The problem addressed is the complexity of modern infrastructure—Kubernetes, Kafka, multi-cloud, and CI/CD—where traditional monitoring is slow, motivating an AI-driven approach.

The architecture unfolds in four layers: data collection from five specialized sources (Kubernetes, Kafka, Cloud, CI/CD, and Logs), an Apache Kafka event bus for durable, decoupled streams, an Intelligence Engine with an Anomaly Detector, Root Cause Analyzer, and Capacity Planner, and finally an Action & Integrations layer delivering outputs to Slack, PagerDuty, Prometheus, and APIs (including AWS Bedrock for LLMs).

In a live demonstration on a local kind Kubernetes cluster, an example incident INC-0001 was resolved in 1.7 milliseconds, with an anomaly score of 0.97 (critical) and clearly defined remediation steps.

Auto-remediation actions include scale_deployment, restart_pods, rollback_deploy, drain_node, failover_db, and toggle_feature, all governed by safety controls to prevent cascading issues.

The event flow moves from telemetry.raw to telemetry.enriched, then anomalies.detected, with incidents being created and updated as remediation actions proceed; governance flows are guided by policy and capacity forecasts.

Kronveil is an open-source, AI-powered observability agent compiled into a single Go binary that collects telemetry, detects anomalies in real time, analyzes root causes with LLMs, and auto-remediates incidents.

Deployment and health checks show all components—Kubernetes and Kafka collectors, anomaly detector, incident responder, root-cause analyzer, and capacity planner—operating healthily, with deployment relying on kind clusters, Docker image builds, and Helm charts.

Future plans emphasize deeper Kubernetes client-go integration, multi-cloud secret management, dashboard UI improvements, Prometheus metrics export, webhooks for Slack/PD, and multi-cluster support, all under an Apache 2.0 license for open contributions.

The tech stack centers on a single Go 1.21 binary (~10MB) using Apache Kafka with 10 topics and 3x replication, AWS Bedrock for LLMs (Claude or Titan), OPA for policies, AWS Secrets Manager and Vault for secrets, Kubernetes and Helm for deployment, and a React/TypeScript dashboard, with a focus on minimal external dependencies.

The intelligence pipeline combines Z-Score, EWMA, and Linear Trend for anomaly detection; the Root Cause Analyzer builds a dependency graph and uses DFS to establish causality, gathering evidence and querying LLMs for root cause and fixes, while the Capacity Planner offers forecasts via linear regression and confidence intervals.

Data collection is modular: collectors implement a simple interface and run in their own goroutines to push TelemetryEvent structures, making it easy to add new data sources by implementing the Collector interface.

The incident lifecycle spans anomaly detection triggering Incident Responder to triage incidents, correlate events, auto-remediate, notify stakeholders, and track resolution, with safety features like circuit breakers, dry-run mode, human approval gates, and cooldowns to prevent storms.