Claude Ops Investigator
Provides tools for investigating Kubernetes incidents, including listing pods, describing pods, retrieving pod logs, fetching recent namespace events, and checking top pod resource usage.
Click on "Install Server".
Wait a few minutes for the server to deploy. Once ready, it will show a "Started" state.
In the chat, type
@followed by the MCP server name and your instructions, e.g., "@Claude Ops InvestigatorInvestigate high CPU usage in pod my-app-xyz in namespace production"
That's it! The server will respond to your query, and you can continue using it as needed.
Here is a step-by-step guide with screenshots.
Claude Ops Investigator
A context-aware Kubernetes incident investigation assistant built with Claude Code, MCP, live cluster signals, Prometheus, log search, runbooks, evidence memory, and structured incident reports.
Claude Ops Investigator helps engineers investigate Kubernetes incidents safely by combining read-only operational tools, external evidence storage, compact investigation memory, and human-controlled remediation boundaries.
The goal is not to give an AI unrestricted production access. The goal is to expose narrow, auditable, read-only interfaces that help engineers gather evidence, form hypotheses, rule out causes, and produce reliable incident reports faster.
What this project provides
Narrow MCP-style tools instead of generic
kubectlRead-only live Kubernetes investigation
Claude Code project instructions
MCP resources, tools, and prompts
Skills, slash commands, and scoped project rules
Coordinator/subagent-style investigation workflows
Structured tool errors
Hooks and gates for destructive actions
Structured incident-report output
Human escalation for risky or ambiguous actions
Related MCP server: Kubernetes MCP Server
Safety rule
Start read-only. Do not give Claude unrestricted shell, kubectl, Helm, or production mutation permissions.
Allowed operations in this scaffold:
kubectl getkubectl describekubectl logskubectl top
Blocked operations include:
kubectl deletekubectl applykubectl patchkubectl scalekubectl rollout restarthelm upgradekubectl execby default
Quick start
cd claude-ops-investigator
python -m venv .venv
source .venv/bin/activate
pip install -e ".[dev]"Check Kubernetes access:
kubectl config current-context
kubectl auth can-i get pods -n si
kubectl auth can-i get pods/log -n siRun a read-only snapshot:
python -m claude_ops.main investigate --namespace si --service event-data --since-minutes 60Run tests:
pytestClaude Code slash command
The main interactive workflow is the /investigate-incident slash command:
/investigate-incident namespace=<namespace> service=<service> symptom="<specific symptom>" since_minutes=<minutes>symptom is required — this workflow is symptom-driven, not a generic
service health check. If no symptom is given, Claude asks for one before
investigating anything.
Examples:
/investigate-incident namespace=si service=multi-system-processor symptom="readiness probe failures during recent rollout" since_minutes=60
/investigate-incident namespace=si service=event-data symptom="KafkaConsumerCommitRateLow alert fired" since_minutes=120
/investigate-incident namespace=si service=multi-system-processor symptom="OOMKilled restarts observed" since_minutes=180What it does:
Mints an
investigation_idand createsruns/<investigation_id>/scratchpad/, then delegates to theincident-coordinatorsubagent (falls back to a single agent, with that fallback stated explicitly, only if subagents aren't available)The coordinator reads the service catalog and runbook catalog, then routes the symptom to the narrowest relevant specialist subagents:
k8s-evidence-collector— pod listing, describe, live logs, namespace events, current resource usageprometheus-analyst— restart counts/increase, CPU, memory, HTTP error rate, latency p95log-analyst— historical IBM Cloud Logs search (errors, probe failures, arbitrary text) spanning restarts/deploymentsrunbook-analyst— matches the symptom against local runbooks
Every specialist stores raw evidence as an
evidence_refand hands back only summaries/findings — the coordinator never gathers evidence directly. Each also writes a concise markdown scratchpad (scope, tools called, key findings, evidence_refs, unknowns/gaps, decisions, handoff summary) to its assignedruns/<investigation_id>/scratchpad/wave<N>-<subagent-name>.mdfile — never raw log/metric bodies, only summaries and evidence_refs. The coordinator maintains its own running Structured Finding Brief atcoordinator-brief.mdin the same directory, and passes each subagent that brief plus any relevant prior scratchpad paths in its task prompt.incident-reporterruns last, synthesizing all subagents' findings (never its own) into a single evidence-grounded, schema-valid reportThe final output includes a "Subagent usage audit" table: which subagent ran, what it did, which tools/evidence_refs/scratchpad path it used, and its result
What it does not do:
Does not mutate Kubernetes resources
Does not restart pods
Does not apply fixes
Does not run destructive commands
Does not fetch raw evidence detail unless needed
Environment for optional tools
Prometheus:
PROMETHEUS_URLPROMETHEUS_AUTO_PORT_FORWARDPROMETHEUS_PF_SERVICEPROMETHEUS_PF_NAMESPACE
IBM Cloud Logs:
IBM_LOGS_ENDPOINTIBM_CLOUD_API_KEY
Copy .env.example to .env and fill in local values. Never commit .env.
