# What is Aotanami?

Aotanami is a self-hosted, lightweight Kubernetes Operator that uses Agentic AI to provide complete 360° protection for your production clusters. It autonomously detects security vulnerabilities, misconfigurations, cost anomalies, and runtime threats, then proposes production-ready fixes via GitOps, all with read-only cluster access.

Bring your own LLM API keys (OpenRouter, OpenAI, Anthropic); Aotanami is heavily optimized to minimize token usage and keep costs low.
## Key Features

### Security Scanning

RBAC audit, image vulnerabilities, PodSecurity violations, secrets exposure, and network policy gaps.

### Compliance

CIS Benchmarks, NSA/CISA hardening, PCI-DSS, SOC2, and HIPAA compliance mapping with automated checks.

### Supply Chain Security

SBOM analysis, image signature verification (Cosign/Notary), and base image CVE tracking.

### Real-Time Monitoring

24/7 Kubernetes events, pod logs, node conditions, and network telemetry with anomaly detection.

### Agentic AI Remediation

LLM-powered diagnosis with production-ready fix PRs via GitHub App. BYO API keys, optimized for low token usage.

### Cost Optimization

Resource rightsizing, idle workload detection, and spot-readiness assessment to reduce cloud spend.

### Config Drift Detection

Compares live cluster state against your GitOps repo manifests and auto-generates reconciliation PRs.

### Runtime Threat Detection

Suspicious exec detection, privilege escalation, filesystem anomalies, and lateral movement detection.

### Multi-Cluster Federation

Aggregate views, cross-cluster correlation, and centralized policy management across all your clusters.
## Dual Operating Modes

| Mode | When | Behavior |
|---|---|---|
| Audit Mode (default) | No GitOps repo onboarded | Detects, diagnoses, and sends alerts; zero cluster modifications |
| Protect Mode | GitOps repo onboarded | Full autonomous remediation: generates fixes, opens PRs via GitHub App |
## Architecture

```mermaid
graph TB
    subgraph "Kubernetes Cluster (Read-Only Access)"
        Events[K8s Events]
        Logs[Pod Logs]
        Nodes[Node Conditions]
        Net[Network Telemetry]
        Metrics[Resource Metrics]
    end
    subgraph "Aotanami Operator"
        Watcher[Real-Time Watcher]
        Scanner[Security & Config Scanner]
        Compliance[Compliance Engine]
        CostEng[Cost Optimizer]
        AnomalyDet[Anomaly Detector]
        Threat[Runtime Threat Detector]
        DriftDet[Config Drift Detector]
        Correlator[Incident Correlator]
        LLM["LLM Engine (BYO Keys)"]
        Dashboard[Embedded Dashboard]
    end
    subgraph "Integrations"
        GitOps["GitHub App: GitOps PRs"]
        Alerts["Slack · Teams · PagerDuty<br/>Telegram · WhatsApp · AlertManager"]
        Prom["Prometheus · OpenTelemetry"]
    end
    Events & Logs & Nodes & Net & Metrics --> Watcher
    Watcher --> AnomalyDet & Scanner & CostEng & Threat & Compliance
    Scanner --> DriftDet
    AnomalyDet & Scanner & CostEng & Threat & Compliance & DriftDet --> Correlator
    Correlator --> LLM
    LLM -->|Protect Mode| GitOps
    LLM -->|Audit Mode| Alerts
    LLM --> Dashboard
    Watcher --> Prom
```

## Quick Install
```bash
# Create namespace and LLM secret
kubectl create namespace aotanami-system
kubectl create secret generic aotanami-llm \
  --namespace aotanami-system \
  --from-literal=api-key=<YOUR_API_KEY>

# Install from OCI registry
helm install aotanami oci://ghcr.io/aotanami/charts/aotanami \
  --namespace aotanami-system \
  --set config.llm.provider=openrouter \
  --set config.llm.model=anthropic/claude-sonnet-4-20250514 \
  --set config.llm.apiKeySecret=aotanami-llm
```
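After installing an operator that promises read-only cluster access, it is worth confirming that the ClusterRole bound to its ServiceAccount actually grants nothing beyond `get`, `list` and `watch`. The script below is an added example, not Aotanami's own code; it assumes only the standard Kubernetes ClusterRole JSON schema, and the role name and rules in `SAMPLE` are constructed.

```python
# Added example (not Aotanami's own code): check that an operator's
# ClusterRole really grants only read-only access. Only the Kubernetes
# ClusterRole JSON schema is assumed; SAMPLE is constructed, not a real role.
import json
import sys

READ_ONLY_VERBS = {"get", "list", "watch"}
# Reading these is still "read-only" but exposes credentials, so report it.
SENSITIVE_RESOURCES = {"secrets", "*"}


def write_grants(clusterrole):
    """Return (apiGroup, resource, verb) triples that allow modification."""
    findings = []
    for rule in clusterrole.get("rules", []):
        for group in rule.get("apiGroups", [""]):
            for resource in rule.get("resources", []):
                for verb in rule.get("verbs", []):
                    # "*" includes create/update/delete, so it is never read-only
                    if verb == "*" or verb not in READ_ONLY_VERBS:
                        findings.append((group or "core", resource, verb))
    return findings


def sensitive_reads(clusterrole):
    """Resources the role may read that deserve a second look."""
    return sorted({r for rule in clusterrole.get("rules", [])
                   for r in rule.get("resources", []) if r in SENSITIVE_RESOURCES})


def is_read_only(clusterrole):
    return not write_grants(clusterrole)


# Constructed sample: read-only except for one rule that can patch deployments.
SAMPLE = {
    "metadata": {"name": "example-operator"},
    "rules": [
        {"apiGroups": [""], "resources": ["pods", "events", "nodes"],
         "verbs": ["get", "list", "watch"]},
        {"apiGroups": [""], "resources": ["secrets"], "verbs": ["get", "list"]},
        {"apiGroups": ["apps"], "resources": ["deployments"],
         "verbs": ["get", "list", "watch", "patch"]},
    ],
}

if __name__ == "__main__":
    # Usage: python check_rbac.py role.json  (from `kubectl get clusterrole <name> -o json`)
    role = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for grant in write_grants(role):
        print("WRITE GRANT:", grant)
    print("sensitive reads:", sensitive_reads(role), "| read-only:", is_read_only(role))
```

Run it against the JSON of the ClusterRole the Helm chart created; any line starting with `WRITE GRANT` means the role can change cluster state and should be reviewed against the mode (Audit or Protect) you intended.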
Built with ❤️ by Zelyo AI
