WIP: Add better filter capabilities to kubernetes tools

[aantn]

No description provided.

[coderabbitai]

Walkthrough

The changes update two kubectl-related tools in a YAML configuration file, replacing simple command executions with shell scripts. These scripts introduce support for optional regex-based output filtering through new parameters (include_pattern and exclude_pattern) and add error handling, enhancing output processing and flexibility for both tools.

Changes

Cohort / File(s)	Change Summary
Kubernetes Toolset Script Enhancements holmes/plugins/toolsets/kubernetes.yaml	Replaced direct kubectl command executions with scripts for kubectl_get_by_name and kubectl_get_by_kind_in_namespace. Added include_pattern and exclude_pattern parameters for regex filtering, and implemented output filtering and error handling logic in both tools.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

Note

⚡️ Unit Test Generation is now available in beta!

Learn more here, or try it out under "Finishing Touches" below.

✨ Finishing Touches

🧪 Generate unit tests

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch better-kubernetes-filters

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

• Review comments: Directly reply to a review comment made by CodeRabbit. Example:
  • I pushed a fix in commit <commit_id>, please review it.
  • Explain this complex logic.
  • Open a follow-up GitHub issue for this discussion.
• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai explain this code block.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and explain its main purpose.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.

Support

Need help? Create a ticket on our support page for assistance with any issues or questions.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai generate docstrings to generate docstrings for this PR.
• @coderabbitai generate sequence diagram to generate a sequence diagram of the changes in this PR.
• @coderabbitai generate unit tests to generate unit tests for this PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[github-actions]

Results of HolmesGPT evals

• ask_holmes: 26/42 test cases were successful, 0 regressions, 1 skipped, 15 mock failures

Test suite	Test case	Status
ask	01_how_many_pods	✅
ask	02_what_is_wrong_with_pod	🔧
ask	03_what_is_the_command_to_port_forward	🔧
ask	04_related_k8s_events	↪️
ask	05_image_version	🔧
ask	09_crashpod	✅
ask	10_image_pull_backoff	🔧
ask	11_init_containers	✅
ask	14_pending_resources	✅
ask	15_failed_readiness_probe	✅
ask	17_oom_kill	✅
ask	18_crash_looping_v2	✅
ask	19_detect_missing_app_details	🔧
ask	24_misconfigured_pvc	🔧
ask	28_permissions_error	✅
ask	29_events_from_alert_manager	✅
ask	39_failed_toolset	🔧
ask	41_setup_argo	✅
ask	42_dns_issues_steps_new_tools	🔧
ask	43_current_datetime_from_prompt	✅
ask	45_fetch_deployment_logs_simple	✅
ask	51_logs_summarize_errors	🔧
ask	53_logs_find_term	✅
ask	54_not_truncated_when_getting_pods	🔧
ask	59_label_based_counting	✅
ask	60_count_less_than	🔧
ask	61_exact_match_counting	✅
ask	63_fetch_error_logs_no_errors	✅
ask	77_liveness_probe_misconfiguration	🔧
ask	79_configmap_mount_issue	🔧
ask	83_secret_not_found	🔧
ask	86_configmap_like_but_secret	🔧
ask	88_affinity_like_but_taints	🔧
ask	89_runbook_missing_cloudwatch	🔧
ask	90_runbook_basic_selection	🔧
ask	93_calling_datadog	✅
ask	93_calling_datadog	✅
ask	93_calling_datadog	✅
ask	97_logs_clarification_needed	✅
ask	100_historical_logs	🔧
ask	24a_misconfigured_pvc_basic	🔧
ask	13a_pending_node_selector_basic	🔧

Legend

• ✅ the test was successful
• ↪️ the test was skipped
• ⚠️ the test failed but is known to be flaky or known to fail
• 🔧 the test failed due to mock data issues (not a code regression)
• ❌ the test failed and should be fixed before merging the PR

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

holmes/plugins/toolsets/kubernetes.yaml (1)

50-81: Second script has identical injection & error-handling gaps

Replicate the fixes suggested for the first script (set -euo pipefail, safe pattern handling, early exit on empty result).
Avoiding duplication keeps both tools equally safe.

