GoogleCloudPlatform
bug: kubectl-ai asks for approval even when command doesn't modify a resource
kubectl-ai uses LLM to determine if a given command modifies a resource in kubernetes or not. We have seen foundation models such as Gemini, openai etc. gets this right, but local models tend to hallucinate more in this aspect.
For example, in this video, there are instances where no resource is being modified but the agent will still ask for approval.
I think we can definitely improve here. I am wondering if we can maintain a static filter for kubectl commands to determine if it modifies a resource of not or explore some other direction.
/cc @zvdy @hakman @tuannvm @selimacerbas @Vinay-Khanagavi
I think that a filter(s) would be great at tool definition, for this and additional usages (like filter commands of flags that should not be allowed. Though, regarding local models, I am a bit more reserved. There should be a balance between better support and tool complexity. There will always be models that will work better or worse in the Kubernetes context, and some will hallucinate more, in totally unexpected ways.
I agree that a static filter for kubectl commands could help reduce unnecessary approval prompts, especially for local models. For example, we could use a simple function like this to check if a command is mutating:
func isMutatingKubectl(cmd string) bool {
mutating := []string{"apply", "create", "delete", "patch", "replace", "edit", "scale", "rollout"}
for _, verb := range mutating {
if strings.HasPrefix(cmd, "kubectl "+verb+" ") {
return true
}
}
return false
}
We can use this as a first check before asking the LLM. This should make the behavior more predictable and reduce false positives. Let me know if this is the right direction, or if you have any other suggestions!
