Kubernetes
Connect your Kubernetes clusters to enable Kai (Kubernetes Engineer) to analyze workloads, optimize resources, and manage cluster operations.
Platform Support

| Platform | Supported versions |
|---|---|
| Amazon EKS | All versions |
| Google GKE | Standard, Autopilot |
| Azure AKS | All versions |
| Self-managed Kubernetes | 1.24+ |
| Rancher | RKE, RKE2 |
| OpenShift | 4.x |
Setup Methods
Auto-Discovery from Cloud Connections
If you've already connected AWS, GCP, or Azure, your managed Kubernetes clusters are automatically discovered.

1. Clusters Auto-Discovered: EKS, GKE, or AKS clusters appear automatically in CloudThinker.
2. Enable Cluster Access: Select which clusters to enable for analysis.
Manual Setup with Service Account
For self-managed clusters or additional access:

1. Create Namespace (Optional)

Create a dedicated namespace:

```yaml
apiVersion: v1
kind: Namespace
metadata:
  name: cloudthinker
```

2. Create Service Account

Create a service account for CloudThinker:

```yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cloudthinker-readonly
  namespace: cloudthinker
```

3. Create ClusterRole

Define read-only permissions:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudthinker-readonly
rules:
  - apiGroups: [""]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps", "extensions"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list"]
```

4. Create ClusterRoleBinding

Bind the role to the service account:

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: cloudthinker-readonly
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cloudthinker-readonly
subjects:
  - kind: ServiceAccount
    name: cloudthinker-readonly
    namespace: cloudthinker
```

5. Create Long-Lived Token

Starting from Kubernetes 1.24, create a Secret for long-lived tokens:

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudthinker-readonly-token
  namespace: cloudthinker
  annotations:
    kubernetes.io/service-account.name: cloudthinker-readonly
type: kubernetes.io/service-account-token
```

Apply with:

```shell
kubectl apply -f cloudthinker-token-secret.yaml
```

6. Retrieve Token

Get the long-lived token from the Secret:

```shell
kubectl get secret cloudthinker-readonly-token -n cloudthinker \
  -o jsonpath='{.data.token}' | base64 --decode
```

7. Get Cluster Info

Get your cluster endpoint, then extract the CA certificate:

```shell
kubectl get secret cloudthinker-readonly-token -n cloudthinker \
  -o jsonpath='{.data.ca\.crt}' | base64 --decode
```
8. Add Connection in CloudThinker

Navigate to Connections → Kubernetes and enter:

- Cluster API endpoint
- Service account token
- CA certificate (for self-signed)

The same values in kubeconfig form:

```yaml
apiVersion: v1
kind: Config
clusters:
  - cluster:
      certificate-authority-data: <base64-encoded-ca-cert>
      server: https://your-cluster-endpoint:6443
    name: your-cluster
contexts:
  - context:
      cluster: your-cluster
      user: cloudthinker-readonly
    name: cloudthinker-context
current-context: cloudthinker-context
users:
  - name: cloudthinker-readonly
    user:
      token: <your-service-account-token>
```
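Before the endpoint, token and CA certificate go into the connection form, it is worth confirming that the token you copied really belongs to `cloudthinker-readonly` in the `cloudthinker` namespace and has not expired (two of the items in the Troubleshooting section below). The script that follows is an added example, not CloudThinker's own tooling: it decodes the service-account JWT's payload without verifying its signature (that only proves which account the token names, not that it is genuine; signature checks need the cluster's signing key), then assembles the kubeconfig shown above as JSON, which kubectl reads as a kubeconfig since JSON is valid YAML. The endpoint, CA certificate and token in it are constructed placeholders.

```python
"""Pre-flight check for a CloudThinker service-account token plus kubeconfig assembly.

Added example, not CloudThinker's own code.  The sample token is built here with a
bogus signature purely so the script runs offline; a real token comes from the
Secret created in step 6.  No signature verification is performed.
"""
import base64
import json
import time


def b64url_decode(segment):
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token, expected_namespace, expected_sa, now=None):
    """Return {'claims': dict|None, 'problems': [str]} for a service-account JWT.

    Checks the three-part structure, that `sub` names the expected service account,
    that the legacy namespace claim (if present) agrees, and that `exp` (present on
    bound tokens, absent on legacy Secret-based tokens) lies in the future.
    """
    parts = token.strip().split(".")
    if len(parts) != 3:
        return {"claims": None, "problems": ["token is not a three-part JWT"]}
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError:  # covers binascii.Error, JSONDecodeError and UnicodeDecodeError
        return {"claims": None, "problems": ["token payload is not valid base64url JSON"]}

    problems = []
    expected_sub = "system:serviceaccount:%s:%s" % (expected_namespace, expected_sa)
    if claims.get("sub") != expected_sub:
        problems.append("sub is %r, expected %r" % (claims.get("sub"), expected_sub))
    ns_claim = claims.get("kubernetes.io/serviceaccount/namespace")
    if ns_claim is not None and ns_claim != expected_namespace:
        problems.append("namespace claim is %r, expected %r" % (ns_claim, expected_namespace))
    exp = claims.get("exp")
    now = time.time() if now is None else now
    if exp is not None and exp <= now:
        problems.append("token has expired (exp is in the past)")
    return {"claims": claims, "problems": problems}


def build_kubeconfig(server, ca_pem, token, cluster_name="your-cluster",
                     user_name="cloudthinker-readonly", context_name="cloudthinker-context"):
    """Build the kubeconfig structure from the page as a dict; serialise with json.dumps."""
    return {
        "apiVersion": "v1",
        "kind": "Config",
        "clusters": [{"name": cluster_name, "cluster": {
            "server": server,
            "certificate-authority-data": base64.b64encode(ca_pem).decode()}}],
        "users": [{"name": user_name, "user": {"token": token}}],
        "contexts": [{"name": context_name,
                      "context": {"cluster": cluster_name, "user": user_name}}],
        "current-context": context_name,
    }


def make_sample_token(claims):
    """Constructed, UNSIGNED sample JWT for demonstration only; the signature part is bogus."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "bogus-signature"])


if __name__ == "__main__":
    sample = make_sample_token({  # claim layout of a legacy Secret-based token (constructed)
        "iss": "kubernetes/serviceaccount",
        "kubernetes.io/serviceaccount/namespace": "cloudthinker",
        "kubernetes.io/serviceaccount/service-account.name": "cloudthinker-readonly",
        "sub": "system:serviceaccount:cloudthinker:cloudthinker-readonly",
    })
    result = inspect_token(sample, "cloudthinker", "cloudthinker-readonly")
    if result["problems"]:
        raise SystemExit("token rejected: " + "; ".join(result["problems"]))
    placeholder_ca = b"-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----\n"
    print(json.dumps(build_kubeconfig("https://your-cluster-endpoint:6443", placeholder_ca, sample), indent=2))
```

If `inspect_token` reports a `sub` mismatch, the wrong Secret was read (commonly a token for the same account name in another namespace); a past `exp` means a bound token was pasted instead of the long-lived Secret token from step 5.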
Required Permissions

Minimum (Read-Only)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudthinker-readonly
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "events", "configmaps"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list"]
```

Recommended (Full Analysis)

```yaml
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cloudthinker-full-analysis
rules:
  - apiGroups: [""]
    resources: ["pods", "nodes", "services", "namespaces", "events", "configmaps", "secrets", "persistentvolumeclaims", "resourcequotas", "limitranges", "replicationcontrollers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["apps"]
    resources: ["deployments", "replicasets", "statefulsets", "daemonsets"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["batch"]
    resources: ["jobs", "cronjobs"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["networking.k8s.io"]
    resources: ["ingresses", "networkpolicies"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["autoscaling"]
    resources: ["horizontalpodautoscalers"]
    verbs: ["get", "list", "watch"]
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list"]
```
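The three ClusterRoles on this page (the setup role in step 3, Minimum and Recommended) differ in one security-relevant way: the step 3 role uses `resources: ["*"]` in the core API group, which includes Secrets, and the Recommended role names `secrets` explicitly, whereas the Minimum role grants neither. The linter below is an added example, not CloudThinker's own tooling; it encodes the read-only contract from the Security Best Practices section (only `get`, `list`, `watch`) and flags core-group wildcards and Secret access so they are a deliberate choice. The role objects are constructed inline in the shape `kubectl get clusterrole <name> -o json` prints, so the same function works on a role pulled from a live cluster.

```python
"""Lint a ClusterRole against the read-only contract this page describes.

Added example, not CloudThinker's own code.  SETUP_ROLE_JSON and MINIMUM_ROLE_JSON
are constructed copies of roles from this page in `kubectl ... -o json` form.
"""
import json

READ_ONLY_VERBS = {"get", "list", "watch"}
# Resources that deserve an explicit review flag even when only read verbs are granted.
SENSITIVE_RESOURCES = {"secrets"}


def lint_cluster_role(role):
    """Return a list of findings; an empty list means read-only with no sensitive resources.

    Flags: wildcard verbs, any verb outside get/list/watch, a resource wildcard in the
    core ("") group (which silently includes Secrets), and explicit Secret access.
    """
    findings = []
    for i, rule in enumerate(role.get("rules", [])):
        groups = rule.get("apiGroups", [])
        resources = rule.get("resources", [])
        verbs = set(rule.get("verbs", []))
        where = "rule[%d] apiGroups=%s resources=%s" % (i, groups, resources)
        core = "" in groups or "*" in groups
        if "*" in verbs:
            findings.append(where + ": wildcard verb grants write access")
        extra = sorted(verbs - READ_ONLY_VERBS - {"*"})
        if extra:
            findings.append(where + ": non-read verbs %s" % extra)
        if core and "*" in resources:
            findings.append(where + ": wildcard resources in the core group include secrets")
        hit = sorted(SENSITIVE_RESOURCES & set(resources))
        if core and hit:
            findings.append(where + ": grants read access to %s" % hit)
    return findings


def role_from_json(text):
    """Parse the JSON that `kubectl get clusterrole <name> -o json` prints."""
    return json.loads(text)


# Constructed: the step 3 setup ClusterRole from this page (autoscaling rule omitted for brevity).
SETUP_ROLE_JSON = """
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "cloudthinker-readonly"},
 "rules": [
   {"apiGroups": [""], "resources": ["*"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["apps", "extensions"], "resources": ["*"], "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": ["get", "list"]}
 ]}
"""

# Constructed: the "Minimum (Read-Only)" role from this page (autoscaling rule omitted for brevity).
MINIMUM_ROLE_JSON = """
{"apiVersion": "rbac.authorization.k8s.io/v1", "kind": "ClusterRole",
 "metadata": {"name": "cloudthinker-readonly"},
 "rules": [
   {"apiGroups": [""], "resources": ["pods", "nodes", "services", "namespaces", "events", "configmaps"],
    "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["apps"], "resources": ["deployments", "replicasets", "statefulsets", "daemonsets"],
    "verbs": ["get", "list", "watch"]},
   {"apiGroups": ["metrics.k8s.io"], "resources": ["pods", "nodes"], "verbs": ["get", "list"]}
 ]}
"""

if __name__ == "__main__":
    for text in (SETUP_ROLE_JSON, MINIMUM_ROLE_JSON):
        role = role_from_json(text)
        findings = lint_cluster_role(role)
        print(role["metadata"]["name"], "->", findings or "OK: read-only, no sensitive resources")
```

Run against a live cluster with `kubectl get clusterrole cloudthinker-readonly -o json` piped into `role_from_json`; a non-empty result for a role that should be read-only is the cue to tighten it to the Minimum role above.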
Agent Capabilities
Once connected, Kai can:

| Capability | Description |
|---|---|
| Resource Analysis | Pod CPU/memory usage, requests vs limits |
| Node Health | Node status, capacity, allocatable resources |
| Workload Optimization | Right-sizing recommendations, HPA tuning |
| Troubleshooting | CrashLoopBackOff, OOMKilled, pending pods |
| Security Audit | RBAC review, pod security, network policies |
Example Prompts

```text
@kai analyze pod resource utilization in production namespace
@kai identify nodes with < 30% CPU utilization
@kai investigate crash loops in payment service
@kai #recommend HPA policies for web deployments
```
Prerequisites
For full functionality, ensure:

| Component | Purpose |
|---|---|
| Metrics Server | Required for resource metrics |
| kube-state-metrics | Enhanced cluster metrics (optional) |
| Network access | CloudThinker must reach API server |

Install Metrics Server

```shell
kubectl apply -f https://github.com/kubernetes-sigs/metrics-server/releases/latest/download/components.yaml
```
Troubleshooting

Cannot connect to cluster

- Verify API server endpoint is accessible from internet
- Check firewall/security groups allow CloudThinker IPs
- For private clusters: Set up VPN or bastion access
- Confirm API server certificate is valid

- Verify service account token is correct
- Check ClusterRoleBinding is applied
- Ensure token hasn't expired
- Confirm service account exists in correct namespace

- Verify Metrics Server is installed: `kubectl top nodes`
- Check Metrics Server pods are running
- Ensure metrics.k8s.io API is available

- Verify ClusterRole has namespace list permission
- Check if RBAC restricts access to certain namespaces
- Confirm service account binding is cluster-wide
Security Best Practices

- Read-only access: Never grant write permissions to CloudThinker
- Namespace isolation: Keep service account in dedicated namespace
- Token rotation: Rotate service account tokens periodically
- Network policies: Restrict API server access to CloudThinker IPs
- Audit logging: Enable Kubernetes audit logs
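Enabling audit logs only pays off if someone looks at what the `cloudthinker-readonly` account actually does with its token. The detector below is an added example, not part of CloudThinker: it reads kube-apiserver audit events (audit.k8s.io/v1 `Event` records, one JSON object per line as the log backend writes them) and reports any request by that service account that uses a verb outside `get`/`list`/`watch`, plus any read of a Secret. A write that the API server already denied with 403 is still reported, because a read-only integration should never attempt one; that is the signal that the token is being driven by something else. The audit lines are constructed for this example and the user name assumes the namespace and service account name used on this page.

```python
"""Detect read-only-contract violations by the CloudThinker service account in audit logs.

Added example, not CloudThinker's own code.  SAMPLE_AUDIT_LOG is constructed in the
audit.k8s.io/v1 Event shape; the auditIDs, namespaces and object names are made up.
"""
import json

WATCHED_USER = "system:serviceaccount:cloudthinker:cloudthinker-readonly"
READ_VERBS = {"get", "list", "watch"}

# Constructed sample audit lines (not real cluster output).
SAMPLE_AUDIT_LOG = """\
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ev-1","stage":"ResponseComplete","requestURI":"/api/v1/pods","verb":"list","user":{"username":"system:serviceaccount:cloudthinker:cloudthinker-readonly","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:00:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ev-2","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/pods/web-1","verb":"delete","user":{"username":"system:serviceaccount:cloudthinker:cloudthinker-readonly","groups":["system:serviceaccounts"]},"objectRef":{"resource":"pods","namespace":"payments","name":"web-1","apiVersion":"v1"},"responseStatus":{"code":403},"requestReceivedTimestamp":"2024-01-01T10:00:05.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ev-3","stage":"ResponseComplete","requestURI":"/api/v1/namespaces/payments/secrets/db-credentials","verb":"get","user":{"username":"system:serviceaccount:cloudthinker:cloudthinker-readonly","groups":["system:serviceaccounts"]},"objectRef":{"resource":"secrets","namespace":"payments","name":"db-credentials","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:00:09.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ev-4","stage":"ResponseComplete","requestURI":"/apis/apps/v1/namespaces/payments/deployments","verb":"create","user":{"username":"deploy-bot","groups":["system:authenticated"]},"objectRef":{"resource":"deployments","namespace":"payments","apiGroup":"apps","apiVersion":"v1"},"responseStatus":{"code":201},"requestReceivedTimestamp":"2024-01-01T10:01:00.000000Z"}
{"kind":"Event","apiVersion":"audit.k8s.io/v1","level":"Metadata","auditID":"ev-5","stage":"ResponseStarted","requestURI":"/api/v1/nodes?watch=true","verb":"watch","user":{"username":"system:serviceaccount:cloudthinker:cloudthinker-readonly","groups":["system:serviceaccounts"]},"objectRef":{"resource":"nodes","apiVersion":"v1"},"responseStatus":{"code":200},"requestReceivedTimestamp":"2024-01-01T10:02:00.000000Z"}
"""


def scan_audit_events(lines, watched_user=WATCHED_USER):
    """Return one finding dict per suspicious request made by watched_user.

    Non-read verbs are reported even when denied (HTTP 403); Secret reads are
    reported separately so they can be reviewed against the granted ClusterRole.
    """
    findings = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            findings.append({"auditID": None, "verb": None, "resource": None,
                             "reason": "unparseable audit line"})
            continue
        # Long-running requests emit ResponseStarted and ResponseComplete; count each once.
        if ev.get("stage") != "ResponseComplete":
            continue
        if (ev.get("user") or {}).get("username") != watched_user:
            continue
        verb = ev.get("verb")
        ref = ev.get("objectRef") or {}
        code = (ev.get("responseStatus") or {}).get("code")
        finding = {"auditID": ev.get("auditID"), "verb": verb, "resource": ref.get("resource"),
                   "namespace": ref.get("namespace"), "code": code,
                   "time": ev.get("requestReceivedTimestamp")}
        if verb not in READ_VERBS:
            finding["reason"] = "non-read verb by read-only service account"
            findings.append(finding)
        elif ref.get("resource") == "secrets":
            finding["reason"] = "secret read by service account"
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in scan_audit_events(SAMPLE_AUDIT_LOG.splitlines()):
        print(finding)
```

On the constructed sample the scan returns two findings: the denied `delete` of a pod and the successful `get` of a Secret; the list by the same account and the create by a different user are ignored, and the `ResponseStarted` record for the watch is skipped so each request is counted once.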