🧹 Nitpick comments (1)

holmes/plugins/toolsets/kubernetes.yaml (1)

37-43: Early-exit when include yields no matches

If the include filter finds nothing, filtered_output is overwritten with the “No matches…” message, after which the exclude filter may run on that message, producing confusing output.
Better: emit the message and exit 0 immediately once no matches remain.

📜 Review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between e5f13b4 and 20b3ca7.

📒 Files selected for processing (1)

• holmes/plugins/toolsets/kubernetes.yaml (1 hunks)

🧰 Additional context used

📓 Path-based instructions (1)

holmes/plugins/toolsets/**/*.yaml

📄 CodeRabbit Inference Engine (CLAUDE.md)

Toolsets must be located in holmes/plugins/toolsets/{name}.yaml or {name}/

Files:

• holmes/plugins/toolsets/kubernetes.yaml

🧠 Learnings (3)

📚 Learning: applies to holmes/plugins/toolsets/**/*.yaml : toolsets must be located in holmes/plugins/toolsets/{...

Learnt from: CR
PR: robusta-dev/holmesgpt#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-06T08:36:24.907Z
Learning: Applies to holmes/plugins/toolsets/**/*.yaml : Toolsets must be located in holmes/plugins/toolsets/{name}.yaml or {name}/

Applied to files:

• holmes/plugins/toolsets/kubernetes.yaml

📚 Learning: in the kubernetes logs toolset for holmes, both current and previous logs are intentionally fetched ...

Learnt from: nherment
PR: robusta-dev/holmesgpt#408
File: holmes/plugins/toolsets/kubernetes_logs.py:90-97
Timestamp: 2025-05-15T05:13:43.169Z
Learning: In the Kubernetes logs toolset for Holmes, both current and previous logs are intentionally fetched and combined for each pod, even though this requires more API calls. This design ensures all logs are captured even when pods restart but retain their name, providing complete diagnostic information.

Applied to files:

• holmes/plugins/toolsets/kubernetes.yaml

📚 Learning: in robusta-dev/holmesgpt config.example.yaml, the azuremonitorlogs toolset configuration shows "enab...

Learnt from: vishiy
PR: robusta-dev/holmesgpt#782
File: config.example.yaml:31-49
Timestamp: 2025-08-05T00:42:23.792Z
Learning: In robusta-dev/holmesgpt config.example.yaml, the azuremonitorlogs toolset configuration shows "enabled: true" as an example of how to enable the toolset, not as a default setting. The toolset is disabled by default and requires explicit enablement in user configurations.

Applied to files:

• holmes/plugins/toolsets/kubernetes.yaml

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (3)

• GitHub Check: Pre-commit checks
• GitHub Check: llm_evals
• GitHub Check: Pre-commit checks

🔇 Additional comments (1)

holmes/plugins/toolsets/kubernetes.yaml (1)

24-30: Add set -euo pipefail to enforce safe-shell defaults

Both scripts run multiple commands whose failures would otherwise be ignored (e.g. grep, echo "$temp_error").
Pre-pending the script bodies with strict bash options hard-fails on undefined vars, failed commands in a pipeline, and non-zero exits, preventing silent mis-behaviour.

-          output=$(kubectl get --show-labels -o wide {{ kind }} {{ name }}{% if namespace %} -n {{ namespace }}{% endif %} 2>&1)
+          set -euo pipefail
+
+          output=$(kubectl get --show-labels -o wide {{ kind }} {{ name }}{% if namespace %} -n {{ namespace }}{% endif %} 2>&1)

⛔ Skipped due to learnings

Learnt from: CR
PR: robusta-dev/holmesgpt#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-06T08:36:24.907Z
Learning: Applies to holmes/plugins/toolsets/**/*.yaml : Toolsets must be located in holmes/plugins/toolsets/{name}.yaml or {name}/

Learnt from: vishiy
PR: robusta-dev/holmesgpt#782
File: config.example.yaml:31-49
Timestamp: 2025-08-05T00:42:23.792Z
Learning: In robusta-dev/holmesgpt config.example.yaml, the azuremonitorlogs toolset configuration shows "enabled: true" as an example of how to enable the toolset, not as a default setting. The toolset is disabled by default and requires explicit enablement in user configurations.

