvals, and apply the run if approved or discard it if rejected.”
StepTypeConfiguration
TriggerTerraform Run Needs AttentionWorkspaces: prod-*
Action 1Get RunWorkspace: {{signal.workspace}}, Run: {{signal.run_id}}
Action 2Wait for Slack ApprovalChannel: #infra-approvals, message includes {{step_outputs.action-1.summary}} and {{signal.run_url}}
On ApprovedApply RunWorkspace: {{signal.workspace}}, Run: {{signal.run_id}}
On RejectedDiscard RunWorkspace: {{signal.workspace}}, Run: {{signal.run_id}}

Pulumi Update Failure → Investigation → Slack Approval → Retry

Workflow Agent prompt: “When a Pulumi Cloud update fails on a production stack, investigate the failure, post the findings to #infra-approvals in Slack and ask for approval, then retry the update if approved.”
StepTypeConfiguration
TriggerPulumi Update FailedStacks: prod-*
Action 1Investigate PulumiQuery: why did the update fail?, Stack: {{signal.stack}}
Action 2Wait for Slack ApprovalChannel: #infra-approvals, message includes {{step_outputs.action-1.summary}} and {{signal.update_url}}
On ApprovedRun DeploymentStack: {{signal.stack}}, Operation: update
Action 4Wait for DeploymentStack: {{signal.stack}}, Deployment: {{step_outputs.action-3.deployment_id}}

Cloud Cost Anomaly → AI Analysis → Slack Report

Workflow Agent prompt: “When an AWS cost anomaly is detected, query the cost breakdown for the affected account over the last 7 days, run an AI cost analysis to identify the root cause and recommend optimizations, and post the analysis to #finops in Slack.”
StepTypeConfiguration
TriggerCost Anomaly DetectedAll AWS accounts
Action 1Query Cost ExplorerAccount: {{signal.aws_account_id}}, time range: 7 days
Action 2AI Cost AnalysisType: anomaly
Action 3Slack Send MessageChannel: #finops, message: {{step_outputs.action-2.summary}}

Weekly Schedule → Cost Report → Savings Recommendations → Slack

Workflow Agent prompt: “Every Monday at 9am UTC, query last week’s AWS costs grouped by service, get savings plans recommendations, run an AI cost analysis, and post an executive summary to #finops in Slack.”
StepTypeConfiguration
TriggerRecurring ScheduleWeekly, Monday, 09:00 UTC
Action 1Query Cost ExplorerTime range: 7 days, group by: Service
Action 2Get Savings Plans RecommendationsTerm: 1 year, payment: no upfront
Action 3AI Cost AnalysisType: summary
Action 4Slack Send MessageChannel: #finops, message: {{step_outputs.action-3.formatted_slack_message}}

Idle Resource Scan → Approval → Cleanup → Slack

Workflow Agent prompt: “Every day at 8am UTC, scan for idle resources (unattached EBS volumes and unassociated Elastic IPs), ask for approval in #finops, and if approved delete the unattached volumes (snapshot first) and release the idle Elastic IPs.”
StepTypeConfiguration
TriggerRecurring ScheduleDaily, 08:00 UTC
Action 1Find Idle ResourcesResource types: EBS volumes, Elastic IPs; all enabled regions
Action 2Wait for Slack ApprovalChannel: #finops, message includes {{step_outputs.action-1.idle_count}} idle resources, est. savings {{step_outputs.action-1.estimated_monthly_savings}}
On Approved → Action 3Delete Unattached EBS VolumesVolume IDs: {{step_outputs.action-1.idle_volume_ids}}, snapshot first
On Approved → Action 4Release Elastic IPsAllocation IDs: {{step_outputs.action-1.idle_eip_allocation_ids}}
Action 5Slack Send MessageChannel: #finops, message: cleanup summary

Forecast Overrun → Compare Periods → Rightsizing → Slack

Workflow Agent prompt: “When the AWS cost forecast projects a budget overrun, compare this month’s spend to last month to find the biggest movers, get rightsizing recommendations, and post the analysis to #finops in Slack.”
StepTypeConfiguration
TriggerForecast Exceeds BudgetAll AWS accounts
Action 1Compare Cost PeriodsThis month vs last month, group by: Service
Action 2Get Rightsizing RecommendationsAll recommendation types
Action 3AI Cost AnalysisType: optimization
Action 4Slack Send MessageChannel: #finops, message: {{step_outputs.action-3.summary}}

Next Steps