The MCP server loads it automatically at startup so these tools have access
without any secrets going into .mcp.json.
No-token local tests
These exercise the tools and structured error paths without any real Prometheus, IBM Cloud, or Kubernetes credentials:
python -m pytest
python scripts/mcp_smoke_client.pyDirect tool checks:
python - <<'PY'
from claude_ops.tools.prometheus_preflight import ensure_prometheus
import json
print(json.dumps(ensure_prometheus(), indent=2))
PY
python - <<'PY'
from claude_ops.tools.ibm_logs_tools import ibm_logs_search_errors
import json
print(json.dumps(ibm_logs_search_errors("si", "multi-system-processor", limit=1), indent=2))
PYLocal environment
The MCP server needs environment variables for the optional Prometheus and
IBM Cloud Logs tools (PROMETHEUS_URL, IBM_LOGS_ENDPOINT,
IBM_CLOUD_API_KEY, etc.). Configure them locally with a .env file — it is
gitignored and loaded automatically, no secrets ever need to go in
.mcp.json.
cp .env.example .env
# edit .env with your local values
source .venv/bin/activate
claudesrc/claude_ops/mcp/server.py calls load_dotenv() at startup, so the MCP
server picks up .env automatically when Claude Code launches it — no
manual export needed. Missing .env is fine; tools that need a variable
that still isn't set return a structured config error instead of failing
silently.
Harness hooks (safety gate + audit trail)
.claude/settings.json wires four read-only Claude Code hooks under
.claude/hooks/. They're a harness-level safety net and audit trail that sit
alongside the application-level guardrails (src/claude_ops/hooks.py,
schemas/incident_report_schema.py) — none of them call Kubernetes,
Prometheus, IBM Cloud Logs, or the Claude API; they only inspect the JSON
Claude Code already passes them on stdin, and the only files they write are
JSONL audit logs under runs/ (gitignored, like the rest of that directory).
Hook | Event | What it does |
|
| Denies raw shell |
|
| Appends |
|
| Appends |
|
| If the last assistant message looks like an incident report (mentions "Subagent usage audit", "incident report", or |
Disabling hooks locally
Two ways, from least to most surgical:
Disable everything: add
"disableAllHooks": trueto.claude/settings.local.json(gitignored, personal — never commit this to the project's shared.claude/settings.json).Disable just these four: set
CLAUDE_OPS_HOOKS_DISABLED=1in your shell environment before launchingclaude. Each script checks this at the top and no-ops immediately — no audit lines written, no shell command blocked, no report validated.
Recommended first live use
Use a non-production namespace first.
python -m claude_ops.main investigate --namespace si --service multi-system-processor --since-minutes 120Then paste the generated JSON snapshot into Claude/Claude Code and ask it to produce an incident report using the schema in src/claude_ops/schemas/incident_report_schema.py.
MCP client/server map
In this project:
Claude Code = MCP client
src/claude_ops/mcp/server.py = local MCP server
.mcp.json = project-level MCP client configuration for Claude CodeStart the MCP server manually for a quick syntax check:
python -m claude_ops.mcp.serverFor Claude Code, keep .mcp.json in the project root. Claude Code reads the config and launches the server over STDIO.
Optional smoke test:
pip install -e ".[dev,mcp]"
python scripts/mcp_smoke_client.pyThe MCP server exposes:
Resources:
ops://runbook-catalogops://service-catalog
Tools:
k8s_list_podsk8s_describe_podk8s_get_pod_logsk8s_get_recent_namespace_eventsk8s_top_podsrunbook_searchprom_query_instantprom_get_pod_restart_countsprom_get_pod_restart_increaseprom_get_pod_cpu_usageprom_get_pod_memory_usageprom_get_http_error_rateprom_get_latency_p95prom_ensure_connectionibm_logs_searchibm_logs_search_errorsibm_logs_search_probe_failuresibm_logs_search_textevidence_get_detail
Prompt:
investigate_incident
This server cannot be installed
Maintenance
Resources
Unclaimed servers have limited discoverability.
Looking for Admin?
If you are the server author, to access and configure the admin panel.
Latest Blog Posts
- Your AI Chatbot Just Exposed Your CEO's Salary to an InternBy Om-Shree-0709 on .Agent IdentityMCP SecurityOAuth Delegation
- Why MCP Servers Need Execution Sandboxing (And Why Your Current Stack Isn't Enough)By Om-Shree-0709 on .Agentic AiPrompt InjectionWebAssembly
MCP directory API
We provide all the information about MCP servers via our MCP API.
curl -X GET 'https://glama.ai/api/mcp/v1/servers/Randhir123/claude-ops-investigator'
If you have feedback or need assistance with the MCP directory API, please join our Discord server