Kubernetes manifest generation with Large Language Models (LLMs) has become increasingly common, but it faces significant challenges that CeLoR addresses.
When using LLMs to generate Kubernetes deployment manifests, several K8s-specific issues arise:
- Policy Violations: LLMs often generate manifests that violate organizational policies. For example, production deployments might use ``:latest`` image tags, have insufficient replicas (e.g., 2 instead of 3-5), or lack required labels like ``team`` and ``tier``.
- Security Gaps: Generated manifests frequently miss critical security configurations such as ``runAsNonRoot: true``, proper resource limits, or security contexts, leaving applications vulnerable.
- Manual Fixes are Time-Consuming: Developers must manually review and fix each violation, which is error-prone and slows down deployment workflows. This becomes especially problematic when generating many manifests or when policies change frequently.
For a discussion of general challenges with LLM-based configuration generation (token costs, determinism, privacy), see :doc:`../core_concepts/overview`.
Consider a developer asking an LLM to generate a production Kubernetes deployment manifest. The LLM might produce:

.. code-block:: yaml

    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: payments-api
    spec:
      replicas: 2  # ❌ Policy violation: prod requires 3-5
      template:
        spec:
          containers:
            - name: payments-api
              image: payments-api:latest  # ❌ Policy violation: prod cannot use :latest
              resources:
                requests:
                  cpu: "100m"  # ❌ Resource violation: prod needs medium/large profile
              # ❌ Missing security context

Without CeLoR, the developer would need to:
- Manually identify all violations
- Fix each one individually
- Re-verify after each fix
- Repeat if new violations are introduced
With CeLoR, the developer simply runs:

.. code-block:: bash

    celor repair deployment.yaml --out fixed/

CeLoR automatically:
- Detects all violations using oracles
- Generates a repair template (from LLM, Fix Bank, or default)
- Synthesizes correct values using a local CEGIS loop
- Produces a verified, compliant manifest
The repaired manifest satisfies all policy, security, and resource requirements automatically.
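
The detection step can be illustrated with a small policy check run over the manifest shown earlier. This is an added example, not CeLoR's own oracle code: the function name ``check_deployment``, the rule set, and the dict form of the manifest are assumptions, and the resource-profile rule is left out because the page does not define the medium/large profiles.

```python
# Added example: a minimal policy check, not CeLoR's oracle implementation.
REQUIRED_LABELS = ("team", "tier")   # label names taken from the page
PROD_REPLICAS = range(3, 6)          # page: prod requires 3-5 replicas


def check_deployment(manifest):
    """Return a sorted list of violation strings for a Deployment dict."""
    violations = []
    spec = manifest.get("spec") or {}
    labels = (manifest.get("metadata") or {}).get("labels") or {}
    for name in REQUIRED_LABELS:
        if name not in labels:
            violations.append(f"metadata.labels: missing '{name}'")
    replicas = spec.get("replicas", 1)  # Kubernetes defaults replicas to 1
    if replicas not in PROD_REPLICAS:
        violations.append(f"spec.replicas: {replicas} outside 3-5")
    pod = (spec.get("template") or {}).get("spec") or {}
    pod_sc = pod.get("securityContext") or {}
    for c in pod.get("containers") or []:
        where = f"container '{c.get('name')}'"
        image = c.get("image", "")
        # A tag follows ':' in the last path segment; no tag means :latest.
        last = image.rsplit("/", 1)[-1]
        tag = last.split(":", 1)[1] if ":" in last else "latest"
        if "@" not in image and tag == "latest":  # digest-pinned images pass
            violations.append(f"{where}: image uses :latest")
        sc = c.get("securityContext") or {}
        # A container-level setting overrides the pod-level one.
        if sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot")) is not True:
            violations.append(f"{where}: runAsNonRoot is not true")
        if not (c.get("resources") or {}).get("limits"):
            violations.append(f"{where}: no resource limits")
    return sorted(violations)


# Constructed sample: the page's manifest as the dict a YAML loader would give.
LLM_OUTPUT = {
    "apiVersion": "apps/v1", "kind": "Deployment",
    "metadata": {"name": "payments-api"},
    "spec": {"replicas": 2, "template": {"spec": {"containers": [{
        "name": "payments-api", "image": "payments-api:latest",
        "resources": {"requests": {"cpu": "100m"}}}]}}},
}

if __name__ == "__main__":
    for v in check_deployment(LLM_OUTPUT):
        print("VIOLATION", v)
```

Because the check returns every violation at once instead of stopping at the first, a repair step can address them together and re-run the check a single time.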
- Learn the :doc:`repair_workflow` to see CeLoR in action
- Understand :doc:`../core_concepts/oracles` for verification concepts
- Explore :doc:`k8s_oracles` for K8s-specific oracle details