Skip to content

Quick Start

Install the AIP Kubernetes Control Plane and submit your first governed agent request in under five minutes.

Prerequisites

  • A running Kubernetes cluster (local KIND, minikube, or remote)
  • kubectl configured to talk to your cluster
  • Helm 3

Install

helm install aip-k8s charts/aip-k8s/ \
  --namespace aip-k8s-system \
  --create-namespace

This installs the gateway, controller, and dashboard with dev mode defaults: - No authentication (anyone can submit requests) - No JWT minting - No OIDC

⚠️ Dev mode only. For production, see Production Hardening.

Verify

Wait for pods to be ready:

kubectl wait --for=condition=ready pod \
  -l app.kubernetes.io/component=gateway \
  -n aip-k8s-system --timeout=60s

Access the gateway

Port-forward the gateway service to your local machine:

kubectl port-forward -n aip-k8s-system svc/aip-k8s-gateway 8080:8080

Leave this running in a terminal. The gateway is now available at http://localhost:8080.

Your first request

1. Register a governed resource

curl -s -X POST http://localhost:8080/governed-resources \
  -H "Content-Type: application/json" \
  -d '{
    "name": "payment-api",
    "uriPattern": "k8s://prod/default/deployment/payment-api",
    "permittedActions": ["scale", "delete", "escalate"]
  }'

2. Submit an agent request

curl -s -X POST http://localhost:8080/agent-requests \
  -H "Content-Type: application/json" \
  -d '{
    "agentIdentity": "cost-optimizer",
    "action": "delete",
    "targetURI": "k8s://prod/default/deployment/payment-api",
    "reason": "CPU at 3% for 45 minutes. Assessed as idle."
  }'

3. See the response

The gateway returns the resolved phase:

{
  "phase": "Denied",
  "denialCode": "POLICY_VIOLATION",
  "reason": "SafetyPolicy live-traffic-guard: readyReplicas=3. Agent claimed idle."
}

The request was blocked because the agent's claimed state (idle) contradicted the live state (3 ready replicas).

Next steps