Learnt from: aantn
PR: robusta-dev/holmesgpt#783
File: tests/llm/fixtures/test_ask_holmes/100_historical_logs/payment-api.yaml:49-70
Timestamp: 2025-08-05T06:14:39.523Z
Learning: For evaluation test fixtures in the holmesgpt project, security contexts and security hardening are not priorities. The focus should be on functionality and test reliability rather than adding security configurations to Kubernetes manifests used in evals.

Learnt from: CR
PR: robusta-dev/holmesgpt#0
File: CLAUDE.md:0-0
Timestamp: 2025-08-06T08:36:24.907Z
Learning: Bash toolset validates commands for safety

Learnt from: nherment
PR: robusta-dev/holmesgpt#408
File: holmes/plugins/toolsets/kubernetes_logs.py:90-97
Timestamp: 2025-05-15T05:13:43.169Z
Learning: In the Kubernetes logs toolset for Holmes, both current and previous logs are intentionally fetched and combined for each pod, even though this requires more API calls. This design ensures all logs are captured even when pods restart but retain their name, providing complete diagnostic information.

[coderabbitai]

⚠️ Potential issue

Unescaped user-supplied regex ⇒ command-injection vector

{{ include_pattern }} / {{ exclude_pattern }} are inserted verbatim inside a double-quoted string that is shell-parsed by grep.
A crafted value containing " ; malicious_cmd # would prematurely close the quotes and execute arbitrary commands.

Mitigate by:

1. Quoting the patterns with printf %q or similar after rendering, or
2. Passing the pattern via a variable and using grep -E -- "$pattern".

Example patch (conceptual):

-{% if include_pattern %}
-          filtered_output=$(echo "$filtered_output" | grep -E "{{ include_pattern }}" || echo "No matches found for include pattern: {{ include_pattern }}")
-{% endif %}
+{% if include_pattern %}
+          inc_pattern="{{ include_pattern }}"
+          filtered_output=$(echo "$filtered_output" | grep -E -- "$inc_pattern" || { 
+              echo "No matches found for include pattern: $inc_pattern"; exit 0; })
+{% endif %}

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	# Apply filters if provided
	filtered_output="$output"
	{% if include_pattern %}
	# Apply include pattern (keep lines matching the pattern)
	filtered_output=$(echo "$filtered_output" | grep -E "{{ include_pattern }}" || echo "No matches found for include pattern: {{ include_pattern }}")
	{% endif %}
	{% if exclude_pattern %}
	# Apply exclude pattern (remove lines matching the pattern)
	filtered_output=$(echo "$filtered_output" | grep -vE "{{ exclude_pattern }}" || echo "$filtered_output")
	{% endif %}
	# Apply filters if provided
	filtered_output="$output"
	{% if include_pattern %}
	# Apply include pattern (keep lines matching the pattern)
	inc_pattern="{{ include_pattern }}"
	filtered_output=$(echo "$filtered_output" | grep -E -- "$inc_pattern" || {
	echo "No matches found for include pattern: $inc_pattern"; exit 0; })
	{% endif %}
	{% if exclude_pattern %}
	# Apply exclude pattern (remove lines matching the pattern)
	filtered_output=$(echo "$filtered_output" | grep -vE "{{ exclude_pattern }}" || echo "$filtered_output")
	{% endif %}

🤖 Prompt for AI Agents

In holmes/plugins/toolsets/kubernetes.yaml around lines 32 to 44, the
include_pattern and exclude_pattern are directly inserted into grep commands
inside double quotes, creating a command injection risk. To fix this, avoid
embedding the patterns directly in the command string; instead, assign the
rendered patterns to shell variables and pass them safely to grep using the
syntax grep -E -- "$pattern". This prevents shell interpretation of special
characters and mitigates injection vulnerabilities.