Remediator Configuration


The Remediator Agent can run in several modes.

Multi-Cluster Support

ArgoCD Hub Mode

Refer to the official ArgoCD documentation to set up ArgoCD in the hub cluster and register the spoke cluster.

Here is an example repository containing an ArgoCD Application. Deploy this application onto the target cluster.

Apply the following Remediator CR:

apiVersion: serviceagents.nirmata.io/v1alpha1
kind: Remediator
metadata:
  name: remediator-argo-hub
  namespace: nirmata
spec:
  environment:
    type: argoHub
  
  target:
    argoHubTarget:
      argoAppSelector:
        allApps: true
  
  remediation:
    triggers:
      - schedule:
          crontab: "0 */6 * * *"
    llmConfigRef:
      name: remediator-agent-llm
      namespace: nirmata
    gitCredentials:
      name: toolconfig-sample
      namespace: nirmata
    actions:
      - type: CreatePR
        toolRef:
          name: toolconfig-sample
          namespace: nirmata

Local Cluster Mode

If you are not using ArgoCD for deployments, specify the repository-to-namespace mapping using a ConfigMap.

Create the ConfigMap in the nirmata namespace:

apiVersion: v1
kind: ConfigMap
metadata:
  name: repo-namespace-mapping
  namespace: nirmata
data:
  mapping: |
    [
      {
        "repo": "https://github.com/nirmata/demo-remediator",
        "branch": "main",
        "path": "apps/nginx",
        "targetNamespace": "default"
      }
    ]

Apply the Remediator CR:

apiVersion: serviceagents.nirmata.io/v1alpha1
kind: Remediator
metadata:
  name: remediator-local-cluster
  namespace: nirmata
spec:
  environment:
    type: localCluster
  
  target:
    localClusterTarget:
      repoNamespaceMappingRef:
        name: repo-namespace-mapping
        namespace: nirmata
        key: mapping
  remediation:
    triggers:
      - schedule:
          crontab: "0 */6 * * *"
    llmConfigRef:
      name: remediator-agent-llm
      namespace: nirmata
    gitCredentials:
      name: toolconfig-sample
      namespace: nirmata
    actions:
      - type: CreatePR
        toolRef:
          name: toolconfig-sample
          namespace: nirmata
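
A pre-apply check for the repo-to-namespace mapping shown above, as an added example that is not part of Nirmata's documentation or code. It assumes all four keys in the sample entry are mandatory and that ALLOWED_HOSTS (a hypothetical allow-list) names the git hosts the agent's credentials are meant to reach.

```python
import json
from urllib.parse import urlsplit

# Assumption: every entry needs the four keys shown in the page's sample mapping.
REQUIRED = ("repo", "branch", "path", "targetNamespace")
# Assumption: hypothetical allow-list of git hosts the agent may open PRs against.
ALLOWED_HOSTS = {"github.com"}

def lint_mapping(raw, allowed_hosts=ALLOWED_HOSTS):
    """Check the JSON stored under the ConfigMap's `mapping` key; return findings."""
    try:
        entries = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"mapping is not valid JSON: {exc.msg}"]
    if not isinstance(entries, list):
        return ["mapping must be a JSON array of objects"]
    findings = []
    for i, entry in enumerate(entries):
        if not isinstance(entry, dict):
            findings.append(f"[{i}] entry is not an object")
            continue
        missing = [k for k in REQUIRED if not isinstance(entry.get(k), str) or not entry[k]]
        if missing:
            findings.append(f"[{i}] missing or empty: {missing}")
            continue
        url = urlsplit(entry["repo"])
        if url.scheme != "https":
            findings.append(f"[{i}] repo must use https")
        if url.username or url.password:
            findings.append(f"[{i}] repo URL embeds credentials; keep them in the ToolConfig")
        if url.hostname not in allowed_hosts:
            findings.append(f"[{i}] repo host {url.hostname!r} is not allow-listed")
        if entry["path"].startswith("/") or ".." in entry["path"].split("/"):
            findings.append(f"[{i}] path must stay inside the repository")
    return findings

# The mapping from the ConfigMap on this page.
PAGE_MAPPING = json.dumps([{"repo": "https://github.com/nirmata/demo-remediator",
                            "branch": "main", "path": "apps/nginx", "targetNamespace": "default"}])
# Constructed entries that should be rejected.
BAD_MAPPING = json.dumps([
    {"repo": "https://ci-bot:PLACEHOLDER@github.com/nirmata/demo-remediator",
     "branch": "main", "path": "../other-app", "targetNamespace": "default"},
    {"repo": "http://git.example.test/team/app",
     "branch": "main", "path": "apps/nginx", "targetNamespace": "default"},
])

if __name__ == "__main__":
    print("page mapping:", lint_mapping(PAGE_MAPPING))
    for finding in lint_mapping(BAD_MAPPING):
        print(finding)
```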

Advanced Settings

Specify target clusters for ArgoCD Hub Mode:

Use the spec.target.argoHubTarget field to specify cluster names or server URLs.

target:
  argoHubTarget:
    clusterNames:
      - argocd-spoke
      - production-cluster
    clusterServerUrls:
      - "https://production-cluster.example.com"
    argoAppSelector:
      allApps: true

Specify target Argo applications:

Use the spec.target.argoHubTarget.argoAppSelector field to select target applications, either by name (names) or by label (labelSelector).

target:
  argoHubTarget:
    argoAppSelector:
      names:
        - nginx-demo
      labelSelector:
        matchLabels:
          team: platform
          environment: production
        matchExpressions:
          - key: criticality
            operator: In
            values: ["high", "critical"]

NOTE: Set spec.target.argoHubTarget.argoAppSelector.allApps: true if you want to remediate all Argo applications. When allApps is true, it overrides all other selection logic.

Filter violations for specific policies:

You can filter by policy severity using the spec.remediation.filters.policySelector field.

remediation:
  filters:
    policySelector:
      matchSeverity:
        - high
        - critical

Remediator CRD Reference

This section provides a comprehensive reference for all fields in the Remediator Custom Resource Definition (CRD).

RemediatorSpec

The RemediatorSpec defines the desired state of a Remediator resource.

Environment Configuration

environment (required)

Defines the environment configuration for the remediator.

Type: EnvironmentConfig

environment.type (required)

Determines the environment type for the remediator deployment.

Type: EnvironmentType (enum)

Valid Values:

  • localCluster - Indicates a local cluster deployment
  • argoHub - Indicates an ArgoCD hub cluster deployment

Example:

environment:
  type: argoHub

Target Configuration

target (optional)

Defines the target configuration for remediation. Required when environment type is argoHub, optional when localCluster.

Type: Target

The Target configuration supports three different target types, and exactly one must be specified:

target.localCluster (optional)

Local cluster-based targeting configuration.

Type: LocalClusterTarget

target.localCluster.repoNamespaceMappingRef (required)

Reference to a ConfigMap containing mapping between git repositories and target namespaces.

Type: ConfigMapRef

Fields:

  • name (required) - Name of the ConfigMap
  • namespace (optional) - Namespace of the ConfigMap
  • key (optional) - Key within the ConfigMap containing mapping data (default: “mapping”)

target.argoHub (optional)

ArgoCD hub cluster-based targeting configuration.

Type: ArgoHubTarget

target.argoHub.clusterNames (optional)

List of cluster names to remediate.

Type: []string

target.argoHub.clusterServerUrls (optional)

List of cluster server URLs to target.

Type: []string

target.argoHub.appSelector (optional)

Defines how to select Argo applications for remediation.

Type: ArgoAppSelector

Fields:

  • names (optional) - List of specific Argo application names to select
  • labelSelector (optional) - Label selector to select applications based on labels
  • allApps (optional) - When true, selects all applications (overrides other selectors)

target.vcs (optional)

Version Control System-based targeting configuration.

Type: VCSTarget

target.vcs.policies (required)

List of policies with their git repository locations.

Type: []PolicyRepo

PolicyRepo Fields:

  • name (required) - Name of the policy
  • repo (required) - Repository URL containing the policy
  • path (required) - Path to the policy within the repository
  • ref (required) - Git reference (branch, tag, or commit) to use

target.vcs.resources (required)

List of resources with their git repository locations and associated policies.

Type: []ResourceRepo

ResourceRepo Fields:

  • name (required) - Name of the resource
  • repo (required) - Repository URL containing the resource
  • path (required) - Path to the resource within the repository
  • ref (required) - Git reference (branch, tag, or commit) to use
  • policyRefs (required) - List of policy names to apply to this resource

Example:

target:
  vcs:
    policies:
      - name: security-policy
        repo: https://github.com/company/policies
        path: security/
        ref: main
    resources:
      - name: web-app
        repo: https://github.com/company/web-app
        path: k8s/
        ref: main
        policyRefs:
          - security-policy

Remediation Configuration

remediation (required)

Defines the remediation configuration including triggers, filters, and actions.

Type: RemediationConfig

remediation.triggers (required)

Defines when remediation should be triggered.

Type: []Trigger

remediation.triggers[].schedule (optional)

Cron-based schedule trigger configuration.

Type: ScheduleTrigger

Fields:

  • crontab (required) - Cron expression for scheduling

remediation.filters (optional)

Defines what should be filtered for remediation.

Type: Filters

remediation.filters.policySelector (required)

Policy-based filtering criteria.

Type: PolicySelector

Fields:

  • matchSeverity (required) - List of severity levels to match

remediation.actions (required)

Defines what actions to take during remediation.

Type: []Action

Action Fields:

  • type (required) - Type of action to perform (e.g., “CreatePR”)
  • confidence (optional) - Confidence levels that trigger this action (“high”, “low”)
  • toolRef (required) - Reference to the tool configuration

remediation.llmConfigRef (required)

Reference to an LLMConfig resource for AI-powered remediation.

Type: LLMConfigRef

Fields:

  • apiVersion (optional) - API version (default: “serviceagents.nirmata.io/v1alpha1”)
  • kind (optional) - Resource kind (default: “LLMConfig”)
  • name (required) - Name of the LLMConfig resource
  • namespace (optional) - Namespace of the LLMConfig resource

remediation.gitCredentials (required)

Reference to a ToolConfig resource for git credentials.

Type: ToolRef

Fields:

  • apiVersion (optional) - API version (default: “serviceagents.nirmata.io/v1alpha1”)
  • kind (optional) - Resource kind (default: “ToolConfig”)
  • name (required) - Name of the ToolConfig resource
  • namespace (optional) - Namespace of the ToolConfig resource

RemediatorStatus

The RemediatorStatus defines the observed state of a Remediator resource.

Status Fields

phase

Current operational phase of the remediator.

Type: RemediatorPhase (enum)

Valid Values:

  • Ready - Remediator is properly configured and operational
  • Running - Remediator is currently executing a remediation cycle
  • Failed - Remediator configuration is invalid or broken

message

Human-readable details about the current state.

Type: string

lastScheduleTime

Last time a remediation was scheduled to run.

Type: metav1.Time

lastSuccessfulTime

Last time a remediation run completed successfully.

Type: metav1.Time

nextScheduledTime

When the next remediation run is scheduled.

Type: metav1.Time

lastRunSummary

Details about the most recent remediation run.

Type: RemediationRunSummary

RemediationRunSummary Fields:

  • status (optional) - Run outcome (“Succeeded” or “Failed”)
  • startTime (optional) - When the run started
  • endTime (optional) - When the run completed
  • message (optional) - Details about the run outcome
  • targetsProcessed (optional) - Number of targets processed
  • violationsFound (optional) - Total violations discovered
  • remediationPlans (optional) - Number of remediation plans generated
  • actionsExecuted (optional) - Number of actions executed
  • errors (optional) - List of errors encountered

Validation Rules

The Remediator CRD includes several validation rules:

  1. Target Requirement: target is required when environment type is argoHub
  2. Target Exclusivity: Exactly one of localCluster, argoHub, or vcs must be set in the target configuration
  3. Environment-Target Consistency: Target configuration must be compatible with the specified environment type

These validation rules ensure that the Remediator configuration is consistent and valid.
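
The three validation rules above, together with the allApps override noted under Advanced Settings, written as a pre-apply lint (an added example, not the CRD's own validation code). It accepts both key spellings that appear on this page (argoHubTarget and argoHub) and assumes each environment type pairs with the target of the same name; the page does not say which environment vcs pairs with, so that pairing is not checked.

```python
TARGET_KINDS = ("localCluster", "argoHub", "vcs")
# Assumption (not Nirmata's code): an environment type pairs with the same-named target.
EXPECTED_TARGET = {"localCluster": "localCluster", "argoHub": "argoHub"}

def _kind(key):
    # Accept both spellings used on the page: "argoHubTarget" and "argoHub".
    return key[:-len("Target")] if key.endswith("Target") else key

def lint_remediator(spec):
    """Return findings for one Remediator spec (a dict, e.g. from a YAML loader)."""
    findings = []
    env = (spec.get("environment") or {}).get("type")
    if env not in EXPECTED_TARGET:
        findings.append(f"environment.type must be localCluster or argoHub, got {env!r}")
    target = spec.get("target") or {}
    if not target:
        if env == "argoHub":
            findings.append("rule 1: target is required when environment.type is argoHub")
        return findings
    kinds = [_kind(k) for k in target if _kind(k) in TARGET_KINDS]
    if len(kinds) != 1:
        findings.append(f"rule 2: exactly one target kind must be set, found {sorted(kinds)}")
        return findings
    # vcs is skipped: the page does not say which environment type it pairs with.
    if kinds[0] != "vcs" and EXPECTED_TARGET.get(env) not in (None, kinds[0]):
        findings.append(f"rule 3: {kinds[0]} target does not match environment {env}")
    for key, body in target.items():
        if _kind(key) != "argoHub":
            continue
        body = body or {}
        sel = body.get("argoAppSelector") or body.get("appSelector") or {}
        ignored = [f for f in ("names", "labelSelector") if sel.get(f)]
        if sel.get("allApps") is True and ignored:
            findings.append(f"allApps: true overrides {ignored}; every Argo app is in scope")
    return findings

# Constructed sample specs.
HUB_OK = {"environment": {"type": "argoHub"},
          "target": {"argoHubTarget": {"argoAppSelector": {"names": ["nginx-demo"]}}}}
HUB_WIDE = {"environment": {"type": "argoHub"}, "target": {"argoHubTarget": {
    "argoAppSelector": {"allApps": True, "names": ["nginx-demo"]}}}}
HUB_NO_TARGET = {"environment": {"type": "argoHub"}}
MISMATCH = {"environment": {"type": "localCluster"},
            "target": {"argoHub": {"appSelector": {"allApps": True}}}}

if __name__ == "__main__":
    for name, spec in [("scoped", HUB_OK), ("wide", HUB_WIDE),
                       ("no-target", HUB_NO_TARGET), ("mismatch", MISMATCH)]:
        print(name, lint_remediator(spec))
```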